Is it safe to use a four- or six-digit PIN on a mobile phone?

In order to keep their customers' devices safe, both Apple and Android employ a variety of safeguards. A group of IT security specialists from around the world examined how effective these tools are, and that's what we're going to discuss today.

Indeed, IT security researchers from Germany and the US conducted a study into how mobile phone users pick their PINs and how they may be persuaded to choose a more secure number combination. According to the researchers, six-digit PINs are no more secure than four-digit ones in terms of the protection they provide. Apple's use of a "blacklist" of frequently chosen PINs could be improved, and it would make more sense to deploy such a list on Android devices as well, they found.

Dr. Maximilian Golla of the Max Planck Institute for Security and Privacy in Bochum and Professor Adam Aviv of the George Washington University in the United States collaborated on the study with Philipp Markert, Daniel Bailey, and Professor Markus Dürmuth from the Horst Görtz Institute for IT Security at Ruhr-Universität Bochum. The findings will be presented at the IEEE Symposium on Security and Privacy in San Francisco in May 2020, according to the researchers. The paper's preprint may be downloaded at arxiv.org.

What do users really need?

In the study, researchers had participants create either four- or six-digit PINs on Apple and Android smartphones and then analysed how easy it was to guess them afterwards. The attacker was assumed to know nothing about the victim and to have no particular interest in unlocking that specific phone. As a result, the most effective attack strategy is to start with the most likely PINs.

Some research participants could pick any PIN they wanted. The rest could only choose PINs that were not on a blacklist: if they entered a blocked PIN, they saw a warning that this combination of digits was easy to guess.

The IT security specialists used a variety of common passcode blocklists in the experiment, including Apple's official list. The experiment also involved a machine that tested all conceivable PIN combinations on an iPhone. The specialists compiled their own lists as well, which were tested too.

Is there any benefit in using a six-digit PIN over a four-digit PIN?

Six-digit PINs turned out to be no more secure than four-digit ones. As Philipp Markert explains, "Mathematically speaking, of course, there is a tremendous difference." There are ten thousand possible four-digit PINs but one million possible six-digit PINs. Philipp Markert also notes that users favour particular combinations, such as 123456 and 654321, which means the six-digit space is not used to its full capacity. People do not seem to grasp PIN security instinctively, according to Markus Dürmuth.

Because manufacturers restrict the number of PIN entry attempts, a well-chosen four-digit PIN is safe. After 10 unsuccessful attempts to enter the passcode, Apple permanently locks the device. On an Android phone, several codes cannot be entered in rapid succession. Philipp Markert points out that "in eleven hours, 100 number combinations may be examined."

Do blocklists matter?

The researchers found 274 four-digit PINs on Apple's blocklist. The list is used as a mechanism for improving PIN selection: iOS users are shown the warning "This PIN Can Be Easily Guessed" with a choice to "Use Anyway" or "Change PIN." It is effectively a list of very easily guessed PINs. Maximilian Golla says, "Since iPhone users only have 10 chances to guess the PIN, the blocklist does not make it any more secure." Using a blocklist on Android devices would make more sense, according to the researchers, because attackers there can try a wider range of PINs.

According to the study, the optimum blocklist for four-digit PINs should contain around 1,000 entries and differs somewhat from the list Apple currently uses. Four-digit PINs such as 1234, 0000, 2580 (the keys sit vertically one below the other on the numeric keypad), 1111, and 5555 were found to be the most popular.

As we have seen, iPhone users can choose to disregard the alert that they have entered a commonly used PIN, so the device does not reliably prevent blocklisted entries from being chosen. The IT security professionals also examined this aspect in their research. One group of test participants could decide for themselves whether or not to enter a new PIN after receiving the warning; another group had to create a new PIN if their choice was on the list. On average, both groups' PINs were equally difficult to guess.

Pattern locks are less secure

Four- and six-digit PINs were shown to be more secure than pattern locks, but not as safe as passwords.

The simpler the pattern, the easier it is for someone watching over your shoulder to copy it. In fact, the research found that observers were able to recreate the swipe pattern 64.2% of the time after seeing it only once, and the success rate rises with multiple observations.

According to the study, these are the most frequently used PINs:

  • Four-digit PINs: 1234, 0000, 2580, 1111, 5555, 5683, 0852, 2222, 1212
  • Six-digit PINs: 123456, 654321, 111111, 000000, 123123, 666666, 121212, 112233, 789456, 159753
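As an added example (not code from the article or from the study), here is the kind of entry-time check that sits behind a "This PIN Can Be Easily Guessed" warning, covering both the blocklist discussion above and the list of frequent PINs just given. It combines an explicit blocklist seeded from the PINs listed above with structural rules for digit sequences, repeated blocks and adjacent-key walks on the keypad; the structural rules go beyond the frequency-based list the study describes, and the function names, rule set and blocklist contents are my own assumptions.

```python
import re
from typing import List

# Constructed blocklist seeded with the PINs the article lists as most popular;
# the study suggests a real four-digit list should hold roughly 1,000 entries.
POPULAR_PINS = {
    "1234", "0000", "2580", "1111", "5555", "5683", "0852", "2222", "1212",
    "123456", "654321", "111111", "000000", "123123", "666666", "121212",
    "112233", "789456", "159753",
}

# Row/column of each key on a phone keypad, used to detect walks across
# touching keys such as 2580 (down the middle column) or 0852 (back up).
KEYPAD = {"1": (0, 0), "2": (0, 1), "3": (0, 2),
          "4": (1, 0), "5": (1, 1), "6": (1, 2),
          "7": (2, 0), "8": (2, 1), "9": (2, 2), "0": (3, 1)}

def is_digit_sequence(pin: str) -> bool:
    """1234, 654321: every digit is the previous one plus or minus one."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}

def is_repeating(pin: str) -> bool:
    """0000, 1212, 123123: a short block repeated to the full length."""
    return any(pin == pin[:p] * (len(pin) // p)
               for p in range(1, len(pin)) if len(pin) % p == 0)

def is_keypad_walk(pin: str) -> bool:
    """2580, 0852, 1478: every step moves to a touching key (straight or
    diagonal), a shape that is easy to watch and easy to guess."""
    for a, b in zip(pin, pin[1:]):
        (r1, c1), (r2, c2) = KEYPAD[a], KEYPAD[b]
        if max(abs(r1 - r2), abs(c1 - c2)) != 1:
            return False
    return True

def check_pin(pin: str) -> List[str]:
    """Return the reasons a PIN would trigger an 'easily guessed' warning;
    an empty list means none of the checks fired."""
    if not re.fullmatch(r"[0-9]{4}|[0-9]{6}", pin):
        return ["must be exactly 4 or 6 digits"]
    reasons = []
    if pin in POPULAR_PINS:
        reasons.append("on the popular-PIN blocklist")
    if is_digit_sequence(pin):
        reasons.append("ascending or descending digit sequence")
    if is_repeating(pin):
        reasons.append("repeated digit or repeated block")
    if is_keypad_walk(pin):
        reasons.append("adjacent-key walk on the keypad")
    return reasons
```

Whether a flagged PIN is merely warned about or rejected outright is a policy decision; the study found that participants who could click "Use Anyway" ended up with PINs no weaker on average than those who were forced to re-enter.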

So, don't forget to double-check that your PIN is not on the list above. If you're interested in evaluating your password security, we strongly recommend checking it against the security.org password checker.

This tool checks users' passwords against a database of common weak passwords and evaluates each password based on key factors such as:

  • Its number of characters. The password should have at least eight to 10 characters, but 16 to 20 characters is ideal.
  • Combinations. The password should include a combination of letters, numbers, and symbols rather than taking the form of a phrase. Each character has an associated numerical value, and these values are summed to produce a total score.
  • Uniqueness. The password shouldn’t be repetitive in terms of its characters, with unique combinations used instead.