A German-American team of IT security researchers has investigated how users choose the PIN for their mobile phones and how they can be convinced to use a more secure number combination. They found that six-digit PINs actually provide little more security than four-digit ones. They also showed that the blacklist used by Apple to prevent particularly frequent PINs could be optimised and that it would make even greater sense to implement one on Android devices.
Philipp Markert, Daniel Bailey, and Professor Markus Dürmuth from the Horst Görtz Institute for IT Security at Ruhr-Universität Bochum conducted the study jointly with Dr. Maximilian Golla from the Max Planck Institute for Security and Privacy in Bochum and Professor Adam Aviv from the George Washington University in the USA. The researchers will present the results at the IEEE Symposium on Security and Privacy in San Francisco in May 2020. A preprint of the paper can be found online.
Extensive user study
In the study, the researchers had users on Apple and Android devices set either four- or six-digit PINs and later analysed how easy they were to guess. In doing so, they assumed that the attacker did not know the victim and did not care whose mobile phone was unlocked. Under that assumption, the best attack strategy is to try the most likely PINs first.
Some of the study participants could choose their PIN freely. Others could only choose PINs that were not included in a blacklist. If they tried to use one of the blacklisted PINs, they received a warning that this combination of digits was easy to guess.
In the experiment, the IT security experts used various blacklists, including the real one from Apple, which they obtained by having a computer test all possible PIN combinations on an iPhone. Moreover, they also created their own more or less comprehensive blacklists.
Six-digit PINs not more secure than four-digit ones
It emerged that six-digit PINs do not provide more security than four-digit ones. “Mathematically speaking, there is a huge difference, of course,” says Philipp Markert. A four-digit PIN can be used to create 10,000 different combinations, while a six-digit PIN can be used to create one million. “However, users prefer certain combinations; some PINs are used more frequently, for example, 123456 and 654321,” explains Philipp Markert. This means users do not take advantage of the full potential of the six-digit codes. “It seems that users currently do not understand intuitively what it is that makes a six-digit PIN secure,” supposes Markus Dürmuth.
A prudently chosen four-digit PIN is secure enough, mainly because manufacturers limit the number of attempts to enter a PIN. Apple locks the device completely after ten incorrect entries. On an Android smartphone, different codes cannot be entered one after the other in quick succession. “In eleven hours, 100 number combinations can be tested,” points out Philipp Markert.
Blacklists can be useful
The researchers found 274 number combinations on Apple’s blacklist for four-digit PINs. “Since users only have ten attempts to guess the PIN on the iPhone anyway, the blacklist does not make it any more secure,” concludes Maximilian Golla. According to the researchers, the blacklist would make more sense on Android devices, as attackers can try out more PINs there.
The study has shown that the ideal blacklist for four-digit PINs would have to contain about 1,000 entries and differ slightly from the list currently used by Apple. The most common four-digit PINs, according to the study, are 1234, 0000, 2580 (the digits appear vertically below each other on the numeric keypad), 1111 and 5555.
On the iPhone, users have the option to ignore the warning that they have entered a frequently used PIN. The device therefore does not consistently prevent blacklisted PINs from being selected. For the purpose of their study, the IT security experts also examined this aspect more closely. Some of the test participants who had entered a PIN from the blacklist were allowed to choose whether or not to enter a new PIN after the warning. The others had to set a new PIN that was not on the list. On average, the PINs of both groups were equally difficult to guess.
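The attacker model in the study description, the attempt limits (ten on the iPhone, roughly 100 in eleven hours on Android) and the two blacklist variants (enforced, or a warning the user may ignore) can be put together in a small defender-side model. The following is an added example, not the researchers' code or data: the PIN distribution is constructed (only the five most common PINs are the ones named above), and the assumption that warned users re-pick with the same relative preferences as everyone else is mine, not the study's.

```python
from collections import Counter

NAMED_TOP_PINS = ("1234", "0000", "2580", "1111", "5555")   # named in the article


def constructed_population() -> Counter:
    """Constructed 1,000-user distribution (not the study's data): the five PINs
    the article names get the largest shares, followed by a tail of declining
    popularity, so that budgets of 10 and 100 guesses give different results."""
    dist = Counter(dict(zip(NAMED_TOP_PINS, (90, 30, 15, 14, 12))))   # 161 users
    filler = (f"{i:04d}" for i in range(1, 385))       # 0001..0384, no overlap
    for count, n_pins in ((20, 5), (5, 90), (1, 289)):  # 100 + 450 + 289 users
        for _ in range(n_pins):
            dist[next(filler)] += count
    return dist


def guess_success(dist: Counter, budget: int) -> float:
    """Share of users compromised by an attacker who does not know the victim
    and tries the `budget` most frequent PINs in order of popularity."""
    top = sorted(dist.values(), reverse=True)[:budget]
    return sum(top) / sum(dist.values())


def apply_blacklist(dist: Counter, blacklist: set, comply: float = 1.0) -> Counter:
    """Distribution after a blacklist warning.  `comply` is the share of warned
    users who actually pick a new PIN (1.0 = enforced list, <1.0 = ignorable
    warning as on the iPhone).  Assumption, not from the article: re-pickers
    choose among the allowed PINs with the same relative preferences as everyone
    else, i.e. the allowed part of the distribution is scaled up."""
    blocked = {p: c for p, c in dist.items() if p in blacklist}
    allowed = {p: c for p, c in dist.items() if p not in blacklist}
    moved = comply * sum(blocked.values())
    scale = (sum(allowed.values()) + moved) / sum(allowed.values())
    result = Counter({p: c * scale for p, c in allowed.items()})
    result.update({p: c * (1 - comply) for p, c in blocked.items()})
    return +result   # drop PINs whose remaining share is zero


if __name__ == "__main__":
    pop = constructed_population()
    for comply in (1.0, 0.5):
        hardened = apply_blacklist(pop, set(NAMED_TOP_PINS), comply)
        for budget in (10, 100):
            print(f"comply={comply:.0%} budget={budget:>3}: "
                  f"{guess_success(pop, budget):.1%} without list, "
                  f"{guess_success(hardened, budget):.1%} with it")
```

Swapping in a real PIN frequency table and a device's actual attempt limit gives the same metric the study reports, the fraction of users an untargeted attacker can unlock within the limit.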