University of California, Santa Cruz
The authors provide the first published estimates of the difficulty of guessing a human-chosen 4-digit PIN. They begin with two large sets of 4-digit sequences chosen outside banking: online passwords and smartphone unlock codes. They use a regression model to identify a small number of dominant factors influencing user choice. Using this model and a survey of over 1,100 banking customers, they estimate the distribution of banking PINs as well as the frequency of security-relevant behavior such as sharing and reusing PINs. They find that guessing PINs based on the victim's birthday, which nearly all users carry documentation of, will enable a competent thief to gain use of an ATM card once for every 11-18 stolen wallets, depending on whether banks prohibit weak PINs such as 1234.
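The abstract notes that the attacker's success rate depends on whether the bank blacklists weak PINs. The following is an added example, not code from the paper or from any bank, of what such a blacklist check looks like: it flags repeated digits, ascending or descending runs, repeated pairs, MMDD/DDMM-shaped dates and plausible birth years, and it measures how much of the 10,000-PIN space the policy removes. The pattern classes and the year range `YEAR_RANGE` are assumptions of this example, and the candidate PINs in the demo are constructed; nothing here reproduces the paper's survey data or its 1-in-11 / 1-in-18 estimates.

```python
import re
from datetime import date

# Assumed policy parameter for this example (not from the paper):
# a 4-digit number in this inclusive range is treated as a plausible birth year.
YEAR_RANGE = (1900, 2030)


def _is_valid_date(month: int, day: int) -> bool:
    """True if (month, day) is a calendar date; 2000 is a leap year, so 02/29 counts."""
    try:
        date(2000, month, day)
        return True
    except ValueError:
        return False


def weak_pin_reasons(pin: str) -> list:
    """Return the reasons a 4-digit PIN matches a weak pattern (empty list = acceptable).

    Pattern classes (an assumption of this example): repeated digit, ascending or
    descending run, repeated two-digit pair, MMDD or DDMM date, and a plausible year.
    """
    if not re.fullmatch(r"[0-9]{4}", pin):
        raise ValueError("PIN must be exactly four ASCII digits")
    digits = [int(c) for c in pin]
    reasons = []
    if len(set(digits)) == 1:
        reasons.append("repeated digit")
    steps = {digits[i + 1] - digits[i] for i in range(3)}
    if steps == {1} or steps == {-1}:
        reasons.append("sequential digits")
    if pin[:2] == pin[2:]:
        reasons.append("repeated pair")
    first, second = int(pin[:2]), int(pin[2:])
    if _is_valid_date(first, second):
        reasons.append("looks like MMDD")
    if _is_valid_date(second, first):
        reasons.append("looks like DDMM")
    if YEAR_RANGE[0] <= int(pin) <= YEAR_RANGE[1]:
        reasons.append("looks like a year")
    return reasons


def is_acceptable(pin: str) -> bool:
    """Policy decision: accept the PIN only if no weak pattern matches."""
    return not weak_pin_reasons(pin)


def blocked_fraction() -> float:
    """Fraction of the 10,000 possible PINs this policy would reject."""
    blocked = sum(1 for n in range(10000) if weak_pin_reasons(f"{n:04d}"))
    return blocked / 10000


if __name__ == "__main__":
    # Constructed sample of candidate PINs, not survey data.
    for candidate in ["1234", "0000", "1225", "2512", "1985", "8642"]:
        verdict = "accept" if is_acceptable(candidate) else "reject"
        print(f"{candidate}: {verdict} {weak_pin_reasons(candidate)}")
    print(f"policy blocks {blocked_fraction():.1%} of the PIN space")
```

The date checks are the part that matters for the birthday attack the abstract describes: a blacklist that only removes 1234 and repeated digits leaves every MMDD and DDMM PIN available, so it does nothing against a thief who has the victim's ID card. The trade-off is that each pattern class removed from the space also shrinks the set of PINs a legitimate customer can choose, so `blocked_fraction` is worth reporting alongside the policy.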