## Wednesday, July 04, 2012

### Unintuitive probability: PIN selection

I was thinking about PIN digits the other day, because I'm weird like that, and started working out probabilities for a standard 4-digit code (nnnn) drawn from the 10 digits 0-9.

Calculating how many combinations there are is simple: the first digit can be any of 0-9, as can the second, the third and the fourth, giving 10x10x10x10 or 10,000 combinations. But are there really this many? I decided to delve a little deeper. The obvious point to me was that there would only be this number if duplicates were allowed; if, in the interests of making your PIN 'harder', you ensured there were no duplicates (i.e. 1234 rather than 1123) you would in fact have the opposite effect and make it easier.

Again the first digit can be any of 0-9, but the second can't be a duplicate and so only 9 choices remain; the same for the third, leaving only 8, and the fourth leaves 7. 10x9x8x7 = 5040; if someone trying to guess your PIN knows you won't use duplicates, you've cut the options they have to try roughly in half.

Let's try another tack. Consider a door lock with a numbered keypad and a 4-length PIN. You want to gain illicit entry but don't know the code; how do you get it? Simply spray some UV liquid onto the keypad, wait until a legitimate user types in the code, then shine a UV light onto it and see which numbers are smudged. In this case let's say 1, 2, 3 and 4.

Knowing it's a four-digit code, what's the maximum number of attempts you would need to make?

As before, the first digit can be any of the digits 1-4, but the second can't be a repeat, nor can the third or fourth, because we know all the smudged digits were used. This means we have 4x3x2x1 or 24 possibilities. An easy way to show this is by drawing a probability tree. For all possibilities of the PIN code starting with a 1 it would look like the following:

Count the end points and there are six of them. Substitute the number 2 for 1 and 1 for 2, then repeat for all four starting numbers, and there are 4x6 or 24 possibilities.

Okay, you've broken in and stolen their top-secret files. They now change the code and you try again; this time the numbers that appear are only 1, 2 and 3. What would be the maximum number of attempts needed now?

This is a little more tricky to work out. Again the first digit can be any of the three, and so can the second; the third can also be any of the three unless a digit has already been repeated. We have to use all three digits, so exactly one of them appears twice and the others once. A tree is more helpful here:

Counting the end results gives us 12; substituting for the other two starting numbers gives a total of 3x12 or 36. That's twelve more than using four digits.

It gets better: if all we knew was that only three digits were in use for a four-length PIN, the number of combinations possible is 10x10x9x8 or 7200 rather than the 5040 for using four different digits.

So by using one fewer digit than the PIN length calls for, the number of possibilities an attacker has to try actually increases.

One even sneakier trick involves mobile phones, particularly Android. By default, if you lock the phone you tap in a number and then hit the OK button. The important bit is that the phone won't unlock automatically as soon as the correct number is entered. This matters because, despite common conviction, a PIN on a mobile does not have to be four digits long; it can be five (or even more, or fewer).

Use three digits in a 3-length PIN and anyone who knows those numbers and tries them in the 36 different ways of a 4-length PIN will never unlock your phone; use four digits in a 5-length PIN and they can try all 24 combinations without success.

So even if they know this trick, and that you're 'limiting' yourself to 3 or 4 digits of a 4- or 5-length PIN, it's still safer than using four different digits for a 4-length PIN.

What an odd world probabilities can be.

Oh, and on one final note for the truly paranoid out there: one of the most potent defences is the delete key. Have three digits in a 4-length PIN and type in four numbers but delete the false one; even though an attacker may be able to see that you used the delete key, they won't know when or even how many times it was used. In other words, with a PIN of 1233 type 1234 DEL 3. The 36 possible combinations have now jumped to 120.

For the truly, truly paranoid, type in four digits that don't match your PIN, then delete them all and type in the real one. An attacker now has a full eight numbers to try; without any indication of whether duplications are allowed, that's 4096 combinations.
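The counts worked out above (10,000 with repeats allowed, 5,040 with none, 24 for four smudged keys, 36 for three) can be checked by brute-force enumeration, which is also exactly what an attacker holding a list of candidate codes has to do. The following is an added example written for this page, not code from the original post; it generalises the keypad scenario to any PIN length and any set of visible digits (so it also covers the 5-length PIN over four smudged keys from the phone section), and includes the unconstrained count for the eight-key delete trick. The function names are the example's own.

```python
from itertools import product


def count_pins(visible_digits, length, must_use_all=True):
    """Count the PINs of `length` digits an attacker would have to try.

    visible_digits: the digits known to be in the PIN (e.g. smudged keys).
    must_use_all:   True  -> every visible digit appears at least once,
                             i.e. the smudges reveal exactly the digits used;
                    False -> any visible digit may appear any number of times,
                             as when the attacker cannot tell which keys matter.
    """
    digits = sorted(set(visible_digits))
    candidates = product(digits, repeat=length)
    if must_use_all:
        # keep only arrangements in which every visible digit occurs
        candidates = (p for p in candidates if set(p) == set(digits))
    return sum(1 for _ in candidates)


def count_no_repeat(alphabet_size, length):
    """PINs with no repeated digit: n * (n-1) * ... for `length` positions."""
    total = 1
    for i in range(length):
        total *= alphabet_size - i
    return total


def list_pins(visible_digits, length):
    """Enumerate (as strings) the PINs that use every visible digit at least once.

    This is the attacker's candidate list; its length equals count_pins(...).
    """
    digits = sorted(set(visible_digits))
    return ["".join(p) for p in product(digits, repeat=length)
            if set(p) == set(digits)]


if __name__ == "__main__":
    print(count_pins("0123456789", 4, must_use_all=False))  # all 4-digit PINs
    print(count_no_repeat(10, 4))                             # no repeated digit
    print(count_pins("1234", 4))                              # four smudged keys, 4-length PIN
    print(count_pins("123", 4))                               # three smudged keys, 4-length PIN
    print(count_pins("1234", 5))                              # four smudged keys, 5-length PIN
    print(count_pins("12345678", 4, must_use_all=False))      # eight keys, repeats unknown
    # the branch of the tree that starts with a 1, for the three-key case
    print([p for p in list_pins("123", 4) if p[0] == "1"])
```

`count_pins` works by exhaustively generating every arrangement and filtering, so it is deliberately simple rather than clever; for PIN lengths and digit sets in the range discussed here the whole run takes a fraction of a second, and the enumerated list from `list_pins` is the same set of branches the probability trees in the post are counting.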

rdallison said...

Nice post! "The truly paranoid out there" can use a similar "type-and-delete" approach when entering sensitive information (including passwords) on their computer. Insert additional nonsense characters, then when you're ready, use the mouse to select and delete them. This will protect against keyloggers and/or people watching your fingers on the keyboard, but of course not against packet sniffers on insecure http connections.

FlipC said...

Thanks. The important bit to highlight in your comment for other readers is "use the mouse", because a keylogger will see you using the delete key whereas using the mouse is almost impossible to detect. This is why a lot of security systems use the 'select a letter from this list' technique.