Abstract

Users have conflicting sets of requirements when it comes to choosing Personal Identification Numbers (PINs) for mobile phones or other systems that use PINs for authentication: the conflict lies between the 'easy to remember' usability requirement and the 'hard to guess' security requirement. Users often ignore the security requirement and choose PINs that are easy to remember and reuse, making it also easy for attackers to guess and compromise them. Just as password strength is controlled through various password policies, PIN selection policies may be used to help users choose stronger PINs and meet various security requirements. An example policy would not allow the use of the most commonly selected PINs. An online user study was conducted to investigate the effectiveness of such PIN selection policies, requesting the participants to choose PINs under some carefully designed policies. The participants were also asked to record the memorability (remembrance difficulty) score of each PIN, indicating how easy or hard it was to remember the selected PIN. Based on the entropies calculated on the collected PINs and their memorability scores, this paper demonstrates that restricting some number of commonly used PINs (e.g. restricting the 200 most commonly used ones) is beneficial: this type of policy would significantly increase the randomness of PINs without incurring significant memorability overhead. Our results also showed that any PIN- or PIN-pattern-based blacklisting policy should be constructed with caution, since the total PIN space may become too small, making it easier for attackers to guess PINs.
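The two measurements the abstract relies on, the entropy of the PINs users actually chose and the size of the PIN space a blacklist policy leaves behind, can be computed with a short evaluation script. The following is an added example and not the paper's own code or data: the sample PINs are constructed, PINs are assumed to be four digits, the "pattern" definition (repeated digit or a run of consecutive digits) is one plausible reading of a PIN-pattern-based policy, and users whose PIN is rejected are assumed to re-pick uniformly from the allowed space, which real users do not do.

```python
"""Evaluate a PIN-selection policy: Shannon entropy of the observed PINs,
how many users an attacker covers with k guesses, and how much of the
PIN space the policy leaves. Added example; the sample PINs below are
constructed, not data from the study."""
from collections import Counter
from math import log2
import random

PIN_LENGTH = 4                    # assumption: 4-digit PINs
PIN_SPACE = 10 ** PIN_LENGTH

# Constructed sample of user-chosen PINs (not data from the paper).
SAMPLE_PINS = ["1234"] * 4 + ["1111"] * 2 + ["4827", "9035"]


def shannon_entropy(pins):
    """Shannon entropy in bits of the empirical PIN distribution."""
    counts = Counter(pins)
    n = len(pins)
    return -sum((c / n) * log2(c / n) for c in counts.values())


def guess_coverage(pins, k):
    """Fraction of users hit when the k most frequent PINs are tried as
    guesses; this is the number a blacklist policy is meant to drive down."""
    top = Counter(pins).most_common(k)
    return sum(c for _, c in top) / len(pins)


def blacklist_top_k(pins, k):
    """Policy 1: ban the k most commonly chosen PINs in the sample."""
    return {p for p, _ in Counter(pins).most_common(k)}


def is_pattern_pin(pin):
    """Policy 2 helper (assumed pattern definition): a repeated digit or a
    strictly ascending/descending run of consecutive digits, e.g. 1111, 6789."""
    digits = [int(d) for d in pin]
    if len(set(digits)) == 1:
        return True
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {-1})


def all_pins():
    """Every PIN in the space, zero-padded to PIN_LENGTH digits."""
    return (f"{i:0{PIN_LENGTH}d}" for i in range(PIN_SPACE))


def remaining_space(allowed):
    """Number of PINs the policy still permits; log2 of it is the entropy
    ceiling, which is the quantity the abstract's caveat is about."""
    return sum(1 for p in all_pins() if allowed(p))


def apply_policy(pins, allowed, seed=0):
    """Simulate users re-picking under the policy: a disallowed PIN is replaced
    by a uniformly random allowed PIN (an assumption; real users are not uniform)."""
    rng = random.Random(seed)
    pool = [p for p in all_pins() if allowed(p)]
    return [p if allowed(p) else rng.choice(pool) for p in pins]


if __name__ == "__main__":
    banned = blacklist_top_k(SAMPLE_PINS, 2)
    allowed = lambda p: p not in banned and not is_pattern_pin(p)
    print(f"entropy before policy: {shannon_entropy(SAMPLE_PINS):.2f} bits")
    print(f"2-guess coverage before: {guess_coverage(SAMPLE_PINS, 2):.2f}")
    after = apply_policy(SAMPLE_PINS, allowed, seed=1)
    print(f"entropy after policy:  {shannon_entropy(after):.2f} bits")
    print(f"2-guess coverage after:  {guess_coverage(after, 2):.2f}")
    space = remaining_space(allowed)
    print(f"remaining space: {space} of {PIN_SPACE} "
          f"(entropy ceiling {log2(space):.2f} bits)")
```

Swapping in a broader pattern definition, such as banning anything that looks like a date, and re-running `remaining_space` shows the trade-off the abstract warns about: each pattern rule lowers the entropy ceiling, so a policy should be checked against the remaining space before it is deployed, not only against the frequency of the PINs it removes.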
