Security Basics mailing list archives

Re: PIN security


From: rohnskii () gmail com
Date: 23 Jan 2009 18:17:09 -0000

This is just my opinion.

A PIN is the "old-style" name for a password.  Given the reality of encryption cracking today, a password/PIN should 
not be less than 8 char, and preferably a "complex" mix of characters.  A 4 digit PIN, especially in a new system, should 
be considered criminally irresponsible.  

That being said, I think the inertia of the installed code and application base is going to make changing PIN length 
almost impossible.  I think they had a small window of opportunity with the present rollout of "chip" cards (ATM and 
Credit) but they missed it.

PS: have you seen this article on why the PIN is 4 char long:

http://www.securityfocus.com/blogs/227

