The importance of changing your PIN is not widely advertised.
We know to change our smoke alarm batteries when the clocks change, automotive oil change services advertise “every 3,000 miles”, and many of us schedule annual medical appointments to coincide with our birthdays. Each of us should add periodically changing passwords and PINs to that list of routines. If a security policy does not set the cadence for you, base it on the likelihood that a given system is breached and on the harm that would follow. One caveat for passwords: current guidance such as NIST SP 800-63B favors changing them on evidence of compromise rather than on a fixed calendar, because forced rotation pushes people toward predictable variants of the old one. A four-digit PIN has so little keyspace that a periodic change still has merit, provided the new PIN is not derived from the old.
PIN selection is an important topic that is often overlooked. The guidance usually given for a PIN is to pick a “four-digit number that would be easy for you to remember but difficult for another to guess”. That is not good advice, and the reason becomes clear when you consider which four-digit numbers are easy for most people to remember.
The false sense of security comes from the arithmetic: there are 10,000 possible PINs from 0000 to 9999, but most people draw theirs from a far smaller set.
Consider this: the most common choice is the day and month of a significant date (birthday, anniversary, etc.) in the format MMDD. The second most common is a month and year of significance (birthday, graduation, etc.) in the format MMYY.
The arithmetic is unforgiving. A month-day PIN is one of only 366 values (29 February included). A month-year PIN is one of 1,200 values, 0100 through 1299. Every month-day value is also a valid month-year value, so the two classes together occupy just 1,200 of the 10,000 possible PINs, 12% of the keyspace. (Writing the date as DDMM instead moves those 366 values elsewhere but does not enlarge the set.) It should not surprise you that analyses of real-world PIN data show a disproportionate share clustered between 0100 and 1299.
Other common selections include the house or building number of an address (forward or backwards), the keypad digits that correspond to a person’s first name (Mary is 6279 and Lisa is 5472), and easy patterns such as 1234, 2468 and 5555.
Statistically, the probability that a bad actor armed with publicly available information guesses a typical person’s PIN is between 1/15 and 1/6, roughly 7% to 17%. In other words, a bad actor does not need a brute-force attack: fifteen or so educated guesses, tried in order of likelihood, cover it. Many systems lock the account after a handful of wrong attempts, so what matters is how good the first few guesses are, and dates come first.
Fibonacci numbers form the series you get by starting with 1, 1 and adding the two previous numbers to produce the next: 1+1=2 gives 1, 1, 2; then 1+2=3 gives 1, 1, 2, 3; and so on. The first 13 numbers in the series are 1, 1, 2, 3, 5, 8, 13, 21, 34, 55, 89, 144 and 233.
Fibonacci numbers appear in more places than you might imagine. In nature, for example, the leaves on a stem, the fruit sprouts of a pineapple and the flowering of an artichoke, when counted, are Fibonacci. They also turn up when a person is asked to produce a number that “feels random”: the human mind gravitates toward familiar sequences, and a four-digit run lifted from this one (1123, 1235, 2358, 3581, 5813) is as guessable as a date. The point for PIN selection is that a number a human picks to look arbitrary rarely is.
How Do You Select a PIN?
The best guidance is to choose a number between 1300 and 9999 (above the month-year range) that does not correspond to anything an acquaintance could look up, memorize it, use it, and change it periodically. It should not be easy for you to remember without effort! As I look around my office for some inspiration, I note that I have a microphone (Model #N382), there is a market that I shop at periodically that is at 6651 <street redacted>, and I looked up the phone number of a restaurant I never eat at. The last four digits are 8066 and the first four are 5848. So, if I need a PIN, I could use 6382 (6 for N on the telephone keypad), 6651, 8066 or 5848. If I forget the number, knowing where it came from gives me a way to recover it. Two cautions apply. The source must be something nobody would connect to you; a store you shop at regularly is findable from a card statement, a restaurant you never visit is not. And a random-number generator (most password managers include one, and will also store the result as the recovery path) does the job better than looking around the office, because it cannot be biased toward anything at all.
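The following is an added example, not code from the original article, that puts the preceding points into working form: it enumerates the month-day and month-year PIN sets to confirm the 366 / 1,200 figures, flags the guessable classes the article names (dates, repeated digits, arithmetic runs such as 1234 and 2468, four-digit windows of the written-out Fibonacci sequence), builds the short ordered guess list an attacker would assemble from public facts about a target, and draws a uniformly random PIN from the article's 1300-9999 range while rejecting those classes. The target profile, house number and names in the usage section are constructed for illustration; the keypad mapping is the standard telephone layout.

```python
"""Added example (not from the original article): quantify the date-derived
PIN space, list the 'educated guesses' an attacker with public information
would try first, and draw a PIN that avoids those classes.
All profile data used below is constructed for illustration."""
import secrets
from datetime import date, timedelta

# Letters on a standard telephone keypad (2 = ABC ... 9 = WXYZ).
KEYPAD = {c: d for d, letters in {"2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
          "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ"}.items() for c in letters}


def keypad_digits(word: str) -> str:
    """Map a name to keypad digits: 'Mary' -> '6279', 'Lisa' -> '5472'."""
    return "".join(KEYPAD[c] for c in word.upper() if c in KEYPAD)


def mmdd_pins() -> set[str]:
    """Every valid month-day PIN; walking a leap year yields all 366 (0229 included)."""
    d, out = date(2000, 1, 1), set()
    while d.year == 2000:
        out.add(d.strftime("%m%d"))
        d += timedelta(days=1)
    return out


def mmyy_pins() -> set[str]:
    """Every month-year PIN, 0100 through 1299: 12 months x 100 years = 1,200."""
    return {f"{m:02d}{y:02d}" for m in range(1, 13) for y in range(100)}


def fibonacci_windows() -> set[str]:
    """Four-digit windows of the Fibonacci sequence written out: 1123, 1235, 2358, 3581, ..."""
    fib = [1, 1]
    while len("".join(map(str, fib))) < 24:
        fib.append(fib[-1] + fib[-2])
    s = "".join(map(str, fib))
    return {s[i:i + 4] for i in range(len(s) - 3)}


def weak_classes(pin: str) -> list[str]:
    """Names of the guessable categories from the article that `pin` falls into ([] = none)."""
    if len(pin) != 4 or not pin.isdigit():
        raise ValueError("PIN must be exactly four digits")
    classes = []
    if pin in mmdd_pins():
        classes.append("month-day")
    if pin in mmyy_pins():
        classes.append("month-year")
    if len(set(pin)) == 1:
        classes.append("repeated digit")
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if len(steps) == 1 and steps != {0}:          # 1234, 2468, 9753 ...
        classes.append("arithmetic run")
    if pin in fibonacci_windows():
        classes.append("fibonacci window")
    return classes


def educated_guesses(birthday: str, anniversary: str = "",
                     house_number: str = "", first_name: str = "") -> list[str]:
    """Ordered guess list an attacker builds from public facts (dates as ISO 'YYYY-MM-DD')."""
    guesses = []
    for iso in (birthday, anniversary):
        if iso:
            d = date.fromisoformat(iso)
            guesses += [d.strftime("%m%d"), d.strftime("%d%m"), d.strftime("%m%y")]
    digits = "".join(ch for ch in house_number if ch.isdigit())
    if digits:
        hn = digits.zfill(4)[-4:]                 # 6651 -> 6651 forward, 1566 backwards
        guesses += [hn, hn[::-1]]
    name = keypad_digits(first_name)
    if len(name) == 4:
        guesses.append(name)
    guesses += ["1234", "2468", "5555"]           # the 'easy' picks named in the article
    return list(dict.fromkeys(guesses))           # de-duplicate, keep priority order


def random_pin(randbelow=secrets.randbelow) -> str:
    """Uniform draw from 1300-9999 (the article's range), rejecting the weak classes above."""
    while True:
        pin = str(1300 + randbelow(8700))
        if not weak_classes(pin):
            return pin


if __name__ == "__main__":
    print(len(mmdd_pins()), len(mmyy_pins()), mmdd_pins() <= mmyy_pins())  # 366 1200 True
    # Constructed target profile, not a real person.
    print(educated_guesses("1985-07-04", "2010-06-21", "6651", "Mary"))
    print(weak_classes("1235"), weak_classes("4817"), random_pin())
```

The guess list for the constructed profile comes to twelve PINs, which is the "fifteen educated guesses" of the text in concrete form, and its first entries are dates because those are the most likely. `random_pin` draws from `secrets`, not `random`, because a PIN is a credential and the generator must not be predictable; rejecting the weak classes costs a few percent of the keyspace but removes exactly the values an attacker tries first.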
For PINs, select a four-digit number that corresponds to nothing an acquaintance could look up and that you will not remember without effort, and change it periodically.