Almost one in 10 people use the same four-digit PIN

How secure are 4‑digit PINs really?

  • Several comments note that the 4‑digit keyspace (10,000 combinations) overstates real security because humans choose predictable values (1234, years, birthdays, keypad patterns like 4321).
  • Attacks often don’t need your PIN, just any valid one (e.g., shared gates, car washes, calling cards), so “dictionary attacks” that try the most common PINs first are very effective.
  • Some mention that many keypads accept a code as soon as the last 4 keypresses match (no enter key), so a stream of overlapping keypresses counts as many attempts; de Bruijn sequences exploit this to cover all codes in near‑minimal keypresses.
  • Others argue 4‑digit PINs are acceptable when they’re only a second factor, backed by bank fraud detection and the difficulty of stealing the physical card.

What is the PIN in the auth model?

  • One side: card = “password” (secret you have), PIN = “username” (identifier), account number = underlying identity.
  • Opposing view: PIN behaves like a password, not a username, since many people can share the same PIN and even multiple cardholders on one account can use identical PINs.
  • Consensus leans toward the standard “something you have” (card) + “something you know” (PIN) two‑factor framing, rather than username/password analogies.

Terminology and data‑model pedantry

  • Debate over whether PINs and phone numbers are “numbers” or digit strings; the risk highlighted is developers storing such identifiers as integers and silently losing leading zeros (0123 becomes 123).
  • Others note dictionaries explicitly define “number” as any figure(s) used for identification, so identifiers containing digits or letters still count.
  • Recommendation: treat such identifiers as strings; store phone numbers in the standardized E.164 format.

Visualization and data quirks

  • Many like the ABC visualisation but criticize lack of hover labels and difficulty seeing relationships in only two spatial dimensions; some suggest gridlines or interactive versions.
  • Observations from the heatmap:
    • Strong clustering around dates (DDMM, MMDD) and birth years.
    • PINs starting with 0 and not forming dates are noticeably rarer (leading‑zero bias).
    • Some culturally meaningful numbers (e.g., 2112, 1701, 6969) are less common than expected.
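As an added example (not code from the discussion or from the ABC visualisation), the following enrollment‑time policy check turns the observations above into code: it rejects date‑like, year‑like and keypad‑pattern PINs, and it insists on string input so a leading zero survives, the data‑model point raised earlier. The year window and the small denylist are constructed assumptions, not figures from the page.

```python
import re
from datetime import date

# Constructed denylist and "plausible birth year" window; assumptions, not page data.
COMMON_PINS = {"1234", "1111", "0000", "1212", "4321", "6969", "2112", "1701"}
YEAR_LO, YEAR_HI = 1930, 2030


def is_date_like(pin: str) -> bool:
    """True for DDMM or MMDD that name a real calendar day (29/02 included)."""
    a, b = int(pin[:2]), int(pin[2:])
    for day, month in ((a, b), (b, a)):
        try:
            date(2000, month, day)  # 2000 is a leap year, so 2902 / 0229 count
            return True
        except ValueError:
            continue
    return False


def is_year_like(pin: str) -> bool:
    return YEAR_LO <= int(pin) <= YEAR_HI


def is_keypad_pattern(pin: str) -> bool:
    """Repeated digit (1111), ascending/descending run (1234, 4321), or repeated pair (1212)."""
    d = [int(c) for c in pin]
    steps = {d[i + 1] - d[i] for i in range(3)}
    return len(set(d)) == 1 or steps in ({1}, {-1}) or pin[:2] == pin[2:]


def weak_pin_reasons(pin) -> list:
    """Return why a PIN is predictable; an empty list means it passed the policy.
    The PIN must be a str: int("0123") == 123 silently drops the leading zero,
    which is exactly the integer-storage bug discussed above."""
    if not isinstance(pin, str):
        raise TypeError("PIN must be a str, never an int (leading zeros are lost)")
    if not re.fullmatch(r"[0-9]{4}", pin):
        raise ValueError("PIN must be exactly four ASCII digits")
    reasons = []
    if pin in COMMON_PINS:
        reasons.append("common")
    if is_date_like(pin):
        reasons.append("date")
    if is_year_like(pin):
        reasons.append("year")
    if is_keypad_pattern(pin):
        reasons.append("pattern")
    return reasons


def predictable_share(pins: list) -> float:
    """Fraction of a PIN sample the policy would reject (constructed input expected)."""
    return sum(1 for p in pins if weak_pin_reasons(p)) / len(pins)
```

Running `predictable_share` over a real enrollment sample (as strings) gives a quick measure of how far the population is from the uniform 10,000‑combination ideal.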

Usability, reuse, and alternatives

  • People commonly reuse the same PIN across phones, cards, and banking apps, effectively turning PINs into shared, weaker passwords.
  • Complaints about finance apps forcing 4‑digit “fast access” PINs instead of allowing strong passwords or password managers.
  • Some propose biometrics on cards; others push back that biometrics can’t be changed if compromised.