DeepAI AI Chat
Log In Sign Up

This PIN Can Be Easily Guessed

by   Philipp Markert, et al.

In this paper, we provide the first comprehensive study of user-chosen 4- and 6-digit PINs (n=1220) collected on smartphones with participants being explicitly primed for the situation of device unlocking. We find that against a throttled attacker (with 10, 30, or 100 guesses, matching the smartphone unlock setting), using 6-digit PINs instead of 4-digit PINs provides little to no increase in security, and surprisingly may even decrease security. We also study the effects of blacklists, where a set of "easy to guess" PINs is disallowed during selection. Two such blacklists are in use today by iOS, for 4-digits (274 PINs) as well as 6-digits (2910 PINs). We extracted both blacklists compared them with four other blacklists, including a small 4-digit (27 PINs), a large 4-digit (2740 PINs), and two placebo blacklists for 4- and 6-digit PINs that always excluded the first-choice PIN. We find that relatively small blacklists in use today by iOS offer little or no benefit against a throttled guessing attack. Security gains are only observed when the blacklists are much larger, which in turn comes at the cost of increased user frustration. Our analysis suggests that a blacklist at about 10 provide the best balance between usability and security.


page 4

page 12


This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs

In this paper, we provide the first comprehensive study of user-chosen 4...

Knock, Knock. Who's There? On the Security of LG's Knock Codes

Knock Codes are a knowledge-based unlock authentication scheme used on L...

Increasing the Security of Weak Passwords: the SPARTAN Interface

Password authentication suffers from the well-known tradeoff between sec...

Charting the Security Landscape of Programmable Dataplanes

Emerging programmable dataplanes will revamp communication networks, all...

Mobile Device Type Substitution

Mobile users today interact with a variety of mobile device types includ...

Seniors' Media Preference for Receiving Internet Security Information: A Pilot Study

Due to the increasing use of Internet by older adults and their low comp...

Long Passphrases: Potentials and Limits

Passphrases offer an alternative to traditional passwords which aim to b...