Selecting a secure PIN for building accessWhat's the use of making users use digits, uppercase-lowercase combination password if the passwords are hashed?Touch Screen Password Guessing by Fingerprint TraceGlobal user override - UncomfortableCountermeasures for a family-member attack on a password reset procedureAuthenticating a user via SMSHow unsecure is entering personal information via the keypad when phone banking?Are encrypted files safe in Windows 10 when using PINs?How does using an app rather than code card to authenticate improve security?Recommendations for tamper resistance without reasonable access securityWhat is the right way to share the digital assets to the will executor and eventually detect the person's death?
Names of the Six Tastes
Is this strange Morse signal type common?
Can radiation block all wireless communications?
Using mean length and mean weight to calculate mean BMI?
Why is there a cap on 401k contributions?
Align a table column at a specific symbol
When was it publicly revealed that a KH-11 spy satellite took pictures of the first Shuttle flight?
Are wands in any sort of book going to be too much like Harry Potter?
What is the Ancient One's mistake?
Why is the episode called "The Last of the Starks"?
What happens when the drag force exceeds the weight of an object falling into earth?
How is it believable that Euron could so easily pull off this ambush?
History: Per Leviticus 19:27 would the apostles have had corner locks ala Hassidim today?
Why doesn't increasing the temperature of something like wood or paper set them on fire?
How to avoid making self and former employee look bad when reporting on fixing former employee's work?
Is it possible to do moon sighting in advance for 5 years with 100% accuracy?
Mindfulness of Watching Youtube
How can it be that ssh somename works, while nslookup somename does not?
logo selection for poster presentation
I want to write a blog post building upon someone else's paper, how can I properly cite/credit them?
While drilling into kitchen wall, hit a wire - any advice?
How do I minimise waste on a flight?
What is the oldest instrument ever?
Can a character shove an enemy who is already prone?
Selecting a secure PIN for building access
What's the use of making users use digits, uppercase-lowercase combination password if the passwords are hashed?Touch Screen Password Guessing by Fingerprint TraceGlobal user override - UncomfortableCountermeasures for a family-member attack on a password reset procedureAuthenticating a user via SMSHow unsecure is entering personal information via the keypad when phone banking?Are encrypted files safe in Windows 10 when using PINs?How does using an app rather than code card to authenticate improve security?Recommendations for tamper resistance without reasonable access securityWhat is the right way to share the digital assets to the will executor and eventually detect the person's death?
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
What are the general criteria for rejecting an insecure PIN to access a building?
There has been a lot of discussion about password selection security. Minimum length requirements, mandatory classes of characters, etc. I have not found much concerning PIN selection security. Furthermore, there are several types of access that a PIN protects (phone, credit card, building). Each may have their own particular vulnerability characteristics.
I am in the loop on the installation of a new security system which allows personnel to enter a building by entering a PIN on a keypad by the door. Individuals are allowed to select their own PIN which is entered into the system under their name. I am aware of some insecure PINs, such as 12345 (or any consecutive digits sequence), the location's zip code or part of the company's phone number or address.
Anyone with a legitimate need may request access to the building. This includes everyone from executives to employees and and perhaps occasionally, guests. This particular building is a church, so there are no national secrets to protect. I would characterize the security requirements to be similar to a house. Interior offices are protected with physical keys.
Edit: I appreciate the information presented, however, they don't answer the question. I am looking for PIN patterns that attackers are known to use (because users have selected bad PINs).
passwords physical-access
|
show 4 more comments
What are the general criteria for rejecting an insecure PIN to access a building?
There has been a lot of discussion about password selection security. Minimum length requirements, mandatory classes of characters, etc. I have not found much concerning PIN selection security. Furthermore, there are several types of access that a PIN protects (phone, credit card, building). Each may have their own particular vulnerability characteristics.
I am in the loop on the installation of a new security system which allows personnel to enter a building by entering a PIN on a keypad by the door. Individuals are allowed to select their own PIN which is entered into the system under their name. I am aware of some insecure PINs, such as 12345 (or any consecutive digits sequence), the location's zip code or part of the company's phone number or address.
Anyone with a legitimate need may request access to the building. This includes everyone from executives to employees and and perhaps occasionally, guests. This particular building is a church, so there are no national secrets to protect. I would characterize the security requirements to be similar to a house. Interior offices are protected with physical keys.
Edit: I appreciate the information presented, however, they don't answer the question. I am looking for PIN patterns that attackers are known to use (because users have selected bad PINs).
passwords physical-access
2
We can make a lot of guesses about the risks that a church might face, but can you describe what you think the risks would be if someone got access to a PIN? Vandalism? Hate crime? Access to church records? Access to valuables? What is in the offices that are behind, likely, hollow core doors? Is it staffed or patrolled 24/7?
– schroeder♦
Apr 29 at 13:20
34
Aside: The entry code for one of my employers was 3141. The security auditors were a little unhappy at the repeated digit but let it slide. They completely missed that the company name was "Pi Research"!
– Martin Bonner
Apr 29 at 16:48
11
@MartinBonner May I ask why they would've/should've had issues with the repeated digit? I can see no reason as to why this would weaken the PIN. Limiting yourself to non-repeating digits decrease the entropy of the PIN (10*10*10*10 vs 10*9*8*7).
– BlueCacti
Apr 30 at 7:21
2
@Les lists of pin patterns will make for a very poor answer. Physical patterns and repeated numbers are the most common. My answer below of using a random generator instead of letting people choose their own PINs is the better way to go else you play whack-a-mole
– schroeder♦
Apr 30 at 10:16
2
@aCVn Since we're already nitpicking: No please don't remember that "5 rounds up" because that simplistic approach leads to a significant bias of the rounded numbers. There are many other rounding schemes than the one we learn in grade school, for good reason.
– Voo
Apr 30 at 12:19
|
show 4 more comments
What are the general criteria for rejecting an insecure PIN to access a building?
There has been a lot of discussion about password selection security. Minimum length requirements, mandatory classes of characters, etc. I have not found much concerning PIN selection security. Furthermore, there are several types of access that a PIN protects (phone, credit card, building). Each may have their own particular vulnerability characteristics.
I am in the loop on the installation of a new security system which allows personnel to enter a building by entering a PIN on a keypad by the door. Individuals are allowed to select their own PIN which is entered into the system under their name. I am aware of some insecure PINs, such as 12345 (or any consecutive digits sequence), the location's zip code or part of the company's phone number or address.
Anyone with a legitimate need may request access to the building. This includes everyone from executives to employees and and perhaps occasionally, guests. This particular building is a church, so there are no national secrets to protect. I would characterize the security requirements to be similar to a house. Interior offices are protected with physical keys.
Edit: I appreciate the information presented, however, they don't answer the question. I am looking for PIN patterns that attackers are known to use (because users have selected bad PINs).
passwords physical-access
What are the general criteria for rejecting an insecure PIN to access a building?
There has been a lot of discussion about password selection security. Minimum length requirements, mandatory classes of characters, etc. I have not found much concerning PIN selection security. Furthermore, there are several types of access that a PIN protects (phone, credit card, building). Each may have their own particular vulnerability characteristics.
I am in the loop on the installation of a new security system which allows personnel to enter a building by entering a PIN on a keypad by the door. Individuals are allowed to select their own PIN which is entered into the system under their name. I am aware of some insecure PINs, such as 12345 (or any consecutive digits sequence), the location's zip code or part of the company's phone number or address.
Anyone with a legitimate need may request access to the building. This includes everyone from executives to employees and and perhaps occasionally, guests. This particular building is a church, so there are no national secrets to protect. I would characterize the security requirements to be similar to a house. Interior offices are protected with physical keys.
Edit: I appreciate the information presented, however, they don't answer the question. I am looking for PIN patterns that attackers are known to use (because users have selected bad PINs).
passwords physical-access
passwords physical-access
edited Apr 29 at 16:49
Les
asked Apr 29 at 13:04
LesLes
25329
25329
2
We can make a lot of guesses about the risks that a church might face, but can you describe what you think the risks would be if someone got access to a PIN? Vandalism? Hate crime? Access to church records? Access to valuables? What is in the offices that are behind, likely, hollow core doors? Is it staffed or patrolled 24/7?
– schroeder♦
Apr 29 at 13:20
34
Aside: The entry code for one of my employers was 3141. The security auditors were a little unhappy at the repeated digit but let it slide. They completely missed that the company name was "Pi Research"!
– Martin Bonner
Apr 29 at 16:48
11
@MartinBonner May I ask why they would've/should've had issues with the repeated digit? I can see no reason as to why this would weaken the PIN. Limiting yourself to non-repeating digits decrease the entropy of the PIN (10*10*10*10 vs 10*9*8*7).
– BlueCacti
Apr 30 at 7:21
2
@Les lists of pin patterns will make for a very poor answer. Physical patterns and repeated numbers are the most common. My answer below of using a random generator instead of letting people choose their own PINs is the better way to go else you play whack-a-mole
– schroeder♦
Apr 30 at 10:16
2
@aCVn Since we're already nitpicking: No please don't remember that "5 rounds up" because that simplistic approach leads to a significant bias of the rounded numbers. There are many other rounding schemes than the one we learn in grade school, for good reason.
– Voo
Apr 30 at 12:19
|
show 4 more comments
2
We can make a lot of guesses about the risks that a church might face, but can you describe what you think the risks would be if someone got access to a PIN? Vandalism? Hate crime? Access to church records? Access to valuables? What is in the offices that are behind, likely, hollow core doors? Is it staffed or patrolled 24/7?
– schroeder♦
Apr 29 at 13:20
34
Aside: The entry code for one of my employers was 3141. The security auditors were a little unhappy at the repeated digit but let it slide. They completely missed that the company name was "Pi Research"!
– Martin Bonner
Apr 29 at 16:48
11
@MartinBonner May I ask why they would've/should've had issues with the repeated digit? I can see no reason as to why this would weaken the PIN. Limiting yourself to non-repeating digits decrease the entropy of the PIN (10*10*10*10 vs 10*9*8*7).
– BlueCacti
Apr 30 at 7:21
2
@Les lists of pin patterns will make for a very poor answer. Physical patterns and repeated numbers are the most common. My answer below of using a random generator instead of letting people choose their own PINs is the better way to go else you play whack-a-mole
– schroeder♦
Apr 30 at 10:16
2
@aCVn Since we're already nitpicking: No please don't remember that "5 rounds up" because that simplistic approach leads to a significant bias of the rounded numbers. There are many other rounding schemes than the one we learn in grade school, for good reason.
– Voo
Apr 30 at 12:19
2
2
We can make a lot of guesses about the risks that a church might face, but can you describe what you think the risks would be if someone got access to a PIN? Vandalism? Hate crime? Access to church records? Access to valuables? What is in the offices that are behind, likely, hollow core doors? Is it staffed or patrolled 24/7?
– schroeder♦
Apr 29 at 13:20
We can make a lot of guesses about the risks that a church might face, but can you describe what you think the risks would be if someone got access to a PIN? Vandalism? Hate crime? Access to church records? Access to valuables? What is in the offices that are behind, likely, hollow core doors? Is it staffed or patrolled 24/7?
– schroeder♦
Apr 29 at 13:20
34
34
Aside: The entry code for one of my employers was 3141. The security auditors were a little unhappy at the repeated digit but let it slide. They completely missed that the company name was "Pi Research"!
– Martin Bonner
Apr 29 at 16:48
Aside: The entry code for one of my employers was 3141. The security auditors were a little unhappy at the repeated digit but let it slide. They completely missed that the company name was "Pi Research"!
– Martin Bonner
Apr 29 at 16:48
11
11
@MartinBonner May I ask why they would've/should've had issues with the repeated digit? I can see no reason as to why this would weaken the PIN. Limiting yourself to non-repeating digits decrease the entropy of the PIN (10*10*10*10 vs 10*9*8*7).
– BlueCacti
Apr 30 at 7:21
@MartinBonner May I ask why they would've/should've had issues with the repeated digit? I can see no reason as to why this would weaken the PIN. Limiting yourself to non-repeating digits decrease the entropy of the PIN (10*10*10*10 vs 10*9*8*7).
– BlueCacti
Apr 30 at 7:21
2
2
@Les lists of pin patterns will make for a very poor answer. Physical patterns and repeated numbers are the most common. My answer below of using a random generator instead of letting people choose their own PINs is the better way to go else you play whack-a-mole
– schroeder♦
Apr 30 at 10:16
@Les lists of pin patterns will make for a very poor answer. Physical patterns and repeated numbers are the most common. My answer below of using a random generator instead of letting people choose their own PINs is the better way to go else you play whack-a-mole
– schroeder♦
Apr 30 at 10:16
2
2
@aCVn Since we're already nitpicking: No please don't remember that "5 rounds up" because that simplistic approach leads to a significant bias of the rounded numbers. There are many other rounding schemes than the one we learn in grade school, for good reason.
– Voo
Apr 30 at 12:19
@aCVn Since we're already nitpicking: No please don't remember that "5 rounds up" because that simplistic approach leads to a significant bias of the rounded numbers. There are many other rounding schemes than the one we learn in grade school, for good reason.
– Voo
Apr 30 at 12:19
|
show 4 more comments
5 Answers
5
active
oldest
votes
You're setting yourself up for an endless game of whack-a-mole. You listed a few ... No matter how many you think of, lazy users will come up with more guessable PINs. It's a church, so think of any Christian influenced PINs. The date of Christmas, the priest's favorite Bible verse, the patron saint's birth-date, maybe the Church's construction date... so on and so on. Consider patterns too if you want to go that far. For more possible PINs, here's a blogpost where the writer analyzed PINs leaked in various data breaches. May be helpful.
I know you're asking how to make your PINs more secure, but I feel the answer here is not to use standalone individual PINs. Consider that you're working with a small set of possible passwords already. Then you're reducing it by eliminating guessable ones. Then you're making multiple PINs work at once. Every step makes random guesses more and more likely to succeed.
1
That's a great point about Christian influenced pins. The first two I would most likely try would be John 3:16 related, 0316 and 4316 (4th book of the New Testament). Those are non-obvious bad pins from a pattern standpoint, but at a church would be the equivalent of 1234. If there are 50 people with access to the beginning, I'd bet the odds are pretty good that someone picks one of those pins.
– kuhl
May 1 at 3:35
1
Lots of good comments in other answers. I chose this one because the link to the blogpost has good info. While 2 factor would be much better, the cost was deemed too high. The code 12345 was used during the final stages of construction and has since been black listed. (One person requested that PIN - ugh.)
– Les
May 1 at 13:10
add a comment |
PINs are usually accompanied by some other authentication factor, like biometrics or a physical token. So, the PIN is not a lone factor in authentication.
But you appear to describe a situation where people can gain access to a secured building by punching in a code. Let me rephrase that: by using static, difficult-to-change sequence of numbers that can be easily copied and shared, the public gains access to the inside of your building.
The control against that threat is to make it very difficult to record and guess or use the physical appearance of the pin pad to deduce the code. That means making the PINs long and putting physical controls in place to make recording more difficult and to place layers of additional authentication protection on the inside of the building.
Because you are asking about the rejection process, my suggestion would be to use a random number generator instead of people choosing their own, and make it long. This bypasses people choosing PIN pad patterns or other pattern-based PINs which can be easy to guess or observe.
4
"additional authentication protection" examples could be welcome (RFID badge, classic key, etc.)
– A. Hersean
Apr 29 at 13:19
2
@A.Hersean or more strong physical barriers, cameras, manned security, etc.
– schroeder♦
Apr 29 at 13:20
1
Of course longer is better, but I don't think the PIN needs to be very long. I'd say it just doesn't have to be guessed, recorded, or abused. This means 12345 or 00000 would never be allowed, wrong PINs would trigger a notification or action of some sort, the pad should not be able to be viewed or recorded from a distance (it might face a wall), etc.
– reed
Apr 29 at 13:28
3
if you make it long, people will write it down rather than memorise it, creating another security risk.
– jwenting
Apr 30 at 9:59
2
@jwenting for something infrequently used, I suspect that it would be written down anyway.
– schroeder♦
Apr 30 at 10:13
|
show 2 more comments
There are only 100000 potential values if you have a 5 digit PIN. That means that a single PIN can be brute forced in a relatively small length of time, unless there is some form of secondary restriction against a person standing next to the door and trying each number. This gets worse if there are multiple people with distinct codes for access to the system - assuming each person selects a random code, an attacker entering a single code has a n/100000 chance to find a working code, where n is the number of people with access.
It would probably be reasonable to expect a dedicated attacker to manage 1000 tries per hour - it doesn't take very long to type a 5 digit number. That would give an upper bound of 100 hours, with a single code. That's 3 (pretty boring) weekends with some breaks for food, which, depending on what is in the building, may well be worth it. The system as described can't implement account lockout - the only way to determine which user is trying to access is through the code.
So, how to solve this?
- Use the PIN as a secondary factor - have an access card, and a PIN, for example. It is then possible to have account lockout after some failed PIN entries.
- Enforce limits on the PIN in other ways - have someone guarding the door who prevents too many tries, have a CCTV camera pointing at the door which is monitored for unusual activity (someone standing there trying each possible code)
- Have a much longer PIN, making it impractical to keep trying codes
You would also probably want to ensure that the codes being entered cannot be monitored in other ways - for example, by pointing a video camera at the key pad.
5
While it's true that the system can't implement account lockout of an individual account, you can implement broad protection against brute force attacks in a way that's still passive and cheaper than an onsite security guard or requiring someone to constantly check a camera. Have the system page an administrator or other responsible party if X incorrect entries are received within a given time frame. Or, have the PIN system shut itself off after X incorrect tries (forcing legitimate users to access the building with a physical key, which most PIN systems would have as a backup anyways).
– dwizum
Apr 29 at 14:23
7
There are lots of windows and glass doors (all visible from adjacent streets). So if someone really wanted to get in, smash and grab would be relatively easy. There are also cameras that record the video. So camping out and brute forcing would seem to be less likely.
– Les
Apr 29 at 14:49
4
I don't understand the 100000/n. For n=1 surely it only takes 50000 tries on average.
– Matt
Apr 29 at 22:29
7
@dwizum if my kids - 2 and 5 - have access to the keypad and there is a lockout, they are going to lock it out every single time. Children can not resist pressing buttons. Considering this is a church it is probably that children will have access to the keypad.
– emory
Apr 30 at 12:45
3
@emory - put the keypad 6 feet off the ground. :) To your point though, there's a keypad system to enter my daughter's school, it looks like a regular telephone dialpad. There's no obvious "enter" button. It only submits an attempt to the server after a user hits the star key, and then it only submits the 4 characters entered immediately prior to hitting star. Something like this can help protect against child random-button-mashers.
– dwizum
Apr 30 at 13:29
|
show 3 more comments
Full disclosure: I worked for several years as the software architect for a very large, Fortune 500 company that manufactures and programs these sort of electronic locks, including government and homeland security applications. Our biggest customer, though, was the National Association of Realtors. There is a very good chance you are using a product from my former company.
Our engineers had many discussions about PIN black listing, and they were all very fun while they lasted, but always ended the same way:
- We are way overthinking this.
- We just have to make it harder to guess the PIN than to throw a rock through a window. Physical security trumps all.
Also:
When there is a limited number of digits, it is safer to provide a single PIN to all users and rotate it frequently (once a month is typical). If you allow each user their own PIN, it reduces the search space dramatically. For example, if you have 100 users and there are only 1000 possible codes, with a single guess you have about a 1 in 10 chance of getting through that door. If everyone shared a single code it would be 1 in 1000.
All of our electronic products did ship with a blacklist of ten codes: all 1's, all 2's, all 3's, all 4's, etc. Any other code was selectable by the customer. The black list was configurable by the customer but honestly nobody ever did it.
You're right but it's more nuanced than "physical security ...". People will call the police for a broken window but won't bother about someone having a few goes on a keypad (provided they look like they might belong).
– pbhj
May 1 at 1:37
You get it @pbhj. The problem is much more organic and situational. With a web site, the security architecture is the customer's only protection; with physical security, we have to trust the customer much more to use the tool we give them in a manner that is sensible. Is the location secluded? Well lit? Under surveillance? Etc. We can't do all the thinking for them (unlike information security, where we assume we are much more aware than the user).
– John Wu
May 1 at 6:07
add a comment |
Check out the 20 most popular 4-digit pins:
Those are the combinations that the attacker will try first. These include:
- repeated digits / pairs
- incrementing/decrementing sequences
- geometrical patterns on the keypad
Excluding these (extrapolated to your 5-digit pins) will provide a tangible increase in security. I wouldn't bother going further than that (that is, excluding dates / zip codes / etc.), because an attacker which is determined enough to learn your coworker's birthday will be determined enough to get a valid pin through social engineering, or simply try enough pins to get in. Mind you that with 100000 combinations and 100 valid pins (assuming you have 100 coworkers), every 1000th pin will be valid even if the attacker goes for simple bruteforce.
If the fact that a pin can eventually be guessed sounds insecure in the environment where the lock will be used, you should choose a different kind of lock and/or additional security measures. Something as simple as a short alarm sound after 10 wrong pins will help a lot.
I think you have the math slightly wrong. Some coworkers will have duplicate PINs. If you enforce unique PINs by assigning PINs this would not be a problem. Otherwise, a user entitled to one day of access could suss out other user's PIN by simply repeatedly requesting PINs.
– emory
Apr 30 at 15:49
@emory True there will be less unique pins due to birthday paradox, but it won't make a significant difference to bruteforce complexity.
– Dmitry Grigoryev
Apr 30 at 15:52
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f209212%2fselecting-a-secure-pin-for-building-access%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
5 Answers
5
active
oldest
votes
5 Answers
5
active
oldest
votes
active
oldest
votes
active
oldest
votes
You're setting yourself up for an endless game of whack-a-mole. You listed a few ... No matter how many you think of, lazy users will come up with more guessable PINs. It's a church, so think of any Christian influenced PINs. The date of Christmas, the priest's favorite Bible verse, the patron saint's birth-date, maybe the Church's construction date... so on and so on. Consider patterns too if you want to go that far. For more possible PINs, here's a blogpost where the writer analyzed PINs leaked in various data breaches. May be helpful.
I know you're asking how to make your PINs more secure, but I feel the answer here is not to use standalone individual PINs. Consider that you're working with a small set of possible passwords already. Then you're reducing it by eliminating guessable ones. Then you're making multiple PINs work at once. Every step makes random guesses more and more likely to succeed.
1
That's a great point about Christian influenced pins. The first two I would most likely try would be John 3:16 related, 0316 and 4316 (4th book of the New Testament). Those are non-obvious bad pins from a pattern standpoint, but at a church would be the equivalent of 1234. If there are 50 people with access to the beginning, I'd bet the odds are pretty good that someone picks one of those pins.
– kuhl
May 1 at 3:35
1
Lots of good comments in other answers. I chose this one because the link to the blogpost has good info. While 2 factor would be much better, the cost was deemed too high. The code 12345 was used during the final stages of construction and has since been black listed. (One person requested that PIN - ugh.)
– Les
May 1 at 13:10
add a comment |
You're setting yourself up for an endless game of whack-a-mole. You listed a few ... No matter how many you think of, lazy users will come up with more guessable PINs. It's a church, so think of any Christian influenced PINs. The date of Christmas, the priest's favorite Bible verse, the patron saint's birth-date, maybe the Church's construction date... so on and so on. Consider patterns too if you want to go that far. For more possible PINs, here's a blogpost where the writer analyzed PINs leaked in various data breaches. May be helpful.
I know you're asking how to make your PINs more secure, but I feel the answer here is not to use standalone individual PINs. Consider that you're working with a small set of possible passwords already. Then you're reducing it by eliminating guessable ones. Then you're making multiple PINs work at once. Every step makes random guesses more and more likely to succeed.
1
That's a great point about Christian influenced pins. The first two I would most likely try would be John 3:16 related, 0316 and 4316 (4th book of the New Testament). Those are non-obvious bad pins from a pattern standpoint, but at a church would be the equivalent of 1234. If there are 50 people with access to the beginning, I'd bet the odds are pretty good that someone picks one of those pins.
– kuhl
May 1 at 3:35
1
Lots of good comments in other answers. I chose this one because the link to the blogpost has good info. While 2 factor would be much better, the cost was deemed too high. The code 12345 was used during the final stages of construction and has since been black listed. (One person requested that PIN - ugh.)
– Les
May 1 at 13:10
add a comment |
You're setting yourself up for an endless game of whack-a-mole. You listed a few ... No matter how many you think of, lazy users will come up with more guessable PINs. It's a church, so think of any Christian influenced PINs. The date of Christmas, the priest's favorite Bible verse, the patron saint's birth-date, maybe the Church's construction date... so on and so on. Consider patterns too if you want to go that far. For more possible PINs, here's a blogpost where the writer analyzed PINs leaked in various data breaches. May be helpful.
I know you're asking how to make your PINs more secure, but I feel the answer here is not to use standalone individual PINs. Consider that you're working with a small set of possible passwords already. Then you're reducing it by eliminating guessable ones. Then you're making multiple PINs work at once. Every step makes random guesses more and more likely to succeed.
You're setting yourself up for an endless game of whack-a-mole. You listed a few ... No matter how many you think of, lazy users will come up with more guessable PINs. It's a church, so think of any Christian influenced PINs. The date of Christmas, the priest's favorite Bible verse, the patron saint's birth-date, maybe the Church's construction date... so on and so on. Consider patterns too if you want to go that far. For more possible PINs, here's a blogpost where the writer analyzed PINs leaked in various data breaches. May be helpful.
I know you're asking how to make your PINs more secure, but I feel the answer here is not to use standalone individual PINs. Consider that you're working with a small set of possible passwords already. Then you're reducing it by eliminating guessable ones. Then you're making multiple PINs work at once. Every step makes random guesses more and more likely to succeed.
edited Apr 30 at 14:35
answered Apr 29 at 18:10
Kevin MirskyKevin Mirsky
3437
3437
1
That's a great point about Christian influenced pins. The first two I would most likely try would be John 3:16 related, 0316 and 4316 (4th book of the New Testament). Those are non-obvious bad pins from a pattern standpoint, but at a church would be the equivalent of 1234. If there are 50 people with access to the beginning, I'd bet the odds are pretty good that someone picks one of those pins.
– kuhl
May 1 at 3:35
1
Lots of good comments in other answers. I chose this one because the link to the blogpost has good info. While 2 factor would be much better, the cost was deemed too high. The code 12345 was used during the final stages of construction and has since been black listed. (One person requested that PIN - ugh.)
– Les
May 1 at 13:10
add a comment |
1
That's a great point about Christian influenced pins. The first two I would most likely try would be John 3:16 related, 0316 and 4316 (4th book of the New Testament). Those are non-obvious bad pins from a pattern standpoint, but at a church would be the equivalent of 1234. If there are 50 people with access to the beginning, I'd bet the odds are pretty good that someone picks one of those pins.
– kuhl
May 1 at 3:35
1
Lots of good comments in other answers. I chose this one because the link to the blogpost has good info. While 2 factor would be much better, the cost was deemed too high. The code 12345 was used during the final stages of construction and has since been black listed. (One person requested that PIN - ugh.)
– Les
May 1 at 13:10
1
1
That's a great point about Christian influenced pins. The first two I would most likely try would be John 3:16 related, 0316 and 4316 (4th book of the New Testament). Those are non-obvious bad pins from a pattern standpoint, but at a church would be the equivalent of 1234. If there are 50 people with access to the beginning, I'd bet the odds are pretty good that someone picks one of those pins.
– kuhl
May 1 at 3:35
That's a great point about Christian influenced pins. The first two I would most likely try would be John 3:16 related, 0316 and 4316 (4th book of the New Testament). Those are non-obvious bad pins from a pattern standpoint, but at a church would be the equivalent of 1234. If there are 50 people with access to the beginning, I'd bet the odds are pretty good that someone picks one of those pins.
– kuhl
May 1 at 3:35
1
1
Lots of good comments in other answers. I chose this one because the link to the blogpost has good info. While 2 factor would be much better, the cost was deemed too high. The code 12345 was used during the final stages of construction and has since been black listed. (One person requested that PIN - ugh.)
– Les
May 1 at 13:10
Lots of good comments in other answers. I chose this one because the link to the blogpost has good info. While 2 factor would be much better, the cost was deemed too high. The code 12345 was used during the final stages of construction and has since been black listed. (One person requested that PIN - ugh.)
– Les
May 1 at 13:10
add a comment |
PINs are usually accompanied by some other authentication factor, like biometrics or a physical token. So, the PIN is not a lone factor in authentication.
But you appear to describe a situation where people can gain access to a secured building by punching in a code. Let me rephrase that: by using static, difficult-to-change sequence of numbers that can be easily copied and shared, the public gains access to the inside of your building.
The control against that threat is to make it very difficult to record and guess or use the physical appearance of the pin pad to deduce the code. That means making the PINs long and putting physical controls in place to make recording more difficult and to place layers of additional authentication protection on the inside of the building.
Because you are asking about the rejection process, my suggestion would be to use a random number generator instead of people choosing their own, and make it long. This bypasses people choosing PIN pad patterns or other pattern-based PINs which can be easy to guess or observe.
4
"additional authentication protection" examples could be welcome (RFID badge, classic key, etc.)
– A. Hersean
Apr 29 at 13:19
2
@A.Hersean or more strong physical barriers, cameras, manned security, etc.
– schroeder♦
Apr 29 at 13:20
1
Of course longer is better, but I don't think the PIN needs to be very long. I'd say it just doesn't have to be guessed, recorded, or abused. This means 12345 or 00000 would never be allowed, wrong PINs would trigger a notification or action of some sort, the pad should not be able to be viewed or recorded from a distance (it might face a wall), etc.
– reed
Apr 29 at 13:28
3
if you make it long, people will write it down rather than memorise it, creating another security risk.
– jwenting
Apr 30 at 9:59
2
@jwenting for something infrequently used, I suspect that it would be written down anyway.
– schroeder♦
Apr 30 at 10:13
|
show 2 more comments
PINs are usually accompanied by some other authentication factor, like biometrics or a physical token. So, the PIN is not a lone factor in authentication.
But you appear to describe a situation where people can gain access to a secured building by punching in a code. Let me rephrase that: by using static, difficult-to-change sequence of numbers that can be easily copied and shared, the public gains access to the inside of your building.
The control against that threat is to make it very difficult to record and guess or use the physical appearance of the pin pad to deduce the code. That means making the PINs long and putting physical controls in place to make recording more difficult and to place layers of additional authentication protection on the inside of the building.
Because you are asking about the rejection process, my suggestion would be to use a random number generator instead of people choosing their own, and make it long. This bypasses people choosing PIN pad patterns or other pattern-based PINs which can be easy to guess or observe.
4
"additional authentication protection" examples could be welcome (RFID badge, classic key, etc.)
– A. Hersean
Apr 29 at 13:19
2
@A.Hersean or more strong physical barriers, cameras, manned security, etc.
– schroeder♦
Apr 29 at 13:20
1
Of course longer is better, but I don't think the PIN needs to be very long. I'd say it just doesn't have to be guessed, recorded, or abused. This means 12345 or 00000 would never be allowed, wrong PINs would trigger a notification or action of some sort, the pad should not be able to be viewed or recorded from a distance (it might face a wall), etc.
– reed
Apr 29 at 13:28
3
if you make it long, people will write it down rather than memorise it, creating another security risk.
– jwenting
Apr 30 at 9:59
2
@jwenting for something infrequently used, I suspect that it would be written down anyway.
– schroeder♦
Apr 30 at 10:13
|
show 2 more comments
PINs are usually accompanied by some other authentication factor, like biometrics or a physical token. So, the PIN is not a lone factor in authentication.
But you appear to describe a situation where people can gain access to a secured building by punching in a code. Let me rephrase that: by using static, difficult-to-change sequence of numbers that can be easily copied and shared, the public gains access to the inside of your building.
The control against that threat is to make it very difficult to record and guess or use the physical appearance of the pin pad to deduce the code. That means making the PINs long and putting physical controls in place to make recording more difficult and to place layers of additional authentication protection on the inside of the building.
Because you are asking about the rejection process, my suggestion would be to use a random number generator instead of people choosing their own, and make it long. This bypasses people choosing PIN pad patterns or other pattern-based PINs which can be easy to guess or observe.
PINs are usually accompanied by some other authentication factor, like biometrics or a physical token. So, the PIN is not a lone factor in authentication.
But you appear to describe a situation where people can gain access to a secured building by punching in a code. Let me rephrase that: by using static, difficult-to-change sequence of numbers that can be easily copied and shared, the public gains access to the inside of your building.
The control against that threat is to make it very difficult to record and guess or use the physical appearance of the pin pad to deduce the code. That means making the PINs long and putting physical controls in place to make recording more difficult and to place layers of additional authentication protection on the inside of the building.
Because you are asking about the rejection process, my suggestion would be to use a random number generator instead of people choosing their own, and make it long. This bypasses people choosing PIN pad patterns or other pattern-based PINs which can be easy to guess or observe.
edited Apr 29 at 14:51
answered Apr 29 at 13:16
schroeder♦schroeder
80.1k32178215
80.1k32178215
4
"additional authentication protection" examples could be welcome (RFID badge, classic key, etc.)
– A. Hersean
Apr 29 at 13:19
2
@A.Hersean or more strong physical barriers, cameras, manned security, etc.
– schroeder♦
Apr 29 at 13:20
1
Of course longer is better, but I don't think the PIN needs to be very long. I'd say it just doesn't have to be guessed, recorded, or abused. This means 12345 or 00000 would never be allowed, wrong PINs would trigger a notification or action of some sort, the pad should not be able to be viewed or recorded from a distance (it might face a wall), etc.
– reed
Apr 29 at 13:28
3
if you make it long, people will write it down rather than memorise it, creating another security risk.
– jwenting
Apr 30 at 9:59
2
@jwenting for something infrequently used, I suspect that it would be written down anyway.
– schroeder♦
Apr 30 at 10:13
|
show 2 more comments
4
"additional authentication protection" examples could be welcome (RFID badge, classic key, etc.)
– A. Hersean
Apr 29 at 13:19
2
@A.Hersean or more strong physical barriers, cameras, manned security, etc.
– schroeder♦
Apr 29 at 13:20
1
Of course longer is better, but I don't think the PIN needs to be very long. I'd say it just doesn't have to be guessed, recorded, or abused. This means 12345 or 00000 would never be allowed, wrong PINs would trigger a notification or action of some sort, the pad should not be able to be viewed or recorded from a distance (it might face a wall), etc.
– reed
Apr 29 at 13:28
3
if you make it long, people will write it down rather than memorise it, creating another security risk.
– jwenting
Apr 30 at 9:59
2
@jwenting for something infrequently used, I suspect that it would be written down anyway.
– schroeder♦
Apr 30 at 10:13
4
4
"additional authentication protection" examples could be welcome (RFID badge, classic key, etc.)
– A. Hersean
Apr 29 at 13:19
"additional authentication protection" examples could be welcome (RFID badge, classic key, etc.)
– A. Hersean
Apr 29 at 13:19
2
2
@A.Hersean or more strong physical barriers, cameras, manned security, etc.
– schroeder♦
Apr 29 at 13:20
@A.Hersean or more strong physical barriers, cameras, manned security, etc.
– schroeder♦
Apr 29 at 13:20
1
1
Of course longer is better, but I don't think the PIN needs to be very long. I'd say it just doesn't have to be guessed, recorded, or abused. This means 12345 or 00000 would never be allowed, wrong PINs would trigger a notification or action of some sort, the pad should not be able to be viewed or recorded from a distance (it might face a wall), etc.
– reed
Apr 29 at 13:28
Of course longer is better, but I don't think the PIN needs to be very long. I'd say it just doesn't have to be guessed, recorded, or abused. This means 12345 or 00000 would never be allowed, wrong PINs would trigger a notification or action of some sort, the pad should not be able to be viewed or recorded from a distance (it might face a wall), etc.
– reed
Apr 29 at 13:28
3
3
if you make it long, people will write it down rather than memorise it, creating another security risk.
– jwenting
Apr 30 at 9:59
if you make it long, people will write it down rather than memorise it, creating another security risk.
– jwenting
Apr 30 at 9:59
2
2
@jwenting for something infrequently used, I suspect that it would be written down anyway.
– schroeder♦
Apr 30 at 10:13
@jwenting for something infrequently used, I suspect that it would be written down anyway.
– schroeder♦
Apr 30 at 10:13
|
show 2 more comments
There are only 100000 potential values if you have a 5 digit PIN. That means that a single PIN can be brute forced in a relatively small length of time, unless there is some form of secondary restriction against a person standing next to the door and trying each number. This gets worse if there are multiple people with distinct codes for access to the system - assuming each person selects a random code, an attacker entering a single code has a n/100000 chance to find a working code, where n is the number of people with access.
It would probably be reasonable to expect a dedicated attacker to manage 1000 tries per hour - it doesn't take very long to type a 5 digit number. That would give an upper bound of 100 hours, with a single code. That's 3 (pretty boring) weekends with some breaks for food, which, depending on what is in the building, may well be worth it. The system as described can't implement account lockout - the only way to determine which user is trying to access is through the code.
So, how to solve this?
- Use the PIN as a secondary factor - have an access card, and a PIN, for example. It is then possible to have account lockout after some failed PIN entries.
- Enforce limits on the PIN in other ways - have someone guarding the door who prevents too many tries, have a CCTV camera pointing at the door which is monitored for unusual activity (someone standing there trying each possible code)
- Have a much longer PIN, making it impractical to keep trying codes
You would also probably want to ensure that the codes being entered cannot be monitored in other ways - for example, by pointing a video camera at the key pad.
5
While it's true that the system can't implement account lockout of an individual account, you can implement broad protection against brute force attacks in a way that's still passive and cheaper than an onsite security guard or requiring someone to constantly check a camera. Have the system page an administrator or other responsible party if X incorrect entries are received within a given time frame. Or, have the PIN system shut itself off after X incorrect tries (forcing legitimate users to access the building with a physical key, which most PIN systems would have as a backup anyways).
– dwizum
Apr 29 at 14:23
7
There are lots of windows and glass doors (all visible from adjacent streets). So if someone really wanted to get in, smash and grab would be relatively easy. There are also cameras that record the video. So camping out and brute forcing would seem to be less likely.
– Les
Apr 29 at 14:49
4
I don't understand the 100000/n. For n=1 surely it only takes 50000 tries on average.
– Matt
Apr 29 at 22:29
7
@dwizum if my kids - 2 and 5 - have access to the keypad and there is a lockout, they are going to lock it out every single time. Children can not resist pressing buttons. Considering this is a church it is probably that children will have access to the keypad.
– emory
Apr 30 at 12:45
3
@emory - put the keypad 6 feet off the ground. :) To your point though, there's a keypad system to enter my daughter's school, it looks like a regular telephone dialpad. There's no obvious "enter" button. It only submits an attempt to the server after a user hits the star key, and then it only submits the 4 characters entered immediately prior to hitting star. Something like this can help protect against child random-button-mashers.
– dwizum
Apr 30 at 13:29
|
show 3 more comments
There are only 100000 potential values if you have a 5 digit PIN. That means that a single PIN can be brute forced in a relatively small length of time, unless there is some form of secondary restriction against a person standing next to the door and trying each number. This gets worse if there are multiple people with distinct codes for access to the system - assuming each person selects a random code, an attacker entering a single code has a n/100000 chance to find a working code, where n is the number of people with access.
It would probably be reasonable to expect a dedicated attacker to manage 1000 tries per hour - it doesn't take very long to type a 5 digit number. That would give an upper bound of 100 hours, with a single code. That's 3 (pretty boring) weekends with some breaks for food, which, depending on what is in the building, may well be worth it. The system as described can't implement account lockout - the only way to determine which user is trying to access is through the code.
So, how to solve this?
- Use the PIN as a secondary factor - have an access card, and a PIN, for example. It is then possible to have account lockout after some failed PIN entries.
- Enforce limits on the PIN in other ways - have someone guarding the door who prevents too many tries, have a CCTV camera pointing at the door which is monitored for unusual activity (someone standing there trying each possible code)
- Have a much longer PIN, making it impractical to keep trying codes
You would also probably want to ensure that the codes being entered cannot be monitored in other ways - for example, by pointing a video camera at the key pad.
5
While it's true that the system can't implement account lockout of an individual account, you can implement broad protection against brute force attacks in a way that's still passive and cheaper than an onsite security guard or requiring someone to constantly check a camera. Have the system page an administrator or other responsible party if X incorrect entries are received within a given time frame. Or, have the PIN system shut itself off after X incorrect tries (forcing legitimate users to access the building with a physical key, which most PIN systems would have as a backup anyways).
– dwizum
Apr 29 at 14:23
7
There are lots of windows and glass doors (all visible from adjacent streets). So if someone really wanted to get in, smash and grab would be relatively easy. There are also cameras that record the video. So camping out and brute forcing would seem to be less likely.
– Les
Apr 29 at 14:49
4
I don't understand the 100000/n. For n=1 surely it only takes 50000 tries on average.
– Matt
Apr 29 at 22:29
7
@dwizum if my kids - 2 and 5 - have access to the keypad and there is a lockout, they are going to lock it out every single time. Children can not resist pressing buttons. Considering this is a church it is probably that children will have access to the keypad.
– emory
Apr 30 at 12:45
3
@emory - put the keypad 6 feet off the ground. :) To your point though, there's a keypad system to enter my daughter's school, it looks like a regular telephone dialpad. There's no obvious "enter" button. It only submits an attempt to the server after a user hits the star key, and then it only submits the 4 characters entered immediately prior to hitting star. Something like this can help protect against child random-button-mashers.
– dwizum
Apr 30 at 13:29
|
show 3 more comments
There are only 100000 potential values if you have a 5 digit PIN. That means that a single PIN can be brute forced in a relatively small length of time, unless there is some form of secondary restriction against a person standing next to the door and trying each number. This gets worse if there are multiple people with distinct codes for access to the system - assuming each person selects a random code, an attacker entering a single code has a n/100000 chance to find a working code, where n is the number of people with access.
It would probably be reasonable to expect a dedicated attacker to manage 1000 tries per hour - it doesn't take very long to type a 5 digit number. That would give an upper bound of 100 hours, with a single code. That's 3 (pretty boring) weekends with some breaks for food, which, depending on what is in the building, may well be worth it. The system as described can't implement account lockout - the only way to determine which user is trying to access is through the code.
So, how to solve this?
- Use the PIN as a secondary factor - have an access card, and a PIN, for example. It is then possible to have account lockout after some failed PIN entries.
- Enforce limits on the PIN in other ways - have someone guarding the door who prevents too many tries, have a CCTV camera pointing at the door which is monitored for unusual activity (someone standing there trying each possible code)
- Have a much longer PIN, making it impractical to keep trying codes
You would also probably want to ensure that the codes being entered cannot be monitored in other ways - for example, by pointing a video camera at the key pad.
There are only 100000 potential values if you have a 5 digit PIN. That means that a single PIN can be brute forced in a relatively small length of time, unless there is some form of secondary restriction against a person standing next to the door and trying each number. This gets worse if there are multiple people with distinct codes for access to the system - assuming each person selects a random code, an attacker entering a single code has a n/100000 chance to find a working code, where n is the number of people with access.
It would probably be reasonable to expect a dedicated attacker to manage 1000 tries per hour - it doesn't take very long to type a 5 digit number. That would give an upper bound of 100 hours, with a single code. That's 3 (pretty boring) weekends with some breaks for food, which, depending on what is in the building, may well be worth it. The system as described can't implement account lockout - the only way to determine which user is trying to access is through the code.
So, how to solve this?
- Use the PIN as a secondary factor - have an access card, and a PIN, for example. It is then possible to have account lockout after some failed PIN entries.
- Enforce limits on the PIN in other ways - have someone guarding the door who prevents too many tries, have a CCTV camera pointing at the door which is monitored for unusual activity (someone standing there trying each possible code)
- Have a much longer PIN, making it impractical to keep trying codes
You would also probably want to ensure that the codes being entered cannot be monitored in other ways - for example, by pointing a video camera at the key pad.
edited Apr 30 at 8:03
answered Apr 29 at 13:26
MatthewMatthew
25.9k78295
25.9k78295
5
While it's true that the system can't implement account lockout of an individual account, you can implement broad protection against brute force attacks in a way that's still passive and cheaper than an onsite security guard or requiring someone to constantly check a camera. Have the system page an administrator or other responsible party if X incorrect entries are received within a given time frame. Or, have the PIN system shut itself off after X incorrect tries (forcing legitimate users to access the building with a physical key, which most PIN systems would have as a backup anyways).
– dwizum
Apr 29 at 14:23
7
There are lots of windows and glass doors (all visible from adjacent streets). So if someone really wanted to get in, smash and grab would be relatively easy. There are also cameras that record the video. So camping out and brute forcing would seem to be less likely.
– Les
Apr 29 at 14:49
4
I don't understand the 100000/n. For n=1 surely it only takes 50000 tries on average.
– Matt
Apr 29 at 22:29
7
@dwizum if my kids - 2 and 5 - have access to the keypad and there is a lockout, they are going to lock it out every single time. Children can not resist pressing buttons. Considering this is a church it is probably that children will have access to the keypad.
– emory
Apr 30 at 12:45
3
@emory - put the keypad 6 feet off the ground. :) To your point though, there's a keypad system to enter my daughter's school, it looks like a regular telephone dialpad. There's no obvious "enter" button. It only submits an attempt to the server after a user hits the star key, and then it only submits the 4 characters entered immediately prior to hitting star. Something like this can help protect against child random-button-mashers.
– dwizum
Apr 30 at 13:29
|
show 3 more comments
5
While it's true that the system can't implement account lockout of an individual account, you can implement broad protection against brute force attacks in a way that's still passive and cheaper than an onsite security guard or requiring someone to constantly check a camera. Have the system page an administrator or other responsible party if X incorrect entries are received within a given time frame. Or, have the PIN system shut itself off after X incorrect tries (forcing legitimate users to access the building with a physical key, which most PIN systems would have as a backup anyways).
– dwizum
Apr 29 at 14:23
7
There are lots of windows and glass doors (all visible from adjacent streets). So if someone really wanted to get in, smash and grab would be relatively easy. There are also cameras that record the video. So camping out and brute forcing would seem to be less likely.
– Les
Apr 29 at 14:49
4
I don't understand the 100000/n. For n=1 surely it only takes 50000 tries on average.
– Matt
Apr 29 at 22:29
7
@dwizum if my kids - 2 and 5 - have access to the keypad and there is a lockout, they are going to lock it out every single time. Children can not resist pressing buttons. Considering this is a church it is probably that children will have access to the keypad.
– emory
Apr 30 at 12:45
3
@emory - put the keypad 6 feet off the ground. :) To your point though, there's a keypad system to enter my daughter's school, it looks like a regular telephone dialpad. There's no obvious "enter" button. It only submits an attempt to the server after a user hits the star key, and then it only submits the 4 characters entered immediately prior to hitting star. Something like this can help protect against child random-button-mashers.
– dwizum
Apr 30 at 13:29
5
5
While it's true that the system can't implement account lockout of an individual account, you can implement broad protection against brute force attacks in a way that's still passive and cheaper than an onsite security guard or requiring someone to constantly check a camera. Have the system page an administrator or other responsible party if X incorrect entries are received within a given time frame. Or, have the PIN system shut itself off after X incorrect tries (forcing legitimate users to access the building with a physical key, which most PIN systems would have as a backup anyways).
– dwizum
Apr 29 at 14:23
While it's true that the system can't implement account lockout of an individual account, you can implement broad protection against brute force attacks in a way that's still passive and cheaper than an onsite security guard or requiring someone to constantly check a camera. Have the system page an administrator or other responsible party if X incorrect entries are received within a given time frame. Or, have the PIN system shut itself off after X incorrect tries (forcing legitimate users to access the building with a physical key, which most PIN systems would have as a backup anyways).
– dwizum
Apr 29 at 14:23
7
7
There are lots of windows and glass doors (all visible from adjacent streets). So if someone really wanted to get in, smash and grab would be relatively easy. There are also cameras that record the video. So camping out and brute forcing would seem to be less likely.
– Les
Apr 29 at 14:49
There are lots of windows and glass doors (all visible from adjacent streets). So if someone really wanted to get in, smash and grab would be relatively easy. There are also cameras that record the video. So camping out and brute forcing would seem to be less likely.
– Les
Apr 29 at 14:49
4
4
I don't understand the 100000/n. For n=1 surely it only takes 50000 tries on average.
– Matt
Apr 29 at 22:29
I don't understand the 100000/n. For n=1 surely it only takes 50000 tries on average.
– Matt
Apr 29 at 22:29
7
7
@dwizum if my kids - 2 and 5 - have access to the keypad and there is a lockout, they are going to lock it out every single time. Children can not resist pressing buttons. Considering this is a church it is probably that children will have access to the keypad.
– emory
Apr 30 at 12:45
@dwizum if my kids - 2 and 5 - have access to the keypad and there is a lockout, they are going to lock it out every single time. Children can not resist pressing buttons. Considering this is a church it is probably that children will have access to the keypad.
– emory
Apr 30 at 12:45
3
3
@emory - put the keypad 6 feet off the ground. :) To your point though, there's a keypad system to enter my daughter's school, it looks like a regular telephone dialpad. There's no obvious "enter" button. It only submits an attempt to the server after a user hits the star key, and then it only submits the 4 characters entered immediately prior to hitting star. Something like this can help protect against child random-button-mashers.
– dwizum
Apr 30 at 13:29
@emory - put the keypad 6 feet off the ground. :) To your point though, there's a keypad system to enter my daughter's school, it looks like a regular telephone dialpad. There's no obvious "enter" button. It only submits an attempt to the server after a user hits the star key, and then it only submits the 4 characters entered immediately prior to hitting star. Something like this can help protect against child random-button-mashers.
– dwizum
Apr 30 at 13:29
|
show 3 more comments
Full disclosure: I worked for several years as the software architect for a very large, Fortune 500 company that manufactures and programs these sort of electronic locks, including government and homeland security applications. Our biggest customer, though, was the National Association of Realtors. There is a very good chance you are using a product from my former company.
Our engineers had many discussions about PIN black listing, and they were all very fun while they lasted, but always ended the same way:
- We are way overthinking this.
- We just have to make it harder to guess the PIN than to throw a rock through a window. Physical security trumps all.
Also:
When there is a limited number of digits, it is safer to provide a single PIN to all users and rotate it frequently (once a month is typical). If you allow each user their own PIN, it reduces the search space dramatically. For example, if you have 100 users and there are only 1000 possible codes, with a single guess you have about a 1 in 10 chance of getting through that door. If everyone shared a single code it would be 1 in 1000.
All of our electronic products did ship with a blacklist of ten codes: all 1's, all 2's, all 3's, all 4's, etc. Any other code was selectable by the customer. The black list was configurable by the customer but honestly nobody ever did it.
You're right but it's more nuanced than "physical security ...". People will call the police for a broken window but won't bother about someone having a few goes on a keypad (provided they look like they might belong).
– pbhj
May 1 at 1:37
You get it @pbhj. The problem is much more organic and situational. With a web site, the security architecture is the customer's only protection; with physical security, we have to trust the customer much more to use the tool we give them in a manner that is sensible. Is the location secluded? Well lit? Under surveillance? Etc. We can't do all the thinking for them (unlike information security, where we assume we are much more aware than the user).
– John Wu
May 1 at 6:07
add a comment |
Full disclosure: I worked for several years as the software architect for a very large, Fortune 500 company that manufactures and programs these sort of electronic locks, including government and homeland security applications. Our biggest customer, though, was the National Association of Realtors. There is a very good chance you are using a product from my former company.
Our engineers had many discussions about PIN black listing, and they were all very fun while they lasted, but always ended the same way:
- We are way overthinking this.
- We just have to make it harder to guess the PIN than to throw a rock through a window. Physical security trumps all.
Also:
When there is a limited number of digits, it is safer to provide a single PIN to all users and rotate it frequently (once a month is typical). If you allow each user their own PIN, it reduces the search space dramatically. For example, if you have 100 users and there are only 1000 possible codes, with a single guess you have about a 1 in 10 chance of getting through that door. If everyone shared a single code it would be 1 in 1000.
All of our electronic products did ship with a blacklist of ten codes: all 1's, all 2's, all 3's, all 4's, etc. Any other code was selectable by the customer. The black list was configurable by the customer but honestly nobody ever did it.
You're right but it's more nuanced than "physical security ...". People will call the police for a broken window but won't bother about someone having a few goes on a keypad (provided they look like they might belong).
– pbhj
May 1 at 1:37
You get it @pbhj. The problem is much more organic and situational. With a web site, the security architecture is the customer's only protection; with physical security, we have to trust the customer much more to use the tool we give them in a manner that is sensible. Is the location secluded? Well lit? Under surveillance? Etc. We can't do all the thinking for them (unlike information security, where we assume we are much more aware than the user).
– John Wu
May 1 at 6:07
add a comment |
Full disclosure: I worked for several years as the software architect for a very large, Fortune 500 company that manufactures and programs these sort of electronic locks, including government and homeland security applications. Our biggest customer, though, was the National Association of Realtors. There is a very good chance you are using a product from my former company.
Our engineers had many discussions about PIN black listing, and they were all very fun while they lasted, but always ended the same way:
- We are way overthinking this.
- We just have to make it harder to guess the PIN than to throw a rock through a window. Physical security trumps all.
Also:
When there is a limited number of digits, it is safer to provide a single PIN to all users and rotate it frequently (once a month is typical). If you allow each user their own PIN, it reduces the search space dramatically. For example, if you have 100 users and there are only 1000 possible codes, with a single guess you have about a 1 in 10 chance of getting through that door. If everyone shared a single code it would be 1 in 1000.
All of our electronic products did ship with a blacklist of ten codes: all 1's, all 2's, all 3's, all 4's, etc. Any other code was selectable by the customer. The black list was configurable by the customer but honestly nobody ever did it.
Full disclosure: I worked for several years as the software architect for a very large, Fortune 500 company that manufactures and programs these sort of electronic locks, including government and homeland security applications. Our biggest customer, though, was the National Association of Realtors. There is a very good chance you are using a product from my former company.
Our engineers had many discussions about PIN black listing, and they were all very fun while they lasted, but always ended the same way:
- We are way overthinking this.
- We just have to make it harder to guess the PIN than to throw a rock through a window. Physical security trumps all.
Also:
When there is a limited number of digits, it is safer to provide a single PIN to all users and rotate it frequently (once a month is typical). If you allow each user their own PIN, it reduces the search space dramatically. For example, if you have 100 users and there are only 1000 possible codes, with a single guess you have about a 1 in 10 chance of getting through that door. If everyone shared a single code it would be 1 in 1000.
All of our electronic products did ship with a blacklist of ten codes: all 1's, all 2's, all 3's, all 4's, etc. Any other code was selectable by the customer. The black list was configurable by the customer but honestly nobody ever did it.
edited Apr 30 at 22:27
answered Apr 30 at 22:09
John WuJohn Wu
7,64211731
7,64211731
You're right but it's more nuanced than "physical security ...". People will call the police for a broken window but won't bother about someone having a few goes on a keypad (provided they look like they might belong).
– pbhj
May 1 at 1:37
You get it @pbhj. The problem is much more organic and situational. With a web site, the security architecture is the customer's only protection; with physical security, we have to trust the customer much more to use the tool we give them in a manner that is sensible. Is the location secluded? Well lit? Under surveillance? Etc. We can't do all the thinking for them (unlike information security, where we assume we are much more aware than the user).
– John Wu
May 1 at 6:07
add a comment |
You're right but it's more nuanced than "physical security ...". People will call the police for a broken window but won't bother about someone having a few goes on a keypad (provided they look like they might belong).
– pbhj
May 1 at 1:37
You get it @pbhj. The problem is much more organic and situational. With a web site, the security architecture is the customer's only protection; with physical security, we have to trust the customer much more to use the tool we give them in a manner that is sensible. Is the location secluded? Well lit? Under surveillance? Etc. We can't do all the thinking for them (unlike information security, where we assume we are much more aware than the user).
– John Wu
May 1 at 6:07
You're right but it's more nuanced than "physical security ...". People will call the police for a broken window but won't bother about someone having a few goes on a keypad (provided they look like they might belong).
– pbhj
May 1 at 1:37
You're right but it's more nuanced than "physical security ...". People will call the police for a broken window but won't bother about someone having a few goes on a keypad (provided they look like they might belong).
– pbhj
May 1 at 1:37
You get it @pbhj. The problem is much more organic and situational. With a web site, the security architecture is the customer's only protection; with physical security, we have to trust the customer much more to use the tool we give them in a manner that is sensible. Is the location secluded? Well lit? Under surveillance? Etc. We can't do all the thinking for them (unlike information security, where we assume we are much more aware than the user).
– John Wu
May 1 at 6:07
You get it @pbhj. The problem is much more organic and situational. With a web site, the security architecture is the customer's only protection; with physical security, we have to trust the customer much more to use the tool we give them in a manner that is sensible. Is the location secluded? Well lit? Under surveillance? Etc. We can't do all the thinking for them (unlike information security, where we assume we are much more aware than the user).
– John Wu
May 1 at 6:07
add a comment |
Check out the 20 most popular 4-digit pins:
Those are the combinations that the attacker will try first. These include:
- repeated digits / pairs
- incrementing/decrementing sequences
- geometrical patterns on the keypad
Excluding these (extrapolated to your 5-digit pins) will provide a tangible increase in security. I wouldn't bother going further than that (that is, excluding dates / zip codes / etc.), because an attacker which is determined enough to learn your coworker's birthday will be determined enough to get a valid pin through social engineering, or simply try enough pins to get in. Mind you that with 100000 combinations and 100 valid pins (assuming you have 100 coworkers), every 1000th pin will be valid even if the attacker goes for simple bruteforce.
If the fact that a pin can eventually be guessed sounds insecure in the environment where the lock will be used, you should choose a different kind of lock and/or additional security measures. Something as simple as a short alarm sound after 10 wrong pins will help a lot.
I think you have the math slightly wrong. Some coworkers will have duplicate PINs. If you enforce unique PINs by assigning PINs this would not be a problem. Otherwise, a user entitled to one day of access could suss out other user's PIN by simply repeatedly requesting PINs.
– emory
Apr 30 at 15:49
@emory True there will be less unique pins due to birthday paradox, but it won't make a significant difference to bruteforce complexity.
– Dmitry Grigoryev
Apr 30 at 15:52
add a comment |
Check out the 20 most popular 4-digit pins:
Those are the combinations that the attacker will try first. These include:
- repeated digits / pairs
- incrementing/decrementing sequences
- geometrical patterns on the keypad
Excluding these (extrapolated to your 5-digit pins) will provide a tangible increase in security. I wouldn't bother going further than that (that is, excluding dates / zip codes / etc.), because an attacker which is determined enough to learn your coworker's birthday will be determined enough to get a valid pin through social engineering, or simply try enough pins to get in. Mind you that with 100000 combinations and 100 valid pins (assuming you have 100 coworkers), every 1000th pin will be valid even if the attacker goes for simple bruteforce.
If the fact that a pin can eventually be guessed sounds insecure in the environment where the lock will be used, you should choose a different kind of lock and/or additional security measures. Something as simple as a short alarm sound after 10 wrong pins will help a lot.
I think you have the math slightly wrong. Some coworkers will have duplicate PINs. If you enforce unique PINs by assigning PINs this would not be a problem. Otherwise, a user entitled to one day of access could suss out other user's PIN by simply repeatedly requesting PINs.
– emory
Apr 30 at 15:49
@emory True there will be less unique pins due to birthday paradox, but it won't make a significant difference to bruteforce complexity.
– Dmitry Grigoryev
Apr 30 at 15:52
add a comment |
Check out the 20 most popular 4-digit pins:
Those are the combinations that the attacker will try first. These include:
- repeated digits / pairs
- incrementing/decrementing sequences
- geometrical patterns on the keypad
Excluding these (extrapolated to your 5-digit pins) will provide a tangible increase in security. I wouldn't bother going further than that (that is, excluding dates / zip codes / etc.), because an attacker which is determined enough to learn your coworker's birthday will be determined enough to get a valid pin through social engineering, or simply try enough pins to get in. Mind you that with 100000 combinations and 100 valid pins (assuming you have 100 coworkers), every 1000th pin will be valid even if the attacker goes for simple bruteforce.
If the fact that a pin can eventually be guessed sounds insecure in the environment where the lock will be used, you should choose a different kind of lock and/or additional security measures. Something as simple as a short alarm sound after 10 wrong pins will help a lot.
Check out the 20 most popular 4-digit pins:
Those are the combinations that the attacker will try first. These include:
- repeated digits / pairs
- incrementing/decrementing sequences
- geometrical patterns on the keypad
Excluding these (extrapolated to your 5-digit pins) will provide a tangible increase in security. I wouldn't bother going further than that (that is, excluding dates / zip codes / etc.), because an attacker which is determined enough to learn your coworker's birthday will be determined enough to get a valid pin through social engineering, or simply try enough pins to get in. Mind you that with 100000 combinations and 100 valid pins (assuming you have 100 coworkers), every 1000th pin will be valid even if the attacker goes for simple bruteforce.
If the fact that a pin can eventually be guessed sounds insecure in the environment where the lock will be used, you should choose a different kind of lock and/or additional security measures. Something as simple as a short alarm sound after 10 wrong pins will help a lot.
edited Apr 30 at 15:50
answered Apr 30 at 15:10
Dmitry GrigoryevDmitry Grigoryev
7,9432245
7,9432245
I think you have the math slightly wrong. Some coworkers will have duplicate PINs. If you enforce unique PINs by assigning PINs this would not be a problem. Otherwise, a user entitled to one day of access could suss out other user's PIN by simply repeatedly requesting PINs.
– emory
Apr 30 at 15:49
@emory True there will be less unique pins due to birthday paradox, but it won't make a significant difference to bruteforce complexity.
– Dmitry Grigoryev
Apr 30 at 15:52
add a comment |
I think you have the math slightly wrong. Some coworkers will have duplicate PINs. If you enforce unique PINs by assigning PINs this would not be a problem. Otherwise, a user entitled to one day of access could suss out other user's PIN by simply repeatedly requesting PINs.
– emory
Apr 30 at 15:49
@emory True there will be less unique pins due to birthday paradox, but it won't make a significant difference to bruteforce complexity.
– Dmitry Grigoryev
Apr 30 at 15:52
I think you have the math slightly wrong. Some coworkers will have duplicate PINs. If you enforce unique PINs by assigning PINs this would not be a problem. Otherwise, a user entitled to one day of access could suss out other user's PIN by simply repeatedly requesting PINs.
– emory
Apr 30 at 15:49
I think you have the math slightly wrong. Some coworkers will have duplicate PINs. If you enforce unique PINs by assigning PINs this would not be a problem. Otherwise, a user entitled to one day of access could suss out other user's PIN by simply repeatedly requesting PINs.
– emory
Apr 30 at 15:49
@emory True there will be less unique pins due to birthday paradox, but it won't make a significant difference to bruteforce complexity.
– Dmitry Grigoryev
Apr 30 at 15:52
@emory True there will be less unique pins due to birthday paradox, but it won't make a significant difference to bruteforce complexity.
– Dmitry Grigoryev
Apr 30 at 15:52
add a comment |
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f209212%2fselecting-a-secure-pin-for-building-access%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
2
We can make a lot of guesses about the risks that a church might face, but can you describe what you think the risks would be if someone got access to a PIN? Vandalism? Hate crime? Access to church records? Access to valuables? What is in the offices that are behind, likely, hollow core doors? Is it staffed or patrolled 24/7?
– schroeder♦
Apr 29 at 13:20
34
Aside: The entry code for one of my employers was 3141. The security auditors were a little unhappy at the repeated digit but let it slide. They completely missed that the company name was "Pi Research"!
– Martin Bonner
Apr 29 at 16:48
11
@MartinBonner May I ask why they would've/should've had issues with the repeated digit? I can see no reason as to why this would weaken the PIN. Limiting yourself to non-repeating digits decrease the entropy of the PIN (10*10*10*10 vs 10*9*8*7).
– BlueCacti
Apr 30 at 7:21
2
@Les lists of pin patterns will make for a very poor answer. Physical patterns and repeated numbers are the most common. My answer below of using a random generator instead of letting people choose their own PINs is the better way to go else you play whack-a-mole
– schroeder♦
Apr 30 at 10:16
2
@aCVn Since we're already nitpicking: No please don't remember that "5 rounds up" because that simplistic approach leads to a significant bias of the rounded numbers. There are many other rounding schemes than the one we learn in grade school, for good reason.
– Voo
Apr 30 at 12:19