Understanding Human-Chosen PINs: Characteristics, Distribution and Security

@article{Wang2017UnderstandingHP,
  title={Understanding Human-Chosen PINs: Characteristics, Distribution and Security},
  author={Ding Wang and Qianchen Gu and Xinyi Huang and Ping Wang},
  journal={Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security},
  year={2017}
}
  • Ding Wang, Qianchen Gu, Xinyi Huang, Ping Wang
  • Published 2 April 2017
  • Computer Science
  • Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security
Personal Identification Numbers (PINs) are ubiquitously used in embedded computing systems where user input interfaces are constrained. Yet, little attention has been paid to this important kind of authentication credentials, especially for 6-digit PINs which dominate in Asian countries and are gaining popularity worldwide. Unsurprisingly, many fundamental questions (e.g., what's the distribution that human-chosen PINs follow?) remain as intact as about fifty years ago when they first arose. In…
On the Security of Smartphone Unlock PINs
This article provides the first comprehensive study of user-chosen four- and six-digit PINs collected on smartphones with participants being explicitly primed for device unlocking, and recommends that for four-digit PINs a blocklist should contain the 1,000 most popular PINs to provide the best balance between usability and security, and for six-digit PINs the 2,000 most popular PINs should be blocked.
Your PIN Sounds Good! On The Feasibility of PIN Inference Through Audio Leakage
An attack based on the extraction of inter-keystroke timing from the feedback sound when users type their PINs is proposed, showing that combining the inter-keystroke timing with other information drastically reduces attempts to guess a PIN, outperforming random guessing.
This PIN Can Be Easily Guessed
This paper provides the first comprehensive study of user-chosen 4- and 6-digit PINs collected on smartphones with participants being explicitly primed for the situation of device unlocking, and suggests that a blacklist at about 10% of the PIN space may provide the best balance between usability and security.
A Quest for Inspiration: How Users Create and Reuse PINs
Personal Identification Numbers (PINs), required to authenticate on a multitude of devices, are ubiquitous nowadays. To increase the security and safety of their assets, users are advised to create…
Your PIN Sounds Good! Augmentation of PIN Guessing Strategies via Audio Leakage
Results show that inter-keystroke timings can be extracted from audio feedback far more accurately than from previously explored sources, and this increase in accuracy translated to a meaningful increase in guessing performance.
An Improved PIN Input Method for the Visually Impaired
  • N. Caporusso
  • Computer Science
  • 2021 44th International Convention on Information, Communication and Electronic Technology (MIPRO)
  • 2021
A new method for improving the trade-off between security and accessibility in PIN-based authentication systems is introduced, and the results of an evaluation study are discussed that demonstrate the advantages of the solution compared to state-of-the-art systems.
Two-Thumbs-Up: Physical protection for PIN entry secure against recording attacks
The proposed “Two-Thumbs-Up” (TTU) scheme is resilient against observation attacks such as shoulder-surfing and camera recording, and guides users to protect their PIN information from eavesdropping by shielding the challenge area on the touch screen.
Double Patterns: A Usable Solution to Increase the Security of Android Unlock Patterns
Double Patterns (DPatts), a natural advancement on Android unlock patterns that maintains the core design but, instead of selecting a single pattern, has a user select two patterns entered one after the other superimposed on the same 3x3 grid, is proposed.
On Smartphone Users’ Difficulty with Understanding Implicit Authentication
Evaluating how Android's Smart Lock (SL), the first widely deployed implicit authentication (IA) solution on smartphones, is understood by its users suggests that users often have difficulty understanding SL semantics, leaving them unable to judge when their phone would be (un)locked.
"I have no idea what they're trying to accomplish:" Enthusiastic and Casual Signal Users' Understanding of Signal PINs
Better communication about the purpose of the Signal PIN could help more casual users understand the features PINs enable (such as that it is not simply a personal identification number) and encourage a stronger security posture.

References

SHOWING 1-10 OF 54 REFERENCES
Understanding Passwords of Chinese Users: Characteristics, Security and Implications
This work begins a systematic study into the fundamental properties that characterize passwords of Chinese users, the largest Internet population in the world, and reveals a “reversal principle”: when the guess number allowed is small, Chinese web passwords are much weaker than their English counterparts, yet this relationship is reversed when the guess number is large.
Analysis and Improvement of a PIN-Entry Method Resilient to Shoulder-Surfing and Recording Attacks
The analysis, which takes both experimental and theoretical approaches, reveals multiple serious shortcomings of the previous method, including round redundancy, unbalanced key presses, highly frequent system errors, and insufficient resilience to recording attacks; these findings are used to improve the black-and-white PIN entry scheme.
Analysis of dictionary methods for PIN selection
This work evaluates several dictionary-based methods of choosing the PIN and uses entropy, covering of the PIN space, guesswork, marginal guesswork, and marginal success rate metrics to assess their resistance to guessing attacks.
Quantifying the security of graphical passwords: the case of android unlock patterns
This paper systematically improves the security of the Android Unlock Pattern by finding a small but still effective change in the pattern layout that makes graphical user logins substantially more secure.
A Birthday Present Every Eleven Wallets? The Security of Customer-Chosen Banking PINs
It is found that guessing PINs based on the victims’ birthday will enable a competent thief to gain use of an ATM card once for every 11–18 stolen wallets, depending on whether banks prohibit weak PINs such as 1234.
From Very Weak to Very Strong: Analyzing Password-Strength Meters
Light is shed on how the server end of some meters functions; examples of highly inconsistent strength outcomes for the same password in different meters are provided, and examples of many weak passwords being labeled as strong or even very strong show how meters may confuse users in choosing a stronger password.
Zipf’s Law in Passwords
This paper proposes two Zipf-like models (i.e., PDF-Zipf and CDF-Zipf) to characterize the distribution of passwords and suggests a new metric for measuring the strength of password data sets.
Your Password is Your New PIN
This chapter describes a method of deriving new PINs from existing passwords, useful for obtaining friction-free user onboarding to mobile platforms, and uses real-life password distributions to quantify exactly how much information about the passwords the derived PINs contain, and how much information is lost during the derivation.
Do Strong Web Passwords Accomplish Anything?
It is found that relatively weak passwords, about 20 bits or so, are sufficient to make brute-force attacks on a single account unrealistic so long as a "three strikes" type rule is in place.
On the Implications of Zipf's Law in Passwords
Researchers recently revealed that user-chosen passwords generally follow Zipf’s law, a distribution which is vastly different from the uniform one.