This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs

Philipp Markert, Daniel V. Bailey, Maximilian Golla, Markus Dürmuth, Adam J. Aviv

TL;DR

The paper examines 4- and 6-digit PIN choices for smartphone unlocking under a throttled attacker model, revealing that longer PINs provide little to no additional security and can worsen security in early attacker rounds. It evaluates real-world and data-driven blocklists, showing that current iOS-style blocklists offer minimal protection unless blocklists are substantially larger (around 10% of the PIN space) at the cost of usability. Through a large MTurk study with multiple treatments, the authors quantify strength metrics (entropy and guess-based) and analyze user strategies, perceptions, and sentiment toward blocking. The findings inform mobile authentication design by arguing for careful blocklist sizing and by highlighting that the effectiveness of PIN-based security under throttling depends crucially on attacker models and system enforcement, rather than simply increasing PIN length. These insights have practical implications for developers and platform security policies aiming to balance usability with robust protection against rate-limited guessing.

Abstract

In this paper, we provide the first comprehensive study of user-chosen 4- and 6-digit PINs (n=1220) collected on smartphones with participants being explicitly primed for device unlocking. We find that against a throttled attacker (with 10, 30, or 100 guesses, matching the smartphone unlock setting), using 6-digit PINs instead of 4-digit PINs provides little to no increase in security, and surprisingly may even decrease security. We also study the effects of blocklists, where a set of "easy to guess" PINs is disallowed during selection. Two such blocklists are in use today by iOS, for 4-digits (274 PINs) as well as 6-digits (2910 PINs). We extracted both blocklists and compared them with four other blocklists, including a small 4-digit (27 PINs), a large 4-digit (2740 PINs), and two placebo blocklists for 4- and 6-digit PINs that always excluded the first-choice PIN. We find that relatively small blocklists in use today by iOS offer little or no benefit against a throttled guessing attack. Security gains are only observed when the blocklists are much larger, which in turn comes at the cost of increased user frustration. Our analysis suggests that a blocklist at about 10% of the PIN space may provide the best balance between usability and security.
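The throttled-attacker metric behind these findings is simple to state: an attacker who knows the PIN distribution spends a budget of 10, 30 or 100 guesses on the most popular PINs, and security is the fraction of users not compromised. The script below, added here as an illustration and not the paper's own code or data, computes that success rate over a constructed (placeholder, not real) PIN distribution before and after a data-driven blocklist is applied; the assumption that blocked users re-pick in proportion to the remaining popularity is mine, so the numbers it prints do not reproduce the paper's results.

```python
"""Throttled-attacker success rate against a PIN distribution, with and
without a blocklist. Added illustration, not the paper's own code or data."""
from collections import Counter


def constructed_pin_counts(n_users=10_000, space=10_000):
    """Constructed 4-digit PIN sample: rank r gets weight 1/sqrt(r+1), a
    placeholder shape with a few very popular PINs and a long tail. Real
    PIN data is more structured; this shape only exists to exercise the metric."""
    weights = [(r + 1) ** -0.5 for r in range(space)]
    total = sum(weights)
    return Counter({f"{pin:04d}": n_users * w / total for pin, w in enumerate(weights)})


def data_driven_blocklist(counts, size):
    """Blocklist built from the `size` most popular PINs in the sample."""
    return set(sorted(counts, key=counts.get, reverse=True)[:size])


def apply_blocklist(counts, blocklist):
    """Users whose PIN is blocked must re-pick. Assumption (not from the
    paper): they re-pick in proportion to the remaining popularity, so the
    blocked mass is spread over the allowed PINs rather than made uniform."""
    allowed = {p: c for p, c in counts.items() if p not in blocklist}
    blocked_mass = sum(counts.values()) - sum(allowed.values())
    allowed_total = sum(allowed.values())
    return Counter({p: c + blocked_mass * c / allowed_total for p, c in allowed.items()})


def throttled_success(counts, guesses):
    """Fraction of users compromised by an attacker who knows the distribution
    and spends a budget of `guesses` on the most popular PINs."""
    top = sorted(counts.values(), reverse=True)[:guesses]
    return sum(top) / sum(counts.values())


def compare(counts, blocklist, budgets=(10, 30, 100)):
    """Success rate before and after the blocklist, per guess budget (the
    10/30/100 budgets mirror the smartphone unlock setting in the abstract)."""
    after = apply_blocklist(counts, blocklist)
    return {g: (throttled_success(counts, g), throttled_success(after, g)) for g in budgets}


if __name__ == "__main__":
    counts = constructed_pin_counts()
    # Sizes mirror the abstract: small (27), iOS-like (274), and ~10% of the 4-digit space.
    for size in (27, 274, 1000):
        for g, (before, after) in compare(counts, data_driven_blocklist(counts, size)).items():
            print(f"blocklist={size:4d} guesses={g:3d}: {before:.1%} -> {after:.1%}")
```

Swapping in a real first-choice PIN dataset for `constructed_pin_counts` is what turns this into the evaluation the paper performs; the blocklist-size sweep then shows how much of the attacker's early budget a given blocklist actually removes.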

Paper Structure

This paper contains 42 sections, 5 figures, 13 tables.

Figures (5)

  • Figure 1: The installation used to extract the iOS blocklists.
  • Figure 6: Guessing performance of a throttled attacker. The figure on the top is based on the number of guesses. The bottom figure is based on the required time and considers the different rate limits of Android and iOS (cf. the rate-limiting table in the paper).
  • Figure 7: Blocklist size recommendation: For throttled attackers, limited to 100 guesses, a blocklist of ~10% of the key space (~1150 PINs) is ideal.
  • Figure 8: Participants' perception of their PIN's security (Secure -- Insecure), memorability (Easy to remember -- Difficult to remember), and convenience (Easy to enter -- Difficult to enter).
  • Figure 9: Participants' sentiment: We split the participants into four categories and classified their feelings in terms of sentiment using EmoLex, the NRC Word-Emotion Association Lexicon.