Comment by quietbritishjim
1 year ago
PINs can be up to 6 digits (at least here in the UK, but I doubt it's country specific), even though the ones they give you by default are only ever 4. So that's only a leak of 1% of them.
It helps, but only temporarily. I wouldn't be surprised if all 6 digit PINs will be leaked within a few decades.
No, with the rate of development of quantum computers that estimate is down to the next few years.
Not to worry. We'll just switch to 8 digit PINs and we'll be safe once and for all.
Does that not cause problems on some card machines? I've come across a few that definitely don't let you put in more than four digits.
Surprisingly, no, or at least it's not common.
I'm from a country that has 6-digit PINs on most cards, and I've traveled to e.g. the United States where people are surprised that credit card PINs can be more than 4 digits, but in my experience, terminals accept them just fine. It seems like they are designed to suggest a PIN is only 4 digits but they will happily accept more. So while you're entering your PIN, the display looks something like:
And then you hit OK and the PIN is accepted.
For some reason, a lot of credit card processing APIs are still oriented around physical card machines, so they have a lot of fields devoted to self-declaration of the available features.
Some of the APIs allow the machine to say "I can accept a PIN up to 12 digits".
However, I don't know if anyone 1) actually delivered on it and 2) how you'd know in advance just poking random devices in stores.
That provides very valuable information: DO NOT TRUST this machine to be secure!
Similarly, any web site or app that can’t correctly handle a space character at the end of the password should never be trusted with anything of consequence.
Why? PINs are limited to 4 digits in many markets, so it's not exactly extreme for a developer to not consider the (to them) edge case of 6 digit PINs on foreign cards.
Conversely, it seems very possible to support 6 digit PINs and yet still make a ton of horrible implementation mistakes, security and otherwise.
Why is the space thing inherently insecure? I’m thinking bad form validation could trip it up and be considered “not handled” vs concerns suggesting plaintext storage
Are you really worried that a card machine is going to leak your PIN? That doesn't seem to be a common attack vector compared to a third-party skimmer being attached or someone just mugging you and demanding your PIN under threat of physical violence.
To answer the actual question: I don't know because I left my PIN at 4 digits, despite knowing I could use more, precisely because I didn't think it would really make my life any more secure.
It most certainly does.
My card doesn't even let me include repeating digits in its PIN. I suppose it can make a one-off guess more likely than one in a thousand to correctly guess my PIN.
Is it repeating in the whole PIN, or in digits next to each other? I'm trying to resist the nerd snipe of what the total number of possibilities would be in the latter case...
I believe it would be 7290, or more generalized, S(N) = 10 * 9 ^(N-1) with N being the length of the code and S being the number of combinations (assuming that a decimal system is used)
And from there, with variable lengths ranging from L to H, S(L, H) = 5/4 * 9 ^(L-1) * (9^(H-L+1) - 1)
So if the bank allows combinations from 4 - 6 digits, there would be a total of 663390 combinations to choose from.
Now, of course, the bank may decide to go from decimal to hexadecimal in the future - or maybe, their systems allow only duodecimal. In any case, the formula can be generalized further to account for all number systems - with B being the base of the system:
S(L, H, B) = (B/(B-2)) * (B-1) ^(L-1) * ((B-1)^(H-L+1) - 1)
This is only defined for B > 2 - in a binary system, there's only ever two combinations which fit the constraint
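Checking the counting formulas from this comment by brute force, as an added example that is not part of the thread; the function names and the handling of the B = 2 case are my own assumptions, not something the comment specifies:

```python
from itertools import product


def count_no_adjacent_repeat(length: int, base: int = 10) -> int:
    """Brute-force count of codes of `length` symbols over `base` symbols
    in which no two neighbouring symbols are equal (the "no repeating
    digits" rule as read by the reply above)."""
    return sum(
        1
        for code in product(range(base), repeat=length)
        if all(a != b for a, b in zip(code, code[1:]))
    )


def closed_form_single(length: int, base: int = 10) -> int:
    """S(N) = B * (B-1)^(N-1): first symbol is free, every later symbol
    must differ from its predecessor."""
    return base * (base - 1) ** (length - 1)


def closed_form_range(low: int, high: int, base: int = 10) -> int:
    """S(L, H, B) = B/(B-2) * (B-1)^(L-1) * ((B-1)^(H-L+1) - 1), i.e. the
    geometric sum of closed_form_single over lengths L..H.

    (B-1)^k - 1 is always divisible by B-2, so integer division is exact.
    For B = 2 the closed form divides by zero; each length then admits
    exactly two codes (0101... and 1010...), so the sum is 2 * (H-L+1).
    That special case is an assumption added here, not from the comment."""
    if base < 2 or low < 1 or high < low:
        raise ValueError("need base >= 2 and 1 <= low <= high")
    if base == 2:
        return 2 * (high - low + 1)
    return (
        base * (base - 1) ** (low - 1) * ((base - 1) ** (high - low + 1) - 1)
    ) // (base - 2)


def single_guess_odds(length: int, base: int = 10) -> float:
    """Probability that one random guess (respecting the rule) is right.
    For a 4-digit decimal PIN this is 1/7290 rather than 1/10000, which is
    the 'slightly better than one in a thousand' point raised above."""
    return 1 / closed_form_single(length, base)


if __name__ == "__main__":
    for n in (4, 5):  # brute force stays cheap up to 10^5 candidates
        assert count_no_adjacent_repeat(n) == closed_form_single(n)
    print("4-6 digit decimal PINs without adjacent repeats:",
          closed_form_range(4, 6))
```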
Which is honestly not a bad idea, given that somebody shoulder surfing or trying to read smudges on the PIN pad becomes much easier in the case of repeated numbers.
"1111" would just leave a fingerprint on a single key, for example, and only one possible PIN (or maybe 3, if the bank/card allows 6 digit PINs).