At a time when password breaches like the one at LinkedIn are once more making the news, there's plenty of good advice around about how to select a strong password, as opposed to the sort of stereotyped easy-to-remember-but-stupendously-easy-to-guess password that turns up again and again in dumped lists of hacked passwords. So if your favourite, much-used password (or something very like it) is in the following list, it might be a good idea to stop reading this now, go to the link on how to select a strong password, and use it as a basis for changing all your passwords to something safer (then come back and think about the PINs you use). The list is abstracted from one compiled by Mark Burnett, representing the most-used passwords in a data set of around 6 million:

  1. password
  2. 123456
  3. 12345678
  4. 1234
  5. qwerty
  6. 12345
  7. dragon
  8. pussy
  9. baseball
  10. football
  11. letmein
  12. monkey
  13. 696969
  14. abc123
  15. mustang
  16. michael
  17. shadow
  18. master
  19. jennifer
  20. 111111
  21. 2000
  22. jordan
  23. superman
  24. harley
  25. 1234567

I've included the top 25 because it amused me to see my own name at number 24. I suspect, though, that has more to do with motorcycles than my own superstar status. ;-)

However, it's worth remembering that even the humble all-digit PIN (Personal Identification Number) raises the same problem: choosing a string of digits that isn't too easy to guess. Think about the number of times you might use a short PIN (four or even three digits) in your daily life:

  • ATM/Cashpoint keypad
  • Chip & PIN scanner
  • Digital locks with keypads
  • Handheld authentication devices like an RSA or Digipass token, or a software token on a mobile device; authentication on laptops, netbooks, tablets and smartphones

In some contexts, a thief would get very little chance to try guessing your PIN: for instance, some ATMs will actually decline to return your card after three incorrect PIN entries. In other contexts, however, the thief gets a lot more chances: a stolen phone or hardware token with no lockout, or a keypad lock that nobody is watching, can be tried until the guess succeeds. I originally discussed a data set of common PINs compiled by Daniel Amitay in a Virus Bulletin article called Hearing a PIN drop, published last year. And at this year's EICAR conference I presented a paper on the strategies people use to choose and memorize PINs: PIN Holes: Passcode Selection Strategies, especially four-digit PINs. The Amitay data set is quite a lot smaller (204,508 PINs), but still large enough to give us a reasonable idea of the most commonly-used PINs, and to speculate about the ways in which they were chosen. Here's the top 25 from those data:

  1. 1234
  2. 0000
  3. 2580
  4. 1111
  5. 5555
  6. 5683
  7. 0852
  8. 2222
  9. 1212
  10. 1998
  11. 6969
  12. 1379
  13. 1997
  14. 2468
  15. 9999
  16. 7777
  17. 1996
  18. 2011
  19. 3333
  20. 1999
  21. 8888
  22. 1995
  23. 2525
  24. 1590
  25. 1235

You can probably make an educated guess already at the strategies behind many of these choices of PIN (repeated digits, straight lines and corners on a phone keypad, years, and words spelled out on the keypad letters), and the paper makes some explicit suggestions. (I'll be coming back to that topic in an upcoming blog series.) But you might in any case want to check the list simply to see if your favourite PIN is in there. If it is, change it: it turns out that the top ten choices accounted for 15% of Amitay's sample set. There are only 10,000 possible four-digit PINs, so if they were chosen at random a thief with ten guesses would succeed one time in a thousand; against real choices, ten guesses at a stolen card or device succeed roughly one time in seven.
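The selection strategies visible in the list above can be turned into a denylist check applied before a PIN is accepted. The following is an added example written for this post, not code from the author or from the EICAR paper: it flags repeated digits and pairs, arithmetic sequences, walks and corner patterns on a phone keypad, years, and words spelled with the keypad letters. The keypad geometry, the year range (1940 to 2030) and the six-word dictionary are assumptions made for the example, and the only PIN data it uses is the top 25 quoted above.

```python
"""Heuristic weak-PIN checker for four-digit PINs (added example).

Flags the selection strategies visible in the Amitay top 25: repeated
digits, repeated pairs, arithmetic sequences, phone-keypad walks and
corner patterns, years, and words spelled on the keypad letters.
"""
from itertools import product

# Assumed phone keypad geometry: digit -> (row, column); the 0 key sits below 8.
KEYPAD = {
    "1": (0, 0), "2": (0, 1), "3": (0, 2),
    "4": (1, 0), "5": (1, 1), "6": (1, 2),
    "7": (2, 0), "8": (2, 1), "9": (2, 2),
    "0": (3, 1),
}

# Letter groups printed on phone keys (this is how "love" becomes 5683).
KEY_LETTERS = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
               "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_DIGIT = {c: d for d, letters in KEY_LETTERS.items() for c in letters}

# Constructed word list for the example; a deployment would use a real
# dictionary of four-letter words.
WORDS = ["love", "hate", "cool", "pass", "dead", "jedi"]
WORD_PINS = {"".join(LETTER_TO_DIGIT[c] for c in w): w for w in WORDS}

# Assumed range of "a year": plausible birth years and recent dates.
YEAR_RANGE = range(1940, 2031)


def _adjacent(a, b):
    """True if keys a and b are distinct and touch on the keypad (king move)."""
    (r1, c1), (r2, c2) = KEYPAD[a], KEYPAD[b]
    return a != b and max(abs(r1 - r2), abs(c1 - c2)) == 1


def weak_pin_reasons(pin):
    """Return the list of weakness categories a four-digit PIN matches."""
    if len(pin) != 4 or not pin.isdigit():
        raise ValueError("expected a four-digit string")
    reasons = []
    digits = [int(d) for d in pin]
    steps = [b - a for a, b in zip(digits, digits[1:])]
    if len(set(pin)) == 1:
        reasons.append("repeated digit")          # 0000, 1111, 5555 ...
    elif pin[:2] == pin[2:]:
        reasons.append("repeated pair")           # 1212, 6969, 2525
    if steps[0] != 0 and len(set(steps)) == 1:
        reasons.append("arithmetic sequence")     # 1234, 2468
    if all(_adjacent(a, b) for a, b in zip(pin, pin[1:])):
        reasons.append("keypad walk")             # 2580, 0852, 1590, 1235
    if set(pin) == set("1379"):
        reasons.append("keypad corners")          # 1379
    if int(pin) in YEAR_RANGE:
        reasons.append("year")                    # 1995 ... 2011
    if pin in WORD_PINS:
        reasons.append("keypad word " + WORD_PINS[pin])  # 5683 = LOVE
    return reasons


def is_weak(pin):
    return bool(weak_pin_reasons(pin))


def fraction_flagged(pins):
    """Share of a list of PINs that the checker would reject."""
    return sum(is_weak(p) for p in pins) / len(pins)


def denylist_size():
    """How many of the 10,000 possible four-digit PINs the heuristics reject."""
    return sum(is_weak("".join(p)) for p in product("0123456789", repeat=4))


# The Amitay top 25 as quoted in the post.
AMITAY_TOP25 = ["1234", "0000", "2580", "1111", "5555", "5683", "0852", "2222",
                "1212", "1998", "6969", "1379", "1997", "2468", "9999", "7777",
                "1996", "2011", "3333", "1999", "8888", "1995", "2525", "1590", "1235"]

if __name__ == "__main__":
    for p in AMITAY_TOP25:
        print(p, ", ".join(weak_pin_reasons(p)) or "no pattern matched")
    print(f"top 25 flagged: {fraction_flagged(AMITAY_TOP25):.0%}")
    print(f"heuristics reject {denylist_size()} of 10000 PINs")
```

Every one of the 25 PINs above trips at least one rule, which is the point: the patterns are few and cheap to enumerate, so a thief's first guesses will follow them too. Run `denylist_size()` before deploying a check like this, because the keypad-walk rule in particular rejects a noticeable slice of the 10,000-PIN space and that trade-off should be a deliberate one.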

David Harley CITP FBCS CISSP
ESET Senior Research Fellow