Posted Wednesday, Sept. 19, 2012, at 3:20 PM
Research suggests thieves can guess one in five PINs by trying just three combinations.
How easy would it be for a thief to guess your four-digit PIN? If he were forced to guess randomly, his odds of getting the correct number would be one in 10,000—or, if he has three tries, one in 3,333. But if you were careless enough to choose your birth date, a year in the 1900s, or an obvious numerical sequence, his chances go up. Way up.
Researchers at the data analysis firm Data Genetics have found that the three most popular combinations—"1234," "1111," and "0000"—account for close to 20 percent of all four-digit passwords. Meanwhile, every four-digit combination that starts with "19" ranks above the 80th percentile in popularity, with those in the late—er, upper—1900s coming in the highest. Also quite common are MM/DD combinations—those in which the first two digits are between "01" and "12" and the last two are between "01" and "31." So choosing your birthday, your birth year, or a number that might be a lot of other people's birthday or birth year makes your password significantly easier to guess.
On the other end of the scale, the least popular combination—8068—appears less than 0.001 percent of the time. (Although, as Data Genetics acknowledges, you probably shouldn't go out and choose "8068" now that this is public information.) Rounding out the bottom five are "8093," "9629," "6835," and "7637," which are all nearly as rare.
Data Genetics came up with the numbers by analyzing a database of 3.4 million stolen passwords that have been made public over the years. Most of these are passwords for websites. But by looking specifically at those that comprise exactly four characters, all of which are numerals, the researchers figured they could get a decent proxy for ATM PINs as well.
One would hope, of course, that fewer people choose "1234" to protect their checking accounts than to log in to random websites. But Data Genetics found some circumstantial evidence to support its hypothesis that there are some strong correlations between the two. For instance, the combination "2580" was the 22nd-most popular in their data set. Why so high? Probably because those four numbers appear in a single column from top to bottom on a phone or ATM keypad. On most computer keyboards, they do not.
Some other interesting anecdotes from the data:
- Half of all passwords are among the 426 most popular (out of 10,000 total).
- People prefer even numbers to odd, so "2468" ranks higher than "1357."
- Far more passwords start with "1" than any other number. In a distant second and third are "0" and "2."
- Among seven-digit passwords, the fourth-most popular is "8675309," which should ring familiar to fans of '80s music.
- The 17th-most popular 10-digit password is "3141592654."
- Two-digit sequences with large numerical gaps, such as "29" and "37," are found often among the least popular passwords.
For those who get a kick out of these sorts of things, Data Genetics' blog post is worth perusing in full. Just keep in mind that guessing isn't the only way thieves can swipe your PIN or password. So "8068" alone—or whatever the equivalent is now that people know about "8068"—won't protect you from ATM skimmers or hackers who breach the databases of sites that don't encrypt users' passwords.
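The patterns described above (repeated digits, numerical sequences, years in the 1900s, MM/DD dates, and the "2580" keypad column) can be turned into a check that a PIN-setting form runs before accepting a new PIN. The following is an added example, not code from the article or from Data Genetics; the function names are hypothetical, and treating descending runs and the reversed keypad column as weak is an assumption that goes beyond the cases the article names.

```python
# Added example (not from the article or Data Genetics): reject four-digit PINs
# that match the guessable patterns the article describes. All names are
# hypothetical; descending runs and the reversed keypad column are assumptions
# that generalize the article's "1234", "2468" and "2580" cases.
KEYPAD_COLUMN = "2580"  # middle column of a phone/ATM keypad, top to bottom


def weak_pin_reasons(pin: str) -> list[str]:
    """Return why a four-digit PIN is easy to guess; an empty list means no rule matched."""
    if len(pin) != 4 or not (pin.isascii() and pin.isdigit()):
        raise ValueError("expected exactly four ASCII digits")
    reasons = []
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps == {0}:
        reasons.append("repeated digit")        # "1111", "0000"
    elif len(steps) == 1 and steps <= {1, -1, 2, -2}:
        reasons.append("numerical sequence")    # "1234", "2468", "1357"
    if pin.startswith("19"):
        reasons.append("year in the 1900s")
    if 1 <= int(pin[:2]) <= 12 and 1 <= int(pin[2:]) <= 31:
        reasons.append("MM/DD date")            # the article's range definition
    if pin in (KEYPAD_COLUMN, KEYPAD_COLUMN[::-1]):
        reasons.append("keypad column")
    return reasons


def flagged_pins() -> list[str]:
    """Every PIN from 0000 to 9999 that at least one rule rejects."""
    return [p for p in (f"{n:04d}" for n in range(10_000)) if weak_pin_reasons(p)]


if __name__ == "__main__":
    for sample in ("1234", "1111", "1984", "1225", "2580", "8068"):  # constructed inputs
        print(sample, weak_pin_reasons(sample) or "no rule matched")
    print(len(flagged_pins()), "of 10000 PINs rejected")
```

These rules reject 504 of the 10,000 possible PINs. Passing them only excludes the patterns named above; it says nothing about where a PIN ranks in the Data Genetics data.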