# PIN Security Scheme

Wednesday, May 11th, 02022 at 11:11 UTC

PINs (Personal Identification Numbers) are usually 4-6 characters in length. We wanted to look at the mathematics behind a not-so-obvious trick in an attempt to guess a PIN.

During some TV cartoon crime capture, the bad guys use a number pad to type in their PIN to open the doors. Quickly behind them the hero uses some fingerprint powder to see what buttons were pressed.

Let’s look at the odds before and after and how they change.

If you have no prior knowledge and there are 10 buttons (0-9) and the PIN is four digits long, there are 10,000 possible permutations! 10 possible digits for your first choice, 10 again for your second, 10 for the third and 10 for the fourth. That’s 10×10×10×10 = 10,000.

In Combinatorics this is represented by: PR(n,r) = PR(10,4) = 104 = 10,000. This is permutations with replacement, because we can reuse each number over and over. For example, your PIN could be 1234 or 1111.

10,000 is a lot of choices, so how does our chances increase if we reduce the list of possible digits down from 10 choices to just the 4 buttons that had fingerprints on them.

This is a permutations calculation without replacement, nCr. The general equation is:

P(n,r) = n!/(n-r)!

Our number of items n, and samples r, is: n factorial divided by (n-r) factorial. When we plug in our values of 4 numbers and 4 samples we get 4!/(4-4)! or just (4×3×2×1) which is 24.

By knowing the buttons pressed we reduced the number of possible PINs from 10,000 to just 24!

Now let’s get sneaky. What if we know the PIN is 4 digits in length, but we reused one of the numbers. When our hero dusts for fingerprints they only see 3 buttons pressed. Which one was pressed twice? Since there is replacement (one button pressed twice) we need to use a new formula.

First we need to pretend that all 4 key presses are unique, that gets us our previous formula of 4! (4×3×2×1), but since two of the digits are the same, we need then divide by 2! (2×1). 4!/2! = 12.

That means if you have the sequence 1,1,2,3 there are 12 unique PINs.

1. 1123
2. 1213
3. 1231
4. 1132
5. 1312
6. 1321
7. 2113
8. 2131
9. 2311
10. 3211
11. 3121
12. 3112

But we don’t have 1,1,2,3 we have 1,2,3,x. If x is 1, then we have 12 unique ways, but x could be 1, 2 or 3, so we need to multiple 12×3 which gives us 36 possible PINs.

4 unique digits has 24 possible combinations versus 3 unique digits, but one is reused, with 36 possible combinations. It is a bit counter intuitive, but reusing a digit actually makes this particular attack on PIN combinations harder.

In reality a computer could try 10,000 combinations instantaneously, we are at the mercy of the security system to throttle the PINs if you continue to get them wrong.

Continuing with this logic, what if we reused two digits in our PIN? Then the hero only knows 2 of the possible 4 digits. Does that create even more permutations? No. If you know two digits and had to arrange them to make four digits, we first need to chunk them into pairs. We create the pairs 11, 12, 21, 22. We need two sets of these. That gets us 4×4 or 16 possibilities. The problem is that two of the permutations will be 1111 and 2222 which we know can’t exists, because two different buttons were pressed. The equation then becomes (4×4)-2 or only 14 possible combinations.

This makes sense because if we reduce it once again to the hero knowing only one key was pressed, there is only one possible combination 1111.

Going the other direction, if the PIN were five digits in length, that would give us a possible 10×10×10×10×10 = 100,000 possibilities. If we knew which 5 buttons were pressed that reduced the possibilities to 5! (5×4×3×2×1) = 120. If we know the combination is 5 digits in length but we can only tell 4 buttons were pressed that gives us: 5!/2! = 120/2 = 60 unique combinations, but remember we have 1,2,3,4,x where x could be any of four digits. That’s now (5!/2!)×4 or 240 possible combinations.

## Notes

After doing all the calculations, we searched around to confirm our process, method and results. We found this article from 02012 from Schneier on Security which points to a 02011 article also about PIN security schemes. They are both worth skimming. They come to the same conclusions, but some of the comments are also useful.

## Conclusion

PINs are hard to get right and are subject to brute-force attacks. Devices like your phone and cash machines do their best to throttle attempts. A 4 or 6 digit PIN is (at the moment) doing its best to strike a balance between easy-of-use and security. It isn’t perfect, and in the wrong hands, even 6! (10×10×10×10×10×10) = 1,000,000 possible combinations isn’t a hurdle. There are ways to improve this, like shuffling the location of the numbers on keypad everytime, but these introduce barriers and possible errors for the customers.

There are ways to improve your PIN security by choosing longer PINs, but being being vigilant is best. The odds of someone checking for fingerprints after use is probably much, much lower than ‘card skimmers‘ or ‘keyloggers‘. There are plenty of other attack vectors which having a PIN with more permutations does not protect against.

Remember: Locks just keep honest people honest.