Never use this 4-digit PIN — hackers know it instantly

A locked iPhone held in hand. Photo: Unsplash

The short numeric code used to unlock a smartphone, log in to online banking, or withdraw cash at an ATM has turned out to be far less secure than commonly assumed. An analysis of 29 million combinations from the Have I Been Pwned? database showed that almost 10% of people use the same four digits.

ABC reports.

Why is the "secret" code so easy to guess?

Four digits look like a strong last line of defence, but human choice shrinks the 10,000 theoretical options to a few hundred genuinely popular ones. This is most visible on the "heat" grid, which splits each PIN into two pairs of digits: the first two plotted vertically, the last two horizontally. The lighter the cell, the more frequent the code, and these bright spots are the first thing an attacker looks at.

The "heat" grid of PINs. Photo: screenshot

The absolute record holder is 1234, which accounts for almost one PIN in ten. The diagonal from the bottom left to the top right is filled with repeated digits: 0000, 1111, 2222, and 4444, while 1212 and 4444 are also in the top ten. The horizontal band between "19" and "20" corresponds to years of birth: 1986 and 2004 are among the twenty most common combinations.

The lower left sector holds date codes such as 2512. 2902 is rarer, since February 29 exists only in leap years, while the US date order 0229 produces a mirrored hotspot elsewhere on the grid. Other "tricky" choices include 4321 (simply 1234 reversed), 1342 (the digits of 1234 rearranged), and 2580, a vertical line down the centre of a telephone keypad.

The implication is obvious: if a thief gets only five attempts to unlock a device or withdraw cash, the statistics give him a one-in-eight chance of guessing the combination. The same weakness shows up in ordinary passwords: 1234 ranks fourth on the NordPass list, behind only 123456, "admin", and "password".
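The pattern families above (repeated digits, straight and rearranged sequences, day/month dates in both orders, birth years, keypad lines) can be turned into a simple policy check that rejects a PIN before it is set. The script below is an added example written for this article, not code from ABC or from the Have I Been Pwned project; the detection rules are assumptions drawn from the categories the article describes, the set of "top codes" contains only the PINs named in the text, and the coverage figure it computes is the share of the 10,000-code space those rules flag, not the real-world frequency from the leaked data.

```python
"""Heuristic weak-PIN checker built from the pattern families the article lists.

Constructed example: rule set is an assumption based on the article's categories,
not a reproduction of the Have I Been Pwned frequency data.
"""
from datetime import date

# Constructed: the specific codes the article names as frequent.
ARTICLE_TOP_CODES = {"1234", "0000", "1111", "2222", "4444", "1212",
                     "1986", "2004", "2512", "2902", "4321", "1342", "2580"}

# Assumption: a standard telephone keypad, where 2-5-8-0 is the only straight
# four-key line; the reverse reading is included too.
KEYPAD_LINES = {"2580", "0852"}


def _valid_date(day_field: str, month_field: str) -> bool:
    """True if the two fields form a real calendar day (a leap year is used so 29/02 counts)."""
    try:
        date(2024, int(month_field), int(day_field))
        return True
    except ValueError:
        return False


def classify(pin: str) -> list[str]:
    """Return the weak-pattern labels that apply to a four-digit PIN (empty list if none)."""
    if len(pin) != 4 or not pin.isdigit():
        raise ValueError("PIN must be exactly four digits")
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    ordered = sorted(digits)
    sorted_steps = {b - a for a, b in zip(ordered, ordered[1:])}

    reasons = []
    if len(set(pin)) == 1:
        reasons.append("repeated_digit")        # 0000, 1111, 2222, 4444
    if pin[:2] == pin[2:]:
        reasons.append("repeated_pair")         # 1212
    if steps in ({1}, {-1}):
        reasons.append("sequence")              # 1234, 4321
    elif sorted_steps == {1}:
        reasons.append("sequence_permutation")  # 1342 (digits of 1234 rearranged)
    if _valid_date(pin[:2], pin[2:]) or _valid_date(pin[2:], pin[:2]):
        reasons.append("date")                  # 2512 as DDMM, 0229 as MMDD
    if 1900 <= int(pin) <= date.today().year:
        reasons.append("year")                  # 1986, 2004
    if pin in KEYPAD_LINES:
        reasons.append("keypad_line")           # 2580
    if pin in ARTICLE_TOP_CODES:
        reasons.append("listed_common")
    return reasons


def is_weak(pin: str) -> bool:
    """Policy decision: reject a PIN that matches any pattern family."""
    return bool(classify(pin))


def coverage() -> float:
    """Fraction of all 10,000 PINs the rules flag, i.e. how far the rules shrink the guess space."""
    flagged = sum(1 for n in range(10_000) if is_weak(f"{n:04d}"))
    return flagged / 10_000


if __name__ == "__main__":
    for candidate in ("1234", "2580", "2902", "1986", "1342", "3719"):
        print(candidate, classify(candidate) or "no weak pattern found")
    print(f"rules flag {coverage():.1%} of the PIN space")
```

Each PIN is reported with every family it matches rather than a single verdict, which is what a self-service "change your PIN" screen needs in order to explain a rejection. A policy that rejects everything the rules flag still leaves the large majority of the 10,000 codes available, so the check costs users little while removing exactly the cells an attacker with five attempts would try first.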

Earlier this year, journalists who attended a briefing at the UK's National Cyber Security Centre received the temporary access code 1234. The institution explained that this combination was valid for only a few hours, but the story leaves an obvious conclusion: if you use a questionable PIN, it is never too late to change it.

As a reminder, the analysis of more than 29 million PINs from leaked databases revealed a dangerous pattern: every tenth user chooses the same four-digit combination, which makes it far easier for attackers to gain access to a smartphone, SIM card, or personal data.

We also reported that a new Chrome feature was announced at the Google I/O conference: automatic replacement of weak or compromised passwords. If the browser detects an insecure password when you sign in to a website, its built-in password manager will offer to generate a new, strong one and update it on supported sites.