
PIN analysis



    This guy has analysed a database of plain text passwords to infer people's behaviour in selecting a 4-digit PIN. Excellent narrative and presentation, IMHO.

    Actually I think the results are far more relevant for voicemail PIN selection than for ATM cards - there doesn't seem to be any limit on the number of guesses you get with voicemail.

    PIN number analysis

    I marked up the heat map he generated. The grid makes it easier to pick off certain values, like spotting your own PIN.



    Also managed to script something to extract the base results from that image into a csv file and hence to a spreadsheet. Hopefully I will be off the bench by next week so will have less time for this stuff!
    Last edited by Contreras; 14 March 2013, 11:43.

    #2
    Cool - mine's 9997 on the list of popular numbers!

    Who'd have thought I could pick one so rare?



      #3
      That is a great article. Should forward this to Nick for Monday links. Really interesting read and a good piece of work by the author.
      Nice find.

      Be interesting to know how many hits he has to that page from Romania



        #4
        Originally posted by TheFaQQer View Post
        Cool - mine's 9997 on the list of popular numbers!

        Who'd have thought I could pick one so rare?
        From the article:

        Warning Now that we’ve learned that, historically, 8068 is (was?) the least commonly used password 4-digit PIN, please don’t go out and change yours to this! Hackers can read too! They will also be promoting 8068 up their attempt trees in order to catch people who read this (or similar) articles.
        Change yours before you attend any CUK bashes, 'cos the bad guys might attend too.

        Just sayin' like.

        Seeing 8196 in that list made me think of a cross between 4096 and 8192. It might be interesting to run an analysis against the PINs known geeks use...
        Last edited by Sysman; 14 March 2013, 14:41.



          #5
          Originally posted by Contreras View Post
          I marked up the heat map he generated. The grid makes it easier to pick off certain values, like spotting your own PIN.

          Also managed to script something to extract the base results from that image into a csv file and hence to a spreadsheet. Hopefully I will be off the bench by next week so will have less time for this stuff!
          Out of idle curiosity how did you do that? Graphics tools or using some other data input?



            #6
            Originally posted by Sysman View Post
            Seeing 8196 in that list made me think of a cross between 4096 and 8192. It might be interesting to run an analysis against the PINs known geeks use...
            Please don't!



              #7
              Originally posted by Sysman View Post
              Out of idle curiosity how did you do that? Graphics tools or using some other data input?
              Interesting read.

              In terms of the plot... easily done in R, Matlab, etc.



                #8
                So I need to change all my card PINs from something other than 1111?



                  #9
                  Originally posted by Cliphead View Post
                  So I need to change all my card PIN's from something other than 1111?
                  Can you wait a few hours? It'll take a while to get to 55°51'N, 04°12'W.



                    #10
                    Originally posted by Sysman View Post
                    Out of idle curiosity how did you do that? Graphics tools or using some other data input?
                    Nah, did it with a shell script. Python would have probably been quicker/easier - if I knew how.
                    Code:
                    #! /bin/bash
                    # Sample the centre pixel of every 7x7 cell in the 700x700 heat map and
                    # write one CSV row per PIN: the first two digits come from the column
                    # (left to right), the last two from the row (bottom to top).

                    set -e

                    url="http://www.datagenetics.com/blog/september32012/grid.png"

                    output_file="pins.csv"

                    #wget "${url}" -O - | pngtopnm -plain | \
                    wget "${url}" -O - | pngtopnm | pnmtoplainpnm | \
                    (
                        # plain PPM header: magic number, width height, maximum sample value
                        read magic
                        read max_x max_y
                        read max_c

                        if [[ "${magic}" != "P3" || "${max_x}" != "700" || "${max_y}" != "700" || "${max_c}" != "255" ]]
                        then
                            echo "Oops!" >&2
                            exit 1
                        fi

                        echo "PIN,Red,Green,Blue,Sum"

                        # pixel rows arrive top row first, so start y at the top edge and count down
                        x=0; y=$((max_y - 1))

                        while read -a line
                        do
                            set -- "${line[@]}"

                            while (( $# >= 3 ))
                            do
                                red=$1; green=$2; blue=$3; shift 3

                                # only the centre pixel (offset 3) of each 7x7 cell is sampled
                                if (( ( (x % 7) == 3 ) && ( (y % 7) == 3 ) ))
                                then
                                    # leading apostrophe stops the spreadsheet dropping leading zeros
                                    printf "'%02d%02d,%d,%d,%d,%d\n" $((x/7)) $((y/7)) "${red}" "${green}" "${blue}" $((red+green+blue))
                                fi

                                if (( ++x == max_x ))
                                then
                                    x=0; let y--
                                fi
                            done

                        # Sum is the 5th comma-separated field (PIN,Red,Green,Blue,Sum), not the 4th;
                        # brightest cells, i.e. the most common PINs, come first
                        done | sort --field-separator=, --reverse --numeric-sort --key=5

                    ) > "${output_file}"
                    Code:
                    ~/tmp$ head pins.csv
                    PIN,Red,Green,Blue,Sum
                    '1234,255,255,255,765
                    '1111,255,255,223,733
                    '0000,255,255,153,663
                    '1212,255,255,126,636
                    '7777,255,255,98,608
                    '2000,255,255,86,596
                    '1004,255,255,86,596
                    '4444,255,255,77,587
                    '2222,255,255,76,586
                    
                    ~/tmp$ tail pins.csv
                    '9480,144,0,0,144
                    '8957,144,0,0,144
                    '6793,138,0,0,138
                    '8398,132,0,0,132
                    '0738,132,0,0,132
                    '9629,125,0,0,125
                    '7637,125,0,0,125
                    '6835,125,0,0,125
                    '8093,108,0,0,108
                    '8068,0,0,0,0
                    Last edited by Contreras; 15 March 2013, 20:38. Reason: code cleanup for TF, i just knew someone would try and break it :p
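A Python version of the same extraction, added here as an example rather than Contreras's own script (the thread's code is the shell script above). It tokenises a plain PPM (P3) image, skips the `#` comments the format allows, reads the centre pixel of each cell, flips the row index so the grid counts from the bottom as the shell version does, and sorts brightest first with ties broken by PIN descending, which is the order visible in the pins.csv listing. The grid size is derived from the image size and the cell size instead of being hard-coded to 700, and the image is constructed in the block rather than fetched from datagenetics.com. The apostrophe prefix the shell script uses to stop spreadsheets stripping leading zeros is left out; the PIN is kept as a string.

```python
"""Sample the centre pixel of each cell in a PIN heat-map image and build a
PIN,Red,Green,Blue,Sum table.  Added example, not code from the thread.
Assumes a plain PPM (P3) image made of square cells `cell` pixels wide, with
the first two PIN digits along the x axis (left to right) and the last two
along the y axis (bottom to top), the layout the shell script assumes.
The image used below is constructed, not downloaded."""
import csv
import io
from typing import Dict, List, Tuple

RGB = Tuple[int, int, int]


def parse_plain_ppm(data: bytes) -> Tuple[int, int, int, List[int]]:
    """Tokenise a P3 file.  '#' comments are legal in PPM and would confuse a
    reader that takes the first three lines as the header."""
    tokens: List[str] = []
    for raw in data.decode("ascii").splitlines():
        tokens.extend(raw.split("#", 1)[0].split())
    if not tokens or tokens[0] != "P3":
        raise ValueError("not a plain PPM (P3) image")
    width, height, maxval = (int(t) for t in tokens[1:4])
    samples = [int(t) for t in tokens[4:]]
    if len(samples) != width * height * 3:
        raise ValueError("pixel count does not match header")
    if any(not 0 <= s <= maxval for s in samples):
        raise ValueError("sample value out of range")
    return width, height, maxval, samples


def sample_cell_centres(data: bytes, cell: int = 7) -> Dict[Tuple[int, int], RGB]:
    """Return {(col, row): (r, g, b)}; col counts from the left, row from the
    bottom.  Only the centre pixel of each cell is read, so grid lines drawn
    on the cell borders never contaminate the sample."""
    width, height, _, samples = parse_plain_ppm(data)
    if width % cell or height % cell:
        raise ValueError("image size is not a multiple of the cell size")
    cols, rows, mid = width // cell, height // cell, cell // 2
    out: Dict[Tuple[int, int], RGB] = {}
    for row in range(rows):
        # pixel row 0 is the top of the image; grid row 0 is the bottom
        y = height - 1 - (row * cell + mid)
        for col in range(cols):
            i = 3 * (y * width + col * cell + mid)
            out[(col, row)] = (samples[i], samples[i + 1], samples[i + 2])
    return out


def pin_table(data: bytes, cell: int = 7) -> List[Tuple[str, int, int, int, int]]:
    """Rows (PIN, R, G, B, Sum), brightest first (the heat map draws common
    PINs bright), ties broken by PIN descending like the shell output."""
    rows = [(f"{col:02d}{row:02d}", r, g, b, r + g + b)
            for (col, row), (r, g, b) in sample_cell_centres(data, cell).items()]
    rows.sort(key=lambda t: (t[4], t[0]), reverse=True)
    return rows


def to_csv(rows: List[Tuple[str, int, int, int, int]]) -> str:
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["PIN", "Red", "Green", "Blue", "Sum"])
    writer.writerows(rows)
    return buf.getvalue()


def make_synthetic_ppm(cells: Dict[str, RGB], cell: int = 7,
                       default: RGB = (64, 0, 0)) -> bytes:
    """Constructed stand-in for grid.png: a 100x100-cell P3 image (700x700 at
    cell=7) with the listed PINs coloured and every other cell `default`."""
    grid = [[default] * 100 for _ in range(100)]        # grid[row][col], row 0 = bottom
    for pin, rgb in cells.items():
        grid[int(pin[2:])][int(pin[:2])] = rgb
    size = 100 * cell
    lines = ["P3", "# constructed test image", f"{size} {size}", "255"]
    for y in range(size):                               # emit top row first
        row = 99 - y // cell
        lines.append(" ".join(f"{r} {g} {b}" for r, g, b in
                              (grid[row][x // cell] for x in range(size))))
    return "\n".join(lines).encode("ascii") + b"\n"


if __name__ == "__main__":
    img = make_synthetic_ppm({"1234": (255, 255, 255), "1111": (255, 255, 223),
                              "8068": (0, 0, 0)})
    print(to_csv(pin_table(img))[:120])
```

Feeding it the real image means `pngtopnm grid.png | pnmtoplainpnm` and passing the bytes to `pin_table`; the header and pixel-count checks in `parse_plain_ppm` replace the script's hard-coded "700 700 255" test.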
