Comment by kibwen

1 year ago

This is the biggest hack since every ATM PIN was leaked: https://pastebin.com/SmJRB8eQ

PINs can be up to 6 digits (at least here in the UK, but I doubt it's country specific), even though the ones they give you by default are only ever 4. So that's only a leak of 1% of them.

  • It helps, but only temporarily. I wouldn't be surprised if all 6-digit PINs will be leaked within a few decades.

    • Not to worry. We'll just switch to 8 digit PINs and we'll be safe once and for all.

  • Does that not cause problems on some card machines? I've come across a few that definitely don't let you put in more than four digits.

    • Surprisingly, no, or at least it's not common.

      I'm from a country that has 6-digit PINs on most cards, and I've traveled to e.g. the United States where people are surprised that credit card PINs can be more than 4 digits, but in my experience, terminals accept them just fine. It seems like they are designed to suggest a PIN is only 4 digits but they will happily accept more. So while you're entering your PIN, the display looks something like:

          [....]
          [*...]
          [**..]
          [***.]
          [****]
          [*****]
          [******]

      And then you hit OK and the PIN is accepted.

    • For some reason, a lot of credit card processing APIs are still oriented around physical card machines, so they have a lot of fields devoted to self-declaration of the available features.

      Some of the APIs allow the machine to say "I can accept a PIN up to 12 digits".

      However, I don't know if anyone 1) actually delivered on it and 2) how you'd know in advance just poking random devices in stores.

    • That provides very valuable information: DO NOT TRUST this machine to be secure!

      Similarly, any web site or app that can’t correctly handle a space character at the end of the password should never be trusted with anything of consequence.

  • My card doesn't even let me include repeating digits in its PIN. I suppose it can make a one-off guess more likely than one in a thousand to correctly guess my PIN.

    • Is it repeating in the whole PIN, or in digits next to each other? I'm trying to resist the nerd snipe of what the total number of possibilities would be in the latter case...

    • Which is honestly not a bad idea, given that somebody shoulder surfing or trying to read smudges on the PIN pad becomes much easier in the case of repeated numbers.

      "1111" would just leave a fingerprint on a single key, for example, and only one possible PIN (or maybe 3, if the bank/card allows 6 digit PINs).
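As an added example (not part of this thread or any commenter's code), the script below enumerates the PIN keyspace under both readings of "no repeating digits" that the question above raises, for 4- and 6-digit PINs, and gives the resulting single-guess odds. Policy names and the closed-form check are my own assumptions about what such a card rule means.

```python
from itertools import product

DIGITS = "0123456789"


def no_adjacent_repeat(pin: str) -> bool:
    """Policy 'adjacent': no two neighbouring digits equal ("1123" rejected, "1213" allowed)."""
    return all(a != b for a, b in zip(pin, pin[1:]))


def all_distinct(pin: str) -> bool:
    """Policy 'whole': no digit may appear twice anywhere in the PIN ("1213" rejected)."""
    return len(set(pin)) == len(pin)


def keyspace(length: int, policy=None) -> int:
    """Brute-force count of PINs of the given length that the policy accepts (None = no policy)."""
    pins = ("".join(d) for d in product(DIGITS, repeat=length))
    return sum(1 for p in pins if policy is None or policy(p))


def keyspace_closed_form(length: int, policy=None) -> int:
    """Same counts without enumeration, used to cross-check keyspace()."""
    if policy is None:
        return 10 ** length
    if policy is no_adjacent_repeat:
        return 10 * 9 ** (length - 1)      # first digit free, each next digit != previous
    if policy is all_distinct:
        n = 1
        for i in range(length):            # falling factorial 10*9*8*...
            n *= 10 - i
        return n
    raise ValueError("unknown policy")


def single_guess_odds(length: int, policy=None) -> float:
    """Probability that one random guess hits a PIN drawn uniformly from the allowed set."""
    return 1 / keyspace(length, policy)


if __name__ == "__main__":
    for length in (4, 6):
        for name, policy in (("none", None), ("adjacent", no_adjacent_repeat), ("whole", all_distinct)):
            n = keyspace(length, policy)
            assert n == keyspace_closed_form(length, policy)
            print(f"{length}-digit, policy={name:8s}: {n:>8d} PINs, 1 guess = 1 in {n}")
```

For 4 digits the "whole PIN" rule cuts the keyspace from 10,000 to 5,040, so a single guess is roughly twice as likely to succeed as the 1-in-10,000 figure a cardholder is usually quoted.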

Haha, I have a file in my home directory that has every possible SSN because I wanted to be able to tell a friend “I have your SSN in a file on my computer.”

Holy shit, my PIN is on there. How the hell did that get there?? I was told it was a 1/10,000 chance of someone guessing it.