Quantitative analysis of PIN choices: a contribution to the establishment of authentication requirements

Abstract

The authentication using a PIN number remains one of the most used ways to enter a system (mobile phone, ATM, etc.). Many people seem to dislike this form of authentication because they simply despise their use, placing unsafe PINs just because they have to put some. Some relevant results are the combination 1234, the combinations using only one digit (example: 1111), or the central line of the numerical keypad. On the other hand there is some understanding because it is proven that remember strong passwords is a difficult task for humans, and the tendency is to choose the simplest ones. This research had a sample of 497 participants and aimed to understand the preferred choice of the participants in relation to the number of digits used for a PIN number (a choice between four and/or six digits) and realized the amount of times that each of the available digits was used. To this end it was developed a web-based tool for entering the data. This application was intended only to the data collection process, being the information processed further. Through this application, the user was asked to enter four and/or six-digit PINs. The method does not raise any doubt on the participants, which were informed about the anonymity and confidentiality of the data, and never they were asked to identify themselves. Participants were asked to use the PINs that they normally use in other contexts. With the analysis of the data it was possible to understand the distribution of digits per position in a PIN, check which digits is more/less used in each position, and check which digit is more/less used regardless of its position. Among the conclusions it appears that the layout of the numeric keypad of the system influence the PIN choice.