Based on a recent Twitter conversation I had a thought about bank and credit card PIN numbers (sorry for the redundancy): are really all possible PINs issued or are some kept back because bank customers could feel uncomfortable with certain combinations of digits? And would it really matter if some of them were kept back?
It should be obvious that in case of a truly random PIN 4 identical digits are just as likely to occur as any other combination. But certain combinations just do not feel random (I don’t know how to explain it better, I’m not a psychologist).
So I’ve made a small Gedankenexperiment:
- Let’s assume that a bank issues by default a 4-digit PIN. (I know that my bank issues 4-digit PINs by default but they can be changed to any 4- to 6-digit number afterwards.)
- Customers would not accept a PIN with four identical digits (0000, 1111, …, 9999) out of fear that they might be insecure.
- An ATM allows 3 attempts to enter a PIN before locking/withholding a bank/credit card. (This limit is actually the main reason why 4-digit PINs are mostly safe, btw.)
If all possible PINs would be issued there would be 10000 possibilities to choose from. The probability of guessing the correct PIN in three attempts is obviously 3/10000, or 0.03 %.
If (according to point 2) the 10 PINs with identical digits would be left away (and the attacker knows about that) the probability to guess the correct PIN would be 3/9990, which is still about 0.03 %. If furthermore the 20 consecutive numbers (e.g. 1234, 9876) would not be issued the probability would minimally increase to 3/9970, still about 0.03 %.
In my eyes this does not make a huge difference from a mathematical point of view but could calm down customers who fear a PIN with 4 identical digits might be insecure. But: in some situations a PIN with identical digits could actually be a security issue. Imagine pressing the same number pad four times (e.g. when unlocking your iPhone in a crowded environment). Even from some distance the PIN should be pretty simple to recognize due to the consistent movement of your fingers.
Update 2015-12-16: I’ve asked my bank for some background information on the PIN generation and got the following (German) feedback:
Der PIN-Berechnung liegen diverse Algorithmen zugrunde. Die möglichen Zahlenkombinationen werden nach keinem System verteilt. Da die Berechnung in einem geschlossenen System erfolgt und das Ergebnis deshalb nicht bekannt ist, gibt es auch keine Statistiken über die Häufigkeit von bestimmten Kombinationen.
Translation: The PIN calculation is based on various algorithms. The possible numerical combinations are not based on a defined system. Since the calculation is performed in a closed system and the result therefore is not known, there are no statistics on the frequency of certain combinations.
Addendum 1: Just for fun – I’ve added a more detailed approach to calculate the probability. If someone tries to guess a truly random 4-digit PIN he has a probability of 1/10000 to succeed on the first attempt. To succeed on the second attempt the probability is 1/9999. We have to multiply that with 9999/10000, the probability of failing on the first attempt. The third attempt is calculated similarly: a probability of 1/9998 to succeed, multiplied by 9999/10000 (first failure) and 9998/9999 (second failure). The result by simplifying the fractions and summing up the probabilities is:
1/10000 + 9999/10000 * 1/9999 + 9999/10000 * 9998/9999 * 1/9998 = 3/10000
Addendum 2: I’m talking here about truly random PINs issued to customers by a bank. Statistical analysis of leaked password data (Bonneau et al. 2012., DataGenetics 2013) shows that custom PINs are far from being random. (We humans are really bad at that.)