Here's an interesting read from a statistician who analyzed a set of over three million stolen banking PIN codes purchased online in 2012. After analyzing the dataset, he reported his findings:
The 'Best' (least commonly used) PIN:
"In my dataset the answer is 8068 with just 25 occurrences in 3.4 million (this equates to 0.000744%, far, far fewer than random distribution would predict, and five orders of magnitude behind the most popular choice)."
The 'Worst' (most often used) PIN:
"The most popular password is 1234 with nearly 11% of the 3.4 million passwords using it. It's utterly staggering how popular this password appears to be."
His report provides good insight into how and why people choose PINs they believe are unique, e.g.:
"Statistically, one third of all codes can be guessed by trying just 61 distinct combinations!"
"Many people also asked the significance of 1004 in the four character PIN table. This comes from Korean speakers. When spoken, "1004" is cheonsa (cheon = 1000, sa=4). "Cheonsa" also happens to be the Korean word for Angel."
There are plenty of parallels between banking PINs and those used in access control. The author's recommendation is not surprising: Use 'layers' of authentication, or multiple authentication factors:
"Bottom line: Security strengthens with layers, and the simple application of encryption on your database table can help protect your customer’s data if this table is exposed. It does not defend against all possible attacks, but it does nothing but good things."
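The "one third of all codes with 61 combinations" figure quoted above is simply the cumulative share of the most popular PINs, and the same arithmetic tells a defender what a lockout threshold actually buys: with N attempts before lockout, the fraction of accounts exposed to blind guessing is the combined share of the top N PINs. The following Python is an added example, not code from the original article or from its author's analysis; the PIN frequencies in it are a small constructed toy set, not the 3.4 million real records, so the numbers it produces only mimic the skewed shape of such data. It computes that coverage figure, the number of guesses needed to reach a target share, and a selection-time policy check that rejects PINs that are too popular or follow an obvious pattern.

```python
from collections import Counter

# Constructed toy dataset of PIN observations (NOT the real 3.4 million PINs).
# Counts are invented to give a heavily skewed distribution for demonstration:
# a few very popular PINs, then a long tail of PINs seen once each.
SAMPLE_PINS = (
    ["1234"] * 110 + ["1111"] * 60 + ["0000"] * 20 + ["1212"] * 15
    + ["7777"] * 10 + ["1004"] * 5
    + [f"{i:04d}" for i in range(2000, 2780)]  # 780 distinct rare PINs, once each
)


def pin_frequencies(pins):
    """Return a Counter mapping each PIN to its number of occurrences."""
    return Counter(pins)


def guess_budget_coverage(freq, attempts):
    """Fraction of accounts covered by trying the `attempts` most common PINs.

    With a lockout after `attempts` failures, this is the share of accounts
    that a blind guesser could open without knowing anything about the user.
    """
    total = sum(freq.values())
    top = freq.most_common(attempts)
    return sum(count for _, count in top) / total


def guesses_needed_for(freq, target_share):
    """Smallest k such that the k most common PINs cover at least target_share."""
    total = sum(freq.values())
    running = 0
    for k, (_, count) in enumerate(freq.most_common(), start=1):
        running += count
        if running / total >= target_share:
            return k
    return len(freq)  # target unreachable; every distinct PIN needed


def pin_weakness(pin, freq, max_share=0.005):
    """Policy check at PIN-selection time.

    Returns None if the PIN is acceptable, otherwise a short reason string.
    `max_share` is an assumed threshold: PINs used by more than that fraction
    of accounts in the reference frequency table are rejected.
    """
    if not (len(pin) == 4 and pin.isdigit()):
        return "must be exactly four digits"
    total = sum(freq.values())
    if freq[pin] / total > max_share:  # Counter returns 0 for unseen PINs
        return "too common"
    if len(set(pin)) == 1:
        return "repeated digit"
    if pin[:2] == pin[2:]:
        return "repeated pair"
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {-1}):
        return "sequential digits"
    return None


if __name__ == "__main__":
    freq = pin_frequencies(SAMPLE_PINS)
    for n in (1, 3, 5):
        print(f"top {n} PINs cover {guess_budget_coverage(freq, n):.1%} of accounts")
    print("guesses to reach 21% coverage:", guesses_needed_for(freq, 0.21))
    for candidate in ("1234", "3456", "2020", "9999", "8068"):
        print(candidate, "->", pin_weakness(candidate, freq) or "acceptable")
```

Note that `guess_budget_coverage` is what turns a lockout setting into a risk number: a three-attempt lockout limits a guesser to the combined share of the three most popular PINs, which in the real data is far above the 3/10000 that a uniform distribution would give. The popularity check in `pin_weakness` should be backed by a frequency table derived from a source like the article's dataset, kept separate from the users' own hashed or encrypted PINs.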