Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 8 Mar 2016 15:13:50 +0100
From: Per Thorsheim <>
Subject: Re: Article on pin numbers randomness

Den 08.03.2016 13.21, skrev Martin Rublik:
> On 08.03.2016 13:04, Daniel Cussen wrote:

First of all: thank you Daniel for officially bringing the mailing list
to life! :-)

Second: fascinating to see that old blog post suddenly come to life
again all over Twitter during the past week or so.

1. Daniel Amitay / Big Brother iOS app
US-based Web developer Daniel Amitay was the one who really kicked pin
code research into the spotlight in 2010-2011. You can still read his
blog post with story & stats here:
Media did stories based on that *everywhere*

2. Howard Smith / Oracle / PasswordsCon
Our first speaker at our first PasswordsCon in December 2010 was Howard
Smith, head of internal penetration testing at Oracle (UK). His topic:
user selected PIN numbers. You can watch the recorded talk here:

3. Joseph Bonneau / Cambridge
Joe authored the paper "A birthday present every eleven wallets? the
security of customer-chosen banking PINs" in 2012. You can find the PDF
and related data at his site:

TL;DR: Steal eleven credit cards. The only things you know are a)
4-digit pin, b) selected by the user. Statistically you'll guess the
correct pin on every eleventh card, 3 attempts per card. That's pretty
good odds!

Oh, and if you ask Joe nicely, he may share his code for generating the
PIN plots.

4. PIN plotting
A friend of mine (@kluzz) made a browser/client-side version for doing
the same thing. It is still available here:

Some of this is already already on my "free research ideas for everyone"
list here:, and I realize again that I need
to update that page with many new ideas.

5. Amir Nickel, University of South Wales, UK
I am currently a co-supervisor to Amir, B.Sc. student at UoSW, and his
ongoing work is about PIN reuse, based on ideas from me. You can learn
more about his work, do his survey and check out his "easy to remember
PIN" generator at

Feedback very welcome of course!


> Well, as I said earlier, the trouble here is that we don't know how
> well does the password sample align with actual PIN distribution.

Daniel Amitay collected 200K+ user selected pins, but we do not know if
all those were originally selected by the user, or if it could be a pin
they have already received & memorized from others (sim card, bank, work
access card etc.)

...Which is why Joe also used data from other sources as well. I have
also done some work that I haven't fully made available online, will try
do that during the next week or two.

> I'd say that I could use a password 1234 for a site I don't care at
> all but I won't certainly use it as a PIN to protect the ATM card.

I know some banks have implemented blacklists, but I don't know if those
blacklists are based on guesswork or real statistics. But 1234 is
extremely popular, no doubt.

> On the other hand the article is interesting and I'd say that If we
> strip the marginal/obvious results that it can reflect the reality
> well.


Best regards,
Per Thorsheim
Founder of PasswordsCon

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.