These Are the 20 PINs You Should Stop Using on Your Smartphone Today

IT security researchers at Ruhr-Universität Bochum, the Max Planck Institute for Security and Privacy, and The George Washington University joined forces to study how well Android and Apple users protect their smartphones when setting up PINs. The findings were published in April 2020 in the study This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs, and they are quite interesting. For one, the researchers showed that 6-digit PINs are not automatically stronger than 4-digit PINs; under the guess limits that phones actually enforce, 6-digit PINs were in some cases weaker and were guessed sooner. Unfortunately, a strong smartphone PIN is often an afterthought. Most people set up whatever comes to mind first when configuring a new device, intending to come back later and choose something stronger, and of course they rarely do. Everyone should take the time to set a strong PIN.

This PIN Can Be Easily Guessed, they said

Philipp Markert, Daniel V. Bailey, Maximilian Golla, Markus Dürmuth, and Adam J. Aviv are the researchers behind the study. They set out to learn how quickly an attacker could guess the PINs that Android and Apple users actually choose. They also obtained PIN blocklists, including the one iOS uses to warn about weak PINs, to measure how much such lists help: some participants chose their PIN freely, while others were shown a blocklist and had to pick a PIN that was not on it. The conclusion was that 6-digit PINs were not superior to 4-digit PINs and that, in some cases, they were even weaker, because people concentrate on a few popular choices either way. A PIN such as 123456 is just as weak as 1234, and both are far weaker than a 4-digit PIN that is rarely chosen. According to Forbes, these are the ten most popular 4-digit and the ten most popular 6-digit PINs found in the study, shown here in numeric order rather than by popularity. Because they are so popular, they are also incredibly weak.

4-digit smartphone PINs you must stop using today:

  • 0000
  • 0852
  • 1111
  • 1212
  • 1234
  • 1998
  • 2222
  • 2580
  • 5555
  • 5683

6-digit smartphone PINs you must stop using today:

  • 000000
  • 111111
  • 112233
  • 121212
  • 123123
  • 123456
  • 159753
  • 654321
  • 666666
  • 789456

Most of these are not random at all: 2580 and 0852 run down and up the middle column of the keypad, 159753 traces its two diagonals, 789456 walks along two rows, 5683 spells LOVE on a phone keypad, and 1998 is a birth year. Although four digits offer 10,000 combinations and six digits 1,000,000, the size of that space barely matters, because the phone's lockout policy, not the keyspace, decides how many guesses an attacker gets. The researchers from Germany and the US modelled exactly that: within about 1.5 hours (the window that the lockout delays leave for the permitted guesses), an attacker can recover 4.6% of 4-digit PINs and 6.5% of 6-digit PINs under iOS's limits, and 13.6% and 11.7% respectively under Android's, which permit more attempts in the same time. Needless to say, the attacker tries the most common PINs first, so the users of those PINs are the ones who fall within the budget.

Attackers have always been inventive about how they recover PIN codes. In 2017, researchers from Nanyang Technological University in Singapore showed that a smartphone PIN can be inferred from the sensor data that a malicious app on the device can collect from its accelerometer, gyroscope, proximity sensor, and similar components, because tilting and tapping the phone to reach each key leaves a measurable signature. The researchers guessed the correct PIN with 99.5% accuracy within three tries, but only for PINs taken from the list of the 50 most common ones. They trained machine learning and deep learning models on the sensor traces, the same kind of tooling that attackers can turn against weak passwords and PINs. Even strong passcodes can eventually be cracked, but that takes far longer, and the success rate is correspondingly lower.

How to create strong PINs on smartphones

There is no trick here, and there is no winning 4-digit or 6-digit combination. If we all knew of one that worked best, we would all use it, and it would instantly become the weakest. An unguessable PIN does not exist; the goal is a code that does not fall within the handful of guesses the lockout policy grants an attacker, which means avoiding the popular choices and the patterns behind them (repeated digits, counting sequences, keypad strokes, years and dates). That does not mean you must simply accept whatever happens. Instead, combine different security methods to protect your smartphone. A digit-only code will always be the weaker option, so at the very least, set an alphanumeric passcode, one that includes both numbers and letters; both Android and iOS offer this in the screen lock settings. Of course, adding letters to a weak PIN does not make it strong: 123ABC is just as bad. It is also a mistake to stick with the shortest permitted length. If six characters is all your device allows, you have nowhere to expand, but if you can choose eight, ten, twelve, or even more, go for it.
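As an added illustration for the guess-budget discussion above and for this section's advice (this is example code written for this article, not code from the study, from Apple or Google, or from Cyclonis), the following Python script turns the advice into concrete checks. It rejects the 20 PINs listed in this article, flags the structural patterns behind them (a single repeated digit, counting sequences, repeated or doubled blocks, straight strokes across the keypad, years and dates), reports whether a PIN would fall inside an attacker's throttled guess budget, and shows how many bits of guessing space a code of a given length and alphabet offers. The pattern rules, the 1900 to 2029 year range, the keypad geometry and the sample PINs are my own assumptions, not findings of the study.

```python
"""PIN weakness checker.  Example code added for this article; it is not from the
Bochum/MPI-SP/GWU study, from Apple or Google, or from Cyclonis.  The rule set and
the year range below are assumptions made for illustration."""
import math

# The 20 PINs listed in this article (both the 4-digit and the 6-digit lists).
BLOCKLIST = {
    "0000", "0852", "1111", "1212", "1234", "1998", "2222", "2580", "5555", "5683",
    "000000", "111111", "112233", "121212", "123123", "123456",
    "159753", "654321", "666666", "789456",
}

# Phone keypad geometry as (column, row); the 0 key sits below the 8.
KEYPAD = {
    "1": (0, 0), "2": (1, 0), "3": (2, 0),
    "4": (0, 1), "5": (1, 1), "6": (2, 1),
    "7": (0, 2), "8": (1, 2), "9": (2, 2),
    "0": (1, 3),
}


def is_repeated_digit(pin):
    """0000, 666666."""
    return len(set(pin)) == 1


def is_sequence(pin):
    """Ascending or descending run with step 1: 1234, 654321."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def is_repeated_block(pin):
    """A short block typed over and over: 1212, 123123."""
    n = len(pin)
    return any(n % k == 0 and pin[:k] * (n // k) == pin for k in range(1, n // 2 + 1))


def is_doubled_digits(pin):
    """Every digit typed twice: 112233."""
    return len(pin) % 2 == 0 and all(pin[i] == pin[i + 1] for i in range(0, len(pin), 2))


def is_keypad_lines(pin):
    """Every digit lies on a straight keypad stroke of 3+ keys with a constant step
    between keys: 2580 and 0852 (middle column), 159753 (two diagonals), 789456 (two rows)."""
    pts = [KEYPAD[d] for d in pin]
    runs, i = [], 0
    while i < len(pts):
        j = i
        if i + 1 < len(pts):
            step = (pts[i + 1][0] - pts[i][0], pts[i + 1][1] - pts[i][1])
            j = i + 1
            while j + 1 < len(pts) and (pts[j + 1][0] - pts[j][0], pts[j + 1][1] - pts[j][1]) == step:
                j += 1
        runs.append(j - i + 1)   # length of the maximal constant-step run starting at i
        i = j + 1
    return all(r >= 3 for r in runs)


def looks_like_date(pin):
    """A year (assumed range 1900-2029) for 4 digits; DDMMYY, MMDDYY or YYMMDD with a
    plausible day and month for 6 digits."""
    def day(x):
        return 1 <= x <= 31

    def month(x):
        return 1 <= x <= 12

    if len(pin) == 4:
        return 1900 <= int(pin) <= 2029
    a, b, c = int(pin[:2]), int(pin[2:4]), int(pin[4:])
    return (day(a) and month(b)) or (month(a) and day(b)) or (month(b) and day(c))


CHECKS = [
    ("on the blocklist", lambda p: p in BLOCKLIST),
    ("single repeated digit", is_repeated_digit),
    ("ascending/descending sequence", is_sequence),
    ("repeated block", is_repeated_block),
    ("doubled digits", is_doubled_digits),
    ("straight keypad strokes", is_keypad_lines),
    ("looks like a year or date", looks_like_date),
]


def weaknesses(pin):
    """Names of every rule the PIN trips; an empty list means no obvious pattern."""
    if not pin.isdigit() or len(pin) not in (4, 6):
        raise ValueError("expected a 4- or 6-digit PIN")
    return [name for name, rule in CHECKS if rule(pin)]


def falls_within_budget(pin, ordered_guesses, budget=10):
    """True if an attacker trying ordered_guesses most-popular-first, and stopped by the
    OS lockout after `budget` attempts (10 is the iOS-style limit), would hit this PIN."""
    return pin in ordered_guesses[:budget]


def guess_space_bits(alphabet_size, length):
    """log2 of the number of equally likely codes: 13.3 bits for 4 digits, 47.6 for 8 alphanumerics."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for sample in ("1234", "2580", "159753", "1998", "112233", "4917"):   # constructed samples
        print(sample, weaknesses(sample) or "no obvious pattern")
    for alphabet, length in ((10, 4), (10, 6), (36, 6), (62, 8)):
        print(f"{length} characters from an alphabet of {alphabet}: {guess_space_bits(alphabet, length):.1f} bits")
```

The checker is deliberately conservative: a PIN that passes every rule (4917 in the sample run) is merely free of the obvious patterns, not strong in any absolute sense, and the bit counts show why a longer alphanumeric passcode is the real upgrade.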

It is also a bad idea to rely on a PIN code alone. As mentioned, you want to combine authentication methods, and on smartphones, biometric authentication is the most convenient addition. A PIN can be guessed, no matter how strong it is, whereas forging a fingerprint or fooling facial recognition takes far more effort and skill. Once biometrics are set up, the PIN might seem like a non-essential part of your security. Note, however, that the PIN remains the fallback: the phone demands it after a restart, after too many failed biometric attempts, and whenever the biometric sensor is unavailable, so an attacker who cannot fake your fingerprint will simply try the weak PIN instead. Therefore, you must NOT neglect it.

If you mainly unlock with biometrics, the PIN is requested less often, and if you have done a good job of creating one that is hard to guess (think numbers, letters, and special characters), you might forget it, and that would be a disaster. This is why you should store a copy of the passcode in a secure location just in case. If you think that writing it down in your smartphone's notes app or on a post-it note is a good idea, let us warn you that it is not. What you want is an encrypted vault that only you can access. That is what the Cyclonis Password Manager offers. Use the Private Notes feature to store all sensitive pieces of data, and you will not need to memorize them.

By Foley
April 20, 2020