Why are PINs typically four digits?

Why are PINs typically four digits? Was there some science involved in determining this is the optimal number of digits? Why not three or five digits?

It’s the minimum number needed to make a brute force hack expensive in time (10,000 possibilities). But they are not, in my experience, limited to 4 digits - my previous one was 7.

When I first got a bank PIN it was four digits (or at least a minimum of 4 digits). That was in the 80s. When BankAmerica took over the bank that took over the bank that took over the one I started with some time in the 90s, we were required to use 6 or more digits.

My WAG is along the lines of what Askance said. I would imagine 4 was determined to be the minimum required to be reasonably secure without being too difficult for the average card-carrying schlub to remember.

Because one of the people responsible for the development of the ATM machine checked with his wife, and she said she could only remember 4 digits.

http://news.bbc.co.uk/2/hi/business/6230194.stm

Really? I have a B of A account and use a 4 digit PIN. I think the original bank (SeaFirst) was directly taken over.

I have no evidence to support it, but think that the human brain is very good at remembering things in pairs. So four digits may contain 10,000 combinations but it’s actually always just two pairs…

Five is ridiculous
Not sure how it is now, but when ATMs first came out - you didn’t slide your card thru a reader - it took your card (at least where I was). If you didn’t get it in X number of tries (for some reason I think it was 4-5 tries) - it kept your card and you needed to go to the bank the next day.

You can’t (or couldn’t) really brute force an ATM card - with 3 digits - you’d basically have a 1 in around 200 chance of guessing (with five guesses) - more like 1~25-50 if you used what patterns people would be likely to pick.

This wouldn’t be enough to sort of be able to dissuade people from “losing” their card - and also doesn’t appear as secure as four digits.

Four digits is enough to prevent and make it boring enough to try and guess - the pay off is too low.

I have brute forced 3 digit combination locks - not as long as you might think - less than 10 minutes depending on mechanism.

Four digits is fucking boring as hell

Five is overkill and too many people would either forget or pick their zipcode. At least with four digits you could pick the last four of your first phone number or something.

Yes of course you shouldn’t do that.

FWIW - 1234 is obviously most used
Care to guess least used?
8068 - which of course means you shouldn’t use it

Second most unused?
8093
Better go with third
9629

The “study” - which I’m afraid to navigate away from my phone to post link - lists most popular ones as very obvious, but has 1004 as 6th most common - the other nine are easy to understand, but why 1004? Is this an important number in some way I’m not thinking of?

This might be the link you were looking at.

I’m astonished that so many people use anything on the 20 most-common. It would be interesting to know why the least-common are so.

The best I could find for 1004 is that it’s numerical text speak for “angel” in Korean and there’s a couple songs referencing it in this manner.

Very interesting.

That’s a ten-four, good buddy.

That would make even more sense. I’d never have thought of that for a four-digit pin.

Three would not be enough, to guard against a lucky guess, and five would be more than necessary and too hard to remember.

Shhhh, like me you were probably grandfathered in with your old number. My wife did need to get a new one for some reason though, I don’t recall. She picked 00xxxx where xxxx was her old number. I wonder what fraction of six digit B of A PINs are 00xxxx.

I was in the military for four years.
I got out in 1964.
I don’t use or write my military serial number for anything.
It has 2 letters & 8 numbers.
I still know it backwards & forwards.
I still remember my first weapon’s serial number.
First phone # from when I was a child, 3 letters & 5 numbers.

And I am not good with numbers and CRS.

I don’t brute force 4 digit anymore, what is 10 times worse than boring?

I have several sizes of bolt cutters.

Just sayin. he he he :smiley:

Question:
What about dates? Everybody has many that they will never forget that are pretty unique to just them without being sort of universal like 911 or D day or some such.

2014730
20140730
7201430
300720147
Etc., etc., just for today’s date as an example. I quit because you get the idea.

Without a magic box to zip through actually trying each, how secure would just 8 or 9 numbers be?

Add last 3 letters from your birth month in front or back? ( January ) jan or ary ? Very easy to remember and should be pretty hard to hack??

Many others can be thought of so why is this hard for so many people to remember?

Nobody wants into my stuff near as much as a bank or business secrets or such so???

Who uses PINs anymore? Just select Credit and move on.

PS- Impressed with GusNSpot and all those bolt cutters.

I was going to guess that 1004 was people who meant to hit 1001 and screwed up, but 1001 isn’t on the list.

The poster who pointed out that using 5 digits would be a mistake because a lot of people would use their zip code is onto something. In smaller towns, there might be only two or three zip codes, so it’d be pretty easy to guess. A lot of people probably pick their birth year for their PIN, so if you find a wallet with a driver’s license, you have a good clue (if it’s not the birth year, it might be the four digit date), but a lot of cards got lifted in the bad old days, because people walked away, forgetting to take them out of the machine, back when the machine held your card for the whole transaction, so your thief had the card, but not the whole wallet.

It might also have something to do with the limitations of the technology at the time. How many digits could an ATM handle? Back when they first came on the streets, in the late 80s, they only had so much memory. I’m sure there was a balance between security and what the machine could handle.

I got my first ATM/debit card when I was a sophomore in college and used my 4-digit dorm room number for my PIN. At that time it was a terrible PIN because anyone who knew much about me might guess that number in the first 20 tries or so.

26 years later, it’s a pretty good random code. I doubt even my roommate that year remembers our room number today.

Outside the US, it’s very common to use PINs on everything.

Steve Gibson has done some password research going back years. You can test your password’s “hackability,” even generate your own paper passcards.

I have a master password I’ve used for more than [del]20[/del] 30+ years. I only use it now for accessing my Keepass safe. It’s 16 characters long and according to the hackability test, would require 1.54 hundred thousand centuries to break it, assuming one hundred trillion guesses per second. I can’t use it for a bank pin, but even at eight characters I’m quite confident. I only access my own bank’s ATM and never any other ATM with it.

I think anyone who takes regular precautions with computer access and never ever crosses several wide lines is safe. Paranoia about online access is just paranoia. For me, it’s the same scenario if both of us are being chased by a bear. I only have to outrun you to be safe. There are millions I easily outrun when it comes to my computer security.
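Added example, not part of any post in this thread: a short Python calculation that puts the thread's two kinds of numbers side by side, the chance of guessing a PIN before a card-retaining ATM locks out, and the time to exhaust a search space at a fixed guess rate. It assumes uniformly random PINs, a 62-symbol alphabet (upper case, lower case, digits) for the 16-character password, and a count of every length up to 16; all function names are made up for this illustration.

```python
import math
from fractions import Fraction

SECONDS_PER_CENTURY = 100 * 365.25 * 86400

def guess_chance(digits, tries):
    """Chance of hitting a uniformly random PIN in `tries` distinct guesses."""
    space = 10 ** digits
    return Fraction(min(tries, space), space)

def cards_for_even_odds(digits, tries):
    """Independent cards, each retained after `tries` misses, needed
    before the chance that at least one PIN was guessed reaches 50%."""
    p = float(guess_chance(digits, tries))
    if p >= 1.0:
        return 1
    return math.ceil(math.log(0.5) / math.log(1.0 - p))

def search_space(alphabet, max_len):
    """Count of all strings of length 1..max_len over `alphabet` symbols."""
    return sum(alphabet ** n for n in range(1, max_len + 1))

def centuries_to_exhaust(alphabet, max_len, guesses_per_second):
    """Time to try every candidate when no lockout limits the guessing."""
    seconds = search_space(alphabet, max_len) / guesses_per_second
    return seconds / SECONDS_PER_CENTURY

def report(tries=5, rate=1e14):
    rows = []
    for digits in (3, 4, 5, 6):
        p = guess_chance(digits, tries)
        rows.append((digits, p, cards_for_even_odds(digits, tries)))
        print(f"{digits}-digit PIN, {tries} tries: 1 in {1 / p}, "
              f"even odds after {rows[-1][2]} cards")
    # Without a lockout, a 4-digit space is gone almost instantly.
    secs = search_space(10, 4) / rate
    print(f"all PINs up to 4 digits at {rate:.0e}/s: {secs:.2e} seconds")
    c = centuries_to_exhaust(62, 16, rate)
    print(f"16 chars, 62 symbols at {rate:.0e}/s: {c:.3e} centuries")
    return rows

if __name__ == "__main__":
    report()
```

Under those assumptions the lockout, not the digit count, carries most of the protection for a PIN, while a long password has to stand on search-space size alone.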