Passwords and PINs: the worst choices

 

At a time when password breaches like the one at LinkedIn are once more making the news, there's plenty of good advice around about how to select a strong password as opposed to the sort of stereotyped easy-to-remember-but-stupendously-easy-to-guess password that turns up again and again in dumped lists of hacked passwords. So if your favourite, much-used password (or something very like it) is in the following list, it might be a good idea to stop reading this now, go to the link on how to select a strong password and use it as a basis for changing all your passwords to something safer (then come back and think about the PINs you use). The list is abstracted from one compiled by Mark Burnett, representing the most-used passwords in a data set of around 6 million:

1. password
2. 123456
3. 12345678
4. 1234
5. qwerty
6. 12345
7. dragon
8. pussy
9. baseball
10. football
11. letmein
12. monkey
13. 696969
14. abc123
15. mustang
16. michael
17. shadow
18. master
19. jennifer
20. 111111
21. 2000
22. jordan
23. superman
24. harley
25. 1234567

I've included the top 25 because it amused me to see my own name at number 24. I suspect, though, that has more to do with motorcycles than my own superstar status. ;-)
However, it's worth remembering that even the humble all-digit PIN (Personal Identification Number) has its issues with selecting a string of digits that isn't too easy to guess, Think about the number of times you might use a short PIN (four or even three digits) in your daily life:

•  ATM/Cashpoint keypad
• Chip & PIN Scanner
• Digital locks with keypads
• Handheld authentication devices like an RSA or Digipass token, or a software implementation on a mobile device: authentication via laptops, netbooks tablets and smartphones

 In some contexts, a thief would get very little chance to try guessing your PIN: for instance, some ATMs will actually decline to return your card after three incorrect PIN entries. In other contexts, however, the thief gets a lot more chances. I originally discussed a data set of common PINs compiled by Daniel Amitay in a Virus Bulletin article called Hearing a PIN drop, published last year. And at this year's EICAR conference I presented a paper on the strategies people use to choose and memorize PINs: PIN Holes: Passcode Selection Strategies, especially four-digit PINs. The Amitay data set is quite a lot smaller (204,508), but still large enough to give us a reasonable idea of the most commonly-used PINs, and to speculate about the ways in which they were chosen. Here's the top 25 from those data:

1. 1234
2. 0000
3. 2580
4. 1111
5. 5555
6. 5683
7. 0852
8. 2222
9. 1212
10. 1998
11. 6969
12. 1379
13. 1997
14. 2468
15. 9999
16. 7777
17. 1996
18. 2011
19. 3333
20. 1999
21. 8888
22. 1995
23. 2525
24. 1590
25. 1235

 You can probably make an educated guess already at the strategies behind many of these choices of PIN, and the paper makes some explicit suggestions. (I'll be coming back to that topic in an upcoming blog series.) But you might in any case want to check the list simply to see if your favourite PIN is in there. If it is, change it:  it turns out that the top ten choices accounted for 15% of Amitay’s sample set, which means that if a thief has ten opportunities to guess the PIN for a stolen card or device, he has a pretty good chance of getting it right.