Researchers found that some smartphone PIN codes are much more secure than others.
Your smartphone holds a huge amount of data about you, so it goes without saying that you need to keep it secure. Today, biometric identification such as Face ID and Face Unlock is available on iPhones and Android smartphones, and when it fails you fall back on your device’s PIN code.
But some PIN codes are much more secure than others, and you might be surprised to find out which are the easiest to guess. You would assume, for example, that a longer PIN code was better, but six-digit numbers provide little more security than four-digit ones, according to a study by researchers from Ruhr University, the Max Planck Institute for Security and Privacy in Bochum, Germany and George Washington University in the U.S.
How the smartphone PIN study worked, and what it found
The researchers asked Android and Apple users to set either a four- or six-digit PIN on their smartphone and then assessed how easy the number combination was to guess. They assumed the attacker did not know the victim, so the best attack strategy would be to try the most likely PINs first.
While some of the Android and Apple users were free to choose their own code, others were only allowed to select PINs not included in a blacklist. The researchers used several blacklists including one already available from Apple, and they also created their own.
One of the most surprising findings was that a six-digit PIN was less secure than a four-digit one. It should in theory be more secure, but in reality users were more likely to pick insecure combinations such as 123456 when they were given more digits to play with.
A four-digit PIN can be used to create 10,000 different combinations, while a six-digit PIN can be used to create one million. “However, users prefer certain combinations; some PINs are used more frequently, for example, 123456 and 654321,” explains one of the researchers, Philipp Markert.
“It seems that users currently do not understand intuitively what it is that makes a six-digit PIN secure,” added another researcher, Markus Dürmuth.
The study also found that although four- and six-digit PINs are less secure than passwords, they are more secure than pattern locks.
The researchers will present the results at the IEEE Symposium on Security and Privacy in San Francisco in May 2020.
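To make the attacker model described above concrete, here is an added Python example (not code from the study or from the article): it scores a constructed sample of user-chosen PINs against an attacker who has a limited guess budget and tries the most common PINs first, compares that with the uniform case of 10,000 and one million combinations, and measures how many choices a blacklist would have rejected. The sample PINs and the blacklist are constructed for illustration and are not the study’s data.

```python
from collections import Counter
from typing import Sequence, Set

# Constructed samples of 100 user-chosen PINs each (not study data): a few
# popular choices repeated many times, the rest unique, to mimic the skewed
# distribution the researchers describe. 123456 and 654321 are the examples
# named in the article; the other values are made up for illustration.
SAMPLE_4 = ["1234"] * 10 + ["1111"] * 5 + ["1990"] * 3 \
    + [f"{i:04d}" for i in range(2000, 2082)]
SAMPLE_6 = ["123456"] * 12 + ["654321"] * 5 + ["111111"] * 4 \
    + [f"{i:06d}" for i in range(200000, 200079)]

# Constructed blacklist of PINs a device could refuse at setup time.
BLACKLIST: Set[str] = {"123456", "654321", "1234", "1111"}


def guess_success_rate(pins: Sequence[str], budget: int) -> float:
    """Fraction of users compromised by an attacker who may try `budget`
    PINs (a rate-limited device) and guesses the most frequent PINs of this
    population first. The attacker is assumed to know the distribution, so
    this is an upper bound for a real attacker who knows only a general
    popularity list."""
    counts = Counter(pins)
    hits = sum(c for _, c in counts.most_common(budget))
    return hits / len(pins)


def uniform_success_rate(length: int, budget: int) -> float:
    """Same attacker against users who chose PINs uniformly at random:
    10,000 combinations for four digits, one million for six."""
    return budget / 10 ** length


def blacklist_rejection_rate(pins: Sequence[str], blacklist: Set[str]) -> float:
    """Fraction of these user choices a setup-time blacklist would reject,
    i.e. how much of the popular-PIN mass the blacklist actually covers."""
    return sum(1 for p in pins if p in blacklist) / len(pins)


if __name__ == "__main__":
    for label, sample, length in (("4-digit", SAMPLE_4, 4), ("6-digit", SAMPLE_6, 6)):
        print(f"{label}: 10 guesses succeed against {guess_success_rate(sample, 10):.0%} "
              f"of users (uniform choice: {uniform_success_rate(length, 10):.3%}); "
              f"blacklist would reject {blacklist_rejection_rate(sample, BLACKLIST):.0%}")
```

With the constructed samples, ten guesses compromise about a quarter of users in both the four- and six-digit groups, while the extra two digits would have cut an attacker’s odds a hundredfold if users chose uniformly.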
The most popular smartphone PINs
Here are the most popular and hence most dangerous PINs, which of course you should avoid:
How to secure your smartphone
Your smartphone PIN is a password made up of numbers. It should be complex, but you also need to be able to remember it. It’s therefore no surprise that many people fall back on memorable dates such as their date of birth, or the dreaded 123456.
But given the importance of the data on your smartphone–your credit card details, and other private information–cybersecurity specialist Jake Moore says he is surprised users would choose such weak PIN options: “It baffles me that anyone would choose the weakest form of security for the most important device they own. It’s only one up from no PIN at all, plus there are tools that can break these codes in a few hours.”
Many people use numbers related to them, so after some simple open-source research this code may be found online, Moore warns.
And once into a phone, an attacker can gain control over other accounts too. “Password recovery links sent to an email on a smartphone with a simple PIN is all it takes–and it overrides SMS two-factor authentication.”
To secure your smartphone, Moore recommends “complex alpha numeric passwords” and I wholeheartedly agree. When combined with biometrics such as Face ID, you don’t need to type it in every time. But you do get that important extra layer of security that’s needed on your smartphone.