At a time when password breaches like the one at LinkedIn are once more making the news, there's plenty of good advice around about how to select a strong password as opposed to the sort of stereotyped easy-to-remember-but-stupendously-easy-to-guess password that turns up again and again in dumped lists of hacked passwords. So if your favourite, much-used password (or something very like it) is in the following list, it might be a good idea to stop reading this now, go to the link on how to select a strong password and use it as a basis for changing all your passwords to something safer (then come back and think about the PINs you use). The list is abstracted from one compiled by Mark Burnett, representing the most-used passwords in a data set of around 6 million:
- password
- 123456
- 12345678
- 1234
- qwerty
- 12345
- dragon
- pussy
- baseball
- football
- letmein
- monkey
- 696969
- abc123
- mustang
- michael
- shadow
- master
- jennifer
- 111111
- 2000
- jordan
- superman
- harley
- 1234567
I've included the top 25 because it amused me to see my own name at number 24. I suspect, though, that has more to do with motorcycles than my own superstar status. ;-)
However, it's worth remembering that even the humble all-digit PIN (Personal Identification Number) has its own issues: choosing a string of digits that isn't too easy to guess is harder than it looks. Think about the number of times you might use a short PIN (four or even three digits) in your daily life:
- ATM/Cashpoint keypad
- Chip & PIN Scanner
- Digital locks with keypads
- Handheld authentication devices like an RSA or Digipass token, or a software implementation on a mobile device: authentication via laptops, netbooks, tablets and smartphones
In some contexts, a thief would get very little chance to try guessing your PIN: for instance, some ATMs will actually decline to return your card after three incorrect PIN entries. In other contexts, however, the thief gets a lot more chances. I originally discussed a data set of common PINs compiled by Daniel Amitay in a Virus Bulletin article called Hearing a PIN drop, published last year. And at this year's EICAR conference I presented a paper on the strategies people use to choose and memorize PINs: PIN Holes: Passcode Selection Strategies, especially four-digit PINs. The Amitay data set is quite a lot smaller (204,508), but still large enough to give us a reasonable idea of the most commonly-used PINs, and to speculate about the ways in which they were chosen. Here's the top 25 from those data:
- 1234
- 0000
- 2580
- 1111
- 5555
- 5683
- 0852
- 2222
- 1212
- 1998
- 6969
- 1379
- 1997
- 2468
- 9999
- 7777
- 1996
- 2011
- 3333
- 1999
- 8888
- 1995
- 2525
- 1590
- 1235
You can probably make an educated guess already at the strategies behind many of these choices of PIN, and the paper makes some explicit suggestions. (I'll be coming back to that topic in an upcoming blog series.) But you might in any case want to check the list simply to see if your favourite PIN is in there. If it is, change it: it turns out that the top ten choices accounted for 15% of Amitay’s sample set, which means that if a thief has ten opportunities to guess the PIN for a stolen card or device, he has a pretty good chance of getting it right.
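As an added illustration (my own example, not code from the original post, the paper or Amitay's data set), here is a small defender-side checker that rejects any PIN on the top-25 list above and also flags the selection strategies that the list hints at. The pattern rules (single repeated digit, arithmetic sequences, a repeated digit pair, four-digit years, straight keypad columns) and the year range are assumptions I have made to illustrate the idea, not findings from the page.

```python
"""Defender-side four-digit PIN checker.

Flags PINs that appear in the top-25 list quoted on the page, or that follow
one of several obvious selection strategies. The strategy heuristics and the
keypad layout are this example's own assumptions, not results from the page.
"""
import re
from typing import List

# The top-25 PINs from the page (Amitay's data set), most common first.
COMMON_PINS = [
    "1234", "0000", "2580", "1111", "5555", "5683", "0852", "2222", "1212", "1998",
    "6969", "1379", "1997", "2468", "9999", "7777", "1996", "2011", "3333", "1999",
    "8888", "1995", "2525", "1590", "1235",
]

# Columns of a standard telephone/ATM keypad (assumed layout, with 0 below 8).
KEYPAD_COLS = ["1470", "2580", "3690"]

# Assumed range of birth/anniversary years people are likely to pick.
YEAR_MIN, YEAR_MAX = 1940, 2030


def weaknesses(pin: str) -> List[str]:
    """Return the reasons a PIN is weak; an empty list means none detected."""
    if not re.fullmatch(r"\d{4}", pin):
        return ["not a four-digit PIN"]

    reasons = []
    if pin in COMMON_PINS:
        reasons.append(f"top-25 common PIN (rank {COMMON_PINS.index(pin) + 1})")

    if len(set(pin)) == 1:
        reasons.append("single repeated digit (e.g. 0000, 7777)")

    # Constant step between consecutive digits: 1234, 2468, 9876, ...
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if len(steps) == 1 and steps != {0}:
        reasons.append("arithmetic sequence (e.g. 1234, 2468, 9876)")

    if pin[:2] == pin[2:]:
        reasons.append("two-digit pair repeated (e.g. 1212, 2525)")

    if YEAR_MIN <= int(pin) <= YEAR_MAX:
        reasons.append("looks like a year")

    for col in KEYPAD_COLS:
        if pin in (col, col[::-1]):
            reasons.append("straight line down or up a keypad column (e.g. 2580, 0852)")

    return reasons


def is_acceptable(pin: str) -> bool:
    """True when the checker finds nothing to object to."""
    return weaknesses(pin) == []


if __name__ == "__main__":
    # Constructed candidates: three from the page's list, one that passes.
    for candidate in ["1234", "0852", "1998", "7391"]:
        verdict = weaknesses(candidate) or ["no obvious pattern"]
        print(f"{candidate}: {'; '.join(verdict)}")
```

The denylist catches the page's list directly; the pattern rules are there because a thief who has exhausted the obvious candidates will try the next member of the same family (the next year, the next sequence), so a policy that only blocks the exact top-25 leaves those close relatives untouched.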
David Harley CITP FBCS CISSP
ESET Senior Research Fellow