Memory-only selection of dictionary PINs

Let $N=10^{n}$ be the size of an PIN space, for PIN length $n$. Let $X$ be a random variable over the set $\{0,1,\dots,9\}^{n}$. Let $p_{i}$ denotes the probability of choosing a particular PIN $x_{i}$. Without loss of generality we assume that PINs are sorted in the descending order of their probabilities, i.e. $p_{1}\geq p_{2}\geq\ldots\geq p_{N}$.

Various measures for the PIN choices were proposed and studied, for details, discussions and relations among these metrics see [3, 4, 16]. The most important ones are defined in the following list.

• $-$

  Shannon entropy, expressed in bits, measures the uncertainty in a random variable:

  $$H_{1}(X)=-\sum_{i=1}^{N}p_{i}\log_{2}p_{i}.$$

• $-$

  The guesswork measures the expected number of guesses needed to find a PIN, trying in descending order according their probability:

  $$G(X)=\sum_{i=1}^{N}i\cdot p_{i}.$$

• $-$

  The marginal guesswork measures the expected number of guesses needed to increase the success probability of finding the PIN to at least $\alpha$ (usually $\alpha=0.5$):

  $$\mu_{\alpha}(X)=\min\{1\leq k\leq N\mid{\textstyle\sum\nolimits_{i=1}^{k}p_{i}}\geq\alpha\}.$$

• $-$

  The marginal success rate measures the probability of guessing the PIN given $\beta$ attempts ($\beta$ is usually $3$ or $6$):

  $$\lambda_{\beta}=\sum_{i=1}^{\beta}p_{i}.$$

Since the guesswork and the marginal guesswork are not directly comparable to Shannon entropy, the values of $G(X)$ and $\mu_{\alpha}(X)$ are converted into bits using the following formulas [3]: $\tilde{G}(X)=\log_{2}(2G(X)-1)$, $\tilde{\mu}_{\alpha}(X)=\log_{2}(\mu_{\alpha}(X)/\lambda_{\mu_{\alpha}})$.

Since the standard mapping does not cover digits 0 and 1, the ideal security metrics have the following values for dictionary PINs (assuming uniform distribution of PINs) :

• $-$

  PIN length 4: $H_{1}(X)=\tilde{G}(X)=\tilde{\mu}_{0.5}=12.00$ bits, $\lambda_{6}(X)=0.15\%$,

• $-$

  PIN length 5: $H_{1}(X)=\tilde{G}(X)=\tilde{\mu}_{0.5}=15.00$ bits, $\lambda_{6}(X)=0.02\%$.

We compare the metrics for straightforward translation of words to PINs using the standard mapping, see Figure 1, with results obtained in [12]. We consider only the words with the length equal to the PIN length $n$. The translation starts with stripping the diacritical marks, if they are present. Then, the word is mapped to PIN using the standard mapping, e.g. “love” and “hate” yield 5683 and 4283, respectively. The frequency of particular word contributes to the probability of resulting PIN.

The results for the PIN lengths 4 and 5 are shown in Table 1. The columns labeled “uniform” contain results for PINs derived from a large (spell-checker) English dictionary assuming uniform frequencies of words [12]. The columns labeled “RockYou” contains results for PINs derived from RockYou password database where frequencies of words (passwords) were taken into account. It is easy to notice a striking difference between scenarios that consider the frequencies of words and those that do not.

A closer look at the most frequent dictionary PINs from SUBTLEXus and opensub reveals the following observations:

• $-$

  PIN length 4: Top 7 PINs share the same spots in SUBTLEXus and opensub scenarios (the last three spots in top 10 are just permuted, i.e. the top 10 contains exactly the same set of PINs in both scenarios). The high marginal success rates are caused by the frequencies of the following PINs: 8428 (probability $6.65\%$ based on SUBTLEXus, e.g. produced from the word “that”), 9428 ($4.64\%$, “what”), 8447 ($3.76\%$, “this”), 4283 ($3.14\%$, “have”), 9687 ($3.04\%$, “your”), and 5669 ($2.70\%$, “know”).

• $-$

  PIN length 5: The sets of top 10 PINs differ in just two PINs, while the first 5 spots are exactly the same in SUBTLEXus and opensub scenarios. For SUBTLEXus scenario the most frequent PINs are: 84373 ($5.12\%$, e.g. produced from the word “there”), 74448 ($3.95\%$, “right”), 22688 ($3.54\%$, “about”), 84465 ($2.62\%$, “think”), 46464 ($2.07\%$, “going”), and 46662 ($1.94\%$, “gonna”).

We can conclude that considering uniform frequencies of dictionary words is inadequate for estimating the security of memory-only selection of dictionary PIN. The results show the deficiency of such PINs clearly – the marginal success rates are unacceptable. Moreover, it seems that this strategy is worse (in average) than strategies currently employed by users. In order to compare memory-only dictionary PINs with “common” PIN selection strategies, we present estimates of PIN metrics based on RockYou password database and iPhone unlock codes [4] in Table 2. On the other hand, the lack of digits 0 and 1 in the standard mapping ensures that these digits do not appear in the resulting PIN. Therefore the PINs that are often blacklisted, e.g. 0000, 1111 or 1234, or those the users are warned not to use, e.g. birthday or anniversary years, cannot be selected this way.

We explore few possibilities for improving memory-only dictionary PINs in the following sections.

Blacklisting is a common method for improving the security of user-selected PINs. Even if not strictly enforced (by forbidding the selection of some PINs), at least there are recommendations what PINs a user should not choose, e.g. see [15]:

“Select a PIN that cannot be easily guessed (i.e., do not use birth date, partial account numbers, sequential numbers like 1234, or repeated values such as 1111).”

There are two possibilities for blacklisting in dictionary PIN scenario: first, blacklisting the most frequent words; and second, blacklisting the most frequent PINs. The PIN blacklisting is easier to enforce in practice, and the values of security metrics are comparable for both approaches. Figure 2 shows the entropy and the marginal success rate ($\lambda_{6}$) for PIN blacklisting (based on SUBTLELXus) ranging from $0$ to $100$ blacklisted PINs. The results show only a moderate improvement in security metrics, therefore blacklisting alone is not a satisfactory method for improving memory-only dictionary PINs.

In order to improve the security metrics of resulting PIN, some natural modifications to basic translation of dictionary word to PIN were proposed in [12]. We evaluate these modifications when applied to our “frequency-aware” experiments:

• $-$

  Stretched mapping – in order to cover digits $0$ and $1$, we can stretch the standard mapping. Our estimates for this modification use the following mapping: a, b $\mapsto 1$; c, d $\mapsto 2$; e, f $\mapsto 3$; g, h, i $\mapsto 4$; j, k, l $\mapsto 5$; m, n $\mapsto 6$; o, p, q $\mapsto 7$; r, s, t $\mapsto 8$; u, v, w $\mapsto 9$; x, y, z $\mapsto 0$.

• $-$

  Prefix – instead of taking just words with the desired PIN length, i.e. $n$, we use any word with the length greater or equal to $n$ and we use its prefix for translation to PIN.

• $-$

  Morphing – the standard word to PIN translation is enriched by random change of one character. Assuming that user can choose a random position in a word/PIN and a random digit, the resulting PIN is formed by replacing this position by the chosen digit. For example “this” can be translated to “t1is”/8147, “0his”/0447, “thi9”/8449, etc. Certainly, this method is more demanding than the straightforward use of dictionary words. Our estimates assume uniform distribution of positions and digits for this method.

The results for all above methods are presented in Table 3. The stretched mapping yields no improvement at all – the most frequent PINs changed their values, but their frequencies remained almost unchanged. The prefix method offers a moderate improvement in security metrics. Obviously, the morphing is the most successful approach by a wide margin.

Comparing these results with the estimates from Table 2, we can notice that the prefix method for dictionary PINs offers slightly better marginal success rate but worse entropy, guesswork and marginal guesswork. An interesting observation is that the morphing offers much better marginal success rate while keeping other security metrics comparable to real-word estimates from Table 2.

Interestingly, the prefix method and the morphing yield better results than the estimates of PIN entropy by NIST [9]: 9 and 10 bits for PIN lengths 4 and 5, respectively. On the other hand, plain memory-only dictionary PINs offer less entropy than these estimates.

We expect that blacklisting of the most frequent PINs can further improve the security metrics of promising methods from the previous section (i.e. prefix and morphing methods). Indeed, our experiments confirm this expectation. Table 4 shows the values of the entropy and the marginal success rate for various sizes of the blacklist ($0$, $10$, and $20$).

The blacklisting substantially improves the marginal success rate, but offers only a moderate improvement of the entropy. A disadvantage of the blacklisting is that it complicates the implementation of authentication.

Many people know more than one language. In such case, it is easy to adopt a strategy where a user randomly choses a language and then (s)he selects a word for PIN construction. We expect obviously an improvement in security metrics values. In order to assess the improvement we use English and Dutch frequency dictionaries SUBTLEXus and SUBTLEXnl [14]. We use words with frequency above 1 in both dictionaries, and we assume that the user selects the dictionary with probability $1/2$. The results for this two-dictionary scenario are shown in Table 5, where “basic” denotes the construction using words with the length $n$, “prefix” denotes the prefix method, and “prefix (BL)” denotes the combination of the prefix method with the blacklist of the length $10$.

As expected, the results are better than results for corresponding single-dictionary scenario methods. However, even with the blacklisting the results cannot match the morphing method results for single dictionary.

The author acknowledges support by VEGA 1/0259/13.