This PIN Can Be Easily Guessed

by   Philipp Markert, et al.

In this paper, we provide the first comprehensive study of user-chosen 4- and 6-digit PINs (n=1220) collected on smartphones with participants being explicitly primed for the situation of device unlocking. We find that against a throttled attacker (with 10, 30, or 100 guesses, matching the smartphone unlock setting), using 6-digit PINs instead of 4-digit PINs provides little to no increase in security, and surprisingly may even decrease security. We also study the effects of blacklists, where a set of "easy to guess" PINs is disallowed during selection. Two such blacklists are in use today by iOS, for 4-digits (274 PINs) as well as 6-digits (2910 PINs). We extracted both blacklists compared them with four other blacklists, including a small 4-digit (27 PINs), a large 4-digit (2740 PINs), and two placebo blacklists for 4- and 6-digit PINs that always excluded the first-choice PIN. We find that relatively small blacklists in use today by iOS offer little or no benefit against a throttled guessing attack. Security gains are only observed when the blacklists are much larger, which in turn comes at the cost of increased user frustration. Our analysis suggests that a blacklist at about 10 provide the best balance between usability and security.



There are no comments yet.


page 4

page 12


This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs

In this paper, we provide the first comprehensive study of user-chosen 4...

Knock, Knock. Who's There? On the Security of LG's Knock Codes

Knock Codes are a knowledge-based unlock authentication scheme used on L...

Increasing the Security of Weak Passwords: the SPARTAN Interface

Password authentication suffers from the well-known tradeoff between sec...

Charting the Security Landscape of Programmable Dataplanes

Emerging programmable dataplanes will revamp communication networks, all...

Smartphone Security Behavioral Scale: A NewPsychometric Measurement for Smartphone Security

Despite widespread use of smartphones, there is no measurement standard ...

Seniors' Media Preference for Receiving Internet Security Information: A Pilot Study

Due to the increasing use of Internet by older adults and their low comp...

FPSelect: Low-Cost Browser Fingerprints for Mitigating Dictionary Attacks against Web Authentication Mechanisms

Browser fingerprinting consists into collecting attributes from a web br...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.