An experiment about PINs

[sophie]

I want to try an experiment.

Imagine you're calling an automated phone system to set up an account. The phone system asks you to make up your own PIN code to control access to the account, and to press the # key when done.

Did you think of a number? Good. Hold that in your head. I'm not going to ask you for it, but I do want to ask you a few questions about the number you chose under the cut, as an anonymous poll. (Meaning that even I can't see who answered what, for security.) If you haven't thought of the PIN code you would use in this hypothetical situation, do so now.

I explain why I'm doing this in another cut inside the cut below!

And here are the questions:

Poll #13945 PIN questions

This poll is anonymous.
Open to: Registered Users, detailed results viewable to: Just the Poll Creator, participants: 43

How many digits did your chosen PIN have? (Choose 10 if your number has more than 10 digits.)

Mean: 4.47 Median: 4 Std. Dev 1.25

1		0 (0.0%)
2		0 (0.0%)
3		0 (0.0%)
4		35 (81.4%)
5		4 (9.3%)
6		1 (2.3%)
7		0 (0.0%)
8		2 (4.7%)
9		0 (0.0%)
10		1 (2.3%)

Discard the last 2 digits of your chosen PIN (for example, 384 -> 3, and 48932 -> 489). What number are you left with? (Remember, nobody, not even me, can see your answer.)

Mean: 25.72 Median: 29 Std. Dev 6.00

or below 9		1 (2.3%)
10		1 (2.3%)
11		0 (0.0%)
12		1 (2.3%)
13		1 (2.3%)
14		0 (0.0%)
15		1 (2.3%)
16		0 (0.0%)
17		1 (2.3%)
18		0 (0.0%)
19		2 (4.7%)
20		1 (2.3%)
21		1 (2.3%)
22		0 (0.0%)
23		0 (0.0%)
24		0 (0.0%)
25		0 (0.0%)
26		2 (4.7%)
27		0 (0.0%)
28		0 (0.0%)
or above 29		31 (72.1%)

The reason I'm asking this is because I strongly suspect that almost everybody, when they think of a PIN code, will think of one which is 4 digits long - because most things will ask for a 4-digit PIN. Notice that I never stipulated above that it had to be 4 digits! In fact, I explicitly made clear that the phone system would ask you to use the # key to finish your number, meaning that it's not assuming anything.

Further, I also suspect that a lot of people will think of a year, that the majority of those people will pick a year above 1000, and that the majority of *those* will pick a year within their lifetime, which would put their answer to the second question as 19 or 20. I'm curious to see if the data supports my thoughts, and to what extent!

Comments

[princessofgeeks]

I never use a year in my pins. Never.

Also, I guess I DID think that PINS have to be four digits, because all the ones I use in real life ARE four digits and are presented as HAVING to be four digits. Because of that experience, I did indeed make an assumption about the definition of a PIN. Your secret experiment kind of felt like a gotcha to me. I would have wanted, if this had been a real set of instructions, your instructions to specify "the PIN can be up to X digits in length." Because I use several PINS in real life and without exception they were all defined as four digits to me. Other types of numerical access codes are usually not called PINS but passwords or access codes, in my experience.

Definitions and assumptions. They crop up all the time, don't they?

Hi!

[shanaqui]

I have two pin codes I use by default -- one is the four digit PIN I use for my bank, etc, and the other is an eight digit code I use when I can. There is a year in my long pin code somewhere, but it isn't 19-- or 20--, it's --56 (or not, that's not the real number) and it's not one within my lifetime.

[cxcvi]

Amusingly, the voicemail pin for my old phone number isn't 4 digits, it's 8; and doesn't just have a year but a day and month as well.

[busaikko]

Here via DW network: I did use a year, but I think most people I know who do choose the second 2 digits (for example, 55 or 79 or 92) plus something connected to that date (7603 -> 1976, third child born; 5523 -> Married on February 23, 1955). Otherwise, the 19 or the 20 would be way too easy to guess.

[ephemera]

I totally fell into that assumption that PIN = 4 digits. That's almost hard wired!

[ninetydegrees]

Yeah anything above 4 digits is pretty hard to remember for me but anything less doesn't seem secure enough for some reason. Also it seems like a natural sequence ( like 2, 4, 6, 8). I never use years for 4-digit PINs I can choose either. I use numbers I like and a gesture I can visually remember doing. Don't know if I'm clear.

[kaberett]

I suspect we're a staggeringly biased self-selecting sample when it comes to security, which might be affecting your assumption about years?

(I find it very easy to remember numbers, so I just... generated a number, I'm not sure how, so.)

[sophie]

The thing is, there are a lot of PINs that don't have to be 4 digits - the international standard for PINs is ISO 9564. I don't know if this applies to debit/credit cards (I just phoned my bank and apparently they only support 4 digits), but the standard does say that PINs can be from 4-12 digits long, and I remember reading about cards that have more digits, so I'm not sure what's up with that.

The reason I thought about it was because some time ago I was creating a voicemail system for use in an online game which was there solely for players to be able to hack it. The prompt it used for the players was "Please enter your password followed by the pound key". It was instantly assumed that this was 4 digits (and reported as such in the in-game forums), to the extent that players never considered that it might have been any other length. It actually *was* four digits and they managed to get it from in-game clues, but it could easily have been more. The fact that players never considered that it might be longer astounded me, and I wanted to follow up on it at some point.

[princessofgeeks]

I don't know enough about computers to have realized where to look for the ISO standard, or anything similar; I am approaching this only as a consumer.

I'm going at this from the end user mindset, not from the computer or game designer mindset, so that's me -- your typical ignorant noob. :) If all the PINS I encounter in RL are four digit, it's an assumption I've made, wrongly or rightly.

[azurelunatic]

Not based on a year.

[dreamatdrew]

5 digits
not based on year
is basis for standard pin usage everywhere but certain high-security entities (which gets a substring of a different 14 character string).

[alexwlchan]

I went for a 4-digit PIN as well (2459, chosen as randomly as I could, for what it’s worth), although I rarely use a 4-digit PIN in real life.

On my mobile devices, I still use numeric PINs, but they’re fairly long and correspond to words. Since most phone keypads have three or four letters assigned to a number, I tap in the numbers corresponding to the word. (e.g. DREAMWIDTH would be 3732694384) You only get eight choices, since the 0 and the 1 aren’t used, but I find it sufficient, since it’s not the 4-digit PIN most people expect. It also means that somebody looking over my shoulder finds it that much harder to remember the number, because it appears pretty random.

An unfortunate side-effect of this is that I regularly try to enter one of my long PINs when I’m using my bank cards. I’ve got more than one confused look about that, but next time I’m in I might ask about a longer PIN; would be good.

You’ve probably seen stuff like this already, but here’s some statistics from an iOS developer of the pass codes used in his app. What’s especially interesting is how he breaks it down by first, second, third and fourth digit, and the statistics for each. (Although Apple booted him out of the store for doing it.)

[metawidget]

6 digits (what my bank, ING Direct, requires!), based on a slice of phone number that's not easily connectable to me but that I remember well.

I do 4-digit codes based on phone numbers, too, on the assumption that the later digits are more or less random but that I've had to commit them to memory. I wonder if that skill/source will die out now that many people have smartphones with directories built in...

[batrachian]

mine is/was five digits, is immediately recognizable to me, not sure how much it'd be noted outside of the fandom I pulled it from.

[marahmarie]

OK, I use a year, but not usually as a PIN, more for the password end of things. So say you have a debit card, as I do, and per your bank's rules you can have two different PINs tied to that card; one for the automated phone system and one to actually perform debit transactions. The one I use the year on; the other I use the non-year PIN number on.

The PIN I use is the last four numbers of a telephone number I had for 18 years back in NY. Interestingly, no one but me can remember that number; my mom never could, though she had it as long as I did; my fiance cannot recall it either, even though it was the only number he ever called me on the entire first and second time we dated as kids. I have amazing recall of, like, the dumbest things. :)

And yes, I hear ya on the "your PIN can usually be much more than four characters" but for me, it's just plain easier to stick to four until the day something forces me to change that either for peace of mind, actual security reasons or whatever (also, the year I chose is no one's birthday; it was the year we moved into a certain place with a certain phone number that we kept for over 18 years).

My PINs

[https://www.google.com/accounts/o8/id?id=AItOawkBCvMqygGx3_CQM99D8lisB8nBs6wPOU4]

I tend to use 4 digit PINs as, again, that's what most systems expect. I don't use years though [well, not intentionally], but "looks random" numbers (i.e. combination of my bicycle lock[s] lost decades ago, computer model numbers, bits of serial numbers I have, previously bank-allocated PINs from other cards etc etc). For "longer things" (such as online accounting software) which needs a "longer numeric value for validation", I pick things such as national insurance numbers, postcodes with house numbers, old telephone numbers (especially not mine and pre-phoneday ones) etc etc.