Study: Six-digit PINs are no better than four-digit PINs for security

A German-American volunteer research team tested and compared the security of six-digit and four-digit PIN codes for locking smartphones. If your smartphone is lost or stolen, you at least want to be sure that the information on it is protected from hacking. But is it?

Philipp Markert from the Horst Goertz Institute for IT Security at the Ruhr University Bochum and Maximilian Golla from the Max Planck Institute for Security and Privacy found that in practice psychology dominates mathematics. From a mathematical point of view, six-digit PIN codes are significantly more reliable than four-digit ones. But users prefer certain combinations of digits, so certain PIN codes are used more often than others, and this almost erases the difference in complexity between six- and four-digit codes.

In the study, participants used Apple or Android devices and set four- or six-digit PIN codes. Starting with iOS 9, Apple devices have a blacklist of digit combinations that are automatically rejected as PIN codes. The researchers had both blacklists on hand (for 6- and 4-digit codes) and ran a search of combinations on a computer. The blacklist of 4-digit PIN codes obtained from Apple contained 274 numbers, and the 6-digit one 2910.

On Apple devices, the user is given 10 attempts to enter the PIN. According to the researchers, the blacklist makes virtually no sense in this case: in 10 attempts it turned out to be difficult to guess the correct number, even if it is very simple (like 123456). On Android devices, 11 PIN entries can be made in 100 hours, and in this case the blacklist is a more reliable means of keeping users from choosing a simple combination and of preventing the smartphone from being broken into by brute-force guessing.

In the experiment, 1220 participants chose PIN codes on their own, and the experimenters tried to guess them in 10, 30 or 100 attempts. The guessing was carried out in two ways. If the blacklist was enabled, smartphones were attacked without using numbers from the list. Without the blacklist enabled, guessing began with the numbers from the blacklist (as the most frequently used ones). The experiment showed that a wisely chosen 4-digit PIN code, when the number of entry attempts is limited, is quite secure and even slightly more reliable than a 6-digit PIN code.
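The measurement described above can be sketched in a few lines. This is an added example, not code or data from the study: the user sample, the extended blacklist, the fallback model (a user whose choice is rejected takes their next preference) and all function names are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample, not data from the study: each tuple is one user's PIN
# preferences in order; the user keeps the first one the device accepts.
# Every tuple ends in a PIN that is on neither blacklist.
USERS = [
    ("1234", "1212", "7302"), ("1234", "6915"), ("1234", "8846"),
    ("1234", "2093"), ("0000", "4321", "5540"), ("0000", "3318"),
    ("1111", "8477"), ("5555", "7260"), ("2580", "4490"), ("1212", "6642"),
    ("1212", "9306"), ("4321", "1187"), ("7391",), ("6038",), ("9174",),
    ("2846",), ("5127",), ("3069",), ("8251",), ("7713",),
]
SMALL_BLACKLIST = ["1234", "0000", "1111", "5555", "2580"]  # PINs named in the article
LARGER_BLACKLIST = SMALL_BLACKLIST + ["1212", "4321"]       # constructed extension


def effective_pins(users, blacklist, enforced):
    """PIN each user ends up with once rejected choices are skipped."""
    banned = set(blacklist) if enforced else set()
    return [next(p for p in prefs if p not in banned) for prefs in users]


def guess_list(users, blacklist, enforced):
    """Guess order: blacklist entries are skipped when the blacklist is
    enforced and tried first when it is not."""
    # Assumption: popularity is ranked by the users' unrestricted first choices.
    ranking = [p for p, _ in Counter(u[0] for u in users).most_common()]
    banned = set(blacklist)
    rest = [p for p in ranking if p not in banned]
    return rest if enforced else list(blacklist) + rest


def guessed_fraction(users, blacklist, enforced, attempts):
    """Share of devices whose PIN falls within the attempt limit."""
    pins = effective_pins(users, blacklist, enforced)
    tried = set(guess_list(users, blacklist, enforced)[:attempts])
    return sum(p in tried for p in pins) / len(pins)


if __name__ == "__main__":
    # Three attempts because the sample is tiny; the study used 10, 30 and 100.
    for name, bl, on in [("no blacklist", SMALL_BLACKLIST, False),
                         ("small blacklist", SMALL_BLACKLIST, True),
                         ("larger blacklist", LARGER_BLACKLIST, True)]:
        print(f"{name:17s} {guessed_fraction(USERS, bl, on, 3):.2f}")
```

In this constructed sample the short blacklist mostly moves users to the next most popular PINs, while the longer one spreads them out, which is why the size of the blacklist matters under a fixed attempt limit.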

The most common 4-digit PIN codes were 1234, 0000, 1111, 5555 and 2580 (this is the vertical column on the numeric keypad). A deeper analysis showed that the ideal blacklist for four-digit PINs should contain about 1000 entries and be slightly different from the one that was derived for Apple devices.

Finally, the researchers found that 4-digit and 6-digit PIN codes are less secure than passwords, but more secure than pattern-based smartphone locks. The full research report will be presented in San Francisco in May 2020 at the IEEE Symposium on Security and Privacy.



Source: 3dnews.ru