• Corpus ID: 3846612

Measuring Human-Chosen PINs: Characteristics, Distribution and Security

@inproceedings{Wang2015MeasuringHP,
  title={Measuring Human-Chosen PINs: Characteristics, Distribution and Security},
  author={Ding Wang},
  year={2015}
}
Personal Identification Numbers (PINs) are ubiquitously used in computer systems where user input interfaces are constrained, such as ATMs, POS terminals, electronic doors and mobile devices. Yet, so far little attention has been paid to this important kind of authentication credentials, especially for 6-digit PINs which dominate in Asian countries and are gaining popularity worldwide. Unsurprisingly, many fundamental questions (e.g., what’s the distribution that human-chosen PINs follow… 

References

A Birthday Present Every Eleven Wallets? The Security of Customer-Chosen Banking PINs
TLDR
It is found that guessing PINs based on the victims’ birthday will enable a competent thief to gain use of an ATM card once for every 11–18 stolen wallets, depending on whether banks prohibit weak PINs such as 1234.
Analysis of dictionary methods for PIN selection
Your Password is Your New PIN
TLDR
This chapter will describe a method of deriving new PINs from existing passwords, useful for obtaining friction-free user onboarding to mobile platforms, and describes real-life password distributions to quantify exactly how much information about the passwords the derived PINs contain and how much information is lost during the derivation.
Of passwords and people: measuring the effect of password-composition policies
TLDR
A large-scale study investigates password strength, user behavior, and user sentiment across four password-composition policies, and describes the predictability of passwords by calculating their entropy, finding that a number of commonly held beliefs about password composition and strength are inaccurate.
Zipf’s Law in Passwords
TLDR
This paper proposes two Zipf-like models (i.e., PDF-Zipf and CDF-Zipf) to characterize the distribution of passwords and suggests a new metric for measuring the strength of password data sets.
Fast dictionary attacks on passwords using time-space tradeoff
TLDR
It is demonstrated that as long as passwords remain human-memorable, they are vulnerable to "smart-dictionary" attacks even when the space of potential passwords is large, calling into question the viability of human-memorable character-sequence passwords as an authentication mechanism.
Measuring password guessability for an entire university
TLDR
This work studies the single-sign-on passwords used by over 25,000 faculty, staff, and students at a research university with a complex password policy to find significant correlations between a number of demographic and behavioral factors and password strength.
Testing metrics for password creation policies by attacking large sets of revealed passwords
TLDR
This paper attempts to determine the effectiveness of using entropy, as defined in NIST SP800-63, as a measurement of the security provided by various password creation policies, by modeling the success rate of current password cracking techniques against real user passwords.
Investigating the distribution of password choices
TLDR
This work uses password lists from four different web sites to investigate if Zipf's law is a good description of the frequency with which passwords are chosen, and shows how to stochastically shape the distribution of passwords, by occasionally asking users to choose a different password.
The usability of passphrases for authentication: An empirical field study