When you don’t have the option to authenticate into your computer or smartphone with a biometric, the backup option is a PIN code. Why isn’t it a password? Surely the 8+ characters with some capital letters and exclamation marks mixed in that you use to log in to your email account are much more secure than the four to six digits that stand between an intruder and full access to your iPhone, laptop or iPad, right? Actually, that PIN is much more secure than your password, and knowing why corrects a lot of the misunderstandings about authentication and security.
Location, Location, Location
A common trope in password security is that more complexity equals more security. You may have even seen the chart going around that showed how long it would take a hacker to crack a password based on the complexity of that password. The intended takeaway was that if a password is sufficiently long and has enough special characters, you don’t need to worry about a hacker figuring it out for at least a few hundred years. But people’s passwords are compromised all the time, even extremely complex ones. Entire services exist just so people can regularly check whether any of their passwords are in the wrong hands. This is because the real vulnerability of passwords does not come from their lack of complexity, but rather from where they are stored.
A password is stored on a server. Most stolen passwords come from these servers getting breached, not from a hacker spending hours or months trying different combinations of letters and numbers until they’ve figured out your Netflix login. A PIN is stored on the device and nowhere else. If Apple were to have a breach and a hacker accessed their servers, the hacker would not find your PIN code, because it is not there.
Possession is Nine Tenths of the Law
Let’s assume someone gets your password, presumably from a breach. All they need is your username or email address, which is usually publicly available, and they can access your accounts from anywhere in the world.
On the other hand, let’s assume someone knows your PIN. The PIN code does not grant remote access; it is only useful to whoever is in possession of the device.
Look Ma, First Try!
For a four-digit PIN code there are 10,000 combinations, and for a six-digit PIN code there are a million possible combinations. This may seem high, but compare it to an 8-character password with a mix of upper- and lowercase letters, special characters, and numbers, which gives you 457,163,239,653,376 possible combinations, and the PIN looks quite trivial. So why don’t people use brute force attacks on PINs? Why not just use software or hardware (imagine a robotic finger) that tries all combinations until the PIN is cracked, the way they do with passwords? This plays into another myth about complexity being more secure. Password complexity actually prevents the use of the security measures that protect PIN codes.
Aside from the fact that, as discussed earlier, an attacker would have to have the phone in their physical possession to start trying combinations, PIN authentication has anti-hammering measures in place that limit the number of attempts. For an Android phone you get 10 attempts to enter the correct PIN, or else you must perform a factory reset on the phone, deleting all its contents. iPhones have a system in which the time you must wait between attempts increases after each incorrect PIN entry, to the point where it would take three hours to try 10 different PIN combinations. They also have the option to wipe the phone’s data after 10 incorrect attempts.
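To make the two ideas above concrete (the keyspace arithmetic, and why a small keyspace is still safe behind a device-local lockout), here is an added example that is not code from the original post. It models a phone-style PIN check with an escalating delay and a wipe threshold, and runs a guessing loop against it on a virtual clock, so nothing actually sleeps. The lockout schedule, the wipe-after-10 threshold and the 68-symbol password alphabet (26 lowercase + 26 uppercase + 10 digits + 6 specials, which is what reproduces the post’s 457,163,239,653,376 figure) are assumptions chosen for the demo, not Apple’s or Google’s real policies. Real devices also never hold the PIN in plain text; it is kept that way here only to keep the demo short.

```python
"""Device-local PIN checking with anti-hammering, plus the keyspace arithmetic
behind the numbers in the post.

Added illustration, not code from the original post. The lockout schedule,
the wipe threshold and the password alphabet size are assumptions for the
demo; the clock is virtual, so nothing sleeps.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional
import secrets


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct secrets of the given length over the alphabet."""
    return alphabet_size ** length


# Assumed alphabet: 26 lowercase + 26 uppercase + 10 digits + 6 specials.
# 68 ** 8 == 457,163,239,653,376, the figure quoted in the post.
PASSWORD_ALPHABET = 26 + 26 + 10 + 6

# Hypothetical escalation: seconds the device refuses input after the n-th
# consecutive failure. Failures 1-4 carry no delay in this demo.
DEMO_SCHEDULE: Dict[int, float] = {5: 60, 6: 300, 7: 900, 8: 3600, 9: 3600}
DEMO_WIPE_AFTER = 10


@dataclass
class DevicePinVerifier:
    """Mimics a lock screen. All state lives on the device, so a server breach
    never exposes it. The PIN is plain text here purely for the demo."""
    pin: str
    schedule: Dict[int, float] = field(default_factory=dict)
    wipe_after: Optional[int] = None
    failures: int = 0
    unlock_at: float = 0.0   # virtual time before which input is refused
    wiped: bool = False

    def try_pin(self, guess: str, now: float) -> str:
        """Returns 'ok', 'wrong', 'locked' or 'wiped'."""
        if self.wiped:
            return "wiped"
        if now < self.unlock_at:
            return "locked"
        if secrets.compare_digest(guess, self.pin):  # constant-time compare
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.wipe_after is not None and self.failures >= self.wipe_after:
            self.wiped = True            # data erased; further guesses are pointless
            return "wiped"
        self.unlock_at = now + self.schedule.get(self.failures, 0.0)
        return "wrong"


def simulate_guessing(verifier: DevicePinVerifier, candidates: Iterable[str]) -> dict:
    """Feed candidates to the verifier on a virtual clock, waiting out each
    lockout, and report whether the PIN was found and how long it took."""
    now = 0.0
    attempts = 0
    for guess in candidates:
        now = max(now, verifier.unlock_at)   # wait until the device accepts input
        attempts += 1
        result = verifier.try_pin(guess, now)
        if result in ("ok", "wiped"):
            return {"found": result == "ok", "attempts": attempts, "seconds": now}
    return {"found": False, "attempts": attempts, "seconds": now}


def all_pins(digits: int) -> Iterable[str]:
    """Every PIN of the given length, in ascending order."""
    return (str(i).zfill(digits) for i in range(10 ** digits))


if __name__ == "__main__":
    print(f"4-digit PINs: {keyspace(10, 4):,}")
    print(f"6-digit PINs: {keyspace(10, 6):,}")
    print(f"8-char passwords over {PASSWORD_ALPHABET} symbols: "
          f"{keyspace(PASSWORD_ALPHABET, 8):,}")

    # Without anti-hammering the whole 4-digit space falls in 10,000 tries, zero wait.
    plain = DevicePinVerifier(pin="9999")
    print("no lockout:", simulate_guessing(plain, all_pins(4)))

    # With the demo escalation and wipe, the search ends after 10 tries having
    # waited 8,460 virtual seconds, and the data is gone.
    hardened = DevicePinVerifier(pin="9999", schedule=DEMO_SCHEDULE,
                                 wipe_after=DEMO_WIPE_AFTER)
    print("escalating lockout + wipe:", simulate_guessing(hardened, all_pins(4)))
```

The design point is that `try_pin` does its own bookkeeping and refuses input during a lockout, so the attempt budget is enforced by the thing holding the secret rather than by whoever is typing; the comparison is constant-time so timing does not leak which digits matched.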
Why can’t passwords have this kind of security? It seems like it would eliminate brute force attacks altogether. The answer is that passwords are harder to remember than PINs. It is assumed that everyone knows their PIN; after all, it’s just four digits. Therefore the expectation that it will be entered correctly on the first (or second, due to fat fingers) attempt can dictate the lockout policy. On the other hand, passwords have added complexity intended to make them more secure, and also have reset requirements. These “features” make passwords much harder to remember (which is easier, ‘5240’ or ‘[email protected]!0’?), and therefore the authentication system has to be more lenient towards multiple attempts, sometimes even offer hints, or allow you to reset them via email. Combined, these things make the password more vulnerable to brute force or social engineering attacks.
In short, because PIN codes are simpler, they can actually have more stringent security around them than something more complex like a password.
What About Those Codes for 2-Factor Authentication?
The four- to six-digit code that is sent to your mobile device after you enter a password, as a second factor of authentication, is wholly different from a PIN and not nearly as secure. The code, like a password, is stored outside your device and has to be sent to it over a network of some kind, making it vulnerable to breaches and interception.