Choosing a secure PIN code
A PIN code is usually a four-digit number. That’s surprisingly insecure, considering the importance of the data it protects. A four-digit code and a plastic card is all that protects your money, for example. Another mere four numbers protect your phone’s SIM card. You don’t want either of them to fall into the wrong hands.
Four numbers don’t provide many options to secure your account, but you can still take some measures to make your PIN code harder to guess. PIN codes usually lock after three erroneous attempts. That doesn’t leave much room for a brute force attack (trying out one combination after another). This means your PIN has to be hard to guess and an uncommon combination.
Combinations you should never use as a PIN code
• Your date of birth. Your birthday is probably the first combination a potential attacker tries. It’s also the most common combination used as a PIN code. A hacker can most likely find anyone’s birthday in matter of minutes.
• Your birth year. That’s probably the second thing a potential attacker tries. You should also avoid the date/year you got married. It really shouldn’t be a date or year with any significance to you.
• Your child or spouse’s birthday or birth year. Using your family member’s info is almost as insecure as using your own. An attacker can easily find that information, or at least an acquaintance of yours can. You should never assume the attacker doesn’t know you.
• “0000”. 0000 is the default PIN code for almost all SIM cards and by far the most popular single-number combination. A PIN code should never be four matching numbers, and especially not 0000.
• 1234 and other sequential numbers. It’s very easy to understand if someone is typing in sequential numbers. Whoever is standing next to you can guess your PIN by observing just few of the numbers. It’s especially dangerous in stores with PIN terminals. The next person in line can see you typing your credit card’s PIN.
• Don’t reuse PIN codes. It might be easy to use the same PIN code for your credit card and mobile phone, but it puts both at risk. This will give someone who sees your phone’s PIN code access to your bank account.
• Any of the number combinations in the section “What are the most common PIN combinations”.
How to protect your PIN code
• Pick a combination with at least 3 different numbers.
• Never tell your PIN code to anyone. It sounds obvious, but sharing your PIN with anyone is a risk, even when that someone is a close relative or your spouse. You have learned your PIN by heart, but he or she will most likely write it down. A PIN that has been written down is easy to leak.
• If you really have to tell your PIN code to someone, change it once they are done with it. Don’t forget to keep in mind the combinations you shouldn’t use as a PIN code when choosing a new one!
• Never write down your PIN code. Ever. Anywhere. The worst thing you can do is write or scratch your PIN code on your credit card. That’s a sure way to get rid of all your money should the card get stolen or lost.
• Look around before typing in your PIN code. Make sure no one is eying the terminal or your phone as you type it in. That’s the most common form of theft. A thief will observe your PIN code and then pickpocket your wallet. He might also distract you so you’ll forget to take the card out of the ATM. He can then go on to empty your account. The only defense against this is to make sure no one sees your fingers moving on the keyboard.
• Cover your phone screen with your hand while typing in the pin. It’s also OK to turn your back to people for a second to type the PIN.
• You should choose the longest possible PIN code. The unlock code for Apple devices can either be a 4- or 6-number combination. If you have the choice, always go for the longest possible PIN. A longer PIN code is harder to guess and observe.
The most common PIN codes
The following is a list of the most common PIN codes. The list is compiled by analyzing various PIN code leaks. In case of a blind brute force attack, an attacker will try the following combinations first. That’s why you should never use any of them.
I’ve also written about choosing a secure and memorable passwords.