Are 4 digit PINs safe at all?

The interesting case of PINs

PINs are one of the most common security methods of daily life. They're used to unlock hardware devices, withdraw money, and accept payments. They are quick, easy to remember and convenient. In fact, they're a little too convenient for comfort. With just 10,000 possibilities, 4-digit PINs in particular do not appear all that safe: a system can exhaust this search space in a tiny fraction of a second.

The reality is even worse than the math would have you believe. While in theory there are 10,000 possible PINs, in practice people tend to choose the same easy-to-remember PINs: 1111, 1234, or easily guessable ones such as birthdates and anniversaries, repeated patterns or obvious combinations. This means attackers don't have to try all combinations incrementally; they can just try the few common PINs everyone uses.

So are PINs secure? If not, what is keeping PIN infrastructure alive?

Because of their low entropy and tiny search space, PINs are not safe by themselves. However, the systems and infrastructure surrounding PINs can make them a meaningful security addition. It would be truly terrible if attackers could easily automate all PIN checking, but PIN systems often have very strict rate limiting and quick lockouts that make cracking difficult to pull off.

Moreover, while passwords and longer security tokens are standalone security methods that can be used on online forms or through an API, both of which can be easily scripted and automated, security PINs are usually only one part of authentication. To access your phone, you don't just need a PIN, but also the phone itself. To access your bank account, you need a card along with the corresponding PIN. The PINs themselves are commonly stored offline, which makes automated testing very difficult without physical access.

So PINs can be secure as parts of a larger security system that restricts or penalizes guesses, requires more proof of identity and is not remotely accessible. Their point is not to be the single line of defense, but to add enough friction to make attacking impractical.

That said, a 4-digit PIN as the sole security mechanism, served online through an API that has not implemented proper rate limiting, is a compromise waiting to happen.
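To make the friction argument concrete, here is an added example (not code from this page) of the kind of gate the text describes: a PIN verifier that counts consecutive failures and locks the account, plus a simulation of an attacker sweeping all 10,000 PINs against it with a fake clock. The policy numbers (3 attempts, 15-minute lockout), the account name and the stored PIN are constructed assumptions.

```python
import hmac

MAX_ATTEMPTS = 3        # consecutive wrong guesses before lockout (constructed policy)
LOCKOUT_SECONDS = 900   # 15-minute lockout (constructed policy)
PIN_SPACE = [f"{n:04d}" for n in range(10_000)]   # every four-digit PIN, 0000..9999


class FakeClock:
    """Controllable clock so the simulation runs instantly and deterministically."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class PinVerifier:
    """Per-account PIN check with attempt counting and a time-based lockout.

    The PIN's own entropy is tiny; it is this gate that caps an attacker at
    MAX_ATTEMPTS guesses per LOCKOUT_SECONDS window.
    """
    def __init__(self, pins, clock):
        self._pins = pins        # account -> PIN (constructed; store a keyed hash in production)
        self._clock = clock
        self._failures = {}      # account -> consecutive wrong guesses
        self.locked_until = {}   # account -> clock value at which the lockout expires

    def is_locked(self, account):
        return self._clock() < self.locked_until.get(account, 0.0)

    def verify(self, account, guess):
        """Return 'ok', 'wrong' or 'locked'; the response never hints how close a guess was."""
        if self.is_locked(account):
            return "locked"
        stored = self._pins.get(account, "")
        # compare_digest keeps the comparison time independent of which digit differs
        if stored and hmac.compare_digest(stored.encode(), guess.encode()):
            self._failures[account] = 0
            return "ok"
        self._failures[account] = self._failures.get(account, 0) + 1
        if self._failures[account] >= MAX_ATTEMPTS:
            self.locked_until[account] = self._clock() + LOCKOUT_SECONDS
            self._failures[account] = 0
        return "wrong"


def sweep_for_one_day(pin="9876", account="acct-1"):
    """Simulate one attacker day (86,400 s) of guessing 0000..9999 in order.

    Returns (guesses the gate actually evaluated, whether the PIN was found).
    """
    clock = FakeClock()
    gate = PinVerifier({account: pin}, clock)
    accepted = 0
    for guess in PIN_SPACE:
        if gate.is_locked(account):
            clock.now = gate.locked_until[account]   # attacker waits the lockout out
        if clock.now >= 86_400:
            return accepted, False
        accepted += 1
        if gate.verify(account, guess) == "ok":
            return accepted, True
    return accepted, False
```

Without the gate the same sweep reaches 9876 after 9,877 instant guesses; with it, a full day yields only 288 evaluated guesses, so exhausting the space takes over a month per account, and a sensible system alerts on the first lockout.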

So what should you do?

If you have the option of using a more complex 6-digit PIN or a password, absolutely opt for that. Unfortunately, PIN infrastructure is not trustless, and as a user you shouldn't be expected to verify the rate limiting implementation. If, however, you're stuck with 4-digit PINs, make sure you use our PIN checker to ensure you're not using an easily guessable PIN.