Date: Tue, 8 Mar 2016 15:13:50 +0100
From: Per Thorsheim <per@...rsheim.net>
To: passwords@...ts.openwall.com
Subject: Re: Article on pin numbers randomness

On 08.03.2016 13.21, Martin Rublik wrote:
> On 08.03.2016 13:04, Daniel Cussen wrote:
>> http://datagenetics.com/blog/september32012/index.html
>>

First of all: thank you Daniel for officially bringing the mailing list to
life! :-)

Second: fascinating to see that old blog post suddenly come to life again all
over Twitter during the past week or so.

--

1. Daniel Amitay / Big Brother iOS app

US-based Web developer Daniel Amitay was the one who really kicked pin code
research into the spotlight in 2010-2011. You can still read his blog post
with story & stats here:
http://danielamitay.com/blog/2011/6/13/most-common-iphone-passcodes

Media did stories based on that *everywhere*.

2. Howard Smith / Oracle / PasswordsCon

Our first speaker at our first PasswordsCon in December 2010 was Howard Smith,
head of internal penetration testing at Oracle (UK). His topic: user selected
PIN numbers. You can watch the recorded talk here:
https://www.youtube.com/playlist?list=PLdIqs92nsIzSid9mKFW1vAcIfxyyNWBxk

3. Joseph Bonneau / Cambridge

Joe authored the paper "A birthday present every eleven wallets? The security
of customer-chosen banking PINs" in 2012. You can find the PDF and related
data at his site: http://jbonneau.com/publications.html

TL;DR: Steal eleven credit cards. The only things you know are a) 4-digit pin,
b) selected by the user. Statistically you'll guess the correct pin on every
eleventh card, 3 attempts per card. That's pretty good odds!

Oh, and if you ask Joe nicely, he may share his code for generating the PIN
plots.

4. PIN plotting

A friend of mine (@kluzz) made a browser/client-side version for doing the same
thing. It is still available here: http://radical.org/pinmap

Some of this is already on my "free research ideas for everyone" list here:
https://godpraksis.no/ideas/, and I realize again that I need to update that
page with many new ideas.

5. Amir Nickel, University of South Wales, UK

I am currently a co-supervisor to Amir, B.Sc. student at UoSW, and his ongoing
work is about PIN reuse, based on ideas from me. You can learn more about his
work, do his survey and check out his "easy to remember PIN" generator at
https://amirnickel.com

Feedback very welcome of course!

Martin:
> Well, as I said earlier, the trouble here is that we don't know how
> well the password sample aligns with the actual PIN distribution.

Daniel Amitay collected 200K+ user selected pins, but we do not know if all
those were originally selected by the user, or if it could be a pin they have
already received & memorized from others (sim card, bank, work access card
etc.) ...Which is why Joe also used data from other sources as well.

I have also done some work that I haven't fully made available online, will
try to do that during the next week or two.

> I'd say that I could use a password 1234 for a site I don't care at
> all but I certainly won't use it as a PIN to protect the ATM card.

I know some banks have implemented blacklists, but I don't know if those
blacklists are based on guesswork or real statistics. But 1234 is extremely
popular, no doubt.

> On the other hand the article is interesting and I'd say that if we
> strip the marginal/obvious results that it can reflect the reality
> well.

Indeed.

Best regards,
Per Thorsheim
Founder of PasswordsCon
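Per's point 3 (three guesses per card, one success in roughly every eleven cards) is a property of the PIN distribution, and the same arithmetic tells a defender how much a blacklist of the most popular PINs actually buys, which is the question he raises about bank blacklists. The Python below is added here as an example; it is not code from the thread, from Bonneau's paper or from any of the projects listed. The PIN sample it uses is constructed for illustration (the frequencies are made up and are not Amitay's or Bonneau's data), and the assumption that users barred from a blacklisted PIN spread over the remaining PINs in proportion to their existing popularity is a modelling choice of this example, not something the thread states.

```python
"""Guessability of user-chosen 4-digit PINs under a 3-attempt lockout, and
the effect of a small blacklist of the most popular PINs.

Added example, not code from the mailing-list thread. The PIN sample is
constructed for illustration and is not any real dataset.
"""
from collections import Counter
from fractions import Fraction

# Constructed sample of 1000 user-chosen PINs: six heavily reused values plus
# a long tail of 705 distinct PINs chosen once each. Real data is far more
# skewed than this; the numbers only serve to show the computation.
SAMPLE_PINS = (
    ["1234"] * 110 + ["1111"] * 60 + ["0000"] * 50
    + ["1212"] * 30 + ["7777"] * 25 + ["2580"] * 20
    + [f"{i:04d}" for i in range(1, 706)]
)
SAMPLE_COUNTS = Counter(SAMPLE_PINS)


def _allowed(counts, blacklist):
    """Observed counts restricted to PINs the policy still permits."""
    return Counter({pin: n for pin, n in counts.items() if pin not in blacklist})


def most_common_pins(counts, k, blacklist=frozenset()):
    """The k most frequent PINs a user could still choose under the blacklist."""
    return [pin for pin, _ in _allowed(counts, blacklist).most_common(k)]


def guess_success_probability(counts, attempts, blacklist=frozenset()):
    """Probability that `attempts` guesses of the most popular allowed PINs
    match one randomly chosen user's PIN, as an exact Fraction.

    Modelling assumption (this example's, not the thread's): users who would
    have picked a blacklisted PIN choose among the remaining PINs with the same
    relative frequencies, so the allowed part of the distribution is simply
    renormalised.
    """
    allowed = _allowed(counts, blacklist)
    total = sum(allowed.values())
    hits = sum(n for _, n in allowed.most_common(attempts))
    return Fraction(hits, total)


def expected_cards_per_success(counts, attempts, blacklist=frozenset()):
    """Expected number of cards that must be tried, at `attempts` guesses each,
    for one guess to succeed: 1 / P(success on a single card). This is the
    form of Bonneau's "every eleventh card" figure."""
    return 1 / guess_success_probability(counts, attempts, blacklist)


def blacklist_of_top(counts, n):
    """A blacklist made of the n most popular PINs in the observed data."""
    return frozenset(pin for pin, _ in counts.most_common(n))


if __name__ == "__main__":
    policies = [
        ("no blacklist", frozenset()),
        ("top-3 blacklisted", blacklist_of_top(SAMPLE_COUNTS, 3)),
        ("top-6 blacklisted", blacklist_of_top(SAMPLE_COUNTS, 6)),
    ]
    for name, bl in policies:
        p = guess_success_probability(SAMPLE_COUNTS, 3, bl)
        cards = expected_cards_per_success(SAMPLE_COUNTS, 3, bl)
        print(f"{name:18s} best 3 guesses={most_common_pins(SAMPLE_COUNTS, 3, bl)} "
              f"P(hit)={float(p):.3f}  ~1 card in {float(cards):.1f}")
```

Running the block prints, for each policy, the three most popular PINs still allowed and the probability that three guesses of them hit a given card: on the constructed sample 22% with no blacklist (about one card in 4.5, this sample's analogue of Bonneau's one in eleven), about 9.6% with the top three blacklisted and about 0.4% with the top six blacklisted. How much a real blacklist helps depends entirely on how heavy the head of the real distribution is, which is why it matters whether a bank's blacklist rests on measured PIN frequencies or on guesswork.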