Security Researchers Take a Deeper Look at PIN Security

Written by Bill Toulas
Last updated March 12, 2020

If you have found an iPhone and want to try your luck at unlocking it, you get ten attempts to guess the PIN before the device is locked down for good. On Android the number of tries is much larger, which makes guessing the owner's code somewhat easier provided there is enough time to enter PINs: once the delays imposed after consecutive failed attempts are accounted for, testing 100 number combinations takes roughly eleven hours on average.

While it sounds impossible to guess one out of thousands, or even a million, possible four- or six-digit PINs, it may be easier than we would like, as researchers from the Horst Görtz Institute for IT Security at Ruhr-Universität Bochum, the George Washington University, and the Max Planck Institute for Security and Privacy have found. As they report, an attacker who sticks to the most popular four-digit PINs only has to pick at random from 274 combinations. Within the ten attempts an iPhone allows, that would unlock roughly four poorly protected devices for every 96 that end up irreversibly locked.

According to the study, the most popular four-digit PINs are the following:

As for the ten most popular six-digit PINs, these would be:

Six-digit PINs are generally considered safer than pattern locks, which are in turn safer than four-digit PINs, though in practice the extra digits only help if users do not fall back on the same predictable choices. The safest option of all is a proper password: an alphanumeric password of reasonable length cannot be guessed by a human within the handful of attempts a locked device allows.

From a mathematical standpoint, four-digit PINs allow 10,000 different combinations, while six-digit PINs allow exactly one million. By choosing "easily guessable" PINs like the ones in the lists above, users shrink that wide range to a small fraction of the possible combinations. This is a human-induced problem, not a vulnerability in the PIN mechanism itself, so it is a matter of (mal)practice. We recently saw vehicle manufacturers do something similar with car immobilizers, rendering an otherwise secure system easy to defeat for the sake of convenience.
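The arithmetic behind the "four out of 100" figure and the 10,000-versus-one-million comparison is simple enough to work through. The following Python is an added example for this article, not code from the researchers or from the study; it assumes that an attacker drawing from a popular-PIN list picks each entry with equal probability, and the `coverage` parameter (the share of devices whose PIN really is on that list) is a modelling knob the article does not quantify, so it defaults to 1.

```python
from math import ceil, log2

# Figures taken from the article: the two PIN spaces, the iPhone attempt
# limit, and the size of the popular four-digit PIN list.
FOUR_DIGIT_SPACE = 10 ** 4
SIX_DIGIT_SPACE = 10 ** 6
IOS_ATTEMPT_LIMIT = 10
POPULAR_LIST_SIZE = 274


def guess_success_probability(candidates: int, attempts: int, coverage: float = 1.0) -> float:
    """Probability that `attempts` distinct random guesses drawn from a list of
    `candidates` PINs unlock a device.

    `coverage` is the fraction of devices whose PIN actually lies in the list
    (assumption: every PIN inside the list is equally likely to have been
    chosen). Guesses beyond the list size cannot help, hence the min()."""
    if candidates <= 0 or attempts < 0:
        raise ValueError("candidates must be positive and attempts non-negative")
    if not 0.0 <= coverage <= 1.0:
        raise ValueError("coverage is a fraction between 0 and 1")
    return coverage * min(attempts, candidates) / candidates


def expected_unlocks_per_100(candidates: int, attempts: int, coverage: float = 1.0) -> float:
    """The same quantity expressed the way the article does: devices unlocked per 100 tried."""
    return 100 * guess_success_probability(candidates, attempts, coverage)


def attempts_needed(candidates: int, target_probability: float) -> int:
    """Smallest number of distinct guesses from a `candidates`-sized list that
    reaches `target_probability` of success against PINs drawn from that list."""
    if not 0.0 < target_probability <= 1.0:
        raise ValueError("target_probability must be in (0, 1]")
    return ceil(target_probability * candidates)


def entropy_bits(space: int) -> float:
    """Uncertainty, in bits, an attacker faces when every PIN in `space` is equally likely."""
    return log2(space)


if __name__ == "__main__":
    print(f"4-digit space: {entropy_bits(FOUR_DIGIT_SPACE):.1f} bits, "
          f"6-digit space: {entropy_bits(SIX_DIGIT_SPACE):.1f} bits, "
          f"top-{POPULAR_LIST_SIZE} list: {entropy_bits(POPULAR_LIST_SIZE):.1f} bits")
    # Ten guesses against a truly random four-digit PIN versus ten guesses from the popular list
    print(f"random 4-digit PIN, {IOS_ATTEMPT_LIMIT} tries: "
          f"{expected_unlocks_per_100(FOUR_DIGIT_SPACE, IOS_ATTEMPT_LIMIT):.2f} per 100")
    print(f"popular-list PIN, {IOS_ATTEMPT_LIMIT} tries: "
          f"{expected_unlocks_per_100(POPULAR_LIST_SIZE, IOS_ATTEMPT_LIMIT):.2f} per 100")
    # What a larger try budget, such as Android's, would buy against the same list
    print(f"guesses for a 50% chance against the popular list: "
          f"{attempts_needed(POPULAR_LIST_SIZE, 0.5)}")
```

Ten guesses from a 274-entry list give 10/274, about 3.65 unlocks per 100 devices, which is the article's "approximately four"; the same ten guesses against a uniformly random four-digit PIN give 0.1 per 100, and against a random six-digit PIN one in 100,000. The list shrinks the attacker's uncertainty from about 13.3 bits to about 8.1, and with the larger attempt budget of a throttled Android device, 137 guesses already give a coin-flip chance against anyone whose PIN is on the list.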

If you use a PIN to secure your device, avoid personal or children's birth dates, the first or last digits of phone numbers, and digits taken from your home address. Anyone who knows any of those will try them first before resorting to random guessing.
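The advice above can be turned into a check that runs when a PIN is chosen. The Python below is an added example written for this article, not code from the researchers or from any phone vendor; it flags digit sequences, repeated blocks, date-shaped PINs, and PINs that occur inside personal data the user supplies (phone number, street address, birth dates), which is exactly the material an acquaintance would try first. The sample personal data and candidate PINs in the demo are constructed, and the list of patterns is a heuristic choice, not the study's ranking.

```python
import re
from datetime import date

# Reason strings returned by check_pin(); an empty list means nothing was flagged.
SEQUENCE = "ascending or descending digit sequence"
REPEATED = "repeated digit or repeated block"
DATE_LIKE = "looks like a date (MMDD, DDMM, a year, or a six-digit date)"
PERSONAL = "appears in supplied personal data (phone, address, birth date)"


def _is_sequence(pin: str) -> bool:
    """1234, 6543, ...: every step between neighbouring digits is +1 or -1."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return len(steps) == 1 and steps.pop() in (1, -1)


def _is_repeated(pin: str) -> bool:
    """0000, 1212, 123123: the PIN is one short block written several times."""
    for size in range(1, len(pin) // 2 + 1):
        if len(pin) % size == 0 and pin == pin[:size] * (len(pin) // size):
            return True
    return False


def _valid_month_day(mm: str, dd: str) -> bool:
    return 1 <= int(mm) <= 12 and 1 <= int(dd) <= 31


def _looks_like_date(pin: str) -> bool:
    if len(pin) == 4:
        # MMDD or DDMM, or a year someone alive today could have been born in
        return (_valid_month_day(pin[:2], pin[2:])
                or _valid_month_day(pin[2:], pin[:2])
                or 1900 <= int(pin) <= date.today().year)
    a, b, c = pin[:2], pin[2:4], pin[4:]
    # DDMMYY, MMDDYY or YYMMDD
    return _valid_month_day(a, b) or _valid_month_day(b, a) or _valid_month_day(b, c)


def check_pin(pin: str, personal_digits=()) -> list:
    """Return the list of reasons a candidate PIN is easy to guess.

    `personal_digits` holds strings an acquaintance might know (phone number,
    street address, birth dates). Non-digit characters are stripped and the PIN
    is flagged if it occurs anywhere inside one of them, which covers the start
    or end of a phone number as well as a house number or a date."""
    if not re.fullmatch(r"\d{4}|\d{6}", pin):
        raise ValueError("PIN must be exactly 4 or 6 digits")
    reasons = []
    if _is_sequence(pin):
        reasons.append(SEQUENCE)
    if _is_repeated(pin):
        reasons.append(REPEATED)
    if _looks_like_date(pin):
        reasons.append(DATE_LIKE)
    for item in personal_digits:
        digits = re.sub(r"\D", "", item)
        if digits and pin in digits:
            reasons.append(PERSONAL)
            break
    return reasons


if __name__ == "__main__":
    # Constructed personal data for the demonstration only.
    known = ["+1 (555) 201-8371", "742 Evergreen Terrace", "1985-03-14"]
    for candidate in ["1234", "0000", "1212", "0314", "8371", "906724", "123456"]:
        verdict = check_pin(candidate, known) or ["no obvious pattern"]
        print(f"{candidate}: {', '.join(verdict)}")
```

Two design points are worth noting. First, "8371" looks perfectly random on its own and passes every pattern check, but it is the tail of the sample phone number, so it is only caught because the user's own data is fed in; a checker that knows nothing about the user cannot catch that class at all. Second, the date rule alone rejects several hundred of the 10,000 four-digit PINs, so if false positives matter the thresholds (year range, which date orderings count) are the place to tune.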
