In the digital age, passwords have become a common form of cyber protection. Now, the use of personal identification numbers (PINs) have been increasing in our day-to-day lives as cash becomes less accepted during the pandemic.
With so many assets now requiring PINs, how effective are they against threats? It depends on our PIN code habits, according to one professor at the University of Guelph who studied this topic.
“The average number of PINs a person uses is four," says Hassan Khan, a professor at U of G’s computer science program, "The minimum is one, and the maximum is 15."
Khan and a team of researchers, including colleague Rozita Dara and Adam Aviv from George Washington University, spoke with 35 participants about how they came up with PINs, the first study of its kind to look at PIN use across many platforms.
They found that more people chose a PIN that was easy to remember over how effective it could ward off threats.
“Memorability seems to be trumping everything,” says Khan about this choice, “People don’t like it when they forget PINs.”
He explains that muscle memory can also affect our ability to change PINs.
“When we use the same PIN for so many years, it gets into our muscle memory,” he says, “Some people change the PIN, but then they change back because they entered the wrong PIN so many times.”
In certain social situations, research found that an easy PIN was beneficial to participants.
“People reported they were standing in shopping lines...and when they go to the checkout counter, they choose easy PINs rather than standing there, trying to remember what the PIN is,” says Khan.
Another reason people choose an easy PIN to remember was due to the amount of items that require a passcode. Everything from garage doors, entry doors, bike locks, smart phones and more, requires a PIN.
“One of the challenges is that if you forget the PIN to your door, resetting it is not as easy as resetting a password,” says Khan.
In particular situations, Khan says people kept a PIN because they didn’t know how to change it.
With people generally using the same PIN for more than one asset, Khan says this creates a security risk if the PIN becomes compromised.
A compromised PIN can happen in a number of ways, including when a PIN is shared with other people or when someone looks over another person’s shoulder while typing in a passcode.
“So when we get down to re-using behaviours,” says Khan, “People seem to be reusing PINs without seriously considering who else these people have shared these PINs with.”
When PINs are compromised, Khan says their research found that only 45 per cent of participants changed their passcode afterwards.
“We found that a lot of people still reported they were lazy,” he recalls, “We’ve found out that people watched them enter a PIN, or someone guessed their PIN, and despite that they did not do anything.”
“A surprising majority of people did not do anything and that was scary.”
While this research points out concerning gaps in PIN security, Khan mentions that our attitudes toward PINs may be tied to where we live, but the study is too limited to determine that.
“This (study) was done in Canada where the crime rate is really low and people tend to trust, and these things are not an issue,” Khan explains, “But at the same time in other places, it would be interesting to see if other people exhibited the same risky behaviours.”
So how can we improve our PIN habits? Khan suggests to start by coming up with PINs that can’t be guessed and to be careful of who you share PINs with.
“If someone stumbles across you entering your PIN, then it is very wise to change it and update it as soon as you can,” he says.
Read the full study here.
