PIN or password? – How to protect your Smartphone from attacks!

M.Sc. Jan Hörnemann


The password is the number one means of authentication. It protects our devices from unauthorized access, and digital accounts such as an e-mail account are also protected by their own password. Passwords come in various forms, but the most common are a real password and a 4-digit PIN. We have taken a closer look at these two methods to determine whether the 4-digit code offers enough security.

PIN or password: number of code possibilities

A so-called brute force attack simply tries out every possibility. Accordingly, a device is best protected against this type of attack when the number of possibilities is as large as possible.

4-digit PIN code:

The PIN code offers 4 digits which the user can assign freely to create his own PIN code. So per digit the user has 10 possibilities, namely the digits “0” to “9”. To get the number of possibilities the system provides, we multiply the 10 possibilities of the first digit by the 10 possibilities of each of the other digits:

number of possibilities (PIN code) = 10 * 10 * 10 * 10 = 10,000

Password options:

The number of possibilities of a classic password naturally depends on its length. For comparison with the 4-digit PIN code, we first calculate the number of possibilities for a 4-character password. Per position the user now has not just 10 but about 72 possibilities. These 72 characters are all letters of the alphabet in upper and lower case (without ä, ö, ü, ß), i.e. 26 * 2 = 52 characters, plus 10 special characters and the 10 digits we already know from the PIN code.

To calculate the number of possibilities of a 4-character password, we proceed in the same way as in the PIN code example, but now with 72 possibilities per position:

number of possibilities (4-character password) = 72 * 72 * 72 * 72 = 26,873,856

This representation alone shows the difference in the number of possibilities when we as users have the complete character set at our disposal. In the following, we will now look at an example which should illustrate how important it is to choose a password that is as long as possible.

We assume a fast computer that can test about 2 billion codes per second. According to Wikipedia, current processors can execute many more instructions per second than that, but for our example the simplification is sufficient. The times below are worst cases, i.e. the time to try every single possibility; on average the right code is found after half of that.

To crack a 4-digit PIN code at 2 billion guesses per second, the computer needs at most: 10,000 / 2,000,000,000 = 0.000005 seconds (Note: a blink of the eye takes about 0.4 seconds).
To crack a 4-character password takes in this example at most: 26,873,856 / 2,000,000,000 = 0.013437 seconds

Although a 4-character password offers about 2,700 times more possibilities than the 4-digit PIN code, this gives no practical advantage here: both are cracked in well under a second.

How long should a password be chosen?

Basically, a longer password offers better security against a brute force attack. There are several ways to remember long passwords; one of them is to use a password manager.

Let’s stick to our example and calculate how long it would take the attacker to try every 6-character password, and in comparison every 10-character password:

Duration (6-character password) = 72 * 72 * 72 * 72 * 72 * 72 / 2,000,000,000 = 139,314,069,504 / 2,000,000,000 ≈ 69.657 seconds

Duration (10-character password) = 72 * 72 * 72 * 72 * 72 * 72 * 72 * 72 * 72 * 72 / 2,000,000,000 = 3,743,906,242,624,487,424 / 2,000,000,000 ≈ 1,871,953,121 seconds ≈ 21,666 days

The difference between a 6-character and a 10-character password is about 59 years (21,666 days). Each additional character multiplies the attacker’s effort by 72, so the gap grows exponentially with the length of the password. This example shows what difference a long password makes.
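The calculations above, carried through in code as an added example (this is not code from the original article): it computes the number of possibilities and the worst-case cracking time for each of the article’s cases, and it also actually runs the brute force enumeration against a 4-digit PIN to confirm that the worst case takes exactly 10,000 guesses. The 10 special characters in PASSWORD_ALPHABET are an assumption; the article only states their number.

```python
import itertools
import string

# Character sets as the article defines them: the 10 digits for a PIN, and
# 52 letters + 10 digits + 10 special characters = 72 for a password.
# The article does not list its 10 special characters; the ones below are
# an assumption chosen only to reach the article's count of 72.
PIN_ALPHABET = string.digits
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!?#$%&*+-_"
assert len(PASSWORD_ALPHABET) == 72

GUESSES_PER_SECOND = 2_000_000_000  # the attacker speed the article assumes


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct codes of `length` characters over an alphabet of
    `alphabet_size` characters (the article's "number of possibilities")."""
    return alphabet_size ** length


def worst_case_seconds(alphabet_size: int, length: int,
                       rate: float = GUESSES_PER_SECOND) -> float:
    """Seconds needed to try the whole keyspace at `rate` guesses per second.
    On average a code is found after half of this time."""
    return keyspace(alphabet_size, length) / rate


def brute_force(target: str, alphabet: str) -> int:
    """Run the attack for real on a short code: enumerate every code of
    len(target) characters over `alphabet` in order until `target` appears,
    and return how many guesses that took (worst case: the full keyspace)."""
    guesses = 0
    for candidate in itertools.product(alphabet, repeat=len(target)):
        guesses += 1
        if "".join(candidate) == target:
            return guesses
    raise ValueError("target uses characters outside the alphabet")


def format_duration(seconds: float) -> str:
    """Render a duration in the units the article uses."""
    if seconds < 3600:
        return f"{seconds:.6f} seconds"
    days = seconds / 86400
    return f"{days:,.0f} days ({days / 365.25:.1f} years)"


if __name__ == "__main__":
    print("4-digit PIN, worst case:",
          brute_force("9999", PIN_ALPHABET), "guesses")
    for label, size, length in [("4-digit PIN", 10, 4),
                                ("4-character password", 72, 4),
                                ("6-character password", 72, 6),
                                ("10-character password", 72, 10)]:
        n = keyspace(size, length)
        print(f"{label:22s} {n:>28,d} codes  "
              f"{format_duration(worst_case_seconds(size, length))}")
```

Running the script reproduces the article’s table; changing GUESSES_PER_SECOND shows how quickly the 10-character figure shrinks once a faster attacker (several GPUs, or a weak hash function) is assumed, which is why length matters more than any single assumed speed.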

Am I safe with a long PIN or password?

With a long password you are well protected against a brute force attack. A further protection measure, available on many smartphones, is locking the device after e.g. 10 failed attempts. Such mechanisms make a brute force attack against the device itself very hard to carry out: the calculation above assumes an attacker who can test 2 billion codes per second, which is only realistic when the attacker holds a copy of the stored password hash and can test offline. An attacker who has to type codes into the lock screen is limited to the handful of attempts the device allows.
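The lock-out mechanism just mentioned, implemented as an added example (this is not the article’s or any phone vendor’s code): a PinGuard that keeps the PIN only as a salted, stretched hash, counts consecutive failures, delays further attempts once the count grows, and locks after 10 wrong codes, together with a function giving the attacker’s chance of success under such a limit. The delay policy (start delaying after 5 failures, 30 seconds doubling each time) and the PBKDF2 parameters are assumptions for illustration.

```python
import hashlib
import hmac
import os
import time


class PinGuard:
    """Checks a PIN the way a lock screen should: the PIN is stored only as
    a salted PBKDF2 hash, consecutive failures are counted, attempts are
    delayed once the count grows, and the guard locks for good after
    MAX_FAILURES wrong codes (the "10 failed attempts" from the article)."""

    MAX_FAILURES = 10      # from the article's example
    DELAY_AFTER = 5        # assumption: start delaying after 5 failures
    BASE_DELAY = 30.0      # assumption: 30 s, doubling with every further failure

    def __init__(self, pin: str, clock=time.monotonic):
        self._clock = clock            # injectable so tests need not sleep
        self._salt = os.urandom(16)
        self._digest = self._hash(pin)
        self.failures = 0
        self._not_before = 0.0         # no attempt is evaluated before this time

    def _hash(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def check(self, attempt: str) -> str:
        """Return "ok", "wrong", "wait" (delay not yet elapsed) or "locked"."""
        if self.failures >= self.MAX_FAILURES:
            return "locked"
        now = self._clock()
        if now < self._not_before:
            return "wait"                # the attempt is not even evaluated
        if hmac.compare_digest(self._hash(attempt), self._digest):
            self.failures = 0
            self._not_before = 0.0
            return "ok"
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            return "locked"
        if self.failures >= self.DELAY_AFTER:
            backoff = self.BASE_DELAY * 2 ** (self.failures - self.DELAY_AFTER)
            self._not_before = now + backoff
        return "wrong"


def online_success_probability(attempts_allowed: int,
                               alphabet_size: int, length: int) -> float:
    """Chance that an attacker who gets only `attempts_allowed` distinct
    guesses before lock-out hits a uniformly chosen code."""
    return min(1.0, attempts_allowed / alphabet_size ** length)


if __name__ == "__main__":
    guard = PinGuard("1234")
    for guess in ["0000", "1111", "2222", "3333", "4444", "5555"]:
        print(guess, "->", guard.check(guess))     # the sixth answer is "wait"
    print("chance to guess a 4-digit PIN in 10 attempts:",
          online_success_probability(10, 10, 4))  # 0.001
```

With this guard the attacker’s 2 billion guesses per second become at most 10 guesses in total, so even a 4-digit PIN survives with probability 99.9 %. The hash is salted and stretched so that a stolen copy of it still costs the attacker real work per guess; the lock-out is what protects the device, the long secret is what protects the hash.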

Besides this attack vector, there are countless others that aim at your password. Social engineering or phishing sites, for example, trick you into revealing the password yourself, and then its length no longer matters.

Finally, we can state that there are many scams that try to steal our passwords, but whenever we as users have the option to protect a device or account with a long password, we should use it.


M.Sc. Jan Hörnemann

Hello dear reader, my name is Jan Hörnemann. I am a TeleTrust Information Security Professional (T.I.S.P.) and have been dealing with information security topics on an almost daily basis since 2016. CeHv10 was my first hands-on certification in the field. With a Master of Science degree in Internet Security, I have learned about many different aspects and try to share them in live hacking shows as well as on our blog. In addition, I am active as an information security officer and have been qualified by TÜV for this activity (ISB according to ISO 27001).