Your four-digit PIN is probably just as secure as a longer one

Unless it's your birthday or the end of your phone number, that is.

There's no reason to believe a six-digit PIN is substantially more secure than a four-digit PIN, according to a research paper on mobile phone passcodes. The reason? When asked to choose longer PINs, many of us choose poor ones that are inherently less secure than better, four-digit alternatives.

German-American engineers — Philipp Markert, Daniel Bailey, and Markus Dürmuth — from the Horst Görtz Institute for IT Security at Ruhr-Universität Bochum used Apple's and Android's PIN blacklists as the starting point for their research, and found that four-digit PINs were actually as good as, if not better than, their six-digit counterparts.

A false sense of security — A four-digit PIN allows 10,000 combinations while a six-digit PIN yields about a million, which in principle makes the latter more secure, but as Markert discovered, creativity plummets when users are asked to create six-digit PINs. "Mathematically speaking, there is a huge difference, of course," Markert explains. "However, users prefer certain combinations; some PINs are used more frequently, for example, 123456 and 654321."

Dürmuth adds that it seems "users currently do not understand intuitively what it is that makes a six-digit PIN secure." How different operating systems react to repeated incorrect entries is also worth noting. For example, Apple will lock your phone down after 10 incorrect PIN attempts, while Android won't let you enter guesses in rapid succession. Because an attacker gets only a handful of tries before the device locks or slows down, what matters is whether the PIN is among the first few guesses, not the size of the keyspace. That limit on how many passcodes can be attempted means a short but uncommon combination again beats an easily guessable, longer one.

These are the combos to avoid — The study found that the most common and easily guessed four-digit PINs were 1234, 0000, 2580, 1111, 5555, 5683, 0852, 2222, 1212, and 1998. As for six-digit PINs, you should avoid 123456, 654321, 111111, 000000, 123123, 666666, 121212, 112233, 789456, and 159753. Don't use your birthday, your partner's, or your children's either, or any other date that can easily be connected to you via your online profiles.
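As an added illustration (not code from the article or the paper), here is the kind of defender-side screening a device or app could run when a user picks a PIN: it rejects the PINs listed above, plus repeated digits, digit runs, and anything that reads as a date. The date heuristics, the 1920 birth-year cutoff, and the function names are assumptions of this example.

```python
from datetime import date

# The most frequently guessed PINs reported in the article (Markert, Bailey, Dürmuth).
COMMON_PINS = {
    "1234", "0000", "2580", "1111", "5555", "5683", "0852", "2222", "1212", "1998",
    "123456", "654321", "111111", "000000", "123123", "666666", "121212", "112233",
    "789456", "159753",
}
EARLIEST_BIRTH_YEAR = 1920  # assumption: oldest plausible birth year for a current user


def is_sequential(pin):
    """True for runs of ascending or descending digits such as 1234 or 654321."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}


def is_repeated_block(pin):
    """True when the PIN is one short block repeated, e.g. 0000, 1212, 123123."""
    n = len(pin)
    return any(n % b == 0 and pin[:b] * (n // b) == pin for b in range(1, n // 2 + 1))


def _day_month(a, b):
    """True if the two numbers form a plausible day/month pair in either order."""
    return (1 <= a <= 31 and 1 <= b <= 12) or (1 <= a <= 12 and 1 <= b <= 31)


def looks_like_date(pin):
    """Heuristic (assumed): a year, DDMM/MMDD, or DDMMYY/MMDDYY/YYMMDD."""
    if len(pin) == 4:
        return (EARLIEST_BIRTH_YEAR <= int(pin) <= date.today().year
                or _day_month(int(pin[:2]), int(pin[2:])))
    # six digits: day and month either at the front or at the back
    return (_day_month(int(pin[:2]), int(pin[2:4]))
            or _day_month(int(pin[2:4]), int(pin[4:])))


def check_pin(pin):
    """Return the reasons a PIN is rejected; an empty list means it is acceptable."""
    if not (pin.isascii() and pin.isdigit() and len(pin) in (4, 6)):
        return ["must be 4 or 6 digits"]
    reasons = []
    if pin in COMMON_PINS:
        reasons.append("common")
    if is_sequential(pin):
        reasons.append("sequential")
    if is_repeated_block(pin):
        reasons.append("repeated block")
    if looks_like_date(pin):
        reasons.append("date")
    return reasons


if __name__ == "__main__":
    for candidate in ["1234", "1998", "123123", "0312", "7391", "830467"]:
        print(candidate, check_pin(candidate) or "ok")
```

Note that 123123 is caught three times over: it is on the list, it is a repeated block, and it also parses as a date (12/31/23), which is exactly the overlap between "memorable" and "guessable" the researchers describe.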