Based on a recent Twitter conversation I had a thought about bank and credit card PIN numbers (sorry for the redundancy): are really all possible PINs issued or are some kept back because bank customers could feel uncomfortable with certain combinations of digits? And would it really matter if some of them were kept back?
It should be obvious that in case of a truly random PIN 4 identical digits are just as likely to occur as any other combination. But certain combinations just do not feel random (I don’t know how to explain it better, I’m not a psychologist).
So I’ve made a small Gedankenexperiment:
- Let’s assume that a bank issues by default a 4-digit PIN. (I know that my bank issues 4-digit PINs by default but they can be changed to any 4- to 6-digit number afterwards.)
- Customers would not accept a PIN with four identical digits (0000, 1111, …, 9999) out of fear that they might be insecure.
- An ATM allows 3 attempts to enter a PIN before locking/withholding a bank/credit card. (This limit is actually the main reason why 4-digit PINs are mostly safe, btw.)