How to Choose a PIN

I’ve written often about the importance of choosing strong passwords. But most physical devices are protected with short PIN (personal identification number) codes. How do you pick a good one? Let’s figure out how to choose a PIN.


How NOT to Choose a PIN

It’s probably best to start with how not to choose a PIN code. The number one rule for choosing a PIN code or password is to make it unguessable. Notice that I didn’t say “long” or (in the case of passwords) “composed of different types of characters”. Those can be very important. But a long password with mixed characters that’s easy to guess is worthless. For example, “TaylorSwift1989!!” is long and checks all the usual “password strength” boxes. But if I know you’re a huge T.Swizzle fan, I could guess your password pretty quickly.

As humans, we gravitate towards patterns – things that make some sort of sense to our brains. A common technique for remembering seemingly disjoint words or objects is to construct some sort of mnemonic device to give them a structure or scheme, like a memory palace. And so, when we are left to our own devices, we tend to choose PIN codes and passwords that are easy for us to remember – something that has meaning for us or conforms to a pattern that we like. But this also makes these PIN codes and passwords much, much easier to guess.

Visualizing PIN Code Patterns

This whole article was inspired by the photo below. I’ve actually redacted the annotations because I want you to try to guess where the patterns come from before I tell you. But let me first explain how this chart was made. (A much longer analysis and more interesting charts can be found on the original site here.) This researcher took several data breaches and searched for 4-digit PIN codes in the data. They found 3.4 million codes and charted the popularity of the codes using a heat map. They split the four digits into two parts: the first pair of digits and the second pair. These pairs are then plotted on a 100×100 grid, with the brightness of each cell representing how common that PIN code was in the data set – bright yellow being most popular, black being least.

[Figure: heat map of 4-digit PIN code popularity from the breach data, first pair of digits vs. second pair, annotations redacted. See original here.]

The most obvious feature of this image is the diagonal line from lower left to upper right. That corresponds to all the PIN codes with repeated pairs of numbers, including codes like 0000, 1111, 2222 but also 0101, 3434, 9292 and so on. Very simple XXXX or XYXY patterns. But there’s also a bright line at the last half of the “19” row and a little at the beginning of the “20” row. What’s a very common four-digit number? A modern year. What would be a popular year choice? A birth year. They would start with 19 for most of us, and 20 for the rest of us. You’ll also see a rectangular area at the lower left that is pretty bright. These would correspond to calendar months and days, mostly in MM/DD format. Months range from 01 to 12, and days of the month range from 01 to 31. You can also see some other popular values called out, 1234 and 4321, which are sequential patterns.

Think Like an Attacker

Okay, so this is interesting – but how does this help you choose a PIN code? Let’s look at the raw data a little closer. (Again, full details here.) First of all, out of 10,000 possible combinations of four digits, in this data set, fully 10.7% of all 3.4 million PIN codes were 1234! 1111 accounted for the next 6%. If you guessed the top 20 PIN codes from this list, you’d have a 27% chance of breaking the code.

But if I were targeting you specifically, I could go further. For example, I could check your social media accounts or use open source intelligence (OSINT) to figure out your birthday, your anniversary, and your kid’s birthday. I might also look up your phone numbers and addresses (past and present), which are other common sources of numerical values. And if you used any of this information to create your PIN codes, then I might be able to get into your ATM account, your garage, your smartphone, or your smart door lock. (I could use these same techniques to guess your passwords, too.)

Now, you have to also consider your threat model here. In most cases, PIN codes are used on physical devices – meaning the attacker would need to steal your phone or your ATM card, or come to your house. But if I’m targeting you specifically, I may very well live near you.

Choosing a Good PIN

So, given all of this, how do you maximize the security of devices that are locked with a PIN code? The main rule is to avoid values that follow simple patterns or that someone would associate with you or those close to you. Again, you want to avoid any PIN code that would be easy to guess. For keypads that have alpha characters associated with the digits (like phones or ATMs), you could perhaps think of four letters instead of four digits. However, this also limits your digits to 2-9, since 0 and 1 don’t have letters on these keypads. You could try using a phone number or zip code that you can easily remember that’s not your own. Or just suck it up and memorize some random digits. Use random.org to generate a truly random number. You can write the code down somewhere safe and/or store it as a secure note in your password manager. (Don’t use your Social Security Number – it’s not nearly as secret as it should be.)
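As an added example (not part of the original post), here is a small checker that flags exactly the guessable patterns the heat map revealed (repeated digits and pairs, 19xx/20xx years, MMDD or DDMM dates, 1234-style runs) plus any personal numbers you supply, and a generator that uses the operating system's randomness to produce a PIN with none of those features. The `personal` tuple (birthdays, phone numbers, zip codes) is an assumed input you provide about yourself.

```python
import secrets

# Added example, not the post's own code. The pattern list mirrors the
# article's reading of the breach-data heat map: the XXXX/XYXY diagonal,
# the 19/20 year rows, the MM/DD rectangle, and sequential runs.

def _looks_like_date(pair_a: str, pair_b: str) -> bool:
    """True when the two digit pairs read as MMDD or DDMM."""
    a, b = int(pair_a), int(pair_b)
    return (1 <= a <= 12 and 1 <= b <= 31) or (1 <= a <= 31 and 1 <= b <= 12)

def pin_weaknesses(pin: str, personal: tuple[str, ...] = ()) -> list[str]:
    """Return the reasons a candidate PIN is guessable; an empty list means none found.

    `personal` holds numbers an attacker could learn about you via OSINT
    (birth year, phone number, street number, zip code), as digit strings.
    """
    if not pin.isdigit() or len(pin) < 4:
        return ["not a PIN of at least four digits"]
    reasons: list[str] = []
    digits = [int(d) for d in pin]
    pairs = [pin[i:i + 2] for i in range(0, len(pin) - 1, 2)]
    if len(set(pin)) == 1:
        reasons.append("single repeated digit (XXXX)")
    elif len(pin) % 2 == 0 and len(set(pairs)) == 1:
        reasons.append("repeated pair (XYXY)")
    # Every adjacent step is +1 or every step is -1: 1234, 4321, 345678 ...
    if {b - a for a, b in zip(digits, digits[1:])} in ({1}, {-1}):
        reasons.append("sequential run (1234 / 4321 style)")
    windows = [pin[i:i + 4] for i in range(len(pin) - 3)]  # every 4-digit slice
    if any(w[:2] in ("19", "20") for w in windows):
        reasons.append("contains a 19xx / 20xx year")
    if any(_looks_like_date(w[:2], w[2:]) for w in windows):
        reasons.append("contains an MMDD or DDMM date")
    if any(pin in value or value in pin for value in personal):
        reasons.append("overlaps a personal number (birthday, phone, address, zip)")
    return reasons

def random_pin(length: int = 6) -> str:
    """Draw uniformly random digits (secrets module, not random) and retry
    until the checker above finds nothing to flag."""
    while True:
        pin = "".join(str(secrets.randbelow(10)) for _ in range(length))
        if not pin_weaknesses(pin):
            return pin

if __name__ == "__main__":
    for candidate in ("1234", "1987", "0314", "5829"):
        print(candidate, pin_weaknesses(candidate, personal=("5551234567",)))
    print("random:", random_pin(6))
```

Rejecting the patterned values removes only a small slice of the 6-digit keyspace; the point is that the result has none of the features attackers try first.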

Note: if you can increase the PIN code length, you should do so. Most smartphones today require at least a 6-digit PIN, but you may have an older phone or you may have manually set the PIN code length to 4 digits. You can also use an alphanumeric PIN. However, since attacking a smartphone requires physical access and the phone will lock you out after too many bad guesses, 6 digits are enough for most people (as long as the code isn’t easy to guess). Get help here: iPhone, Android.

One more thing: if you’re using a physical keypad like the one at the top of this article, consider changing your PIN code periodically. Look at that picture for just a second and you’ll understand why.
