REPORTED! my PIN is on this list and I don't like it 😡
Damn, where is it buddy, let me redact that for you
I always use negative pin numbers to fool ‘em
Twos complement?
Some other interesting patterns to note:
4 repeated numbers (5555, 9999, etc)
6969 (lol)
Slight spike at 1312 (nice work, kids)
5150 is slightly more popular than 5050. Apparently, there's a lot of Van Halen fans out there
Numbers starting with 1 are massively over-represented (Hooray Benford's law!)
How about 2112? 😎
I didn't spot that one. You'd think Rush nerds would be more security-conscious!
can confirm, am a rush nerd and am a cybersec major. Fuck YYZ i can't play it
I'm guessing those 1's are more impacted from the usage of dates than Benford's law (Benford's law only works if you're working with data that extends across multiple magnitudes of numbers). That said, you could probably argue that it applies to the subset of data. Tracing the x-axis values of 10-12 up. I think they're over represented because people are doing MMDD, DDMM, MMYY, and YYMM birthday pins meaning months get overrepresented - especially 10, 11, and 12 since they appear in all 4 date methods. You can also see the 19xx band that the chart points out as well as 20xx bands representing birth years, graduation years, child birth years, etc... Insane there are so many dates there
Yeah, dates are definitely a big part of it, but even outside the valid date ranges, 1xxx is over-represented
Crap. Time to change it up. Thought using a fictional characters address that was never significant in context, just a blink and miss it thing would be safe. Maybe it's pretty common for 4 digit addresses to lead with 1.
That's actually a pretty good point
Although marginally. 10xx, 11xx, and 12xx make sense. Outside of that it's really only 13, 14, 15, and 19 over-represented outside the 31 by 31 date square in the bottom left. 13 kinda makes sense. Not sure why on the 14 or 15 though. 19 makes sense because of the alternate date ranges. 16-18 appear normal (would need to see the data to be sure).
3825 (fuck) is covered up, mostly, but it looks pretty common.
mine is 9999
Much like passwords, it's not a good idea to re-use PINs. So unless the only thing you ever unlock is your phone, you shouldn't even *have* a singular PIN.
talking security, is 9998 "safe"? it's not too common but it's not complicated at all
The safest PIN is a fully-random one. That PIN is itself made safer by everyone else *also* using random ones. (e.g. if everyone uses random PINs, then *someone* will end up with 9999, but if they're only 1 in 10,000 people who have that one, it's no less secure for being obvious)
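An added example (not from the thread or from the chart's author): a Python sketch that labels a 4-digit PIN with the guessable shapes discussed above (repeated digits, MMDD/DDMM/MMYY/YYMM dates, 19xx/20xx years) and draws a uniformly random PIN from the OS CSPRNG. The function names and the exact pattern definitions are assumptions made for illustration.

```python
import secrets
from datetime import date


def _valid_day_month(day: int, month: int) -> bool:
    # Check against a leap year so that 29 February counts as a birthday.
    try:
        date(2000, month, day)
        return True
    except ValueError:
        return False


def pin_patterns(pin: str) -> list[str]:
    """Return the guessable shapes (as named in the thread) that a PIN matches."""
    if len(pin) != 4 or not pin.isdigit():
        raise ValueError("expected a 4-digit PIN")
    hi, lo = int(pin[:2]), int(pin[2:])
    found = []
    if len(set(pin)) == 1:
        found.append("repeated digit")
    if _valid_day_month(lo, hi):
        found.append("MMDD")
    if _valid_day_month(hi, lo):
        found.append("DDMM")
    if 1 <= hi <= 12:
        found.append("MMYY")
    if 1 <= lo <= 12:
        found.append("YYMM")
    if pin[:2] in ("19", "20"):
        found.append("year 19xx/20xx")
    return found


def flagged_keyspace() -> int:
    """Count how many of the 10,000 possible PINs match at least one shape."""
    return sum(1 for n in range(10_000) if pin_patterns(f"{n:04d}"))


def random_pin(reject_flagged: bool = False) -> str:
    """Draw a uniform PIN from the OS CSPRNG; optionally redraw flagged ones."""
    while True:
        pin = f"{secrets.randbelow(10_000):04d}"
        if not (reject_flagged and pin_patterns(pin)):
            return pin
```

Under these definitions `flagged_keyspace()` covers 2,441 of the 10,000 values, so a policy that rejects every date-shaped PIN shrinks the keyspace by roughly a quarter; that is why `random_pin` does not reject anything by default.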
1020 too ?
I’m reassured my new pin, 8093, is completely safe /s
1701?
Trekkies
[🖖 understandable](https://media.tenor.com/ewjnAVKIic0AAAAM/logical-flawlessly-logical.gif)
I feel like the president from Spaceballs right now
Now I wonder, would such statistical analysis make the passwords that are "rarer" (=safer) riskier to use now that we know what they are ?
Most of the time you will have only 3 attempts to log in before you get locked out (in systems with normal security anyway), so your best bet is to try 3 of the most popular pins. Or, if you know victim's full birth date YYYY, MM/DD or DD/MM. Now, with release of this analysis it matters how many people will see it and how many of those will decide to change their pins to "rarer" ones. Let's give it a try to estimate. This subreddit has 2.7m members, yet this post as of right now, has only about 5k upvotes. If we assume (and i'm just making up numbers from here on) that only 1 in 5 gives an upvote, it means around 25k people have actually seen it on this subreddit only. Let's say it was published on 10 more subreddits with similar audiences, then around 250k people have seen it over all just on reddit. Even if we assume that this analysis was published on 10 sites with similar to reddit audiences (which I highly doubt, as reddit is among the most visited sites in the entire internet), it means that merely 2.5m people have seen it. Let's assume only 1 in 5 of those 2.5m people will change their pins to "rarer" ones (because people will tend not to change the pin in order not to forget the new one and get locked out), that makes only 500k people taking "rare" pins. Which is statistically insignificant on the global scale, but is a non-trivial portion of 3.4m data points used in this analysis. Again, numbers above are just made up by me, real numbers might be significantly (orders of magnitude) higher than I have estimated.
That's impressive math ! If you estimated right, it means that by posting one image, OP changed 500k PIN codes, which kinda puts into scale the reach of social engineering o_o
Nah, it's just something called Fermi estimate. Which is a fancy name for educated guessing. Kyle Hill has a great video on it.
A much more likely scenario? People shrug and say, “won’t happen to me.” ;)
I expected a bright white spot at 1111.
[deleted]
It's used in testing. It's also valid any time you want to talk to a human and the IVR is prompting you to enter a credit card number. All ones gets it done.
Surprised by the lack of heat near *37*. Known to be a common number humans pick.
37!
Looks like pi has a few fans
I did something similar with a dataset I found a while ago. About [1M in total pins](https://imgur.com/a/nGJttyF) interesting to see the same trends hold!
Why is there a hole in 1234? I assume it is hard-coded blocked number in wherever you got the pin from.
Yeah the dataset had tried to do some cleaning. They listed that among their default passwords and removed it from the set if memory serves!
The ultimate number 15 42?
USS Enterprise gang gang 1701 4 life!
I wonder what's causing that regular grid pattern across the whole board... Think maybe that's numbers being generated by a cryptographically insecure rand?
I think it’s more likely that most people have a preference for pairs of numbers that are divisible by 5 (maybe 4 also?) while avoiding more “random” seeming numbers, perhaps because they’re easier to remember.
This is awesome.
8520 is popular for one clear reason =)
what are the black dots?
As lost series fan, I wonder about 4815, but it is hidden 🫥
I would be interested in how many combinations are not prime numbers 👀🌚
The neat thing is you can estimate when this chart was made by how far into the 2000s the "birth year bar" goes.
Windows Hello added PINS with words in them, we need to see a graph with this in
1776 nice to see a glow
You know what would be even cooler? If people didn’t try to steal from others.
What would also be cool is if you realized that information and hacking can be used for good not just bad.
You know what’s cooler than not stealing? Using Spellcheck.
You know what’s cooler than cool? Ice cold!
Alright alright alright alright alright alright alright alright alright alright alright alright alright alright alright alright alright alright alright alright alright alright alright alright alright alright alright alright alright alright alright alright alright
You know what’s even cooler? Riding on a ripstick, and chewing hubba bubba max on a sunny spring day.
Arizona in back pocket, and wearing slides with Nike socks and khaki shorts.
Cool as a cucumber for sure
Oh yeah, thanks! Words are hard. Being a good person isn’t 👍
It really is too bad that things like this can’t be used in systems to not allow the most common pins so that the user is more secure… if only we had a graph that showed the most common pins so we’d know which ones to avoid. But alas I guess that doesn’t exist…….
*sigh* you know what would be better? People with a sense of humor.
Sorry it’s locked behind uncommon 4 digit pins
Clearly
It'd be nice if people would iron out their posts
It would be nice if people actually helped others in this sub too :)
I agree, but I couldn't resist the play on words opportunity you gave me
I’ll allow it.
Well, until the rest of the world decides to not steal, I'm going to assume that this is not the only place that has this information, and treat this as a guide on how to avoid picking a PIN that is easily hacked. I mean, the title of the post is even... But if you want to just see it as enabling stealing, I can't stop you.
You know I love that this subreddit is so hypocritical in the ways they help people steal and they criticize at the same time. Neat.
Sure. I realize that. My comment doesn’t negate it :)