Pin Generation

I am looking to develop a system in which I need to assign every user a unique PIN code for security. The user will only enter this PIN code as a means of identifying himself. Thus I don't want the user to be able to guess another user's PIN code. Assuming the max users I will have is 100000, how long should this PIN code be?

e.g. 1234 4532 3423

Should I generate this code via some sort of algorithm? Or should I randomly generate it?

Basically I don't want people to be able to guess other people's PIN codes, and it should support a sufficient number of users.

I am sorry if my question sounds a bit confusing, but I would gladly clarify any doubts.

Thank you very much.

UPDATE

After reading all the posts below, I would like to add some more detail.

  1. What i am trying to achieve is something very similar to a scratch card.
  2. A user is given a card, which he/she must scratch to find the pin code.
  3. Now using this pin code the user must be able to access my system.

I cannot add extra security (e.g. username and password), as that would deter the user from using the scratch card. I want to make it as difficult as possible to guess the PIN code within these limitations.

Thank you all for your amazing replies again.

Alec Smart, asked Jan 01 '09 10:01


2 Answers

4 random digits should be plenty if you append them to a unique, known user ID (which could still be a number) [as recommended by starblue].

A pseudo-random number generator should also be fine. You can store these in the DB using reversible encryption (AES) or one-way hashing.

The main concern you have is how many times a person can incorrectly input the PIN before they are locked out. This should be low, say around three. This will stop people guessing other people's numbers.

Any longer than 6 digits and people will be forgetting them, or worse, writing them on a post-it note on their monitor.

Assuming an account locks after 3 incorrect attempts, then having a 4-digit PIN plus a user ID component, UserId (999999) + PIN (1234), gives you a 3/10000 chance of someone guessing. Is this acceptable? If not, make the PIN length 5 and get 3/100000.

nick_alot, answered Sep 18 '22 04:09


May I suggest an alternative approach? Take a look at Perfect Paper Passwords, and the derivatives it prompted.

You could use this "as is" to generate one-time PINs, or simply to generate a single PIN per user.

Bear in mind, too, that duplicate PINs are not of themselves an issue: any attack would then simply have to try multiple user-ids.

(Mileage warning: I am definitely not a security expert.)


Here's a second answer: from re-reading, I assume you don't want a user-id as such - you're just validating a set of issued scratch cards. I also assume you don't want to use alphabetic PINs.

You need to choose a PIN length such that the probability of guessing a valid PIN is less than 1/(The number of attempts you can protect against). So, for example, if you have 1 million valid PINs, and you want to protect against 10000 guesses, you'll need a 10-digit PIN.

If you use John Graham-Cumming's version of the Perfect Paper Passwords system, you can:

  1. Configure this for (say) 10-digit decimal PINs
  2. Choose a secret IV/key phrase
  3. Generate (say) the first million passwords (/PINs)

I suspect this is a generic procedure that could, for example, be used to generate 25-character alphanumeric product IDs, too.

Sorry for doing it by successive approximation; I hope that comes a bit nearer to what you're looking for.
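The two pieces of this answer, sizing the PIN and then generating a batch of them from one secret, as an added example (my code, not the answerer's and not the Perfect Paper Passwords implementation). `required_pin_length` applies the stated rule with the bound taken as "at most 1/attempts", which reproduces the 10 digits for a million PINs against 10,000 guesses. `generate_batch` derives card PINs from a secret key and a card index with HMAC-SHA256; that is a keyed derivation in the spirit of PPP, not PPP's own AES-based algorithm, and the key below is a constructed test value.

```python
import hashlib
import hmac


def guess_success_probability(valid_pins: int, pin_length: int, attempts: int) -> float:
    """Probability that `attempts` random guesses hit at least one of the
    `valid_pins` issued PINs in a space of 10**pin_length (capped at 1)."""
    return min(1.0, attempts * valid_pins / 10 ** pin_length)


def required_pin_length(valid_pins: int, attempts: int, alphabet_size: int = 10) -> int:
    """Smallest length L with valid_pins / alphabet_size**L <= 1/attempts,
    i.e. alphabet_size**L >= valid_pins * attempts."""
    length = 1
    while alphabet_size ** length < valid_pins * attempts:
        length += 1
    return length


def derive_pin(secret_key: bytes, index: int, length: int) -> str:
    """Deterministic PIN for card number `index`: HMAC-SHA256 over the index,
    reduced mod 10**length. The 256-bit MAC makes the modulo bias negligible
    for any practical length; this is an assumed construction, not PPP's."""
    mac = hmac.new(secret_key, index.to_bytes(8, "big"), hashlib.sha256).digest()
    return str(int.from_bytes(mac, "big") % 10 ** length).zfill(length)


def generate_batch(secret_key: bytes, count: int, length: int) -> list[str]:
    """The first `count` distinct PINs for this key. Duplicates are skipped only
    because here the PIN alone identifies the card, so one PIN must not map to
    two cards; the same key always reproduces the same batch, so the issuer
    needs to keep the key, not the list."""
    pins: list[str] = []
    seen: set[str] = set()
    index = 0
    while len(pins) < count:
        pin = derive_pin(secret_key, index, length)
        index += 1
        if pin in seen:
            continue
        seen.add(pin)
        pins.append(pin)
    return pins


if __name__ == "__main__":
    # Constructed example key; a real issuer would generate and protect this secret.
    key = b"constructed-example-key-do-not-reuse"
    n = required_pin_length(1_000_000, 10_000)
    print("digits needed for 1M PINs vs 10k guesses:", n)
    print("first five cards:", generate_batch(key, 5, n))
```

Because the batch is reproducible from the key and an index, validating a presented PIN can either look it up in a table of issued PINs or mark the index as used, which is how one-time use (the "as is" option in the first answer) falls out of the same construction.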

Brent.Longborough, answered Sep 20 '22 04:09