Why is it that some security advisers recommend using an 8-character password with upper, lower, digits, and symbols while banks only use a 4-digit PIN for debit cards and a 3-digit PIN for credit cards?

Isn't using a short, non-random password like that a security risk?

schroeder
Esteru
  • The PIN, which is only 4 digits, is only for further security. For example, Bank of America needs all the things, i.e. your password, card details plus your PIN, if you want to add an account. So I don't think there is any issue of risk. – Aditya Peshave Jun 24 '14 at 18:33
  • Do you mean a short PIN to use the card, or to access your account online? – schroeder Jun 24 '14 at 18:36
  • Also, to slightly undermine one of your assumptions: Bank of America will allow you to use up to a 12-digit PIN number. – Kyle Hale Jun 24 '14 at 19:28
  • @KyleHale I had a 5-digit PIN at a bank I once had an account at. Later I went to a new bank, entered a 5-digit PIN on that device the teller gives you, and then next time I went to the ATM found it wouldn't accept my PIN. After a lengthy back and forth trying to figure out the problem, it turned out the bank only accepted 4-digit PINs, but didn't detect when you had entered 5 to warn you. – Michael Jun 24 '14 at 22:46
  • @Michael I have the same problem with long passwords on some sites. If you're going to build in a limitation, and especially if you're not going to declare it up front, you should at least bother to build in a mechanism to prevent users from going over it or warn them when they do. – Iszi Jun 26 '14 at 06:09
  • @Bladimir By the way, 8 characters is by far outdated now. Most security standards recommend 12, while professionals will readily suggest 15, 20, or more if you can manage it. – Iszi Jun 26 '14 at 06:10

5 Answers

You're not comparing apples to apples in your comparison of password strength to your bank PIN.

Most traditional password strength theologies are predicated on the fact that your username and password are all that stands between you and your precious secure data. These are merely two objects that you know, and as such it's in your best interest to have a longer password with seemingly random patterns to prevent password guessing, brute force attacks, etc.

Your bank card is based on what is known as two-factor authentication: something you have (your bank card) and something you know (your PIN). This extra element of having something you have (which, as you recall, you don't have in the first scenario) arguably drastically increases the security when the item you have is handled with great care. With that in mind, you can usually get away with having a 4-digit code because the likelihood that someone will guess your PIN after randomly finding your card, without alerting your financial institution, is quite low.

It should go without saying that two-factor authentication is not without its flaws (someone could copy your magnetic strip on a non-chipped card and steal your PIN); however, its additional security benefits allow you to have shorter password lengths without increasing the risk to the holder.

DKNUCKLES
  • Banks also use a lot of back-end processing to protect you (e.g. comparing your behavior to past activities) and they have an elaborate system for rolling back fraudulent transactions (if they are caught in time). The banks want you to use your bank card, and have purposefully decided to trade off security for usability, knowing that they have safeguards on the backend. – Ari Trachtenberg Jun 24 '14 at 18:31
  • Also, I know of no bank that allows customers to choose their own PIN. You get one assigned at random, and that makes 0000 or 1234 just as likely as 9346 or any other combination. Coupled with the fact that you have only three tries before the ATM keeps the card, I say it's very secure despite the short PIN. – Joey Jun 24 '14 at 23:26
  • @Joey That might vary by location. I'm in New Zealand, and most banks I've used allow you to choose. – Wossname Jun 25 '14 at 00:04
  • I don't know if this is common practice, but in the Netherlands you get 3 tries; after that you have to go to the bank to unblock your account. Good luck trying to get all 4 digits right in 3 tries. – Martijn Jun 25 '14 at 09:30
  • I got to choose my PIN in Canada, the UK, and the US. – Almo Jun 25 '14 at 13:30
  • This is not the main reason a 4-digit PIN is ok. The main reason is that PIN attempts are always online, and the card is blocked after 3 attempts. This is different from the common password threat model where the password hash is leaked. – Gilles 'SO- stop being evil' Jun 26 '14 at 09:02
  • @AriTrachtenberg The bank isn't protecting you but protecting themselves. They need to return the money to you, so it's their money they're saving. – Pacerier Dec 10 '14 at 03:05
Originally it's to do with the difficulty of a brute force attack on the password.

Most websites are concerned about the possibility that some attacker might get hold of a file containing everyone's hashed passwords, and conduct an offline brute force attack using that. A properly set up attacker might be able to make millions of guesses per second (exact rate depending on whether the passwords are hashed using a suitable algorithm, and just how much silicon the attacker can bring to bear on the problem). So even 8 characters arguably is not sufficient.

Banks (for various reasons to do with their different security models) don't think they're likely to lose files containing PINs or their hashes without noticing, or anyway they're no more concerned than they are with losing millions in any other form of bank robbery. If you want to make a brute force attack on someone's PIN then (leaving aside home Chip and PIN readers), you have to put their card in an ATM or other device connected to the banking system, and type in a number. It's slow, and the machine eats the card after 3 wrong guesses.

Some websites use a similar lock-out to prevent online password-guessing attacks, but the main concern driving the need for password strength is the loss of password hashes. The main concern driving the (lack of) need for PIN strength is use of the physical card (or a clone of it, when using magnetic stripe technology).

Note that there is still a non-trivial flaw in the simple version of the model I've described. If you steal 10,000 credit cards and make 3 guesses at each 4-digit PIN, then you'll expect to get 3 right. Naturally, though, a single ATM will notice that something is amiss if it has to eat 100 cards in a row, so I suspect/hope the cops would be on their way before then. Guessing card PINs is risky for the attacker.

In general, banks also pay closer attention to suspect card transactions than websites do to suspect logins. Some websites will try to notice and take extra security steps if they notice a login from a suspect location, adding extra security behind the password. But all card payment systems try to do this. Not that they always succeed.

I don't know what effect home Chip and PIN readers have on this. I just used mine to confirm that my PIN is correct, without any communication to the bank. It might be as simple as the Chip being smart enough to lock itself down after sufficient incorrect guesses. This would still be subject to the 10,000 stolen cards attack. You'd burn 99.97% of the chips, but those could still be used for card not present fraud and the other 0.03% would be good for fraud requiring the PIN. Naturally I'm not about to test that theory with my own card ;-)

Attackers with the ability to steal physical cards on that scale probably aren't messing about guessing PINs anyway. It's simply not the most efficient way to extract money from stolen or cloned cards.

In short, yes, there is some risk in using short passwords, in that they might be guessed. But compared to websites, guessing is much harder for attackers, banks defend in depth against card fraud, and they also have higher costs associated with someone forgetting a PIN than websites do with passwords. So they choose a different trade-off.

Steve Jessop
  1. It is only part of the authentication, with the physical presence of the card also being part of the proof.
  2. You get locked out after a sequence of failed attempts, so with a 4-digit only PIN the total chance of someone guessing the PIN is generally 0.03%, or 0.003% and 0.0003% for 5- and 6-digit PINs and less than 0.00025% when you have the option of 4-, 5- or 6-digits. (In reality an attacker can increase the odds by picking popular numbers, but they still don't get the 1000–1210000 attempts necessary to guarantee success by brute-force).

It's worth noting that part of this comes from the fact that DoS by bogus log-in is not a risk. If, for example, this website had a similar total (rather than perhaps blocking one IP only) lock-out after a set number of attempts, then one could be a nuisance by making attempts to guess the password for different users (whether targeted or just hitting all the users from the published list) until they get locked out. This could in fact be more of a problem than successfully guessing a password; such an attack could render the site useless, while successfully breaking a password would allow for more limited vandalism that would have to be subtle (which takes effort) or else would soon be blocked by moderation.

With an ATM or chip-and-PIN card, the difference in what is protected makes lock-out more useful, while the necessity of having the card itself (or a clone of it) means that someone can only maliciously lock us out if they have the card, in which case we have lost part of our security and want to be locked out.

Jon Hanna

The requirements for passwords which contain digits, symbols and mixtures of upper- and lower-case letters are predicated on the idea that the attacker has a copy of the hashed password. Since the attacker has a copy of the hashed password, the attacker can run millions and millions of guesses against it, based on probing innumerable dictionary entries, plus variations, such as adding small integer prefixes and suffixes to every word, substituting 0 for O and so on. The attacker controls this cracking software, which will not lock him out after five failed attempts.

PINs are predicated on the idea that the storage which holds the PIN is secure in some sense. That in itself doesn't justify a mere four-digit PIN: another factor is that you possess the card which goes with the PIN. You cannot obtain cash from a bank machine if all you have is a user ID and PIN, but no card. If you have the card, but not the PIN, so that you're reduced to guessing, you will be locked out after a number of unsuccessful retries. Note that online banking, which doesn't require your card (only your card number), does not use your PIN for logging in.

Regarding the first point again, it is in fact not a reasonable assumption that the attacker has a copy of the hashed password. Or, rather, that assumption is not acceptable to me, the end user. When a site makes us choose some obtusely difficult password, they are in fact telling us: "we are not making any effort to safeguard your personal information from attackers, such as your password hash". The problem with this is that unless I'm re-using the same password for multiple service providers (poor security practice), the password is probably the least important piece of personal information. Ideally, it contains no personal information at all, in fact. If an attacker has access to my hashed password, it means that the attacker has access to my entire user record, and that's the problem, not the password.

Ironically, many systems with this type of policy severely restrict the password length, and reject some characters such as spaces, so that users are denied the reasonable alternative of being able to use a long password phrase, which is easier to remember and type. This shows that the people who are implementing this password check do not really understand the issues, and are more concerned about being held blameless by copying whatever everyone else is doing.

Kaz
  • Few things annoy me as much as the systems that limit the length of your passphrase, or that forbid certain characters. – Floris Jun 25 '14 at 23:46

EC Cards (widely used in Germany) require 6 digits, compared to the 4 usually required for Visa and MasterCard. So of course it is a bit more secure, dividing the chance of finding your PIN code by pure chance by 100, with 3 wrong attempts meaning the card is blocked, of course.

  • You could block an ATM card after three unsuccessful attempts for 30 mins and it wouldn't matter if you used 4 or 6 numbers. Seeing as ATMs usually have cameras, it will capture the ID of the person attempting to steal money. Using a PIN is really the last thing on a crook's mind; many will just buy store gift cards and discard the ATM card. Lack of traceability that way. – Engineer2021 Jun 24 '14 at 20:22
  • I have multiple German EC Cards, and none of them has a 6-digit PIN (4 for all). – Flo Jun 25 '14 at 09:21
  • I also have many EC Cards, and not only does none of them (and also none of my coworkers' ones) *require* 6 digits, some of them do not even support more than 4. – PlasmaHH Jun 25 '14 at 10:00