DOI: 10.1145/3052973.3053031 (ASIA CCS conference proceedings, research article)

Understanding Human-Chosen PINs: Characteristics, Distribution and Security

ABSTRACT

Personal Identification Numbers (PINs) are ubiquitous in embedded computing systems where user input interfaces are constrained. Yet little attention has been paid to this important kind of authentication credential, especially to 6-digit PINs, which dominate in Asian countries and are gaining popularity worldwide. Unsurprisingly, many fundamental questions (e.g., what distribution do human-chosen PINs follow?) remain as open as they were about fifty years ago when they first arose. In this work, we conduct a systematic investigation into the characteristics, distribution and security of both 4-digit and 6-digit PINs chosen by English users and Chinese users. In particular, we perform, for the first time, a comprehensive comparison of PIN characteristics and security between these two distinct user groups. Our results show that PIN choices differ greatly between the two groups, that a small number of popular patterns prevail in both, and, surprisingly, that over 50% of every PIN dataset is accounted for by just the top 5% to 8% most popular PINs. What is disturbing is that, because online guessing is a much more serious threat than offline guessing in current PIN-based systems, longer PINs attain only marginally improved security: human-chosen 4-digit PINs offer about 6.6 bits of security against online guessing and 8.4 bits against offline guessing, while the corresponding figures for 6-digit PINs are 7.2 bits and 13.2 bits, respectively. We reveal, for the first time, that Zipf's law is likely to hold for PINs. Despite their distinct language and cultural backgrounds, both user groups choose PINs that follow almost the same Zipf distribution function, and such a Zipf PIN distribution from one source (about which an attacker may know little) can be well predicted by running Markov chains over PINs from another, known source. Our Zipf theory would have foundational implications for analyzing PIN-based protocols and for designing PIN creation policies, while our security measurements provide guidance for bank agencies and financial authorities that are planning to migrate PINs from 4 digits to 6 digits.
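The "bits of security against online guessing" and "against offline guessing" quoted above are partial-guessing metrics rather than plain entropy: an online attacker is capped by lockout at a few attempts per account, so only the head of the PIN distribution matters, whereas an offline attacker can keep guessing, so the whole rank-frequency curve matters. The Python below is an example added here, not code from the paper or its authors; it computes Bonneau's beta-success-rate and alpha-guesswork (IEEE S&P 2012) in bits over a constructed toy PIN corpus and fits a Zipf exponent to the corpus's rank-frequency curve. The corpus, the function names, and the choices beta = 3 and alpha = 0.5 are assumptions of the example, and the numbers it produces are for the toy corpus only, not the paper's datasets.

```python
"""Strength metrics and a Zipf rank-frequency fit over a PIN frequency table."""
import math
from collections import Counter

# Constructed sample corpus: made-up PINs with made-up counts, not the paper's data.
SAMPLE_PINS = (
    ["1234"] * 400 + ["1111"] * 150 + ["0000"] * 100 + ["1212"] * 60
    + ["7777"] * 40 + ["1004"] * 30 + ["2000"] * 25 + ["4444"] * 20
    + ["2222"] * 18 + ["6969"] * 15 + ["9999"] * 12 + ["3333"] * 10
    + ["5555"] * 8 + ["6666"] * 7 + ["1122"] * 6 + ["1313"] * 5
    + ["8888"] * 4 + ["4321"] * 3 + ["2001"] * 2 + ["1010"] * 1
)


def pin_distribution(pins):
    """Probabilities of the distinct PINs, sorted descending (best-first guess order)."""
    counts = Counter(pins)
    total = sum(counts.values())
    return sorted((c / total for c in counts.values()), reverse=True)


def beta_success_rate(probs, beta):
    """lambda_beta: fraction of accounts an optimal guesser covers with beta tries each."""
    return sum(probs[:beta])


def online_guessing_bits(probs, beta):
    """Bonneau's beta-success-rate in bits, log2(beta / lambda_beta).

    Models an online attacker who gets only beta attempts per account before
    lockout, so only the most popular PINs influence the result.
    """
    return math.log2(beta / beta_success_rate(probs, beta))


def min_entropy_bits(probs):
    """H_inf = -log2(p_max): resistance to a single optimal guess."""
    return -math.log2(probs[0])


def alpha_guesswork_bits(probs, alpha):
    """Bonneau's alpha-guesswork in bits: expected guesses needed to cover a
    fraction alpha of accounts, modelling an offline attacker who keeps guessing.

    G_alpha = (1 - lambda_mu) * mu + sum_{i<=mu} i * p_i, where mu is the
    smallest guess count reaching coverage alpha; the conversion to bits is
    log2(2 * G_alpha / lambda_mu - 1) + log2(1 / (2 - lambda_mu)).
    """
    cumulative, mu = 0.0, len(probs)
    for i, p in enumerate(probs, start=1):
        cumulative += p
        if cumulative >= alpha - 1e-12:  # tolerance for floating-point sums
            mu = i
            break
    lam = sum(probs[:mu])
    guesswork = (1.0 - lam) * mu + sum(i * p for i, p in enumerate(probs[:mu], start=1))
    return math.log2(2.0 * guesswork / lam - 1.0) + math.log2(1.0 / (2.0 - lam))


def fit_zipf(probs):
    """Least-squares fit of log p_r = log C - s * log r over ranks r = 1..n.

    Returns (C, s): s near 1 is the classic Zipf curve, s near 0 is near-uniform.
    """
    if len(probs) < 2:
        raise ValueError("need at least two ranks to fit a slope")
    xs = [math.log(r) for r in range(1, len(probs) + 1)]
    ys = [math.log(p) for p in probs]
    n = len(xs)
    mean_x, mean_y = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    slope = sxy / sxx
    intercept = mean_y - slope * mean_x
    return math.exp(intercept), -slope


def report(pins, beta=3, alpha=0.5):
    """Summarise a PIN corpus the way a defender sizing a lockout policy would."""
    probs = pin_distribution(pins)
    c, s = fit_zipf(probs)
    return {
        "distinct_pins": len(probs),
        "min_entropy_bits": min_entropy_bits(probs),
        "online_bits_beta%d" % beta: online_guessing_bits(probs, beta),
        "offline_bits_alpha%.2f" % alpha: alpha_guesswork_bits(probs, alpha),
        "zipf_C": c,
        "zipf_s": s,
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_PINS).items():
        print("%s: %s" % (key, "%.3f" % value if isinstance(value, float) else value))
```

Comparing `online_guessing_bits` of a real corpus against a uniform distribution over all 10^4 (or 10^6) PINs is the check that matters for a lockout policy: the gap is exactly the security lost to popular choices, and it is what the abstract's 6.6-bit versus 7.2-bit comparison measures. Blacklisting the head of the distribution raises the online figure far more than adding digits does, because the offline figure is the one that grows with length.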

