42
60
v1v2v3 (latest)

This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs

Abstract

In this paper, we provide the first comprehensive study of user-chosen 4- and 6-digit PINs (n=1220) collected on smartphones with participants being explicitly primed for device unlocking. We find that against a throttled attacker (with 10, 30, or 100 guesses, matching the smartphone unlock setting), using 6-digit PINs instead of 4-digit PINs provides little to no increase in security, and surprisingly may even decrease security. We also study the effects of blocklists, where a set of "easy to guess" PINs is disallowed during selection. Two such blocklists are in use today by iOS, for 4-digits (274 PINs) as well as 6-digits (2910 PINs). We extracted both blocklists compared them with four other blocklists, including a small 4-digit (27 PINs), a large 4-digit (2740 PINs), and two placebo blocklists for 4- and 6-digit PINs that always excluded the first-choice PIN. We find that relatively small blocklists in use today by iOS offer little or no benefit against a throttled guessing attack. Security gains are only observed when the blocklists are much larger, which in turn comes at the cost of increased user frustration. Our analysis suggests that a blocklist at about 10% of the PIN space may provide the best balance between usability and security.

View on arXiv
Comments on this paper

We use cookies and other tracking technologies to improve your browsing experience on our website, to show you personalized content and targeted ads, to analyze our website traffic, and to understand where our visitors are coming from. See our policy.