Pin Complexity

Every few months, my bank card decides it's not going to work.  Usually generic ATMs or those of other banks refuse to accept it, but this time it was an ATM belonging to the bank I'm with.  Once again, I walked inside the branch and arranged for another card to be sent to me.

In addition to ordering me another card, the customer service rep offered to link my Visa card to my savings account so I could use it to withdraw money from my main account.  I've never had problems with the Visa, so this may be a more permanent solution.  Regardless, I needed to choose a new PIN for this to work.

Here's where it gets interesting.  I was asked to type in a new four-digit PIN with various obvious restrictions such as no birth dates or other important dates, but also with no consecutive double digits.  My initial reaction was that it was an unusual requirement (given that I've had PINs with double digits assigned to me by the same bank in the past), but I didn't think much of it.  That was my initial reaction.  As I considered it more, I thought, wouldn't this would have the opposite of the desired effect?

Now my probability mathematics is a little rusty, but here goes.  There are 10,000 possible four digit PINs.  If a truly random PIN is chosen, the probability of guessing it on the first try is one in ten thousand.  Given you usually only get three tries before the machine swallows your card, the odds aren't good.  If you let people choose their own PIN with no restrictions, it could be a little easier - you'd probably try their birth date, or an anniversary or something like that.  Let's face it, people need to be able to remember this number so they'll have to choose something that relates to them.  The odds of guessing a PIN like this are a lot better.

I was asked to choose a PIN that didn't correspond to any important dates, so given that restriction, we'll make an assumption that the PIN isn't guessable.  Brute force (albeit three attempts) is really all that's left, so we're back to one in ten thousand.  But if you add a rule that says you can't have double digits, then the number of options available decreases to 7,290A person who finds my card has a better chance of guessing my PIN than if this rule didn't exist.

This seems like a case of implementing decisions that sound good without any real analysis.  Have I got this totally wrong?  Does this seem silly to anyone else?

Damo

Damian Brady

I'm an Australian developer, speaker, and author specialising in DevOps, developer process, and software architecture. I love Octopus Deploy, Visual Studio Team Services, and reducing process waste.