The Most Secure PIN Number Is 8068

Here's an interesting read from a statistician who analyzed a set of over three million stolen banking PIN codes purchased online in 2012. After analyzing the dataset, he reported his findings:

The 'Best' (least commonly used) PIN:

"In my dataset the answer is 8068 with just 25 occurrences in 3.4 million (this equates to 0.000744%, far, far fewer than random distribution would predict, and five orders of magnitude behind the most popular choice)."

The 'Worst' (most often used) PIN:

"The most popular password is 1234 with nearly 11% of the 3.4 million passwords using it. It's utterly staggering how popular this password appears to be."

His reports provides good insight on how/why people chose certain PINs they think are unique, ie:

"Statistically, one third of all codes can be guessed by trying just 61 distinct combinations!"

"Many people also asked the significance of 1004 i n the four character PIN table. This comes from Korean speakers. When spoken, "1004" is cheonsa (cheon = 1000, sa=4). "Cheonsa" also happens to be the Korean word for Angel."

There are plenty of parallels between banking PINs and those used in access control. The author's recommendation is not surprising: Use 'layers' of authentication, or multiple authentication factors:

"Bottom line: Security strengthens with layers, and the simple application of encryption on your database table can help protect your customer’s data if this table is exposed. It does not defend against all possible attacks, but it does nothing but good things.


Ironic: Announcing a specific code as being more secure will cause it to become less secure.

That 11% of people use 1234 is insane. Now, that's quite a security risk. Also, shows the importance people have for simplicity / convenience.

Ironic: Announcing a specific code as being more secure will cause it to become less secure.

Strongly disagree (in this example). In theory one would expect it actually to become more secure, because hackers try the numbers statistically most likely to work first and those least likely to work last,when running a fixed set of known keys, i.e. integers between 0 and 9999.

However, in practice it will have little effect since, if it is indeed one of the least used numbers then hackers know better than anyone what works and what doesn't, and its at the bottom of the list already.

Perhaps you are thinking that now that more people will start to use it, and therefore it will become less secure (as hackers start to see it being used more)? Although surely there would be some idiotic adoption of this secure number if it were publicized enough to reach enough consumers, that would be more than offset by the number of current 8068 holders who would now change their number away, thinking their PIN is now known.

If you are not yet convinced, then imagine you are trying to get in a door without knowing the code and you have 5 guesses. Are you really gonna try 8068?

When conducting assessments where the facility has keypad access devices, I often try entering a 4 digit code that represents recent years of birth, graduation, etc. (1970, 1971, 1972, etc...).

I find that I can usually get in after about ten tries.

..now I need to change the combination on my luggage..