What are the most common PINs?

Matthew,

I worked extensively on two-factor authentication models for large banks like HSBC and others, and what we found was that the more you try and make a system secure, the less secure it becomes because due to memory load consumers find work arounds that are increasingly unsafe. 

To illustrate - you put two PINS on a card instead of one, and people will try to use the same PIN, or write down the second PIN on their card because of the memory load.

The solution is not more complex passwords or enforcing stricter rules, but as you've pointed out more sophisticated authentication methods that don't require memory load (i.e. Biometrics).

Brett King, BANK 3.0 

Customer selected PINs are a disaster. There exists better research, based on actual cracked PINs rather than passwords, where the results are different though similar. The most common PINs were 1234, 5555 and 3333, followed by birthdate and ZIP code related numbers. It was claimed that if a thief has your wallet or access to your pesonal data he needs on average 6 trials to get to 50% of the PINs.

Banks should use random or cryptographically generated PINs.

FYI for both my Swiss debit card and Swiss Visa card, my pin is 6 digits as opposed to the 4 I was used to in France/UK.  Not much more to remember, but more secure?

6 digit cardholder selected PINs would only be marginally more secure. One would, I guess, still get a preponderance of 123456, 555555, 333333, birthdays and zip codes related PINs.

Jonathan,

The problem with cryptographically generated PINs is memory load. We've got test after test of users who if they can't easily remember their PIN will write it down or store it in their phone.

With the memory load factor being a central hurdle to this problem the only solution is a simpler secure form, not more complex ones. Hence why biometrics are so core to a permanent solution to the Username/PWD/PIN connundrum. 

Brett King
BANK 3.0 

Thanks for the comments. From my perspective, technological advancements mean biometrics are well on the way as a viable way for banks to enhance security and improve the customer experience. This must be the right thing to do from both an industry and consumer perspective. But we need to tread carefully; biometrics may provide a route to a more secure service, especially for remote channels, but the industry must ensure that there are common user interfaces based on standards if we are to retain customer confidence. In a world where consumers maintain multiple financial services relationships, it is up to the industry to ensure that the added security enhances the customer interaction rather than detracts from it.