In theory, it’s very simple: the more digits a PIN consists of, the greater the number of combinations that it can consist of. But that also makes it more difficult to keep them in mind. That is why users of smartphones like to choose combinations of numbers that are quickly typed in, easy to remember or have a personal recognition value. However, this also makes it easier for unauthorized persons to unlock the cell phone.
A team of researchers from the Ruhr University Bochum, the Max Plank Institute for Cyber Security and George Washington University found in a user study with 1200 participants that six-digit PIN codes usually do not provide more security than four-digit ones.
“Mathematically, there is of course a huge difference,” says Philipp Markert, co-author of the study. With a four-digit PIN, 10,000 different combinations can be made, with a six-digit one million. “But users have preferences for certain combinations, some PINs are used particularly often, for example 123456 and 654321,” explains Markert.
A well-chosen four-digit PIN can therefore be more secure than a six-digit PIN. Also because the smartphone manufacturers only allow a limited number of entry attempts. How Apple locks iOS devices after ten incorrect entries. On Android devices, no more than 100 combinations of numbers can be entered in eleven hours. Both four- and six-digit PINs are less secure than passwords, but at least more secure than unlock patterns.
The hit list of the ten most popular – and potentially unsafe – four-digit PINs: 1234, 0000, 2580, 1111, 5555, 5683, 0852, 2222, 1212 and 1998. And the ten most popular six-digit PINs: 123456, 654321, 111111, 000000, 123123 , 666666, 121212, 112233, 789456 and 159753 – each sorted by descending popularity. Sequences of numbers that result in a specific word after the T9 key assignment are just as popular as they are uncertain. As an example, the scientists cite about 5683 as a string of digits for the English word love.