Why You Should Use A Random PIN

There’s safety in numbers – but only if your PIN isn’t your birthday or one of 100 commonly used examples. In fact, according to research by Cambridge University, using your birthday means that there’s an 8.9% chance a stranger could guess your PIN in three attempts.

This means that if everyone was to use their birthday as a PIN (and, thankfully, only around 7% of us do), thieves would be able to get into our accounts once every 11 tries.

The researchers Joseph Bonneau, Soren Preibusch and Ross Anderson modelled the PIN information after scouring through 32 million passwords, made available after the RockYou hack in 2009, 200,000 iPhone PINs and 1,337 results from an online questionnaire about bank PINs.

The results showed that 84% of PINs for iPhone’s and banks used random or “pseudo-random” numbers. This is the safest type of PIN available, so if you’re issued a random PIN, you should really keep it.

For the non-random PINs, 23% of us use dates – with 29% using their own birthday. Romantically, 26% use their partner’s or a family member’s birthday. 9% use a pattern on the keypad and 5% use a numeric pattern such as repeated numbers.

The problem for the 29% that use their own birthday is that their bank card is usually found in their wallet, alongside information that reveals their date of birthday (such as a driver’s license). In fact, 99% of survey respondents reported keeping their bank card in their wallets along with a card that revealed their birthday.

This means, to quote Cambridge, “if an attacker knows the cardholder’s date of birth and guesses optimally, the chance of being successful is nearly 9%.” That’s pretty high!

Luckily, for the majority of us that use the randomly-generated PIN the bank issued, there’s only a 0.03% chance that the attacker will be able to guess our pin in three attempts. Phew.

I think there’s one oversight here, however – what if your random PIN is accidentally the same as one of the most-common PINs, like 1234? Then you’re back in the high-risk area of having your PIN guessed.

The guys at Cambridge suggest banks could use the following PIN blacklist to prevent the use of these predictable numbers. Until this practice is wide-spread, however, I suggest that you read the list below, and if you PIN is in it, change it!

0000, 0101-0103, 0110, 0111, 0123, 0202, 0303, 0404, 0505, 0606, 0707, 0808, 0909, 1010, 1101-1103, 1110-1112, 1123, 1201-1203, 1210-1212, 1234, 1956-2015, 2222, 2229, 2580, 3333, 4444, 5252, 5683, 6666, 7465, 7667.