Is 5-digit PIN better than most passwords?

Question

This is something that's been bugging me for many years: why most online services highly value the entropy of a password, citing it as a security measure, and enforcing it when users select a password?

I decided to come out with this question after reading the paper "Do Strong Web Passwords Accomplish Anything?" (and, of course, classic Dilbert cartoon).

The typical policy of an online site is to require at least 6 or 8-digit upper+lowercase+numeric password. This length is somewhat relevant for the difficulty of brute-force attack to e.g. recover a password from hash. But the typical way guessing happens online is that somebody tries to log in into the server, which is free to refuse after a couple of attempts.

Let's imagine, for example, that we are protecting some medium-sized service with an all-digit PIN. One immediately thinks about 4-digit or 6-digit pins, but that might be not a good idea as too many people will be tempted to enter their children's birthdays, which are essentially a public knowledge.

So, here's my 5-digit PIN suggestion. I keep for each user a "possible attack" flag.

1. User logs in correctly -> OK
2. Otherwise, keep the https session and allow 2 more tries
3. User logs in -> OK
4. Otherwise, allow 2 more tries with a 5-minute break before them
5. User logs in -> OK
6. User breaks session -> set the flag
7. User breaks session but logs in normally later: present user with the dialog and allow to clear the flag
8. User exhausts the tries above: send email with the link; allow to clear the flag
9. If there are more than 100 flags overall during the month, set the global "possible attack" flag which requires that people who don't have a cookie answer security questions
10. Automatically clear the user flag in some cases (e.g. user finally logged in from the same computer)

Let's assume that the user names are somehow known (note this won't be true for most sites). A brute-force attack against one user is hopeless -- you're locked out after 5 attempts, so you have a 1/200000 chance. If you try to guess password more than 200 times in a month, the flag goes off and you get nothing. If you try <200 users per month, after a year you have < 1% chance of breaking one user; you're much better off with phishing, viruses, social engineering or anything else.

The size of the site is relevant only in the sense of not getting false positives, that is users who genuinely forget their password (let's say 1% per month), recover it, but don't clear the flag (let's say 1% of those), and when you can't clear the flag automatically (say, 10% of those). This makes for 10 expected false positive flags per month per 10⁶ users --- which means that a medium-sized site has a reasonably low probability of entering "panic" mode, which anyway isn't that bad.

I believe that this scheme is very practical. Here are some obvious first facts about it (updates):

• benefit: The PIN is easier to remember. I believe this is a big benefit since it's now possible to require that user remembers the password you generated. I believe most people are much better remembering 5 random digits than any other type of random password.
• tradeoff: Hashing will not help much if your attacker knows both the hashed PIN and the salt. This is possible if somebody broke into your database and learns what's your salting process. However, I believe the standard password entropy doesn't help in that case either.
• benefit: people are much happier remembering random 5 digits than random alphanumeric passwords; therefore it's much easier to also require that we generate the password, not the user. This eliminates dictionary/personal data attacks.

My questions are:

1. What are the other tradeoffs/benefits of my scheme compared to the one I described as typical?
2. Won't be most medium-sized sites and organizations better with my password scheme?
3. What are the reasons they select the scheme they have?

Note: I don't advocate always having short passwords. My own web passwords are usually randomly generated and encrypted by a password manager (1Password) with 12-character high entropy password. But I think that often the scheme above would be better than what we have in practice.

Answer 1

No, you're mistaken. Brute force attacks are one thing, but the real danger is Rainbow Tables that, from a hash value, gives you the plaintext password.

First you never ever store anything as plaintext. If someone breach your security (or even if an employee has malicious intent) you don't want to expose users' password. So you will use a properly salted hash.

Then, with a 5-digit PIN, it's way too short to protect with hash. There are rainbow tables (or even Google searches) that would allow someone to get the password back if they get the hash.

Answer 2

Keep in mind that a malicious user with 3.000 attempts can successfully block 1.000 accounts within minutes. Another thing is that he can change the odds of one successful login by trying thousands of different accounts a day. Is OpenID not an option?

Update

Just had a little inspiration about the 5 digit thing. If 5 digits (10^5=100.000) are really easy to remember and safe at the same time what about these cases:

4 letters all lowercase (26^4 = 456.976) => abcd
3 letters with mixed cases (52^3 = 140.608) => aBc
3 letters lowercase + numbers (36^3 = 46.656) => ab1

Answer 3

Beware of session-handling

I don't know too much about session handling, but as much I know, it is most of the time made using cookies. When you have a scheme like yours, it is necessary to write false attempts into the database or into special files on your server, since you can't rely on the session handling (in your description it sounds a little, as you just can "hold the session" to have all the truth...) -- since sessions over the internet are very vulnerable. It is just a construct of cookies (which can be deleted) and/or page names (those also can be tainted). The only thing you can rely on, is that the user still holds the session -- you can't really identify wheter some (seamingly) new connection is not your old user ...

Specially, it makes no sence to differenciate between "User has still session" and "User breaks session" (your item 7) this is just a neglectible difference and can also become a security hole.

Remembering is not really easier

You also say, that remembering 5 digits are more easier. That might be right for your credit-card or bank-card (in Germany, we have 4 digit PINs) security number, but for websites, you always have the problem, that those many websites have passwords. To remember dozens of 5 digit numbers is as difficult as plenty of passwords.

Answer 4

I still don't understand why people limit password lengths at all. Wouldn't it be easier for me to remember a sentence or phrase? For example, I might want my password to be "this is my stackoverflow password". I would have some serious memory issues if I forgot that. It's length is 34 characters and only uses an alphabet of 27 characters, but still would be essentially impossible to reverse the hash (4.6 x 10⁴⁸ possible permutations).

Combined with your ideas regarding the "attack flag" and proper salting/hashing techniques, this would be an ideal solution in my opinion.

Answer 5

Passwords with salted hashes are best. The Salt prevents most rainbow attacks and a password is much more difficult to brute force. Even with a dictionary attack you would be more likly to get faster hits on a 5 digit pin then on a similar length password.

Answer 6

I have suggested a scheme similar to yours in the past because I have seen plenty of cases where users simply write out the passwords on a sticky note next the their monitor citing the complicity is too difficult to remember. I argued that passwords don't matter too much because a hacker is more likely to find other holes in the system, be them via the application or simply by a little social engineering.

I think some people, especially technical managers who don't fully grasp what you are saying like a the sense of security. A big complicated password feels strong. Kind of like a guarantee on a box, it makes you feel good. Kind of like the tooth fairy

"Tommy: How do you know the tooth fairy isn't some crazy glue-sniffer. 'Buildin' model air planes,' he tells them. Well I'm not buying it. He sneaks into your house once, thats all it takes. Next thing you know you got money missing off your dresser drawer and your daughter's knocked up."

Ultimately though a simple password like a pin is likely to be cracked or guessed with common combinations, and it doesn't feel safe. A pin in combination with an RSA SecurId is what we were all able to agree upon.

Answer 7

I think it'd be easier to remember "passphrases beat PINs any day!", which will hold up to a brute force attack for something like 400 trillion years.

Answer 8

By that logic, if 5 digits are easier to remember than 8 characters, yet contain sufficient entropy, then one digit and three case-insensitive letters should be easier still!

10**5 = 100,000
26**3 * 10 = 175,760

Now just four little characters, yet they convey more entropy!

Perhaps I'll just use my initials followed by the digit 1 . . .

I'm not what's proved by this except that there's a big ambiguous gray area between reductio ad absurdum and sarcasm.

Answer 9

The real problem? People.

I know a school district with 4 passwords: 1111, 2222, 3333, and 4444. Why? The users got together and agreed to do this so they could always get in when staff was home sick. Too much of a pain to get into a locked lunch money computer when the lunch worker was sick.

Oh yeah, I saw the lunch computer unattended many times. And, yes, you can ask to have your balance turned into cash at any time.

Users are insane.

Answer 10

As such relying on lockout for security is a bad user experience and would lead to attacker locking out several accounts leading to inconvenience to the real users. Instead use stronger passwords with salted hash which are harder to break using brute force and are not susceptible to Rainbow table attacks if the choice is between PIN and Password. If the choice is among Passphrase, Password and PIN. My recommendation is to go with Password followed by Passphrase and then PIN in the descending order of preference. Passphrase (>10 characters) is normally more secure than a password(of 6 to 8 characters) but doesn't provide great experience as the user needs to type in the Passphrase (>10 characters) each time !! Make the choice based on how sensitive the data is and how good a user experience you want to provide. Wait a minute.. Explore the new emerging area of password less authentication using a mobile device as authenticator.