PINs and Passwords
When it comes to securing things that are important to us, sometimes we are asked to provide a Password and sometimes a PIN.
The latter are clearly to be preferred, as they are only 4 digits long and easy to remember. Most of us re-use the one PIN for everything. I don’t know about you, but I have two different ones I use in different contexts.
Passwords are a curse. On the Internet we seem to need more and more of them, and not only that, there is now an insistence that a password should have a minimal length of 8 characters and some of the characters should be Capitals and some should be numerals. Again I have no idea what others do, but I have three passwords I recycle in various forms. If one of them was previously “mongoose” I now would use “M0ng00se” to get past the security fascists. But of course such passwords are much harder to remember.
A common solution is to download a free “Safe” onto your computer and store all of your passwords in that, with the Safe itself protected by a single hyper-secure password. For example, see
But of course this is literally putting all of your eggs in one basket. Another nice idea is OpenID. See http://openid.net/. Here the one set of credentials (for example your Gmail or Facebook login) get you into a multitude of sites.
But why does a PIN work in one context, but a password is required in another? It depends on the kind of problem you are trying to set an attacker who is out to get you. Just because a PIN is shorter than a password does not mean that it must be less secure. For example your bank will allow you to withdraw up to 5000 euro a day based on possession of an easily copied ATM card and a PIN number.
Now a PIN or a password has a certain amount of “entropy”, or unguessability. A PIN has exactly 4 decimal digits worth of unguessibility. In the worst case it would take an attacker 10,000 guesses to find your PIN. A password on the other hand would be expected to have at least 16 decimal digits worth of unguessability, so it should take an attacker up to 10,000,000,000,000,000 guesses to crack it. These attacks are sometimes called brute force, or dictionary attacks. The attacker simply works though a list of all possible PINs or all possible passwords. The counter-measure is to make the dictionary simply too big to be attacked in this way. For a PIN it is, roughly speaking, sufficient that a dictionary attack should be hard for a human. For a password, a dictionary attack should be impossible even for a fast computer.
Which you need, PIN or password, depends on the context in which it is used, and how much it costs to make a guess. In short a PIN is used in a context where it is only exposed to “on-line “attacks, and a password is needed if it should be exposed to an “off-line” attack. A PIN can typically be used in the context where an attacker is forced to go on-line to some entity outside of his/her control in order to test a guess. And that entity can make it costly to make a guess, and can punish a wrong guess. The classic example would be if an attacker were to steal your ATM card. If they don’t know the PIN the only way to test a guess is by trying the card in an ATM machine. And after a few wrong guesses the attacker will be rumbled, and no further guesses allowed. So in practise it would be difficult to even make 100 guesses, never mind 10,000.
But if you are storing data in the cloud, it needs to be encrypted. And encrypted data is only really safe if it is protected by a key created from a suitably “high entropy” password. An attacker who gains access to the encrypted data (which must be assumed to be possible– otherwise why is it encrypted?) can, at their leisure, program a computer to try a multitude of guesses for the key at computer speeds and leave that program running overnight. Now a computer can attempt one hell of a lot of guesses in 24 hours! Hence the need to hide our needle in a haystack of at least 10,000,000,000,000,000 needles.
The problem here is that computers are getting faster and faster, and can search bigger and bigger dictionaries. And search algorithms can be perfectly parallelized, so 100 computers can complete the search 100 times faster. Which explains the recent insistence on more and more elaborate, and hence less and less easily memorisable, passwords. And the elephant in the room is the fact that 10,000,000,000,000,000 is actually not nearly enough, it really should be 10,000,000,000,000,000,000,000,000 which is reckoned to be the bare minimum for reasonable levels of security against a sophisticated and powerful attacker with massive parallel computing resources at his/her disposal. And to make matters worse the patterns that appear in memorisable text can be exploited to reduce this search space still further. So unless you are using a password like iUy78t^&aB1@ you really can’t be feeling 100% secure.
Conclusion: Wherever possible a PIN is obviously preferred to a password. Systems should clearly be designed so that an attacker must always be forced to go on-line to test a guess.
On a serious note, I would suggest that the whole Internet/Cloud Computing project is at risk until and unless this problem can be solved!