This PIN Can Be Easily Guessed

03/10/2020
by Philipp Markert et al.

In this paper, we provide the first comprehensive study of user-chosen 4- and 6-digit PINs (n=1220) collected on smartphones with participants being explicitly primed for the situation of device unlocking. We find that against a throttled attacker (with 10, 30, or 100 guesses, matching the smartphone unlock setting), using 6-digit PINs instead of 4-digit PINs provides little to no increase in security, and surprisingly may even decrease security. We also study the effects of blacklists, where a set of "easy to guess" PINs is disallowed during selection. Two such blacklists are in use today by iOS, for 4-digit PINs (274 PINs) as well as 6-digit PINs (2910 PINs). We extracted both blacklists and compared them with four other blacklists, including a small 4-digit blacklist (27 PINs), a large 4-digit blacklist (2740 PINs), and two placebo blacklists for 4- and 6-digit PINs that always excluded the first-choice PIN. We find that the relatively small blacklists in use today by iOS offer little or no benefit against a throttled guessing attack. Security gains are only observed when the blacklists are much larger, which in turn comes at the cost of increased user frustration. Our analysis suggests that a blacklist at about 10% of the PIN space provides the best balance between usability and security.
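To make the throttled-attacker metric concrete, here is an added example (not code or data from the paper) that scores a set of PINs by the fraction an attacker recovers within a 10/30/100-guess lockout budget, with the attacker guessing in frequency order and, when a blacklist is in force, skipping PINs that policy would never let a user choose. The PIN samples are constructed for illustration and carry no information about real user behaviour.

```python
from collections import Counter
from typing import Iterable, List, Sequence, FrozenSet

# Constructed 4-digit sample (hypothetical, not the paper's n=1220 data):
# a few popular choices plus a tail of unique ones.
SAMPLE_PINS_4: List[str] = (
    ["1234"] * 6 + ["0000"] * 3 + ["1111"] * 2
    + ["2580", "4321", "7777", "1998", "5683",
       "0852", "9371", "2468", "1357", "6060"]
)

# Constructed blacklist, standing in for the small iOS-style lists.
SMALL_BLACKLIST: FrozenSet[str] = frozenset({"1234", "0000", "1111"})


def guess_order(training_pins: Iterable[str],
                blacklist: FrozenSet[str] = frozenset()) -> List[str]:
    """Attacker's guess list: most frequent PIN first.

    A blacklist-aware attacker wastes no guesses on PINs the policy forbids,
    so those are dropped before ranking.
    """
    counts = Counter(p for p in training_pins if p not in blacklist)
    return [pin for pin, _ in counts.most_common()]


def throttled_success(target_pins: Sequence[str],
                      order: Sequence[str], budget: int) -> float:
    """Fraction of target PINs recovered within `budget` guesses.

    `budget` models the lockout: 10, 30 or 100 attempts before the device
    wipes or throttles, as in the smartphone unlock setting.
    """
    top = set(order[:budget])
    hits = sum(1 for p in target_pins if p in top)
    return hits / len(target_pins)


def policy_targets(pins: Sequence[str],
                   blacklist: FrozenSet[str]) -> List[str]:
    """PINs that would survive selection under the blacklist policy.

    Users whose first choice is blocked must re-pick; real re-selection
    behaviour is what the paper measures and is NOT modelled here, so
    blocked entries are simply dropped from the evaluated set.
    """
    return [p for p in pins if p not in blacklist]


if __name__ == "__main__":
    order = guess_order(SAMPLE_PINS_4)
    for budget in (10, 30, 100):
        print(budget, throttled_success(SAMPLE_PINS_4, order, budget))
```

Feeding the two guess orders the same budgets shows how much of the attacker's top-k list a given blacklist actually removes, which is the quantity that decides whether the list helps against a throttled attack.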
