Passwords and PINs: the worst choices

At a time when password breaches like the one at LinkedIn are once more making the news, there's plenty of good advice around about how to select a strong password as opposed to the sort of stereotyped easy-to-remember-but-stupendously-easy-to-guess password that turns up again and again in dumped lists of hacked passwords. So if your favourite, much-used password (or something very like it) is in the following list, it might be a good idea to stop reading this now, go to the link on how to select a strong password and use it as a basis for changing all your passwords to something safer (then come back and think about the PINs you use). The list is abstracted from one compiled by Mark Burnett, representing the most-used passwords in a data set of around 6 million:

  1. password
  2. 123456
  3. 12345678
  4. 1234
  5. qwerty
  6. 12345
  7. dragon
  8. pussy
  9. baseball
  10. football
  11. letmein
  12. monkey
  13. 696969
  14. abc123
  15. mustang
  16. michael
  17. shadow
  18. master
  19. jennifer
  20. 111111
  21. 2000
  22. jordan
  23. superman
  24. harley
  25. 1234567

I've included the top 25 because it amused me to see my own name at number 24. I suspect, though, that has more to do with motorcycles than my own superstar status. ;-)

However, it's worth remembering that even the humble all-digit PIN (Personal Identification Number) has its issues with selecting a string of digits that isn't too easy to guess, Think about the number of times you might use a short PIN (four or even three digits) in your daily life:

  •  ATM/Cashpoint keypad
  • Chip & PIN Scanner
  • Digital locks with keypads
  • Handheld authentication devices like an RSA or Digipass token, or a software implementation on a mobile device: authentication via laptops, netbooks tablets and smartphones

 In some contexts, a thief would get very little chance to try guessing your PIN: for instance, some ATMs will actually decline to return your card after three incorrect PIN entries. In other contexts, however, the thief gets a lot more chances. I originally discussed a data set of common PINs compiled by Daniel Amitay in a Virus Bulletin article called Hearing a PIN drop, published last year. And at this year's EICAR conference I presented a paper on the strategies people use to choose and memorize PINs: PIN Holes: Passcode Selection Strategies, especially four-digit PINs. The Amitay data set is quite a lot smaller (204,508), but still large enough to give us a reasonable idea of the most commonly-used PINs, and to speculate about the ways in which they were chosen. Here's the top 25 from those data:

  1. 1234
  2. 0000
  3. 2580
  4. 1111
  5. 5555
  6. 5683
  7. 0852
  8. 2222
  9. 1212
  10. 1998
  11. 6969
  12. 1379
  13. 1997
  14. 2468
  15. 9999
  16. 7777
  17. 1996
  18. 2011
  19. 3333
  20. 1999
  21. 8888
  22. 1995
  23. 2525
  24. 1590
  25. 1235

 You can probably make an educated guess already at the strategies behind many of these choices of PIN, and the paper makes some explicit suggestions. (I'll be coming back to that topic in an upcoming blog series.) But you might in any case want to check the list simply to see if your favourite PIN is in there. If it is, change it:  it turns out that the top ten choices accounted for 15% of Amitay’s sample set, which means that if a thief has ten opportunities to guess the PIN for a stolen card or device, he has a pretty good chance of getting it right.

ESET Senior Research Fellow

Author David Harley, ESET

  • Stephen

    Number 25 caught my eye. For I have a few friends that think using mathmatical gimmicks, such as Fibonachi numbers. These “clever” password generators are not always so clever. I use certain physics formulas, however, the numbers representing the solving of the formula have their own system. One site it might be the square root of the combbined value of the diagnal size of my 2 monitors, then, maybe the grade in school during which I first gained interest in the subject of the site. I use 5 main formulas and a memorized system for filling in the formulas entries. Then that number is run through some of the top cyphers ever used. Then I have a password which will not be guessed. Sometimes I use just certain cyphers based on some information from the site.

    I promise, once you take passwords & PINs seriously you can find a system for you. It need not be as complex as some of my methods, but, taking it all as serious as it is, you can avoid a lot of worry or loss.

    Finally, despite the urge to reuse passwords seems to make sense, do your best to avoid the temptation to do so. Soon, much worry which is present or should exist about this issue will not keep you worried at every news story about passwords. Lastly, stay informed.

    • David Harley

      Thanks, Stephen.

      Actually, I looked briefly at the Fibonacci sequence in the PIN paper. 4-digit Fibonacci numbers generally score quite low in the Amitay data, but: if they’re used untransformed, the available quantity of numbers is pretty low for passcodes of four digits or less: if someone has reason to think that an individual is likely to use a Fibonacci strategy, an untransformed number could be surprisingly unsafe. A transformative strategy of the type you suggest is likely to be much more effective. As long as the output doesn’t coincide with a number that might be very commonly chosen for other reasons, of course.

      • Alicia Webley

        i like to spell a word or a name by using the letters on a phone keypad.
        its simple. and numbers for words like 4 for and b be 2 to or too c see and make up a phrase i would remember.

        • Well,that;s pretty much what the letters are there for. However, if the word or phrase is a common one (LOVE for 5683 is a common, simple example) it increases the risk that it’s one of the passphrases an attacker will try.

  • ForeverSPb

    my favorite stratagy is to use parts of phone numbers as pins. all I have to do is to memorize who's number I used for what site.

  • Synfluent

    What scares me most is: how you know this?

  • Reed Crawford

    I write all my passwords down so that they can be remembered easily. But in a different way. For example:
    If I used my name as a password (never use your name)
    Reed     – is four letters long. the letter R = 18 E = 5 and D = 4. My system sees this as 18104 because each extra letter gets multiplied (5×2 for 2 comes from the E's). Then 18104 is multiplied by 4 from the original word length to get 72416. This is then appended as a suffix to the word and thus generates the complete password. This isn't a complete example however. Other rules apply for my own personal use. And if someone were to use this method, I recommend incorporating other transformations to make it as unique to you as possible. 

    As far as PINs go, ATM's only use a four digit PIN. Thus there are only 10,000 possible combinations of numbers that could be correct. Most theives will not get this many attempts to guess, but under the right circumstances or with the right tools, it could be guessed using such a straight forward approach as guessing 0000 – 9999. Being that they are four digits long for the reason of simplicity and therefore easy to memorize it seems like it would be better if a person had to use their social security number in conjuction with a pin. Unless you had your social caught in a fishing scam or some other highly compromising scheme, it would be almost impossible to guess a 13 digit random number that only you should know.

  • Garry

    How 'bout a thumb scanner or eyeball scanner?

    • David Harley

      Garry, 15 years ago I was talking about password strategies, and people were telling me that biometrics had rendered them obsolete. Well, biometric devices are much more in use now, often as a component of multi-factor authentication, but passwords and passcodes haven’t disappeared. And much of the reason for that is economic. A poor technology (by itself, at any rate), but cheap to implement.

  • David Harley
  • michael smith

    My password strategy is this;
    My late wife was from another country so I use words from her native language as my passwords. I am not fluent by any means in her native tongue but I know enough to be able to use words that even if the word itself is hacked the spelling of that word is not what an English speaking person would normally be able to discerne

  • David Harley

    @Michael, while your strategy may work against someone sitting there trying to guess your password and entering it manually, it won't necessarily work against an automated attack: dictionary attacks don't only run through English words. They also use dictionaries from other languages and common transforms such as words where numbers are substituted for letters. If your wife's native language was something really unusual rather than (say) Spanish, that may be less relevant, though.

  • Henry

    I use a string of two or more words (and sometimes numbers) from my profession, and write down a coded version of them in my wallet, etc. The codes I use sometimes look like common terms or company names, so I would guess that makes them even stronger. If a password gets old, I abandon it, and reach even farther into my profession for new compound passwords.

    • David Harley

      @Henry, I agree that passphrases can be better than passwords, depending on how well-known they are and what additional transformative strategies are used. That applies not only as regards storing a hardcopy version of the passphrase, but also as regards the exact form and format of the passphrase itself.

  • Pallab

    My security strategy is simple: Let Lastpass generate a password for me.

    • David Harley

      @Pallab, I’m not familiar enough with Lastpass to recommend it personally, but password management/generation software in general is certainly an option that may help some people. Obviously, some are better and safer than others.

  • Michael

    I think the most worrying thing about this list in the damning indictment it represents of how the vast majority of men are such simpletons. Pussy, baseball and football being topped only by dragons (assumingly because everyone is watching Game of Thrones). There really is no hope for us as a species…

  • Jen

    Thanks, I will now try these to hack into my husbands computer

  • Avinash Sawant

    @David Harley, I agree with you on this. Passphrases combined with special characters / Uppercase, Lowercase characters / numbers makes a good string which makes it tough to crack! Also newer options like an OTP (One Time Password) and hard tokens which are used as a second layer of security makes good sense!

  • teenygozer

    My husband and I like to use a combination of character names from old, obscure shows we used to watch as kids… sadly, every time they reboot one of our fav old shows and launch it into pop culture popularity, we have to change all our passwords.

  • Thank god my password do not belong to them.

  • Jocelyn Baker

    They need to add 8675309 to the common list.

    • Ah, the Jenny number. That still is quite a high scorer according to some lists..

Follow us

Copyright © 2017 ESET, All Rights Reserved.