Selecting a secure PIN for building accessWhat's the use of making users use digits, uppercase-lowercase combination password if the passwords are hashed?Touch Screen Password Guessing by Fingerprint TraceGlobal user override - UncomfortableCountermeasures for a family-member attack on a password reset procedureAuthenticating a user via SMSHow unsecure is entering personal information via the keypad when phone banking?Are encrypted files safe in Windows 10 when using PINs?How does using an app rather than code card to authenticate improve security?Recommendations for tamper resistance without reasonable access securityWhat is the right way to share the digital assets to the will executor and eventually detect the person's death?

Names of the Six Tastes

Is this strange Morse signal type common?

Can radiation block all wireless communications?

Using mean length and mean weight to calculate mean BMI?

Why is there a cap on 401k contributions?

Align a table column at a specific symbol

When was it publicly revealed that a KH-11 spy satellite took pictures of the first Shuttle flight?

Are wands in any sort of book going to be too much like Harry Potter?

What is the Ancient One's mistake?

Why is the episode called "The Last of the Starks"?

What happens when the drag force exceeds the weight of an object falling into earth?

How is it believable that Euron could so easily pull off this ambush?

History: Per Leviticus 19:27 would the apostles have had corner locks ala Hassidim today?

Why doesn't increasing the temperature of something like wood or paper set them on fire?

How to avoid making self and former employee look bad when reporting on fixing former employee's work?

Is it possible to do moon sighting in advance for 5 years with 100% accuracy?

Mindfulness of Watching Youtube

How can it be that ssh somename works, while nslookup somename does not?

logo selection for poster presentation

I want to write a blog post building upon someone else's paper, how can I properly cite/credit them?

While drilling into kitchen wall, hit a wire - any advice?

How do I minimise waste on a flight?

What is the oldest instrument ever?

Can a character shove an enemy who is already prone?



Selecting a secure PIN for building access


What's the use of making users use digits, uppercase-lowercase combination password if the passwords are hashed?Touch Screen Password Guessing by Fingerprint TraceGlobal user override - UncomfortableCountermeasures for a family-member attack on a password reset procedureAuthenticating a user via SMSHow unsecure is entering personal information via the keypad when phone banking?Are encrypted files safe in Windows 10 when using PINs?How does using an app rather than code card to authenticate improve security?Recommendations for tamper resistance without reasonable access securityWhat is the right way to share the digital assets to the will executor and eventually detect the person's death?






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








22















What are the general criteria for rejecting an insecure PIN to access a building?



There has been a lot of discussion about password selection security. Minimum length requirements, mandatory classes of characters, etc. I have not found much concerning PIN selection security. Furthermore, there are several types of access that a PIN protects (phone, credit card, building). Each may have their own particular vulnerability characteristics.



I am in the loop on the installation of a new security system which allows personnel to enter a building by entering a PIN on a keypad by the door. Individuals are allowed to select their own PIN which is entered into the system under their name. I am aware of some insecure PINs, such as 12345 (or any consecutive digits sequence), the location's zip code or part of the company's phone number or address.



Anyone with a legitimate need may request access to the building. This includes everyone from executives to employees and and perhaps occasionally, guests. This particular building is a church, so there are no national secrets to protect. I would characterize the security requirements to be similar to a house. Interior offices are protected with physical keys.



Edit: I appreciate the information presented, however, they don't answer the question. I am looking for PIN patterns that attackers are known to use (because users have selected bad PINs).










share|improve this question



















  • 2





    We can make a lot of guesses about the risks that a church might face, but can you describe what you think the risks would be if someone got access to a PIN? Vandalism? Hate crime? Access to church records? Access to valuables? What is in the offices that are behind, likely, hollow core doors? Is it staffed or patrolled 24/7?

    – schroeder
    Apr 29 at 13:20







  • 34





    Aside: The entry code for one of my employers was 3141. The security auditors were a little unhappy at the repeated digit but let it slide. They completely missed that the company name was "Pi Research"!

    – Martin Bonner
    Apr 29 at 16:48






  • 11





    @MartinBonner May I ask why they would've/should've had issues with the repeated digit? I can see no reason as to why this would weaken the PIN. Limiting yourself to non-repeating digits decrease the entropy of the PIN (10*10*10*10 vs 10*9*8*7).

    – BlueCacti
    Apr 30 at 7:21







  • 2





    @Les lists of pin patterns will make for a very poor answer. Physical patterns and repeated numbers are the most common. My answer below of using a random generator instead of letting people choose their own PINs is the better way to go else you play whack-a-mole

    – schroeder
    Apr 30 at 10:16






  • 2





    @aCVn Since we're already nitpicking: No please don't remember that "5 rounds up" because that simplistic approach leads to a significant bias of the rounded numbers. There are many other rounding schemes than the one we learn in grade school, for good reason.

    – Voo
    Apr 30 at 12:19


















22















What are the general criteria for rejecting an insecure PIN to access a building?



There has been a lot of discussion about password selection security. Minimum length requirements, mandatory classes of characters, etc. I have not found much concerning PIN selection security. Furthermore, there are several types of access that a PIN protects (phone, credit card, building). Each may have their own particular vulnerability characteristics.



I am in the loop on the installation of a new security system which allows personnel to enter a building by entering a PIN on a keypad by the door. Individuals are allowed to select their own PIN which is entered into the system under their name. I am aware of some insecure PINs, such as 12345 (or any consecutive digits sequence), the location's zip code or part of the company's phone number or address.



Anyone with a legitimate need may request access to the building. This includes everyone from executives to employees and and perhaps occasionally, guests. This particular building is a church, so there are no national secrets to protect. I would characterize the security requirements to be similar to a house. Interior offices are protected with physical keys.



Edit: I appreciate the information presented, however, they don't answer the question. I am looking for PIN patterns that attackers are known to use (because users have selected bad PINs).










share|improve this question



















  • 2





    We can make a lot of guesses about the risks that a church might face, but can you describe what you think the risks would be if someone got access to a PIN? Vandalism? Hate crime? Access to church records? Access to valuables? What is in the offices that are behind, likely, hollow core doors? Is it staffed or patrolled 24/7?

    – schroeder
    Apr 29 at 13:20







  • 34





    Aside: The entry code for one of my employers was 3141. The security auditors were a little unhappy at the repeated digit but let it slide. They completely missed that the company name was "Pi Research"!

    – Martin Bonner
    Apr 29 at 16:48






  • 11





    @MartinBonner May I ask why they would've/should've had issues with the repeated digit? I can see no reason as to why this would weaken the PIN. Limiting yourself to non-repeating digits decrease the entropy of the PIN (10*10*10*10 vs 10*9*8*7).

    – BlueCacti
    Apr 30 at 7:21







  • 2





    @Les lists of pin patterns will make for a very poor answer. Physical patterns and repeated numbers are the most common. My answer below of using a random generator instead of letting people choose their own PINs is the better way to go else you play whack-a-mole

    – schroeder
    Apr 30 at 10:16






  • 2





    @aCVn Since we're already nitpicking: No please don't remember that "5 rounds up" because that simplistic approach leads to a significant bias of the rounded numbers. There are many other rounding schemes than the one we learn in grade school, for good reason.

    – Voo
    Apr 30 at 12:19














22












22








22


3






What are the general criteria for rejecting an insecure PIN to access a building?



There has been a lot of discussion about password selection security. Minimum length requirements, mandatory classes of characters, etc. I have not found much concerning PIN selection security. Furthermore, there are several types of access that a PIN protects (phone, credit card, building). Each may have their own particular vulnerability characteristics.



I am in the loop on the installation of a new security system which allows personnel to enter a building by entering a PIN on a keypad by the door. Individuals are allowed to select their own PIN which is entered into the system under their name. I am aware of some insecure PINs, such as 12345 (or any consecutive digits sequence), the location's zip code or part of the company's phone number or address.



Anyone with a legitimate need may request access to the building. This includes everyone from executives to employees and and perhaps occasionally, guests. This particular building is a church, so there are no national secrets to protect. I would characterize the security requirements to be similar to a house. Interior offices are protected with physical keys.



Edit: I appreciate the information presented, however, they don't answer the question. I am looking for PIN patterns that attackers are known to use (because users have selected bad PINs).










share|improve this question
















What are the general criteria for rejecting an insecure PIN to access a building?



There has been a lot of discussion about password selection security. Minimum length requirements, mandatory classes of characters, etc. I have not found much concerning PIN selection security. Furthermore, there are several types of access that a PIN protects (phone, credit card, building). Each may have their own particular vulnerability characteristics.



I am in the loop on the installation of a new security system which allows personnel to enter a building by entering a PIN on a keypad by the door. Individuals are allowed to select their own PIN which is entered into the system under their name. I am aware of some insecure PINs, such as 12345 (or any consecutive digits sequence), the location's zip code or part of the company's phone number or address.



Anyone with a legitimate need may request access to the building. This includes everyone from executives to employees and and perhaps occasionally, guests. This particular building is a church, so there are no national secrets to protect. I would characterize the security requirements to be similar to a house. Interior offices are protected with physical keys.



Edit: I appreciate the information presented, however, they don't answer the question. I am looking for PIN patterns that attackers are known to use (because users have selected bad PINs).







passwords physical-access






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Apr 29 at 16:49







Les

















asked Apr 29 at 13:04









LesLes

25329




25329







  • 2





    We can make a lot of guesses about the risks that a church might face, but can you describe what you think the risks would be if someone got access to a PIN? Vandalism? Hate crime? Access to church records? Access to valuables? What is in the offices that are behind, likely, hollow core doors? Is it staffed or patrolled 24/7?

    – schroeder
    Apr 29 at 13:20







  • 34





    Aside: The entry code for one of my employers was 3141. The security auditors were a little unhappy at the repeated digit but let it slide. They completely missed that the company name was "Pi Research"!

    – Martin Bonner
    Apr 29 at 16:48






  • 11





    @MartinBonner May I ask why they would've/should've had issues with the repeated digit? I can see no reason as to why this would weaken the PIN. Limiting yourself to non-repeating digits decrease the entropy of the PIN (10*10*10*10 vs 10*9*8*7).

    – BlueCacti
    Apr 30 at 7:21







  • 2





    @Les lists of pin patterns will make for a very poor answer. Physical patterns and repeated numbers are the most common. My answer below of using a random generator instead of letting people choose their own PINs is the better way to go else you play whack-a-mole

    – schroeder
    Apr 30 at 10:16






  • 2





    @aCVn Since we're already nitpicking: No please don't remember that "5 rounds up" because that simplistic approach leads to a significant bias of the rounded numbers. There are many other rounding schemes than the one we learn in grade school, for good reason.

    – Voo
    Apr 30 at 12:19













  • 2





    We can make a lot of guesses about the risks that a church might face, but can you describe what you think the risks would be if someone got access to a PIN? Vandalism? Hate crime? Access to church records? Access to valuables? What is in the offices that are behind, likely, hollow core doors? Is it staffed or patrolled 24/7?

    – schroeder
    Apr 29 at 13:20







  • 34





    Aside: The entry code for one of my employers was 3141. The security auditors were a little unhappy at the repeated digit but let it slide. They completely missed that the company name was "Pi Research"!

    – Martin Bonner
    Apr 29 at 16:48






  • 11





    @MartinBonner May I ask why they would've/should've had issues with the repeated digit? I can see no reason as to why this would weaken the PIN. Limiting yourself to non-repeating digits decrease the entropy of the PIN (10*10*10*10 vs 10*9*8*7).

    – BlueCacti
    Apr 30 at 7:21







  • 2





    @Les lists of pin patterns will make for a very poor answer. Physical patterns and repeated numbers are the most common. My answer below of using a random generator instead of letting people choose their own PINs is the better way to go else you play whack-a-mole

    – schroeder
    Apr 30 at 10:16






  • 2





    @aCVn Since we're already nitpicking: No please don't remember that "5 rounds up" because that simplistic approach leads to a significant bias of the rounded numbers. There are many other rounding schemes than the one we learn in grade school, for good reason.

    – Voo
    Apr 30 at 12:19








2




2





We can make a lot of guesses about the risks that a church might face, but can you describe what you think the risks would be if someone got access to a PIN? Vandalism? Hate crime? Access to church records? Access to valuables? What is in the offices that are behind, likely, hollow core doors? Is it staffed or patrolled 24/7?

– schroeder
Apr 29 at 13:20






We can make a lot of guesses about the risks that a church might face, but can you describe what you think the risks would be if someone got access to a PIN? Vandalism? Hate crime? Access to church records? Access to valuables? What is in the offices that are behind, likely, hollow core doors? Is it staffed or patrolled 24/7?

– schroeder
Apr 29 at 13:20





34




34





Aside: The entry code for one of my employers was 3141. The security auditors were a little unhappy at the repeated digit but let it slide. They completely missed that the company name was "Pi Research"!

– Martin Bonner
Apr 29 at 16:48





Aside: The entry code for one of my employers was 3141. The security auditors were a little unhappy at the repeated digit but let it slide. They completely missed that the company name was "Pi Research"!

– Martin Bonner
Apr 29 at 16:48




11




11





@MartinBonner May I ask why they would've/should've had issues with the repeated digit? I can see no reason as to why this would weaken the PIN. Limiting yourself to non-repeating digits decrease the entropy of the PIN (10*10*10*10 vs 10*9*8*7).

– BlueCacti
Apr 30 at 7:21






@MartinBonner May I ask why they would've/should've had issues with the repeated digit? I can see no reason as to why this would weaken the PIN. Limiting yourself to non-repeating digits decrease the entropy of the PIN (10*10*10*10 vs 10*9*8*7).

– BlueCacti
Apr 30 at 7:21





2




2





@Les lists of pin patterns will make for a very poor answer. Physical patterns and repeated numbers are the most common. My answer below of using a random generator instead of letting people choose their own PINs is the better way to go else you play whack-a-mole

– schroeder
Apr 30 at 10:16





@Les lists of pin patterns will make for a very poor answer. Physical patterns and repeated numbers are the most common. My answer below of using a random generator instead of letting people choose their own PINs is the better way to go else you play whack-a-mole

– schroeder
Apr 30 at 10:16




2




2





@aCVn Since we're already nitpicking: No please don't remember that "5 rounds up" because that simplistic approach leads to a significant bias of the rounded numbers. There are many other rounding schemes than the one we learn in grade school, for good reason.

– Voo
Apr 30 at 12:19






@aCVn Since we're already nitpicking: No please don't remember that "5 rounds up" because that simplistic approach leads to a significant bias of the rounded numbers. There are many other rounding schemes than the one we learn in grade school, for good reason.

– Voo
Apr 30 at 12:19











5 Answers
5






active

oldest

votes


















15














You're setting yourself up for an endless game of whack-a-mole. You listed a few ... No matter how many you think of, lazy users will come up with more guessable PINs. It's a church, so think of any Christian influenced PINs. The date of Christmas, the priest's favorite Bible verse, the patron saint's birth-date, maybe the Church's construction date... so on and so on. Consider patterns too if you want to go that far. For more possible PINs, here's a blogpost where the writer analyzed PINs leaked in various data breaches. May be helpful.



I know you're asking how to make your PINs more secure, but I feel the answer here is not to use standalone individual PINs. Consider that you're working with a small set of possible passwords already. Then you're reducing it by eliminating guessable ones. Then you're making multiple PINs work at once. Every step makes random guesses more and more likely to succeed.






share|improve this answer




















  • 1





    That's a great point about Christian influenced pins. The first two I would most likely try would be John 3:16 related, 0316 and 4316 (4th book of the New Testament). Those are non-obvious bad pins from a pattern standpoint, but at a church would be the equivalent of 1234. If there are 50 people with access to the beginning, I'd bet the odds are pretty good that someone picks one of those pins.

    – kuhl
    May 1 at 3:35






  • 1





    Lots of good comments in other answers. I chose this one because the link to the blogpost has good info. While 2 factor would be much better, the cost was deemed too high. The code 12345 was used during the final stages of construction and has since been black listed. (One person requested that PIN - ugh.)

    – Les
    May 1 at 13:10


















26














PINs are usually accompanied by some other authentication factor, like biometrics or a physical token. So, the PIN is not a lone factor in authentication.



But you appear to describe a situation where people can gain access to a secured building by punching in a code. Let me rephrase that: by using static, difficult-to-change sequence of numbers that can be easily copied and shared, the public gains access to the inside of your building.



The control against that threat is to make it very difficult to record and guess or use the physical appearance of the pin pad to deduce the code. That means making the PINs long and putting physical controls in place to make recording more difficult and to place layers of additional authentication protection on the inside of the building.



Because you are asking about the rejection process, my suggestion would be to use a random number generator instead of people choosing their own, and make it long. This bypasses people choosing PIN pad patterns or other pattern-based PINs which can be easy to guess or observe.






share|improve this answer




















  • 4





    "additional authentication protection" examples could be welcome (RFID badge, classic key, etc.)

    – A. Hersean
    Apr 29 at 13:19






  • 2





    @A.Hersean or more strong physical barriers, cameras, manned security, etc.

    – schroeder
    Apr 29 at 13:20






  • 1





    Of course longer is better, but I don't think the PIN needs to be very long. I'd say it just doesn't have to be guessed, recorded, or abused. This means 12345 or 00000 would never be allowed, wrong PINs would trigger a notification or action of some sort, the pad should not be able to be viewed or recorded from a distance (it might face a wall), etc.

    – reed
    Apr 29 at 13:28






  • 3





    if you make it long, people will write it down rather than memorise it, creating another security risk.

    – jwenting
    Apr 30 at 9:59






  • 2





    @jwenting for something infrequently used, I suspect that it would be written down anyway.

    – schroeder
    Apr 30 at 10:13


















12














There are only 100000 potential values if you have a 5 digit PIN. That means that a single PIN can be brute forced in a relatively small length of time, unless there is some form of secondary restriction against a person standing next to the door and trying each number. This gets worse if there are multiple people with distinct codes for access to the system - assuming each person selects a random code, an attacker entering a single code has a n/100000 chance to find a working code, where n is the number of people with access.



It would probably be reasonable to expect a dedicated attacker to manage 1000 tries per hour - it doesn't take very long to type a 5 digit number. That would give an upper bound of 100 hours, with a single code. That's 3 (pretty boring) weekends with some breaks for food, which, depending on what is in the building, may well be worth it. The system as described can't implement account lockout - the only way to determine which user is trying to access is through the code.



So, how to solve this?



  1. Use the PIN as a secondary factor - have an access card, and a PIN, for example. It is then possible to have account lockout after some failed PIN entries.

  2. Enforce limits on the PIN in other ways - have someone guarding the door who prevents too many tries, have a CCTV camera pointing at the door which is monitored for unusual activity (someone standing there trying each possible code)

  3. Have a much longer PIN, making it impractical to keep trying codes

You would also probably want to ensure that the codes being entered cannot be monitored in other ways - for example, by pointing a video camera at the key pad.






share|improve this answer




















  • 5





    While it's true that the system can't implement account lockout of an individual account, you can implement broad protection against brute force attacks in a way that's still passive and cheaper than an onsite security guard or requiring someone to constantly check a camera. Have the system page an administrator or other responsible party if X incorrect entries are received within a given time frame. Or, have the PIN system shut itself off after X incorrect tries (forcing legitimate users to access the building with a physical key, which most PIN systems would have as a backup anyways).

    – dwizum
    Apr 29 at 14:23






  • 7





    There are lots of windows and glass doors (all visible from adjacent streets). So if someone really wanted to get in, smash and grab would be relatively easy. There are also cameras that record the video. So camping out and brute forcing would seem to be less likely.

    – Les
    Apr 29 at 14:49







  • 4





    I don't understand the 100000/n. For n=1 surely it only takes 50000 tries on average.

    – Matt
    Apr 29 at 22:29






  • 7





    @dwizum if my kids - 2 and 5 - have access to the keypad and there is a lockout, they are going to lock it out every single time. Children can not resist pressing buttons. Considering this is a church it is probably that children will have access to the keypad.

    – emory
    Apr 30 at 12:45






  • 3





    @emory - put the keypad 6 feet off the ground. :) To your point though, there's a keypad system to enter my daughter's school, it looks like a regular telephone dialpad. There's no obvious "enter" button. It only submits an attempt to the server after a user hits the star key, and then it only submits the 4 characters entered immediately prior to hitting star. Something like this can help protect against child random-button-mashers.

    – dwizum
    Apr 30 at 13:29


















5














Full disclosure: I worked for several years as the software architect for a very large, Fortune 500 company that manufactures and programs these sort of electronic locks, including government and homeland security applications. Our biggest customer, though, was the National Association of Realtors. There is a very good chance you are using a product from my former company.



Our engineers had many discussions about PIN black listing, and they were all very fun while they lasted, but always ended the same way:



  1. We are way overthinking this.

  2. We just have to make it harder to guess the PIN than to throw a rock through a window. Physical security trumps all.

Also:



  1. When there is a limited number of digits, it is safer to provide a single PIN to all users and rotate it frequently (once a month is typical). If you allow each user their own PIN, it reduces the search space dramatically. For example, if you have 100 users and there are only 1000 possible codes, with a single guess you have about a 1 in 10 chance of getting through that door. If everyone shared a single code it would be 1 in 1000.


  2. All of our electronic products did ship with a blacklist of ten codes: all 1's, all 2's, all 3's, all 4's, etc. Any other code was selectable by the customer. The black list was configurable by the customer but honestly nobody ever did it.






share|improve this answer

























  • You're right but it's more nuanced than "physical security ...". People will call the police for a broken window but won't bother about someone having a few goes on a keypad (provided they look like they might belong).

    – pbhj
    May 1 at 1:37











  • You get it @pbhj. The problem is much more organic and situational. With a web site, the security architecture is the customer's only protection; with physical security, we have to trust the customer much more to use the tool we give them in a manner that is sensible. Is the location secluded? Well lit? Under surveillance? Etc. We can't do all the thinking for them (unlike information security, where we assume we are much more aware than the user).

    – John Wu
    May 1 at 6:07



















4














Check out the 20 most popular 4-digit pins:



enter image description here



Those are the combinations that the attacker will try first. These include:



  • repeated digits / pairs

  • incrementing/decrementing sequences

  • geometrical patterns on the keypad

Excluding these (extrapolated to your 5-digit pins) will provide a tangible increase in security. I wouldn't bother going further than that (that is, excluding dates / zip codes / etc.), because an attacker which is determined enough to learn your coworker's birthday will be determined enough to get a valid pin through social engineering, or simply try enough pins to get in. Mind you that with 100000 combinations and 100 valid pins (assuming you have 100 coworkers), every 1000th pin will be valid even if the attacker goes for simple bruteforce.



If the fact that a pin can eventually be guessed sounds insecure in the environment where the lock will be used, you should choose a different kind of lock and/or additional security measures. Something as simple as a short alarm sound after 10 wrong pins will help a lot.






share|improve this answer

























  • I think you have the math slightly wrong. Some coworkers will have duplicate PINs. If you enforce unique PINs by assigning PINs this would not be a problem. Otherwise, a user entitled to one day of access could suss out other user's PIN by simply repeatedly requesting PINs.

    – emory
    Apr 30 at 15:49











  • @emory True there will be less unique pins due to birthday paradox, but it won't make a significant difference to bruteforce complexity.

    – Dmitry Grigoryev
    Apr 30 at 15:52











Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f209212%2fselecting-a-secure-pin-for-building-access%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























5 Answers
5






active

oldest

votes








5 Answers
5






active

oldest

votes









active

oldest

votes






active

oldest

votes









15














You're setting yourself up for an endless game of whack-a-mole. You listed a few ... No matter how many you think of, lazy users will come up with more guessable PINs. It's a church, so think of any Christian influenced PINs. The date of Christmas, the priest's favorite Bible verse, the patron saint's birth-date, maybe the Church's construction date... so on and so on. Consider patterns too if you want to go that far. For more possible PINs, here's a blogpost where the writer analyzed PINs leaked in various data breaches. May be helpful.



I know you're asking how to make your PINs more secure, but I feel the answer here is not to use standalone individual PINs. Consider that you're working with a small set of possible passwords already. Then you're reducing it by eliminating guessable ones. Then you're making multiple PINs work at once. Every step makes random guesses more and more likely to succeed.






share|improve this answer




















  • 1





    That's a great point about Christian influenced pins. The first two I would most likely try would be John 3:16 related, 0316 and 4316 (4th book of the New Testament). Those are non-obvious bad pins from a pattern standpoint, but at a church would be the equivalent of 1234. If there are 50 people with access to the beginning, I'd bet the odds are pretty good that someone picks one of those pins.

    – kuhl
    May 1 at 3:35






  • 1





    Lots of good comments in other answers. I chose this one because the link to the blogpost has good info. While 2 factor would be much better, the cost was deemed too high. The code 12345 was used during the final stages of construction and has since been black listed. (One person requested that PIN - ugh.)

    – Les
    May 1 at 13:10















15














You're setting yourself up for an endless game of whack-a-mole. You listed a few ... No matter how many you think of, lazy users will come up with more guessable PINs. It's a church, so think of any Christian influenced PINs. The date of Christmas, the priest's favorite Bible verse, the patron saint's birth-date, maybe the Church's construction date... so on and so on. Consider patterns too if you want to go that far. For more possible PINs, here's a blogpost where the writer analyzed PINs leaked in various data breaches. May be helpful.



I know you're asking how to make your PINs more secure, but I feel the answer here is not to use standalone individual PINs. Consider that you're working with a small set of possible passwords already. Then you're reducing it by eliminating guessable ones. Then you're making multiple PINs work at once. Every step makes random guesses more and more likely to succeed.






share|improve this answer




















  • 1





    That's a great point about Christian influenced pins. The first two I would most likely try would be John 3:16 related, 0316 and 4316 (4th book of the New Testament). Those are non-obvious bad pins from a pattern standpoint, but at a church would be the equivalent of 1234. If there are 50 people with access to the beginning, I'd bet the odds are pretty good that someone picks one of those pins.

    – kuhl
    May 1 at 3:35






  • 1





    Lots of good comments in other answers. I chose this one because the link to the blogpost has good info. While 2 factor would be much better, the cost was deemed too high. The code 12345 was used during the final stages of construction and has since been black listed. (One person requested that PIN - ugh.)

    – Les
    May 1 at 13:10













15












15








15







You're setting yourself up for an endless game of whack-a-mole. You listed a few ... No matter how many you think of, lazy users will come up with more guessable PINs. It's a church, so think of any Christian influenced PINs. The date of Christmas, the priest's favorite Bible verse, the patron saint's birth-date, maybe the Church's construction date... so on and so on. Consider patterns too if you want to go that far. For more possible PINs, here's a blogpost where the writer analyzed PINs leaked in various data breaches. May be helpful.



I know you're asking how to make your PINs more secure, but I feel the answer here is not to use standalone individual PINs. Consider that you're working with a small set of possible passwords already. Then you're reducing it by eliminating guessable ones. Then you're making multiple PINs work at once. Every step makes random guesses more and more likely to succeed.






share|improve this answer















You're setting yourself up for an endless game of whack-a-mole. You listed a few ... No matter how many you think of, lazy users will come up with more guessable PINs. It's a church, so think of any Christian influenced PINs. The date of Christmas, the priest's favorite Bible verse, the patron saint's birth-date, maybe the Church's construction date... so on and so on. Consider patterns too if you want to go that far. For more possible PINs, here's a blogpost where the writer analyzed PINs leaked in various data breaches. May be helpful.



I know you're asking how to make your PINs more secure, but I feel the answer here is not to use standalone individual PINs. Consider that you're working with a small set of possible passwords already. Then you're reducing it by eliminating guessable ones. Then you're making multiple PINs work at once. Every step makes random guesses more and more likely to succeed.







share|improve this answer














share|improve this answer



share|improve this answer








edited Apr 30 at 14:35

























answered Apr 29 at 18:10









Kevin MirskyKevin Mirsky

3437




3437







  • 1





    That's a great point about Christian influenced pins. The first two I would most likely try would be John 3:16 related, 0316 and 4316 (4th book of the New Testament). Those are non-obvious bad pins from a pattern standpoint, but at a church would be the equivalent of 1234. If there are 50 people with access to the beginning, I'd bet the odds are pretty good that someone picks one of those pins.

    – kuhl
    May 1 at 3:35






  • 1





    Lots of good comments in other answers. I chose this one because the link to the blogpost has good info. While 2 factor would be much better, the cost was deemed too high. The code 12345 was used during the final stages of construction and has since been black listed. (One person requested that PIN - ugh.)

    – Les
    May 1 at 13:10












  • 1





    That's a great point about Christian influenced pins. The first two I would most likely try would be John 3:16 related, 0316 and 4316 (4th book of the New Testament). Those are non-obvious bad pins from a pattern standpoint, but at a church would be the equivalent of 1234. If there are 50 people with access to the beginning, I'd bet the odds are pretty good that someone picks one of those pins.

    – kuhl
    May 1 at 3:35






  • 1





    Lots of good comments in other answers. I chose this one because the link to the blogpost has good info. While 2 factor would be much better, the cost was deemed too high. The code 12345 was used during the final stages of construction and has since been black listed. (One person requested that PIN - ugh.)

    – Les
    May 1 at 13:10







1




1





That's a great point about Christian influenced pins. The first two I would most likely try would be John 3:16 related, 0316 and 4316 (4th book of the New Testament). Those are non-obvious bad pins from a pattern standpoint, but at a church would be the equivalent of 1234. If there are 50 people with access to the beginning, I'd bet the odds are pretty good that someone picks one of those pins.

– kuhl
May 1 at 3:35





That's a great point about Christian influenced pins. The first two I would most likely try would be John 3:16 related, 0316 and 4316 (4th book of the New Testament). Those are non-obvious bad pins from a pattern standpoint, but at a church would be the equivalent of 1234. If there are 50 people with access to the beginning, I'd bet the odds are pretty good that someone picks one of those pins.

– kuhl
May 1 at 3:35




1




1





Lots of good comments in other answers. I chose this one because the link to the blogpost has good info. While 2 factor would be much better, the cost was deemed too high. The code 12345 was used during the final stages of construction and has since been black listed. (One person requested that PIN - ugh.)

– Les
May 1 at 13:10





Lots of good comments in other answers. I chose this one because the link to the blogpost has good info. While 2 factor would be much better, the cost was deemed too high. The code 12345 was used during the final stages of construction and has since been black listed. (One person requested that PIN - ugh.)

– Les
May 1 at 13:10













26














PINs are usually accompanied by some other authentication factor, like biometrics or a physical token. So, the PIN is not a lone factor in authentication.



But you appear to describe a situation where people can gain access to a secured building by punching in a code. Let me rephrase that: by using static, difficult-to-change sequence of numbers that can be easily copied and shared, the public gains access to the inside of your building.



The control against that threat is to make it very difficult to record and guess or use the physical appearance of the pin pad to deduce the code. That means making the PINs long and putting physical controls in place to make recording more difficult and to place layers of additional authentication protection on the inside of the building.



Because you are asking about the rejection process, my suggestion would be to use a random number generator instead of people choosing their own, and make it long. This bypasses people choosing PIN pad patterns or other pattern-based PINs which can be easy to guess or observe.






share|improve this answer




















  • 4





    "additional authentication protection" examples could be welcome (RFID badge, classic key, etc.)

    – A. Hersean
    Apr 29 at 13:19






  • 2





    @A.Hersean or more strong physical barriers, cameras, manned security, etc.

    – schroeder
    Apr 29 at 13:20






  • 1





    Of course longer is better, but I don't think the PIN needs to be very long. I'd say it just doesn't have to be guessed, recorded, or abused. This means 12345 or 00000 would never be allowed, wrong PINs would trigger a notification or action of some sort, the pad should not be able to be viewed or recorded from a distance (it might face a wall), etc.

    – reed
    Apr 29 at 13:28






  • 3





    if you make it long, people will write it down rather than memorise it, creating another security risk.

    – jwenting
    Apr 30 at 9:59






  • 2





    @jwenting for something infrequently used, I suspect that it would be written down anyway.

    – schroeder
    Apr 30 at 10:13















26














PINs are usually accompanied by some other authentication factor, like biometrics or a physical token. So, the PIN is not a lone factor in authentication.



But you appear to describe a situation where people can gain access to a secured building by punching in a code. Let me rephrase that: by using static, difficult-to-change sequence of numbers that can be easily copied and shared, the public gains access to the inside of your building.



The control against that threat is to make it very difficult to record and guess or use the physical appearance of the pin pad to deduce the code. That means making the PINs long and putting physical controls in place to make recording more difficult and to place layers of additional authentication protection on the inside of the building.



Because you are asking about the rejection process, my suggestion would be to use a random number generator instead of people choosing their own, and make it long. This bypasses people choosing PIN pad patterns or other pattern-based PINs which can be easy to guess or observe.






share|improve this answer




















  • 4





    "additional authentication protection" examples could be welcome (RFID badge, classic key, etc.)

    – A. Hersean
    Apr 29 at 13:19






  • 2





    @A.Hersean or more strong physical barriers, cameras, manned security, etc.

    – schroeder
    Apr 29 at 13:20






  • 1





    Of course longer is better, but I don't think the PIN needs to be very long. I'd say it just doesn't have to be guessed, recorded, or abused. This means 12345 or 00000 would never be allowed, wrong PINs would trigger a notification or action of some sort, the pad should not be able to be viewed or recorded from a distance (it might face a wall), etc.

    – reed
    Apr 29 at 13:28






  • 3





    if you make it long, people will write it down rather than memorise it, creating another security risk.

    – jwenting
    Apr 30 at 9:59






  • 2





    @jwenting for something infrequently used, I suspect that it would be written down anyway.

    – schroeder
    Apr 30 at 10:13













26












26








26







PINs are usually accompanied by some other authentication factor, like biometrics or a physical token. So, the PIN is not a lone factor in authentication.



But you appear to describe a situation where people can gain access to a secured building by punching in a code. Let me rephrase that: by using static, difficult-to-change sequence of numbers that can be easily copied and shared, the public gains access to the inside of your building.



The control against that threat is to make it very difficult to record and guess or use the physical appearance of the pin pad to deduce the code. That means making the PINs long and putting physical controls in place to make recording more difficult and to place layers of additional authentication protection on the inside of the building.



Because you are asking about the rejection process, my suggestion would be to use a random number generator instead of people choosing their own, and make it long. This bypasses people choosing PIN pad patterns or other pattern-based PINs which can be easy to guess or observe.






share|improve this answer















PINs are usually accompanied by some other authentication factor, like biometrics or a physical token. So, the PIN is not a lone factor in authentication.



But you appear to describe a situation where people can gain access to a secured building by punching in a code. Let me rephrase that: by using static, difficult-to-change sequence of numbers that can be easily copied and shared, the public gains access to the inside of your building.



The control against that threat is to make it very difficult to record and guess or use the physical appearance of the pin pad to deduce the code. That means making the PINs long and putting physical controls in place to make recording more difficult and to place layers of additional authentication protection on the inside of the building.



Because you are asking about the rejection process, my suggestion would be to use a random number generator instead of people choosing their own, and make it long. This bypasses people choosing PIN pad patterns or other pattern-based PINs which can be easy to guess or observe.







share|improve this answer














share|improve this answer



share|improve this answer








edited Apr 29 at 14:51

























answered Apr 29 at 13:16









schroederschroeder

80.1k32178215




80.1k32178215







  • 4





    "additional authentication protection" examples could be welcome (RFID badge, classic key, etc.)

    – A. Hersean
    Apr 29 at 13:19






  • 2





    @A.Hersean or more strong physical barriers, cameras, manned security, etc.

    – schroeder
    Apr 29 at 13:20






  • 1





    Of course longer is better, but I don't think the PIN needs to be very long. I'd say it just doesn't have to be guessed, recorded, or abused. This means 12345 or 00000 would never be allowed, wrong PINs would trigger a notification or action of some sort, the pad should not be able to be viewed or recorded from a distance (it might face a wall), etc.

    – reed
    Apr 29 at 13:28






  • 3





    if you make it long, people will write it down rather than memorise it, creating another security risk.

    – jwenting
    Apr 30 at 9:59






  • 2





    @jwenting for something infrequently used, I suspect that it would be written down anyway.

    – schroeder
    Apr 30 at 10:13












  • 4





    "additional authentication protection" examples could be welcome (RFID badge, classic key, etc.)

    – A. Hersean
    Apr 29 at 13:19






  • 2





    @A.Hersean or more strong physical barriers, cameras, manned security, etc.

    – schroeder
    Apr 29 at 13:20






  • 1





    Of course longer is better, but I don't think the PIN needs to be very long. I'd say it just doesn't have to be guessed, recorded, or abused. This means 12345 or 00000 would never be allowed, wrong PINs would trigger a notification or action of some sort, the pad should not be able to be viewed or recorded from a distance (it might face a wall), etc.

    – reed
    Apr 29 at 13:28






  • 3





    if you make it long, people will write it down rather than memorise it, creating another security risk.

    – jwenting
    Apr 30 at 9:59






  • 2





    @jwenting for something infrequently used, I suspect that it would be written down anyway.

    – schroeder
    Apr 30 at 10:13







4




4





"additional authentication protection" examples could be welcome (RFID badge, classic key, etc.)

– A. Hersean
Apr 29 at 13:19





"additional authentication protection" examples could be welcome (RFID badge, classic key, etc.)

– A. Hersean
Apr 29 at 13:19




2




2





@A.Hersean or more strong physical barriers, cameras, manned security, etc.

– schroeder
Apr 29 at 13:20





@A.Hersean or more strong physical barriers, cameras, manned security, etc.

– schroeder
Apr 29 at 13:20




1




1





Of course longer is better, but I don't think the PIN needs to be very long. I'd say it just doesn't have to be guessed, recorded, or abused. This means 12345 or 00000 would never be allowed, wrong PINs would trigger a notification or action of some sort, the pad should not be able to be viewed or recorded from a distance (it might face a wall), etc.

– reed
Apr 29 at 13:28





Of course longer is better, but I don't think the PIN needs to be very long. I'd say it just doesn't have to be guessed, recorded, or abused. This means 12345 or 00000 would never be allowed, wrong PINs would trigger a notification or action of some sort, the pad should not be able to be viewed or recorded from a distance (it might face a wall), etc.

– reed
Apr 29 at 13:28




3




3





if you make it long, people will write it down rather than memorise it, creating another security risk.

– jwenting
Apr 30 at 9:59





if you make it long, people will write it down rather than memorise it, creating another security risk.

– jwenting
Apr 30 at 9:59




2




2





@jwenting for something infrequently used, I suspect that it would be written down anyway.

– schroeder
Apr 30 at 10:13





@jwenting for something infrequently used, I suspect that it would be written down anyway.

– schroeder
Apr 30 at 10:13











12














There are only 100000 potential values if you have a 5 digit PIN. That means that a single PIN can be brute forced in a relatively small length of time, unless there is some form of secondary restriction against a person standing next to the door and trying each number. This gets worse if there are multiple people with distinct codes for access to the system - assuming each person selects a random code, an attacker entering a single code has a n/100000 chance to find a working code, where n is the number of people with access.



It would probably be reasonable to expect a dedicated attacker to manage 1000 tries per hour - it doesn't take very long to type a 5 digit number. That would give an upper bound of 100 hours, with a single code. That's 3 (pretty boring) weekends with some breaks for food, which, depending on what is in the building, may well be worth it. The system as described can't implement account lockout - the only way to determine which user is trying to access is through the code.



So, how to solve this?



  1. Use the PIN as a secondary factor - have an access card, and a PIN, for example. It is then possible to have account lockout after some failed PIN entries.

  2. Enforce limits on the PIN in other ways - have someone guarding the door who prevents too many tries, have a CCTV camera pointing at the door which is monitored for unusual activity (someone standing there trying each possible code)

  3. Have a much longer PIN, making it impractical to keep trying codes

You would also probably want to ensure that the codes being entered cannot be monitored in other ways - for example, by pointing a video camera at the key pad.






share|improve this answer




















  • 5





    While it's true that the system can't implement account lockout of an individual account, you can implement broad protection against brute force attacks in a way that's still passive and cheaper than an onsite security guard or requiring someone to constantly check a camera. Have the system page an administrator or other responsible party if X incorrect entries are received within a given time frame. Or, have the PIN system shut itself off after X incorrect tries (forcing legitimate users to access the building with a physical key, which most PIN systems would have as a backup anyways).

    – dwizum
    Apr 29 at 14:23






  • 7





    There are lots of windows and glass doors (all visible from adjacent streets). So if someone really wanted to get in, smash and grab would be relatively easy. There are also cameras that record the video. So camping out and brute forcing would seem to be less likely.

    – Les
    Apr 29 at 14:49







  • 4





    I don't understand the 100000/n. For n=1 surely it only takes 50000 tries on average.

    – Matt
    Apr 29 at 22:29






  • 7





    @dwizum if my kids - 2 and 5 - have access to the keypad and there is a lockout, they are going to lock it out every single time. Children can not resist pressing buttons. Considering this is a church it is probably that children will have access to the keypad.

    – emory
    Apr 30 at 12:45






  • 3





    @emory - put the keypad 6 feet off the ground. :) To your point though, there's a keypad system to enter my daughter's school, it looks like a regular telephone dialpad. There's no obvious "enter" button. It only submits an attempt to the server after a user hits the star key, and then it only submits the 4 characters entered immediately prior to hitting star. Something like this can help protect against child random-button-mashers.

    – dwizum
    Apr 30 at 13:29















12














There are only 100000 potential values if you have a 5 digit PIN. That means that a single PIN can be brute forced in a relatively small length of time, unless there is some form of secondary restriction against a person standing next to the door and trying each number. This gets worse if there are multiple people with distinct codes for access to the system - assuming each person selects a random code, an attacker entering a single code has a n/100000 chance to find a working code, where n is the number of people with access.



It would probably be reasonable to expect a dedicated attacker to manage 1000 tries per hour - it doesn't take very long to type a 5 digit number. That would give an upper bound of 100 hours, with a single code. That's 3 (pretty boring) weekends with some breaks for food, which, depending on what is in the building, may well be worth it. The system as described can't implement account lockout - the only way to determine which user is trying to access is through the code.



So, how to solve this?



  1. Use the PIN as a secondary factor - have an access card, and a PIN, for example. It is then possible to have account lockout after some failed PIN entries.

  2. Enforce limits on the PIN in other ways - have someone guarding the door who prevents too many tries, have a CCTV camera pointing at the door which is monitored for unusual activity (someone standing there trying each possible code)

  3. Have a much longer PIN, making it impractical to keep trying codes

You would also probably want to ensure that the codes being entered cannot be monitored in other ways - for example, by pointing a video camera at the key pad.






share|improve this answer




















  • 5





    While it's true that the system can't implement account lockout of an individual account, you can implement broad protection against brute force attacks in a way that's still passive and cheaper than an onsite security guard or requiring someone to constantly check a camera. Have the system page an administrator or other responsible party if X incorrect entries are received within a given time frame. Or, have the PIN system shut itself off after X incorrect tries (forcing legitimate users to access the building with a physical key, which most PIN systems would have as a backup anyways).

    – dwizum
    Apr 29 at 14:23






  • 7





    There are lots of windows and glass doors (all visible from adjacent streets). So if someone really wanted to get in, smash and grab would be relatively easy. There are also cameras that record the video. So camping out and brute forcing would seem to be less likely.

    – Les
    Apr 29 at 14:49







  • 4





    I don't understand the 100000/n. For n=1 surely it only takes 50000 tries on average.

    – Matt
    Apr 29 at 22:29






  • 7





    @dwizum if my kids - 2 and 5 - have access to the keypad and there is a lockout, they are going to lock it out every single time. Children can not resist pressing buttons. Considering this is a church it is probably that children will have access to the keypad.

    – emory
    Apr 30 at 12:45






  • 3





    @emory - put the keypad 6 feet off the ground. :) To your point though, there's a keypad system to enter my daughter's school, it looks like a regular telephone dialpad. There's no obvious "enter" button. It only submits an attempt to the server after a user hits the star key, and then it only submits the 4 characters entered immediately prior to hitting star. Something like this can help protect against child random-button-mashers.

    – dwizum
    Apr 30 at 13:29













12












12








12







There are only 100000 potential values if you have a 5 digit PIN. That means that a single PIN can be brute forced in a relatively small length of time, unless there is some form of secondary restriction against a person standing next to the door and trying each number. This gets worse if there are multiple people with distinct codes for access to the system - assuming each person selects a random code, an attacker entering a single code has a n/100000 chance to find a working code, where n is the number of people with access.



It would probably be reasonable to expect a dedicated attacker to manage 1000 tries per hour - it doesn't take very long to type a 5 digit number. That would give an upper bound of 100 hours, with a single code. That's 3 (pretty boring) weekends with some breaks for food, which, depending on what is in the building, may well be worth it. The system as described can't implement account lockout - the only way to determine which user is trying to access is through the code.



So, how to solve this?



  1. Use the PIN as a secondary factor - have an access card, and a PIN, for example. It is then possible to have account lockout after some failed PIN entries.

  2. Enforce limits on the PIN in other ways - have someone guarding the door who prevents too many tries, have a CCTV camera pointing at the door which is monitored for unusual activity (someone standing there trying each possible code)

  3. Have a much longer PIN, making it impractical to keep trying codes

You would also probably want to ensure that the codes being entered cannot be monitored in other ways - for example, by pointing a video camera at the key pad.






share|improve this answer















There are only 100000 potential values if you have a 5 digit PIN. That means that a single PIN can be brute forced in a relatively small length of time, unless there is some form of secondary restriction against a person standing next to the door and trying each number. This gets worse if there are multiple people with distinct codes for access to the system - assuming each person selects a random code, an attacker entering a single code has a n/100000 chance to find a working code, where n is the number of people with access.



It would probably be reasonable to expect a dedicated attacker to manage 1000 tries per hour - it doesn't take very long to type a 5 digit number. That would give an upper bound of 100 hours, with a single code. That's 3 (pretty boring) weekends with some breaks for food, which, depending on what is in the building, may well be worth it. The system as described can't implement account lockout - the only way to determine which user is trying to access is through the code.



So, how to solve this?



  1. Use the PIN as a secondary factor - have an access card, and a PIN, for example. It is then possible to have account lockout after some failed PIN entries.

  2. Enforce limits on the PIN in other ways - have someone guarding the door who prevents too many tries, have a CCTV camera pointing at the door which is monitored for unusual activity (someone standing there trying each possible code)

  3. Have a much longer PIN, making it impractical to keep trying codes

You would also probably want to ensure that the codes being entered cannot be monitored in other ways - for example, by pointing a video camera at the key pad.







share|improve this answer














share|improve this answer



share|improve this answer








edited Apr 30 at 8:03

























answered Apr 29 at 13:26









MatthewMatthew

25.9k78295




25.9k78295







  • 5





    While it's true that the system can't implement account lockout of an individual account, you can implement broad protection against brute force attacks in a way that's still passive and cheaper than an onsite security guard or requiring someone to constantly check a camera. Have the system page an administrator or other responsible party if X incorrect entries are received within a given time frame. Or, have the PIN system shut itself off after X incorrect tries (forcing legitimate users to access the building with a physical key, which most PIN systems would have as a backup anyways).

    – dwizum
    Apr 29 at 14:23






  • 7





    There are lots of windows and glass doors (all visible from adjacent streets). So if someone really wanted to get in, smash and grab would be relatively easy. There are also cameras that record the video. So camping out and brute forcing would seem to be less likely.

    – Les
    Apr 29 at 14:49







  • 4





    I don't understand the 100000/n. For n=1 surely it only takes 50000 tries on average.

    – Matt
    Apr 29 at 22:29






  • 7





    @dwizum if my kids - 2 and 5 - have access to the keypad and there is a lockout, they are going to lock it out every single time. Children can not resist pressing buttons. Considering this is a church it is probably that children will have access to the keypad.

    – emory
    Apr 30 at 12:45






  • 3





    @emory - put the keypad 6 feet off the ground. :) To your point though, there's a keypad system to enter my daughter's school, it looks like a regular telephone dialpad. There's no obvious "enter" button. It only submits an attempt to the server after a user hits the star key, and then it only submits the 4 characters entered immediately prior to hitting star. Something like this can help protect against child random-button-mashers.

    – dwizum
    Apr 30 at 13:29












  • 5





    While it's true that the system can't implement account lockout of an individual account, you can implement broad protection against brute force attacks in a way that's still passive and cheaper than an onsite security guard or requiring someone to constantly check a camera. Have the system page an administrator or other responsible party if X incorrect entries are received within a given time frame. Or, have the PIN system shut itself off after X incorrect tries (forcing legitimate users to access the building with a physical key, which most PIN systems would have as a backup anyways).

    – dwizum
    Apr 29 at 14:23






  • 7





    There are lots of windows and glass doors (all visible from adjacent streets). So if someone really wanted to get in, smash and grab would be relatively easy. There are also cameras that record the video. So camping out and brute forcing would seem to be less likely.

    – Les
    Apr 29 at 14:49







  • 4





    I don't understand the 100000/n. For n=1 surely it only takes 50000 tries on average.

    – Matt
    Apr 29 at 22:29






  • 7





    @dwizum if my kids - 2 and 5 - have access to the keypad and there is a lockout, they are going to lock it out every single time. Children can not resist pressing buttons. Considering this is a church it is probably that children will have access to the keypad.

    – emory
    Apr 30 at 12:45






  • 3





    @emory - put the keypad 6 feet off the ground. :) To your point though, there's a keypad system to enter my daughter's school, it looks like a regular telephone dialpad. There's no obvious "enter" button. It only submits an attempt to the server after a user hits the star key, and then it only submits the 4 characters entered immediately prior to hitting star. Something like this can help protect against child random-button-mashers.

    – dwizum
    Apr 30 at 13:29







5




5





While it's true that the system can't implement account lockout of an individual account, you can implement broad protection against brute force attacks in a way that's still passive and cheaper than an onsite security guard or requiring someone to constantly check a camera. Have the system page an administrator or other responsible party if X incorrect entries are received within a given time frame. Or, have the PIN system shut itself off after X incorrect tries (forcing legitimate users to access the building with a physical key, which most PIN systems would have as a backup anyways).

– dwizum
Apr 29 at 14:23





While it's true that the system can't implement account lockout of an individual account, you can implement broad protection against brute force attacks in a way that's still passive and cheaper than an onsite security guard or requiring someone to constantly check a camera. Have the system page an administrator or other responsible party if X incorrect entries are received within a given time frame. Or, have the PIN system shut itself off after X incorrect tries (forcing legitimate users to access the building with a physical key, which most PIN systems would have as a backup anyways).

– dwizum
Apr 29 at 14:23




7




7





There are lots of windows and glass doors (all visible from adjacent streets). So if someone really wanted to get in, smash and grab would be relatively easy. There are also cameras that record the video. So camping out and brute forcing would seem to be less likely.

– Les
Apr 29 at 14:49






There are lots of windows and glass doors (all visible from adjacent streets). So if someone really wanted to get in, smash and grab would be relatively easy. There are also cameras that record the video. So camping out and brute forcing would seem to be less likely.

– Les
Apr 29 at 14:49





4




4





I don't understand the 100000/n. For n=1 surely it only takes 50000 tries on average.

– Matt
Apr 29 at 22:29





I don't understand the 100000/n. For n=1 surely it only takes 50000 tries on average.

– Matt
Apr 29 at 22:29




7




7





@dwizum if my kids - 2 and 5 - have access to the keypad and there is a lockout, they are going to lock it out every single time. Children can not resist pressing buttons. Considering this is a church it is probably that children will have access to the keypad.

– emory
Apr 30 at 12:45





@dwizum if my kids - 2 and 5 - have access to the keypad and there is a lockout, they are going to lock it out every single time. Children can not resist pressing buttons. Considering this is a church it is probably that children will have access to the keypad.

– emory
Apr 30 at 12:45




3




3





@emory - put the keypad 6 feet off the ground. :) To your point though, there's a keypad system to enter my daughter's school, it looks like a regular telephone dialpad. There's no obvious "enter" button. It only submits an attempt to the server after a user hits the star key, and then it only submits the 4 characters entered immediately prior to hitting star. Something like this can help protect against child random-button-mashers.

– dwizum
Apr 30 at 13:29





@emory - put the keypad 6 feet off the ground. :) To your point though, there's a keypad system to enter my daughter's school, it looks like a regular telephone dialpad. There's no obvious "enter" button. It only submits an attempt to the server after a user hits the star key, and then it only submits the 4 characters entered immediately prior to hitting star. Something like this can help protect against child random-button-mashers.

– dwizum
Apr 30 at 13:29











5














Full disclosure: I worked for several years as the software architect for a very large, Fortune 500 company that manufactures and programs these sort of electronic locks, including government and homeland security applications. Our biggest customer, though, was the National Association of Realtors. There is a very good chance you are using a product from my former company.



Our engineers had many discussions about PIN black listing, and they were all very fun while they lasted, but always ended the same way:



  1. We are way overthinking this.

  2. We just have to make it harder to guess the PIN than to throw a rock through a window. Physical security trumps all.

Also:



  1. When there is a limited number of digits, it is safer to provide a single PIN to all users and rotate it frequently (once a month is typical). If you allow each user their own PIN, it reduces the search space dramatically. For example, if you have 100 users and there are only 1000 possible codes, with a single guess you have about a 1 in 10 chance of getting through that door. If everyone shared a single code it would be 1 in 1000.


  2. All of our electronic products did ship with a blacklist of ten codes: all 1's, all 2's, all 3's, all 4's, etc. Any other code was selectable by the customer. The black list was configurable by the customer but honestly nobody ever did it.






share|improve this answer

























  • You're right but it's more nuanced than "physical security ...". People will call the police for a broken window but won't bother about someone having a few goes on a keypad (provided they look like they might belong).

    – pbhj
    May 1 at 1:37











  • You get it @pbhj. The problem is much more organic and situational. With a web site, the security architecture is the customer's only protection; with physical security, we have to trust the customer much more to use the tool we give them in a manner that is sensible. Is the location secluded? Well lit? Under surveillance? Etc. We can't do all the thinking for them (unlike information security, where we assume we are much more aware than the user).

    – John Wu
    May 1 at 6:07
















5














Full disclosure: I worked for several years as the software architect for a very large, Fortune 500 company that manufactures and programs these sort of electronic locks, including government and homeland security applications. Our biggest customer, though, was the National Association of Realtors. There is a very good chance you are using a product from my former company.



Our engineers had many discussions about PIN black listing, and they were all very fun while they lasted, but always ended the same way:



  1. We are way overthinking this.

  2. We just have to make it harder to guess the PIN than to throw a rock through a window. Physical security trumps all.

Also:



  1. When there is a limited number of digits, it is safer to provide a single PIN to all users and rotate it frequently (once a month is typical). If you allow each user their own PIN, it reduces the search space dramatically. For example, if you have 100 users and there are only 1000 possible codes, with a single guess you have about a 1 in 10 chance of getting through that door. If everyone shared a single code it would be 1 in 1000.


  2. All of our electronic products did ship with a blacklist of ten codes: all 1's, all 2's, all 3's, all 4's, etc. Any other code was selectable by the customer. The black list was configurable by the customer but honestly nobody ever did it.






share|improve this answer

























  • You're right but it's more nuanced than "physical security ...". People will call the police for a broken window but won't bother about someone having a few goes on a keypad (provided they look like they might belong).

    – pbhj
    May 1 at 1:37











  • You get it @pbhj. The problem is much more organic and situational. With a web site, the security architecture is the customer's only protection; with physical security, we have to trust the customer much more to use the tool we give them in a manner that is sensible. Is the location secluded? Well lit? Under surveillance? Etc. We can't do all the thinking for them (unlike information security, where we assume we are much more aware than the user).

    – John Wu
    May 1 at 6:07














5












5








5







Full disclosure: I worked for several years as the software architect for a very large, Fortune 500 company that manufactures and programs these sort of electronic locks, including government and homeland security applications. Our biggest customer, though, was the National Association of Realtors. There is a very good chance you are using a product from my former company.



Our engineers had many discussions about PIN black listing, and they were all very fun while they lasted, but always ended the same way:



  1. We are way overthinking this.

  2. We just have to make it harder to guess the PIN than to throw a rock through a window. Physical security trumps all.

Also:



  1. When there is a limited number of digits, it is safer to provide a single PIN to all users and rotate it frequently (once a month is typical). If you allow each user their own PIN, it reduces the search space dramatically. For example, if you have 100 users and there are only 1000 possible codes, with a single guess you have about a 1 in 10 chance of getting through that door. If everyone shared a single code it would be 1 in 1000.


  2. All of our electronic products did ship with a blacklist of ten codes: all 1's, all 2's, all 3's, all 4's, etc. Any other code was selectable by the customer. The black list was configurable by the customer but honestly nobody ever did it.






share|improve this answer















Full disclosure: I worked for several years as the software architect for a very large, Fortune 500 company that manufactures and programs these sort of electronic locks, including government and homeland security applications. Our biggest customer, though, was the National Association of Realtors. There is a very good chance you are using a product from my former company.



Our engineers had many discussions about PIN black listing, and they were all very fun while they lasted, but always ended the same way:



  1. We are way overthinking this.

  2. We just have to make it harder to guess the PIN than to throw a rock through a window. Physical security trumps all.

Also:



  1. When there is a limited number of digits, it is safer to provide a single PIN to all users and rotate it frequently (once a month is typical). If you allow each user their own PIN, it reduces the search space dramatically. For example, if you have 100 users and there are only 1000 possible codes, with a single guess you have about a 1 in 10 chance of getting through that door. If everyone shared a single code it would be 1 in 1000.


  2. All of our electronic products did ship with a blacklist of ten codes: all 1's, all 2's, all 3's, all 4's, etc. Any other code was selectable by the customer. The black list was configurable by the customer but honestly nobody ever did it.







share|improve this answer














share|improve this answer



share|improve this answer








edited Apr 30 at 22:27

























answered Apr 30 at 22:09









John WuJohn Wu

7,64211731




7,64211731












  • You're right but it's more nuanced than "physical security ...". People will call the police for a broken window but won't bother about someone having a few goes on a keypad (provided they look like they might belong).

    – pbhj
    May 1 at 1:37











  • You get it @pbhj. The problem is much more organic and situational. With a web site, the security architecture is the customer's only protection; with physical security, we have to trust the customer much more to use the tool we give them in a manner that is sensible. Is the location secluded? Well lit? Under surveillance? Etc. We can't do all the thinking for them (unlike information security, where we assume we are much more aware than the user).

    – John Wu
    May 1 at 6:07


















  • You're right but it's more nuanced than "physical security ...". People will call the police for a broken window but won't bother about someone having a few goes on a keypad (provided they look like they might belong).

    – pbhj
    May 1 at 1:37











  • You get it @pbhj. The problem is much more organic and situational. With a web site, the security architecture is the customer's only protection; with physical security, we have to trust the customer much more to use the tool we give them in a manner that is sensible. Is the location secluded? Well lit? Under surveillance? Etc. We can't do all the thinking for them (unlike information security, where we assume we are much more aware than the user).

    – John Wu
    May 1 at 6:07

















You're right but it's more nuanced than "physical security ...". People will call the police for a broken window but won't bother about someone having a few goes on a keypad (provided they look like they might belong).

– pbhj
May 1 at 1:37





You're right but it's more nuanced than "physical security ...". People will call the police for a broken window but won't bother about someone having a few goes on a keypad (provided they look like they might belong).

– pbhj
May 1 at 1:37













You get it @pbhj. The problem is much more organic and situational. With a web site, the security architecture is the customer's only protection; with physical security, we have to trust the customer much more to use the tool we give them in a manner that is sensible. Is the location secluded? Well lit? Under surveillance? Etc. We can't do all the thinking for them (unlike information security, where we assume we are much more aware than the user).

– John Wu
May 1 at 6:07






You get it @pbhj. The problem is much more organic and situational. With a web site, the security architecture is the customer's only protection; with physical security, we have to trust the customer much more to use the tool we give them in a manner that is sensible. Is the location secluded? Well lit? Under surveillance? Etc. We can't do all the thinking for them (unlike information security, where we assume we are much more aware than the user).

– John Wu
May 1 at 6:07












4














Check out the 20 most popular 4-digit pins:



enter image description here



Those are the combinations that the attacker will try first. These include:



  • repeated digits / pairs

  • incrementing/decrementing sequences

  • geometrical patterns on the keypad

Excluding these (extrapolated to your 5-digit pins) will provide a tangible increase in security. I wouldn't bother going further than that (that is, excluding dates / zip codes / etc.), because an attacker which is determined enough to learn your coworker's birthday will be determined enough to get a valid pin through social engineering, or simply try enough pins to get in. Mind you that with 100000 combinations and 100 valid pins (assuming you have 100 coworkers), every 1000th pin will be valid even if the attacker goes for simple bruteforce.



If the fact that a pin can eventually be guessed sounds insecure in the environment where the lock will be used, you should choose a different kind of lock and/or additional security measures. Something as simple as a short alarm sound after 10 wrong pins will help a lot.






share|improve this answer

























  • I think you have the math slightly wrong. Some coworkers will have duplicate PINs. If you enforce unique PINs by assigning PINs this would not be a problem. Otherwise, a user entitled to one day of access could suss out other user's PIN by simply repeatedly requesting PINs.

    – emory
    Apr 30 at 15:49











  • @emory True there will be less unique pins due to birthday paradox, but it won't make a significant difference to bruteforce complexity.

    – Dmitry Grigoryev
    Apr 30 at 15:52















4














Check out the 20 most popular 4-digit pins:



enter image description here



Those are the combinations that the attacker will try first. These include:



  • repeated digits / pairs

  • incrementing/decrementing sequences

  • geometrical patterns on the keypad

Excluding these (extrapolated to your 5-digit pins) will provide a tangible increase in security. I wouldn't bother going further than that (that is, excluding dates / zip codes / etc.), because an attacker which is determined enough to learn your coworker's birthday will be determined enough to get a valid pin through social engineering, or simply try enough pins to get in. Mind you that with 100000 combinations and 100 valid pins (assuming you have 100 coworkers), every 1000th pin will be valid even if the attacker goes for simple bruteforce.



If the fact that a pin can eventually be guessed sounds insecure in the environment where the lock will be used, you should choose a different kind of lock and/or additional security measures. Something as simple as a short alarm sound after 10 wrong pins will help a lot.






share|improve this answer

























  • I think you have the math slightly wrong. Some coworkers will have duplicate PINs. If you enforce unique PINs by assigning PINs this would not be a problem. Otherwise, a user entitled to one day of access could suss out other user's PIN by simply repeatedly requesting PINs.

    – emory
    Apr 30 at 15:49











  • @emory True there will be less unique pins due to birthday paradox, but it won't make a significant difference to bruteforce complexity.

    – Dmitry Grigoryev
    Apr 30 at 15:52













4












4








4







Check out the 20 most popular 4-digit pins:



enter image description here



Those are the combinations that the attacker will try first. These include:



  • repeated digits / pairs

  • incrementing/decrementing sequences

  • geometrical patterns on the keypad

Excluding these (extrapolated to your 5-digit pins) will provide a tangible increase in security. I wouldn't bother going further than that (that is, excluding dates / zip codes / etc.), because an attacker which is determined enough to learn your coworker's birthday will be determined enough to get a valid pin through social engineering, or simply try enough pins to get in. Mind you that with 100000 combinations and 100 valid pins (assuming you have 100 coworkers), every 1000th pin will be valid even if the attacker goes for simple bruteforce.



If the fact that a pin can eventually be guessed sounds insecure in the environment where the lock will be used, you should choose a different kind of lock and/or additional security measures. Something as simple as a short alarm sound after 10 wrong pins will help a lot.






share|improve this answer















Check out the 20 most popular 4-digit pins:



enter image description here



Those are the combinations that the attacker will try first. These include:



  • repeated digits / pairs

  • incrementing/decrementing sequences

  • geometrical patterns on the keypad

Excluding these (extrapolated to your 5-digit pins) will provide a tangible increase in security. I wouldn't bother going further than that (that is, excluding dates / zip codes / etc.), because an attacker which is determined enough to learn your coworker's birthday will be determined enough to get a valid pin through social engineering, or simply try enough pins to get in. Mind you that with 100000 combinations and 100 valid pins (assuming you have 100 coworkers), every 1000th pin will be valid even if the attacker goes for simple bruteforce.



If the fact that a pin can eventually be guessed sounds insecure in the environment where the lock will be used, you should choose a different kind of lock and/or additional security measures. Something as simple as a short alarm sound after 10 wrong pins will help a lot.







share|improve this answer














share|improve this answer



share|improve this answer








edited Apr 30 at 15:50

























answered Apr 30 at 15:10









Dmitry GrigoryevDmitry Grigoryev

7,9432245




7,9432245












  • I think you have the math slightly wrong. Some coworkers will have duplicate PINs. If you enforce unique PINs by assigning PINs this would not be a problem. Otherwise, a user entitled to one day of access could suss out other user's PIN by simply repeatedly requesting PINs.

    – emory
    Apr 30 at 15:49











  • @emory True there will be less unique pins due to birthday paradox, but it won't make a significant difference to bruteforce complexity.

    – Dmitry Grigoryev
    Apr 30 at 15:52

















  • I think you have the math slightly wrong. Some coworkers will have duplicate PINs. If you enforce unique PINs by assigning PINs this would not be a problem. Otherwise, a user entitled to one day of access could suss out other user's PIN by simply repeatedly requesting PINs.

    – emory
    Apr 30 at 15:49











  • @emory True there will be less unique pins due to birthday paradox, but it won't make a significant difference to bruteforce complexity.

    – Dmitry Grigoryev
    Apr 30 at 15:52
















I think you have the math slightly wrong. Some coworkers will have duplicate PINs. If you enforce unique PINs by assigning PINs this would not be a problem. Otherwise, a user entitled to one day of access could suss out other user's PIN by simply repeatedly requesting PINs.

– emory
Apr 30 at 15:49





I think you have the math slightly wrong. Some coworkers will have duplicate PINs. If you enforce unique PINs by assigning PINs this would not be a problem. Otherwise, a user entitled to one day of access could suss out other user's PIN by simply repeatedly requesting PINs.

– emory
Apr 30 at 15:49













@emory True there will be less unique pins due to birthday paradox, but it won't make a significant difference to bruteforce complexity.

– Dmitry Grigoryev
Apr 30 at 15:52





@emory True there will be less unique pins due to birthday paradox, but it won't make a significant difference to bruteforce complexity.

– Dmitry Grigoryev
Apr 30 at 15:52

















draft saved

draft discarded
















































Thanks for contributing an answer to Information Security Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f209212%2fselecting-a-secure-pin-for-building-access%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

Club Baloncesto Breogán Índice Historia | Pavillón | Nome | O Breogán na cultura popular | Xogadores | Adestradores | Presidentes | Palmarés | Historial | Líderes | Notas | Véxase tamén | Menú de navegacióncbbreogan.galCadroGuía oficial da ACB 2009-10, páxina 201Guía oficial ACB 1992, páxina 183. Editorial DB.É de 6.500 espectadores sentados axeitándose á última normativa"Estudiantes Junior, entre as mellores canteiras"o orixinalHemeroteca El Mundo Deportivo, 16 setembro de 1970, páxina 12Historia do BreogánAlfredo Pérez, o último canoneiroHistoria C.B. BreogánHemeroteca de El Mundo DeportivoJimmy Wright, norteamericano do Breogán deixará Lugo por ameazas de morteResultados de Breogán en 1986-87Resultados de Breogán en 1990-91Ficha de Velimir Perasović en acb.comResultados de Breogán en 1994-95Breogán arrasa al Barça. "El Mundo Deportivo", 27 de setembro de 1999, páxina 58CB Breogán - FC BarcelonaA FEB invita a participar nunha nova Liga EuropeaCharlie Bell na prensa estatalMáximos anotadores 2005Tempada 2005-06 : Tódolos Xogadores da Xornada""Non quero pensar nunha man negra, mais pregúntome que está a pasar""o orixinalRaúl López, orgulloso dos xogadores, presume da boa saúde económica do BreogánJulio González confirma que cesa como presidente del BreogánHomenaxe a Lisardo GómezA tempada do rexurdimento celesteEntrevista a Lisardo GómezEl COB dinamita el Pazo para forzar el quinto (69-73)Cafés Candelas, patrocinador del CB Breogán"Suso Lázare, novo presidente do Breogán"o orixinalCafés Candelas Breogán firma el mayor triunfo de la historiaEl Breogán realizará 17 homenajes por su cincuenta aniversario"O Breogán honra ao seu fundador e primeiro presidente"o orixinalMiguel Giao recibiu a homenaxe do PazoHomenaxe aos primeiros gladiadores celestesO home que nos amosa como ver o Breo co corazónTita Franco será homenaxeada polos #50anosdeBreoJulio Vila recibirá unha homenaxe in memoriam polos #50anosdeBreo"O Breogán homenaxeará aos seus aboados máis veteráns"Pechada ovación a «Capi» Sanmartín e Ricardo «Corazón de González»Homenaxe por décadas de informaciónPaco García volve ao Pazo con motivo do 50 aniversario"Resultados y clasificaciones""O Cafés Candelas Breogán, campión da Copa Princesa""O Cafés Candelas Breogán, equipo ACB"C.B. Breogán"Proxecto social"o orixinal"Centros asociados"o orixinalFicha en imdb.comMario Camus trata la recuperación del amor en 'La vieja música', su última película"Páxina web oficial""Club Baloncesto Breogán""C. B. Breogán S.A.D."eehttp://www.fegaba.com

Vilaño, A Laracha Índice Patrimonio | Lugares e parroquias | Véxase tamén | Menú de navegación43°14′52″N 8°36′03″O / 43.24775, -8.60070

Cegueira Índice Epidemioloxía | Deficiencia visual | Tipos de cegueira | Principais causas de cegueira | Tratamento | Técnicas de adaptación e axudas | Vida dos cegos | Primeiros auxilios | Crenzas respecto das persoas cegas | Crenzas das persoas cegas | O neno deficiente visual | Aspectos psicolóxicos da cegueira | Notas | Véxase tamén | Menú de navegación54.054.154.436928256blindnessDicionario da Real Academia GalegaPortal das Palabras"International Standards: Visual Standards — Aspects and Ranges of Vision Loss with Emphasis on Population Surveys.""Visual impairment and blindness""Presentan un plan para previr a cegueira"o orixinalACCDV Associació Catalana de Cecs i Disminuïts Visuals - PMFTrachoma"Effect of gene therapy on visual function in Leber's congenital amaurosis"1844137110.1056/NEJMoa0802268Cans guía - os mellores amigos dos cegosArquivadoEscola de cans guía para cegos en Mortágua, PortugalArquivado"Tecnología para ciegos y deficientes visuales. Recopilación de recursos gratuitos en la Red""Colorino""‘COL.diesis’, escuchar los sonidos del color""COL.diesis: Transforming Colour into Melody and Implementing the Result in a Colour Sensor Device"o orixinal"Sistema de desarrollo de sinestesia color-sonido para invidentes utilizando un protocolo de audio""Enseñanza táctil - geometría y color. Juegos didácticos para niños ciegos y videntes""Sistema Constanz"L'ocupació laboral dels cecs a l'Estat espanyol està pràcticament equiparada a la de les persones amb visió, entrevista amb Pedro ZuritaONCE (Organización Nacional de Cegos de España)Prevención da cegueiraDescrición de deficiencias visuais (Disc@pnet)Braillín, un boneco atractivo para calquera neno, con ou sen discapacidade, que permite familiarizarse co sistema de escritura e lectura brailleAxudas Técnicas36838ID00897494007150-90057129528256DOID:1432HP:0000618D001766C10.597.751.941.162C97109C0155020