Odds are that I can guess your PIN in ten attempts.
It will be one of the following:
- “1234” – I can’t be bothered to think about my password
- “0000” – I can’t even be bothered to count
- “2580” – I can go down the key pad
- “1111” – I can count to one!
- “5555” – I’m very clever and can count to 5
- “5683” – I do txt spk. (work it out)
- “0852” – I do stuff vertically up
- “2222” – I can’t be bothered to move my fingers when I press keys
- “1212” – Testing testing 12 12
- “1998” – Yeah, I’m about 13 years old
Now there are issues about the secret gathering of personal information but that’s a different post. Also bear in mind that this was for an iPhone app, not a banking app nor an ATM PIN. So the users might have chosen simple numbers because they didn’t feel the need to secure the app. But there probably is a grain of truth in the general trend for the top ten PINs as the author of the app tried to make his password screen look like the iPhone’s own password screen.
When you take into account that certain ranges of numbers occurred regularly in the top 50, you can easily build the impression that many people don’t think much about their PIN numbers. The most common range is 1990-1999, followed by 1980-1989 and 2010-2011, then 1970-1979 and then 2000-2009. From this, given the median age of iPhone users, you can see that they often use their birth year as their PIN number. If they are older surfers then they use either their children’s birth year, which explains the 2000-2011 range, or their own.
So if you find a lost mobile phone, then given that 15% of all PINs are covered by just 10 different numbers, you’ve got a 1 in 7 chance of breaking into the phone. No wonder it was so easy for certain private investigators hired by journalists to break into the voice mail accounts of certain celebs.
Now if you do use one of the above PINs, don’t worry too much. So long as you don’t use the same PIN for every account, website and card, you’re not going to get your accounts cleared out.
Bear in mind that if you use the same password on Facebook, to log into your hobby forum and to access your work account, it won’t take much background information to work out your password. The advice here is to use a different password for each part of your life: your financial part, your personal family part, your hobbies and other interests part, your work part, etc. For certain aspects of your online life use a unique password that is only used on that site. For instance, your GMail password should be unique because the information in your emails would be a gold mine to someone who got in.
Create a complex password
To make a password that is really hard to guess, try the following guide.
Start with a sentence or two (about 10 words in total). Make it something meaningful to you. As a starter for ten, I’ll use the example “Long and complex passwords are safest. I keep mine safe.”
Turn the sentences into a row of letters using the first letter of each word. The phrase becomes “lacpasikms”. At this stage this password should be usable on many unimportant websites.
Add a bit of complexity by changing the case of some of the letters. Either make the letters A-J lower and the rest upper, or make the odd letters of the alphabet (a, c, e, etc.) lower and the rest upper. Up to you. You can use this level of password on accounts like your work one.
Some sites insist on numbers and punctuation. Add the digits of a meaningful number and some punctuation symbols to either end of the password or in the middle. Your password is now “lACpAs56IKMs”. This should be secure enough for your banking apps.
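The three steps above, applied mechanically, as an added Python example that is not part of the original post. The passphrase and the digits “56” are the post’s; the function names, the two case rules implemented exactly as the text states them, and the choice of splitting the password at its midpoint are my own assumptions, so the letters that change case differ from the hand-worked string in the text.

```python
import string

# Constructed input: the post's own example passphrase.
PASSPHRASE = "Long and complex passwords are safest. I keep mine safe."


def initials(sentence: str) -> str:
    """Step 1: first letter of each word, lower-cased ("lacpasikms")."""
    words = [w.strip(string.punctuation) for w in sentence.split()]
    return "".join(w[0].lower() for w in words if w)


def mixed_case(base: str, rule: str = "a-j") -> str:
    """Step 2: change the case of some letters.

    rule="a-j": letters a..j stay lower, k..z become upper.
    rule="odd": odd letters of the alphabet (a, c, e, ...) stay lower,
                even ones (b, d, f, ...) become upper.
    """
    out = []
    for ch in base:
        if not ch.isalpha():
            out.append(ch)  # digits or symbols are left untouched
            continue
        pos = ord(ch.lower()) - ord("a") + 1  # a=1 ... z=26
        if rule == "a-j":
            out.append(ch if pos <= 10 else ch.upper())
        elif rule == "odd":
            out.append(ch if pos % 2 == 1 else ch.upper())
        else:
            raise ValueError("unknown case rule: " + rule)
    return "".join(out)


def add_digits(base: str, extra: str, where: str = "middle") -> str:
    """Step 3: splice a meaningful number (and punctuation) in at either end or the middle."""
    if where == "start":
        return extra + base
    if where == "end":
        return base + extra
    half = len(base) // 2  # assumption: "middle" means the midpoint of the string
    return base[:half] + extra + base[half:]


def derive(sentence: str, extra: str = "", rule: str = "a-j", where: str = "middle") -> str:
    """Run all three steps on a sentence and return the finished password."""
    return add_digits(mixed_case(initials(sentence), rule), extra, where)


if __name__ == "__main__":
    print(initials(PASSPHRASE))       # lacpasikms
    print(derive(PASSPHRASE, "56"))   # LacPa56SiKMS
```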
One final word of advice. Keep your passwords on a piece of paper. Yep, that sounds counterproductive, but so long as the passwords are encoded in your own secret way, you can keep track of the umpteen dozens of passwords modern life requires you to have.
Don’t give your password out to anyone; no bank will ever ask for it. If you forget your password and the website lets you ask for it, then if it sends you the old one rather than giving you a new one, don’t trust it: that means it has stored your password “in the clear” rather than as a one-way code based on your password.
Finally, learn to recognise phishing attempts and to avoid them.