Most common PIN codes (2012) (opens in new tab)

(datagenetics.com)

127 pointsdhotson1y ago88 comments

88 comments

Previous discussion:

Most to least common 4-digit PIN numbers from an analysis of 3.4M - https://news.ycombinator.com/item?id=40306374 - (56 points, 18 comments, 5 days ago)

dang1y ago

Thanks! Macroexpanded:

Most to least common 4-digit PIN numbers from an analysis of 3.4M - https://news.ycombinator.com/item?id=40306374 - May 2024 (19 comments)

Statistical Analysis of PIN Numbers (2012) - https://news.ycombinator.com/item?id=11365962 - March 2016 (1 comment)

The 20 most common PIN numbers - https://news.ycombinator.com/item?id=11230045 - March 2016 (1 comment)

PIN analysis (2012) - https://news.ycombinator.com/item?id=11228319 - March 2016 (1 comment)

Analysis of bank PIN numbers - https://news.ycombinator.com/item?id=4535417 - Sept 2012 (111 comments)

(https://news.ycombinator.com/item?id=40306374 didn't get any frontpage time so we won't treat current post as a dupe)

BLKNSLVR1y ago

Funny/stupid anecdote: a bunch of my kids' friends have the same phone unlock PIN as me because I set my son's new phone PIN the same as mine so he would also be able to unlock my phone if necessary.

When his friends started getting phones as well, they copied his. This has migrated through some of the friends' siblings as well.

xen2xen11y ago

One of my kids friends uses the same pin as I had when he was a kid. I would give him and my kid my debit card and they would go get pizza if they cleaned my office.

Osiris1y ago

Quick, we should all use the least common pin numbers.

I switched my passwords to correct-horse-battery-staple and now I'm super secure.

LastMuel1y ago

I'm using correct-horce-battery-staple to fool those pesky kids with dictionaries.

rufus_foreman1y ago

l337 converter gives: c0rr3c7-h0r53-b4773ry-574pl3.

1 more reply

qingcharles1y ago

I changed mine to Hunter2. LOL at least it HN strips out your password when you type it in a comment.

ChrisArchitect1y ago

[dupe]

Discussion: https://news.ycombinator.com/item?id=40306374

Some previous discussions on the 2012 source of the data (http://www.datagenetics.com/blog/september32012/index.html)

2018 https://news.ycombinator.com/item?id=17670173

2013 https://news.ycombinator.com/item?id=5124024

2012 https://news.ycombinator.com/item?id=4535417

esafak1y ago

1234!? That's the stupidest combination I've ever heard in my life! That's the kind of thing an idiot would have on his luggage!

ashleyn1y ago

1-2-3-4, that's amazing, I have the same combination on my luggage!

hi-v-rocknroll1y ago

(sigh) 1-2-3-4-5? That's the stupidest combination I've ever heard of in my life! That's the kinda thing an idiot would have on his luggage!

1 more reply

o11c1y ago

For serious though - one reason such utterly trivial codes are common are because the "lock" is just use as a fancy way of preventing the zipper from coming undone.

Likewise, on the internet, a lot of things prompt for passwords that really don't need them. People create throwaway accounts and use them as if they were temporary anonymous sessions.

Brajeshwar1y ago

Trust me, for the luggage this is a brilliant combination. Or something like 0000. Unless I work for a 3-letter institute, I leave all luggage to their default or the usual. If someone steals a luggage, that PIN is least of the problem but everyone else in the household will if you forgot your super-smart PIN.

Edit: The joke hit me a tad late. ;-)

eks3911y ago

I have a pin lock on a shared device, that friends use occassionally. Of the three friends I have given guest access to, all three asked for their pin to be 1234, to which I said no. One had the audacity to follow up with 123456

hi_hi1y ago

Thank you so much. This is the comment I was hoping for in this thread.

eqvinox1y ago

I moved to Switzerland, and, well, PIN codes for credit cards are 6 digits here by default.

And now I'm asking myself why noone else does this. I don't see hordes of Swiss people complaining about being unable to remember a 6-digit PIN at least.

toast01y ago

One of my credit unions gives out (randomized) five digit pins (although they say if you use an atm that only accepts four digit pins, the first four is enough). My other credit union only does four digits.

I think remembering one 6-digit PIN would be fine, but in the US, it's common to have many banking relationships. If I needed a pin for every credit card, I'd have to write them on the cards or set them all the same.

eqvinox1y ago

Not sure how this is handled in Switzerland, and I don't have good data on this, but I'd say a lot of people in Europe have at least a debit and a credit card with a PIN each.

Also nothing says you can't use the same PIN for multiple cards; they're essentially the same security domain anyway ("a piece of plastic in your wallet") — most people don't have "more" and "less" trustworthy cards…

2 more replies

andy991y ago

Is there any difference it materially changes security? Where would the extra two digits come into play?

shultays1y ago

Because (I imagine) you can't really brute force it. If you only have 3 or something tries, it doesn't really make that much of a difference.

And the person that stole your card would just try 123456 instead of 1234 etc and roughly would have a similar chance of success

eqvinox1y ago

Valid point.

That said, guessing the PIN isn't the only attack; longer PINs also means that you have to "spy" more digits, which can be significant if the "spying" method is not 100% reliable.

But yeah. I guess it doesn't matter as long as you have a lockout mechanism.

nytesky1y ago

You’ll need to be sure that all the places your cards will go accept the 6 digit pin. Granted this was 20 years ago, but we were in Europe and couldn’t use my wife’s ATM card because she had a 6 digit PIN and all the ATMs were encountered only allowed 4 digits.

Sounds like it may be the reverse with Europe going the 6 digit route, but I think 4 digits is still pretty universal — I think most interfaces provide a enter key to terminate the PIN?

skipkey1y ago

The very first ATM card I ever got, in the mid 80s in Texas, had a 6 digit PIN. When I got to choose it, it let me put 4 to 6 digits so I chose 6. A few years later they sent me my first debit card with a note that it had the same PIN. It did not. It had been truncated to 4 digits. Which made me unhappy because clearly it was sitting in plaintext in a database somewhere.

2 more replies

dzhiurgis1y ago

Majority don’t use PIN anymore - just tap card/phone.

davidw1y ago

Just needs an 'enter your PIN code to see how common it is!'.

quibono1y ago

I love DataGenetics, lots of interesting puzzles like that on there. There's a very unique style to all the visualizations and the solutions/analyses are always clear.

Sadly, there was a post by the author in June 2019 about being diagnosed with Stage IV cancer [0]. There have been no posts since July 2022. I sincerely hope that's just because Nick doesn't have the time to blog anymore.

[0] https://datagenetics.com/blog/june12019/index.html

rswerve1y ago

It is sad. He died in 2022. https://x.com/datagenetics/status/1579260057904353280?s=46

noizejoy1y ago

Sadly no more blog posts from him in this universe:

https://www.theguardian.com/science/2022/oct/17/can-you-solv...

posix861y ago

61 pins are used by 1/3rd of all people. So statistically, if I steal 61 debit cards, assuming I have 3 tries, and assuming people choose their own pin, I should be able to get cash off one in expectation.

aidenn01y ago

18% of people use the top 3 pins, so you would need 6 cards to expect to get 1. 56 cards would give you an expectation of 10.

qingcharles1y ago

Try this and report back!

andy991y ago

Honestly that sounds sufficiently secure for what it is.

NeoTar1y ago

I think the situation for actual PIN codes may be slightly better than suggested; sometimes (in the UK at least) your bank will assign you an initial PIN and I expect many people won’t change it, and by using a dump of passwords, you’ve probably captured some people who have created throwaway accounts and chosen the easiest possible password.

qingcharles1y ago

I used be lead dev for a big streaming site with >2m users and, well, no judgment here please, but the passwords were plaintext in the database.

So me and another dev ran a SQL script to see what the most common were.

  #1 was trustno1
  #2 was password
  #3 was 1234

We had no password rules either, so IIRC you could have a 1-char password.

shmuppet1y ago

I always like Brian Kernighan's password "/.,/.," [1]. If you're going for a stupid password anyway might as well make is easy to type. "password" is not particularly nice to type; I wonder why "asdf" is not generally more popular.

[1] https://arstechnica.com/information-technology/2019/10/forum...

qingcharles1y ago

asdf and qwerty were up there in the top 10 I think. This was just prior to the days of SQL injection and I'm 100% sure you could have erased our entire production DB with a really "strong" password.

g4zj1y ago

Before reaching the bottom of the article, I was wondering about 19xx codes, given that I've heard many people using years, or month/day pairings for garage door codes and such.

I was glad to see those plotted out. I was also initially surprised that not a single 19xx pin made the top 20, but I suppose it makes sense considering that there are 100 different combinations of this code.

fsckboy1y ago

I think most people who think of using a date would use MMDDYY or some equivalent format they're used to.

GoblinSlayer1y ago

2000 is #7, 2001 is #19. Guess what they mean. Oh wait, it was in 2012.

PawgerZ1y ago

Probably their child's birth year

PlunderBunny1y ago

If this site did have a field where you could enter a pin to see how common it was, you could make a really targeted phishing attack by sending the link to someone whose pin you want to know, then looking at what they click on or enter ("I'll just see how good my pin is...")

mixmastamyk1y ago

This piece reminds me of the four-digit lockbox that holds the key to get out onto our roof. Great views up there.

I knew that mathematically it would be pretty easy to brute force, and figured I could belt out a thousand combos per day and probably get it done within the week or so. "Well, no time like the present," I thought, "...better get crackin'." ((of knuckles))

Changed the combo to 0000, pulled the handle, and... click! Opened on the first try. :-D

dyingkneepad1y ago

TIL brute-forcing from 0000 to 9999 is a decent strategy.

shultays1y ago

In (game) Rust, the players can use 4 digit keylocks to secure their bases and brute forcing is indeed a strategy. The lock zaps and eventually kills you but even with that, a determined player can eventually get in.

dools1y ago

Not that many futurama fans in those data breaches ...

djbusby1y ago

1077

quectophoton1y ago

> Anderson: "So. What do I owe you?"

> Fry: "10.77. Same as my PIN number."

So many silly scenes like this. I want to re-watch Futurama because last time I watched it was as a teenager, so I'm sure I missed many of subtle jokes.

withinboredom1y ago

Seeing my pin as one of the least common ... guess I need to change my pin because they're about to be some of the most common...

hi-v-rocknroll1y ago

Repeats, sequences, dates, and those ending in 7.

Use a CSTRNG and as long of a PIN as possible to prevent rampant spending. ;@)

gullywhumper1y ago

If this analysis is from 2012, I wonder if the results would look much different using data since then? Would any patterns have changed that much? Other than more birth years in 20--, my initial guess would be no.

jakub_g1y ago

Side note: DataGenetics has been my favorite blog in mid-2010s. Lots of great posts:

http://www.datagenetics.com/blog.html

linsomniac1y ago

Whenever I'm asked for a 4 digit PIN: `echo $[RANDOM%10000]`

aidenn01y ago

You should probably use SRANDOM; less bias from the modulo (32 bits instead of 15) and uses arc4random or /dev/urandom if available.

linsomniac1y ago

TIL, thanks!

devnullbrain1y ago

I'll remember to prioritise 0000 to 2767 for your PINs, then.

shmuppet1y ago

Just so you can see the bias to early numbers in the distribution:

    for i in $(seq 1000000); do
        echo $[RANDOM%10000]; 
    done | sort -n | uniq -c | sort -rn | gnuplot -e "set terminal dumb; set xtics 1000; plot '< cat' using 0:1 with boxes"

1 more reply

LouisSayers1y ago

My sister had a key lock box at home that she didn't know the code for.

I had a look on YouTube and sure enough there was an easy way to pick the lock.

The resulting code - 01234

1 more reply

mmh00001y ago

I like that '1701' is lite up brightly in there... Please excuse me while I go and change my PIN.

technothrasher1y ago

I was disappointed that my typical PIN for low security things like the snack storage closet at work, 2112, isn't there. I figured there would be more Rush fans than there are I guess.

r00dY1y ago

If we start picking the least popular pin codes they'll stop being the least popular. What a tragedy

sys_647381y ago

I've change my PIN codes to use the least used ones now. Nobody can guess them so I am very secure.

jagged-chisel1y ago

Glad to know my choice of code is relatively unused I guess

bdangubic1y ago

not a single least common pin contains all prime number which is interesting

mulmen1y ago

I think the venn diagram of “people who find primes interesting” and “people who understand password security” is pretty close to a circle.

gmiller1234561y ago

3,5,7 line up on the diagonal, leaving 2 as the only other prime. So people using physical patters are likely to choose them. Not to mention any mathematically inclined person may also choose all primes.

alexanderscott1y ago

that’s amazing! I’ve got the same combination on my luggage!

hi-v-rocknroll1y ago

And change the combination on my luggage!

arp2421y ago

Actual article: http://www.datagenetics.com/blog/september32012/index.html

Should be changed to this, rather than screenshot + link blogspam.

dang1y ago

Ok, we've changed the url from https://informationisbeautiful.net/visualizations/most-commo... to that. Thanks!

karaterobot1y ago

Looks like my PIN code, 4968, is pretty secure. I recommend using that one if you aren't already.

Cerium1y ago

What is your pin code? All I see is ****.

thr0waway0011y ago

6969

iNic1y ago

I think the least common PIN codes are fascinating. I'm surprised by the number of 7s in these. They looks like numbers you would end up with if you asked someone to think of a random 4 digit number.

List transcribed by ChatGPT: 8557, 8438, 9539, 7063, 6827, 0859, 6793, 0738, 6835, 8093, 9047, 0439, 8196, 6693, 7394, 9480, 8398, 7637, 9629, 8068.

eks3911y ago

During tax season (in US), for security, you may optionally create a 5 digit pin. I wanted mine to be unaffiliated with any existing pin I have, and chose a 'random' number and wrote it down. A year later I repeated this (and had long since forgotten the previous pin), went to go write it in the same place, and saw that both 'random' numbers had the same first four digits. I now use a computer to choose random numbers because I no longer trust myself to be random.

toast01y ago

I thought the self selected PIN for filing a return was required for online filing, and that it was just an indicator of intent, like a signature.

Does it serve a security function? Am I supposed to remember what it is?

I know the IRS does have an identity protection PIN process, but that's separate.

1 more reply

j / k navigate · click thread line to collapse

88 comments

SushiHippie1y ago

Previous discussion:

Most to least common 4-digit PIN numbers from an analysis of 3.4M - https://news.ycombinator.com/item?id=40306374 - (56 points, 18 comments, 5 days ago)

dang1y ago

Thanks! Macroexpanded:

Most to least common 4-digit PIN numbers from an analysis of 3.4M - https://news.ycombinator.com/item?id=40306374 - May 2024 (19 comments)

Statistical Analysis of PIN Numbers (2012) - https://news.ycombinator.com/item?id=11365962 - March 2016 (1 comment)

The 20 most common PIN numbers - https://news.ycombinator.com/item?id=11230045 - March 2016 (1 comment)

PIN analysis (2012) - https://news.ycombinator.com/item?id=11228319 - March 2016 (1 comment)

Analysis of bank PIN numbers - https://news.ycombinator.com/item?id=4535417 - Sept 2012 (111 comments)

(https://news.ycombinator.com/item?id=40306374 didn't get any frontpage time so we won't treat current post as a dupe)

BLKNSLVR1y ago

Funny/stupid anecdote: a bunch of my kids' friends have the same phone unlock PIN as me because I set my son's new phone PIN the same as mine so he would also be able to unlock my phone if necessary.

When his friends started getting phones as well, they copied his. This has migrated through some of the friends' siblings as well.

xen2xen11y ago

One of my kids friends uses the same pin as I had when he was a kid. I would give him and my kid my debit card and they would go get pizza if they cleaned my office.

Osiris1y ago

Quick, we should all use the least common pin numbers.

I switched my passwords to correct-horse-battery-staple and now I'm super secure.

LastMuel1y ago

I'm using correct-horce-battery-staple to fool those pesky kids with dictionaries.

rufus_foreman1y ago

l337 converter gives: c0rr3c7-h0r53-b4773ry-574pl3.

1 more reply

qingcharles1y ago

I changed mine to Hunter2. LOL at least it HN strips out your password when you type it in a comment.

ChrisArchitect1y ago

[dupe]

Discussion: https://news.ycombinator.com/item?id=40306374

Some previous discussions on the 2012 source of the data (http://www.datagenetics.com/blog/september32012/index.html)

2018 https://news.ycombinator.com/item?id=17670173

2013 https://news.ycombinator.com/item?id=5124024

2012 https://news.ycombinator.com/item?id=4535417

esafak1y ago

1234!? That's the stupidest combination I've ever heard in my life! That's the kind of thing an idiot would have on his luggage!

ashleyn1y ago

1-2-3-4, that's amazing, I have the same combination on my luggage!

hi-v-rocknroll1y ago

(sigh) 1-2-3-4-5? That's the stupidest combination I've ever heard of in my life! That's the kinda thing an idiot would have on his luggage!

1 more reply

o11c1y ago

For serious though - one reason such utterly trivial codes are common are because the "lock" is just use as a fancy way of preventing the zipper from coming undone.

Likewise, on the internet, a lot of things prompt for passwords that really don't need them. People create throwaway accounts and use them as if they were temporary anonymous sessions.

Brajeshwar1y ago

Edit: The joke hit me a tad late. ;-)

eks3911y ago

hi_hi1y ago

Thank you so much. This is the comment I was hoping for in this thread.

eqvinox1y ago

I moved to Switzerland, and, well, PIN codes for credit cards are 6 digits here by default.

And now I'm asking myself why noone else does this. I don't see hordes of Swiss people complaining about being unable to remember a 6-digit PIN at least.

toast01y ago

eqvinox1y ago

Not sure how this is handled in Switzerland, and I don't have good data on this, but I'd say a lot of people in Europe have at least a debit and a credit card with a PIN each.

2 more replies

andy991y ago

Is there any difference it materially changes security? Where would the extra two digits come into play?

shultays1y ago

Because (I imagine) you can't really brute force it. If you only have 3 or something tries, it doesn't really make that much of a difference.

And the person that stole your card would just try 123456 instead of 1234 etc and roughly would have a similar chance of success

eqvinox1y ago

Valid point.

That said, guessing the PIN isn't the only attack; longer PINs also means that you have to "spy" more digits, which can be significant if the "spying" method is not 100% reliable.

But yeah. I guess it doesn't matter as long as you have a lockout mechanism.

nytesky1y ago

Sounds like it may be the reverse with Europe going the 6 digit route, but I think 4 digits is still pretty universal — I think most interfaces provide a enter key to terminate the PIN?

skipkey1y ago

2 more replies

dzhiurgis1y ago

Majority don’t use PIN anymore - just tap card/phone.

davidw1y ago

Just needs an 'enter your PIN code to see how common it is!'.

quibono1y ago

I love DataGenetics, lots of interesting puzzles like that on there. There's a very unique style to all the visualizations and the solutions/analyses are always clear.

[0] https://datagenetics.com/blog/june12019/index.html

rswerve1y ago

It is sad. He died in 2022. https://x.com/datagenetics/status/1579260057904353280?s=46

noizejoy1y ago

Sadly no more blog posts from him in this universe:

https://www.theguardian.com/science/2022/oct/17/can-you-solv...

posix861y ago

aidenn01y ago

18% of people use the top 3 pins, so you would need 6 cards to expect to get 1. 56 cards would give you an expectation of 10.

qingcharles1y ago

Try this and report back!

andy991y ago

Honestly that sounds sufficiently secure for what it is.

NeoTar1y ago

qingcharles1y ago

I used be lead dev for a big streaming site with >2m users and, well, no judgment here please, but the passwords were plaintext in the database.

So me and another dev ran a SQL script to see what the most common were.

  #1 was trustno1
  #2 was password
  #3 was 1234

We had no password rules either, so IIRC you could have a 1-char password.

shmuppet1y ago

[1] https://arstechnica.com/information-technology/2019/10/forum...

qingcharles1y ago

asdf and qwerty were up there in the top 10 I think. This was just prior to the days of SQL injection and I'm 100% sure you could have erased our entire production DB with a really "strong" password.

g4zj1y ago

Before reaching the bottom of the article, I was wondering about 19xx codes, given that I've heard many people using years, or month/day pairings for garage door codes and such.

fsckboy1y ago

I think most people who think of using a date would use MMDDYY or some equivalent format they're used to.

GoblinSlayer1y ago

2000 is #7, 2001 is #19. Guess what they mean. Oh wait, it was in 2012.

PawgerZ1y ago

Probably their child's birth year

PlunderBunny1y ago

mixmastamyk1y ago

This piece reminds me of the four-digit lockbox that holds the key to get out onto our roof. Great views up there.

Changed the combo to 0000, pulled the handle, and... click! Opened on the first try. :-D

dyingkneepad1y ago

TIL brute-forcing from 0000 to 9999 is a decent strategy.

shultays1y ago

dools1y ago

Not that many futurama fans in those data breaches ...

djbusby1y ago

1077

quectophoton1y ago

> Anderson: "So. What do I owe you?"

> Fry: "10.77. Same as my PIN number."

So many silly scenes like this. I want to re-watch Futurama because last time I watched it was as a teenager, so I'm sure I missed many of subtle jokes.

withinboredom1y ago

Seeing my pin as one of the least common ... guess I need to change my pin because they're about to be some of the most common...

hi-v-rocknroll1y ago

Repeats, sequences, dates, and those ending in 7.

Use a CSTRNG and as long of a PIN as possible to prevent rampant spending. ;@)

gullywhumper1y ago

jakub_g1y ago

Side note: DataGenetics has been my favorite blog in mid-2010s. Lots of great posts:

http://www.datagenetics.com/blog.html

linsomniac1y ago

Whenever I'm asked for a 4 digit PIN: `echo $[RANDOM%10000]`

aidenn01y ago

You should probably use SRANDOM; less bias from the modulo (32 bits instead of 15) and uses arc4random or /dev/urandom if available.

linsomniac1y ago

TIL, thanks!

devnullbrain1y ago

I'll remember to prioritise 0000 to 2767 for your PINs, then.

shmuppet1y ago

Just so you can see the bias to early numbers in the distribution:

    for i in $(seq 1000000); do
        echo $[RANDOM%10000]; 
    done | sort -n | uniq -c | sort -rn | gnuplot -e "set terminal dumb; set xtics 1000; plot '< cat' using 0:1 with boxes"

1 more reply

LouisSayers1y ago

My sister had a key lock box at home that she didn't know the code for.

I had a look on YouTube and sure enough there was an easy way to pick the lock.

The resulting code - 01234

1 more reply

mmh00001y ago

I like that '1701' is lite up brightly in there... Please excuse me while I go and change my PIN.

technothrasher1y ago

I was disappointed that my typical PIN for low security things like the snack storage closet at work, 2112, isn't there. I figured there would be more Rush fans than there are I guess.

r00dY1y ago

If we start picking the least popular pin codes they'll stop being the least popular. What a tragedy

sys_647381y ago

I've change my PIN codes to use the least used ones now. Nobody can guess them so I am very secure.

jagged-chisel1y ago

Glad to know my choice of code is relatively unused I guess

bdangubic1y ago

not a single least common pin contains all prime number which is interesting

mulmen1y ago

I think the venn diagram of “people who find primes interesting” and “people who understand password security” is pretty close to a circle.

gmiller1234561y ago

alexanderscott1y ago

that’s amazing! I’ve got the same combination on my luggage!

hi-v-rocknroll1y ago

And change the combination on my luggage!

arp2421y ago

Actual article: http://www.datagenetics.com/blog/september32012/index.html

Should be changed to this, rather than screenshot + link blogspam.

dang1y ago

Ok, we've changed the url from https://informationisbeautiful.net/visualizations/most-commo... to that. Thanks!

karaterobot1y ago

Looks like my PIN code, 4968, is pretty secure. I recommend using that one if you aren't already.

Cerium1y ago

What is your pin code? All I see is ****.

thr0waway0011y ago

6969

iNic1y ago

I think the least common PIN codes are fascinating. I'm surprised by the number of 7s in these. They looks like numbers you would end up with if you asked someone to think of a random 4 digit number.

List transcribed by ChatGPT: 8557, 8438, 9539, 7063, 6827, 0859, 6793, 0738, 6835, 8093, 9047, 0439, 8196, 6693, 7394, 9480, 8398, 7637, 9629, 8068.

eks3911y ago

toast01y ago

I thought the self selected PIN for filing a return was required for online filing, and that it was just an indicator of intent, like a signature.

Does it serve a security function? Am I supposed to remember what it is?

I know the IRS does have an identity protection PIN process, but that's separate.

1 more reply

j / k navigate · click thread line to collapse