Security researchers Philipp Markert, Daniel V. Bailey, Maximilian Golla, Markus Dürmuth and Adam J. Aviv studied in their study, how users choose PIN codes for their mobile devices and how they can be persuaded to use a safer combination of numbers. As it turned out, using 6-digit PIN-codes is not much more effective than 4-digit ones.
In the experiment, users of Apple and Android devices were instructed to set four- or six-digit PIN codes. Some participants were free to choose a PIN, while others were only allowed to choose combinations that were not blacklisted. If they tried to use one of the prohibited combinations, they received a corresponding warning.
The specialists used various blacklists, including the ones that they extracted from the iPhone as a result of another experiment. As it turns out, six-digit PIN codes do not provide much more security than four-digit ones.
“From a mathematical point of view, of course, there is a huge difference. A four-digit PIN can be used to create 10,000 different combinations, and a six-digit PIN to create 1 million. However, users prefer certain sets of numbers and use them much more often, for example, 123456 and 654321, ”the experts explained.
As noted by the researchers, the "ideal" PIN blacklist should contain about 1,000 entries and slightly different from Apple's list. The most common four-digit PIN codes were 1234, 0000, 2580, 1111, 5555, 5683, 0852, 2222, 1212 and 1998, and the six-digit PIN codes were 123456, 654321, 111111, 000000, 123123, 666666, 121212, 112233, 789456 and 159753.
The experts intend to present the results of their research at the IEEE Symposium on Security & Privacy conference in San Francisco (USA) in May 2021.
