Lootman wrote:
> UncleEbenezer wrote:
> > BTW, four-digit PINs are by no means universal. When I lived in Italy they were five-digit, and just as easy to memorise.
>
> For me anyway, it's more a matter of the number having significance so I can remember it. So I might choose a year for a 4-digit PIN, an American zip code as a 5-digit PIN, a date as a 6-figure PIN, and so on. A 4-digit PIN with no significance is harder to remember than a longer PIN that has significance, therefore I always struggle more with PINs I can't change.
That's actually not all that good an idea, because those trying to break PINs and other passwords are aware of it and concentrate their efforts on attempts that have obvious significance. For instance, if they try to break a 6-digit PIN with completely random attempts, they have a one-in-a-million chance of success on each attempt, but if they know (or strongly suspect) that it's a date, that drops to a one-in-36,525 chance. Still very unlikely, of course - but each attempt is nearly 30 times more likely to succeed...
And on passwords, there's a story I heard years ago about a company's IT manager who wanted to know how easily his users' passwords could be broken. So he got a list of women's first names and tested each one against the password database for each user (*), which broke a good fraction of the passwords (my recollection is about a third of them), and then he went out into the company car park and got all the car registration numbers and tried them, and that broke a further good fraction (my recollection is about a further 20%).
Basically, passwords and PINs that have significance to lots of people (like those names or the year 1066) and those that have significance only to you but are also easily associated with you (like those car registration numbers or your birthday) are not good ones to use. What you need for a good memorable password or PIN is something with significance for you, to enable you to remember it, but that is unlikely to be thought of as having general significance or to be associated with you. For example, I've used my family's telephone number from my childhood in some of my passwords - it happens to be a number that's engrained in my memory, and it would be very difficult for hackers to associate it with me. (And just in case that's not quite as difficult as I think - or any of my relatives happen to be reading this and aren't as nice as I think they are ;-) - I've also transformed it in a way I can remember and combined it with some other obscure information from my past!)
One other tip about good passwords and PINs: if you want to remember them, you need to get them into your long-term memory. It's relatively easy to get them into short-term memory, as long as they're no more than about 7 'items' long (e.g. a 7-digit telephone number, or a 7-word phrase), but equally it's relatively easy for them to drop out of it again... :-( They need to be persuaded to get into long-term memory before that happens, and the best way I've found of doing that is to make certain I use them repeatedly. So for instance, when I registered on TLF, I immediately logged out and in again a few times, and then I quite deliberately didn't use the "Remember me" facility for a couple of weeks, which meant I had to use my password to log in again any time I'd not used the site for an hour or so. Which was a bit tedious, but the password is now there in long-term memory and I have no trouble at all remembering it when I need to!
(*) I should possibly explain that good password systems do not store passwords in an easily-recoverable form in the password database, because that means that everybody's password is immediately compromised if anyone manages to steal a copy of the password database. Instead, they store the result of applying a 'one-way function' to the password - i.e. a function that can be reasonably easily calculated in one direction, but is very difficult to calculate in reverse - and when a user supplies their password, they recalculate that function of the password supplied by the user and see whether it matches what the database says the result should be. It's still possible to break a password by applying the function to each possible password in turn and seeing whether it matches, and if someone has managed to steal a copy of the password database, they'll be able to test millions of possible passwords per second. But if passwords are 'strong' enough, that is likely to take a very long time...
One implication of that is that if you see an account provider's "Forgotten password?" system offer to email you a reminder of what your password is, you know their password system is not a good one: it shouldn't be capable of doing that! Good password systems instead reset your password, typically to something pretty random, email you to let you know what it is so that you can log on, and then suggest that you change it to something of your choice. Or preferably insist that you do so, partly because 'strong' random passwords are so unmemorable, but mainly because of the danger of a hacker getting hold of a copy of the email telling you what it is...
Gengulphus
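The two numerical points in the post above (the 1,000,000 versus 36,525 candidate space for a 6-digit PIN that is a date, and the IT manager's first-names-then-car-registrations audit against a one-way-hashed password database) are easy to reproduce. The following Python is an added example and is not part of the original post or the forum's own code. The ten user accounts, their passwords, the list of first names and the car registrations are all constructed for the demonstration; storing a random per-user salt and using a deliberately slow function (PBKDF2-HMAC-SHA256) is an assumption about what a good password system does today, which goes beyond the plain 'one-way function' the post describes. The date range 2000-2099 is likewise an assumption chosen because it contains 25 leap years and therefore gives exactly the 36,525 dates mentioned.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta

# ---- 1. Why "it's a date" shrinks a 6-digit PIN search ----

def date_pins(years=range(2000, 2100)):
    """Every DDMMYY string that is a real calendar date in `years`.

    2000-2099 contains 25 leap years, so this yields 36,525 candidates,
    against 1,000,000 for an arbitrary 6-digit PIN.
    """
    pins = set()
    for year in years:
        day = date(year, 1, 1)
        while day.year == year:
            pins.add(day.strftime("%d%m%y"))
            day += timedelta(days=1)
    return pins


def guess_advantage(pin_length=6, candidates=None):
    """Factor by which one guess becomes more likely to succeed when the
    attacker restricts guesses to `candidates` instead of all digit strings."""
    if candidates is None:
        candidates = date_pins()
    return 10 ** pin_length / len(candidates)


# ---- 2. One-way storage and the IT manager's dictionary audit ----

# PBKDF2-HMAC-SHA256 with a random per-user salt (an assumption about good
# practice, not something the post specifies). The iteration count is kept
# low so the demo runs in about a second; production systems use far more.
ITERATIONS = 10_000


def make_record(password, salt=None):
    """What the database stores: a salt and the one-way output, never the password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(record, attempt):
    """Recompute the function over the supplied password and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def dictionary_attack(db, wordlist):
    """Try every word against every user's stored record; return {user: recovered}.

    This is what anyone holding a stolen copy of the database can do, and what
    the IT manager in the post did with first names and car registrations."""
    cracked = {}
    for user, record in db.items():
        for word in wordlist:
            if verify(record, word):
                cracked[user] = word
                break
    return cracked


# Constructed sample data: ten accounts and the two word lists the audit used.
SAMPLE_PASSWORDS = {
    "alice": "jennifer",                # women's first names ...
    "bob": "susan",
    "carol": "margaret",
    "dave": "AB12CDE",                  # ... car registrations from the car park ...
    "erin": "XY99ZZZ",
    "frank": "pelican-ashtray-1991",    # ... and passwords neither list reaches
    "grace": "7f3K!qLm2$vB",
    "heidi": "old-phone-0632-rotated",
    "ivan": "W1NDY-R1DGE-walk",
    "judy": "teapot/quartz/44",
}
FIRST_NAMES = ["mary", "jennifer", "susan", "linda", "margaret", "karen", "lisa"]
CAR_REGS = ["AB12CDE", "XY99ZZZ", "GH04JKL", "MN56OPQ"]


def build_db(plaintexts=SAMPLE_PASSWORDS):
    """Hash each constructed password the way the server would at registration."""
    return {user: make_record(pw) for user, pw in plaintexts.items()}


def audit(db=None):
    """Fraction of accounts each word list recovers: names first, then
    registrations against whatever the names did not crack."""
    if db is None:
        db = build_db()
    by_name = dictionary_attack(db, FIRST_NAMES)
    remaining = {u: r for u, r in db.items() if u not in by_name}
    by_reg = dictionary_attack(remaining, CAR_REGS)
    return {"names": len(by_name) / len(db), "registrations": len(by_reg) / len(db)}


if __name__ == "__main__":
    print(f"date-only 6-digit PINs: {len(date_pins())}, per-guess advantage x{guess_advantage():.1f}")
    print("audit:", audit())
```

Two things worth noticing when running it. The per-guess advantage is simply 1,000,000 / 36,525, a little over 27, which is the "nearly 30 times" in the post. And `dictionary_attack` has to recompute the slow function once per user per word: that per-user loop is the whole point of the random salt, since without it an attacker could hash each word once and compare the result against every record in the stolen database at once.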