Correct me if I'm wrong, but it seems a PIN is merely a password that only allows numbers (and has a short maximum length on some services). That sounds very insecure to me, but many services use it. Chrome Remote Desktop is one example.

My questions are:

  • Why does a PIN exist when we can use a password?
  • Is a PIN insecure?
  • If ever, when is a PIN a better alternative?
user2652379
    PINs are used in a variety of contexts and the security depends on the context. This question here is not specific to a context though, which makes it too broad. There are several more focused questions here on this topic though, like [How secure are pins on credit / bank cards?](https://security.stackexchange.com/questions/134777), [What is the recommended length for a phone PIN?](https://security.stackexchange.com/questions/150413/) and [many more](https://www.google.com/search?q=site%3Asecurity.stackexchange.com+security+of+PIN). – Steffen Ullrich Sep 23 '20 at 07:04

2 Answers


The term PIN is commonly used when only a number pad is available to the user (SIM card, credit card, ...).
Today the term seems to have been extended to every kind of digits-only password.

A PIN can be considered secure when the following conditions are enforced:

  • the authentication is blocked after 3 failed attempts
  • all PINs are equally likely
  • the PIN is used on a physical device

In this scheme, even with only 4 digits, the attacker needs to obtain physical access before any attack attempt (not trivial).
The odds of success are 3/10000.
The combination of these two efforts is very hard to overcome.

Depending on whether or not the user chooses the PIN, it could be necessary to forbid some values (0000, 1234, birthdate, ...).

If the authentication does not occur on a physical device (like a bank login interface), an attacker with a sufficient number of valid usernames (which are not considered a secret under Kerckhoffs's principle), let's say 333 valid accounts for a 4-digit PIN, can probably take over an account.
But this case doesn't let the attacker select a victim. He knows that he will find one, but he cannot choose which one.

Despite the fact that the username is not supposed to be a secret, companies that use PINs online commonly make it difficult to guess (e.g. bank logins are often a sequence of digits instead of the name of the client).

For online authentication, the best practice remains to use passwords not limited in length or charset.
Furthermore, PINs are more difficult to remember than words and no more difficult to hack. So avoid them when you can.

PINs should be reserved for the use case when only a number pad is available.

Sibwara
  • username is not a secret in the Kerckhoffs's principle. What I wanted to say is that companies who are using PIN online tend to make it unpredictable and very difficult to find to effectively increase the security even if there is no improvement in theory (I will reformulate) – Sibwara Sep 24 '20 at 10:52
  • Chrome Remote Desktop calls it a PIN. So does Android for their long unlock codes. Whether the term "PIN" is accurate or not in the context of history doesn't really matter if the biggest players in the market are using the term to mean an "all-number password". – schroeder Sep 24 '20 at 12:53

I would consider PINs in terms of usable security for the end user, where there are additional contextual security controls in place to protect access. Some examples could be where an account has been authenticated and authorised and a PIN is used to regain access to the service within a time-limited period on the same device.

PINs are typically used in conjunction with other factors, so that there is a tradeoff between usability and security. As has been mentioned in the other comments, context is key here: the other protections and controls that are in place must be considered when assessing the security that a PIN provides.

If you consider the common use cases of a bank card, there are compensating controls to limit the likelihood of compromise of a 4-digit PIN.

  • PINs are set by the user on use and the initial PIN is not a standard PIN
  • There is a maximum of 3 consecutive incorrect attempts to protect against brute forcing
  • The card must be presented in addition to the PIN, so this combines something you have with something you know.

For the card issuer there is a balance between usable security that minimises potential losses whilst making an acceptable tradeoff on usable security.

In your example of a user choosing an insecure PIN, there could be additional controls to block choosing a PIN of 0000; however, doing this can reduce the overall key space too.

Greg
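Both answers rest on the same arithmetic: 3 attempts against 10^4 PINs, the untargeted spraying case Sibwara describes, and Greg's note that forbidding values like 0000 shrinks the key space. The Python below is added here and is not code from either answer; it models those numbers from a policy-setting standpoint and shows a verifier that enforces the three-strikes lockout both answers rely on. The policy constants and the weak-PIN list are assumed sample values.

```python
import hmac
from typing import Optional, Set

# Assumed policy values for this example (not taken from the answers above).
PIN_LENGTH = 4
MAX_FAILED_ATTEMPTS = 3
WEAK_PINS: Set[str] = {"0000", "1111", "1234", "2580"}  # constructed sample denylist


def keyspace(pin_len: int = PIN_LENGTH, denylist: Optional[Set[str]] = None) -> int:
    """Number of PINs a user can still hold once forbidden values are removed."""
    return 10 ** pin_len - len(denylist or ())


def p_success_per_account(attempts: int, space: int) -> float:
    """Chance that `attempts` distinct guesses hit one uniformly random PIN."""
    return min(attempts, space) / space


def p_success_spray(n_accounts: int, attempts: int, space: int) -> float:
    """Chance that `attempts` guesses against each of n_accounts opens at least one."""
    p = p_success_per_account(attempts, space)
    return 1 - (1 - p) ** n_accounts


def is_acceptable_pin(pin: str) -> bool:
    """Enrollment check: right length, digits only, not on the denylist."""
    return len(pin) == PIN_LENGTH and pin.isdigit() and pin not in WEAK_PINS


class PinVerifier:
    """Verifier that enforces the 'block after N failed attempts' rule."""

    def __init__(self, pin: str) -> None:
        self._pin = pin.encode()
        self.failures = 0
        self.locked = False

    def verify(self, guess: str) -> bool:
        if self.locked:
            return False  # stays locked even for the right PIN until an out-of-band reset
        # Constant-time comparison so response timing does not leak matching digits.
        if hmac.compare_digest(self._pin, guess.encode()):
            self.failures = 0
            return True
        self.failures += 1
        self.locked = self.failures >= MAX_FAILED_ATTEMPTS
        return False
```

With 333 accounts and 3 guesses each, `p_success_spray` comes out near 0.095, which is the kind of number a defender compares against the account population before deciding whether a PIN-only login is acceptable.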