I’m the least mathey person I know. My bio will attest to that – my skills are terrible but my curiousity is high. There’s a certain magic to numbers that I get a glimpse of every now again when I manage to win a struggle with them and it’s compelling to me. Math is a representation of data and while me and Math don’t along very well, me and Data are best bros. I spend my days mucking about in log files on other people’s systems looking for reasons, root causes, and footprints. The trails become clear once you tame the data and turn thousands of unruly log lines into succint sorted output. These same techniques are used by good guys and bad guys alike and from them we learn that some things are truly hard. We also learn that some things only look hard, but really aren’t.
Four digit numbers crop up repeatedly in our society. In the late 1990’s I had a TD bank account and my bank card had a 6-digit PIN. That did not last long because the international consortium of bankey people standardized on 4-digits for PINS which is too bad because that exponentially decreased the security of my PIN. Overnight the odds of guessing my PIN plummeted from 1 in 1,000,000 to 1 in 10,000. But, hey, the bankey heads know what they’re doing, right? But I digress…
I’m not sure how we landed on 4 digits, but that frequency turns up all over the place. My bank card PIN is 4-digits, my credit card PINs are 4 digits, even my front door lock is 4 digits. That begs the question: how long would it take to guess the code to open my front door? Let’s ask math.
Straight up, the odds of guessing a 4-digit number is 1 in 10,000. You can figure this out by the following formula: The numer of digits raised to the power of the allowed values for one digit. So, since each digit of a bank PIN can be 0 through 9 there are 10 allowed values. 10x10x10x10 = 10,000.
The idea of cracking PINs is almost academic because you would also need the physical card which drastically increases the difficulty of a successful attack. But, my front door is just 4-digits; no other number, no card, no nothing. And it’s just hanging out there on the street for anyone to play with. So how long would it take for someone to get in?
I’m not going to tell you the model of my door lock because obscurity is a valid security layer, but my testing has shown that after 5 incorrect attempts it times out for about 20 seconds and there seems to be no limit to the amount of times I can trigger that delay. It takes me about 2 seconds to enter a 4-digit combination and get a response from the device. So, 2*5+20=30 seconds. I can therefore try 10 combinations per minute. That means that even for the most terribly unlucky bad guy who managed to pick every other pin but mine 9,999 times it would take less than 17 hours to get into my house. OK, I hear you…you can’t hang around someone’s front door for 17 hours without someone noticing right? Depends on your neighbourhood, I guess. It’s definitely quicker to break the window 2 inches above my lock and open it from the inside.
Almost nobody is that unlucky. If the basic bad guy tactic was to start at 0000 and work his way to 9999, everyone would pick 9999 as their code. While that sounds silly, the truth is really not that far away from it and there are some numbers that are used much more often than others. Data Genetics has done a really interesting analysis on dumped stolen passwords. They extracted all passwords that were exactly 4 digits long and postulate that those are likely re-used as PINs. I agree with that postulation for reasons which make a great story over a beer, but not something I’m going to publicly post on the Internet.
The resulting dataset was 3.4 million PIN numbers. Almost half the countries in the world have a total population less than that.
So, what did they learn that is useful for breaking into my front door? The most obvious stuff is that 18% of the PINs were either 1234, 1111, or 0000. I’m going to discount those because I like to think that people picking such weak PINs are aware that in order for a bad guy to use them successfully they’d also have to physically steal or scan their card which significantly increases the difficulty of the attack. Since my front door lock needs no secondary item such as a card, it would be patently insane to pick one of those as a code, but for the sake of argument let’s see how long it would take to break into my house using the sequential 0000 -> 9999 attack model.
- 0000 -> 2 seconds. (first try)
- 1111 -> 74 minutes (1111/5*20/60)
- 1234 -> 82 minutes (1234/5*20/60)
It’s a lot easier to hang around outside my house for an hour than it is for 17 hours. But these codes are pretty unlikely for a front door code. The more likely ones are deeper in the report. This is the statistic that really resonates with me:
Every single 19?? combination can be found in the top fifth of the dataset!
This reeks of birth years. The penchant to pick birth years as a password or a part of a password is very obvious to me. I work in IT security and I see a lot of passwords every day and there are a lot of 19’s in those passwords. Since it’s just 2016 now, I don’t think it is too far a stretch to assume that most people picking PINs these days were born in the 1900s. Assuming 19 to be the first two digits of any PIN puts my chances of being correct in the 80% range so I just have to run through a paltry 99 numbers to check all 19xx combinations. How long would that take?
- 00-99 -> 7 minutes (99/5*20/60)
The final insult to dates is that there is a subset of people who use dates as PINs, but they don’t use years. Explaining one of the graphs in the post:
[T]here is a huge contrast change at the height of around 30-31 (the number of days in a month), extending to 12 on the x-axis
They use month/day combinations. That’s also a very finite number of options because there are only 12 months and only a maximum of 31 days in any month. We all know that even in leap years there are only 366 days in a year. If my door code was a month/day combination, how long would it take to get into my house?
- 365 -> 24 minutes (366/5*20/60)
My hope is that while you were reading this you were thinking of your own PINs and other codes that you have in your life and if you’ve said “Crap! That’s me!” and now you’ll now go change that code. But if you’re stubborn or stupid, here’s the takeaway. Do not use a a 4-digit code anywhere that use dates in any form. That’s simple, right?