If your iPhone or Android smartphone PIN starts with 1234, 0000, 2580, 123456 or 654321, you are in a soup as these PINs are most prone to hacking as your device can be unlocked easily by others. According to the study, the 10 most popular four-digit PINs are: 1234, 0000, 2580, 1111, 5555, 5683, 0852, 2222, 1212, 1998. The most popular six-digit PINs are and 123456, 654321, 111111, 000000, 123123, 666666, 121212, 112233, 789456,159753.
Researchers at Ruhr University in Germany showed that the blacklist used by Apple to prevent particularly frequent PINs could be optimised and that it would make even greater sense to implement one on Android devices. It emerged that six-digit PINs do not provide more security than four-digit ones.
"Mathematically speaking, there is a huge difference, of course. A four-digit PIN can be used to create 10,000 different combinations, while a six-digit PIN can be used to create one million," said study researcher Philipp Markert from Horst Gortz Institute for IT Security in Ruhr University.
"However, users prefer certain combinations; some PINs are used more frequently, for example, 123456 and 654321, this means users do not take advantage of the full potential of the six-digit code," Markert added.
According to the researchers, it seems that users currently do not understand intuitively what it is that makes a six-digit PIN secure.
For the findings, the research team investigated how users choose the PIN for their mobile phones and how they can be convinced to use a more secure number combination. The team asked Apple and Android users set either four or six-digit PINs and later analysed how easy they were to guess.
In the process, they assumed that the attacker did not know the victim and did not care whose mobile phone is unlocked. Accordingly, the best attack strategy would be to try the most likely PINs first.
Some of the participants were free to choose their PIN at random. Others could only choose PINs that were not included in a blacklist. If they tried to use one of the blacklisted PINs, they received a warning that this combination of digits was easy to guess.
In the experiment, the IT security experts used various blacklists, including the real one from Apple, which they obtained by having a computer test all possible PIN combinations on an iPhone. Moreover, they also created their own more or less comprehensive blacklists.
A prudently chosen four-digit PIN is secure enough, mainly because manufacturers limit the number of attempts to enter a PIN. Apple locks the device completely after ten incorrect entries, the researcher said.
On an Android smartphone, different codes cannot be entered one after the other in quick succession. "In eleven hours, 100 number combinations can be tested," Markert said. The researchers also found 274 number combinations on Apple's blacklist for four-digit PINs.
"Since users only have 10 attempts to guess the PIN on the iPhone anyway, the blacklist does not make it any more secure," said study researcher Maximilian Golla.
According to the researchers, the blacklist would make more sense on Android devices, as attackers can try out more PINs there. The research has shown that the ideal blacklist for four-digit PINs would have to contain about 1,000 entries and differ slightly from the list currently used by Apple