Writing Your Pin (kinda-securely)

October 8, 2007

The following is a description of a simple technique my parents taught me to encode a PIN directly on a card so that it is only usable by you. The technique involves choosing a 10-letter key in which no letter appears twice; for our example let’s say our key is “subverting”. Then you take your PIN and do a letter substitution based on position: digit 1 becomes the first letter of the key, digit 2 the second, and so on. If our PIN is 4321, the encoded string is “vbus”, and you can write that on your credit card. It’s probably easier to treat a 0 in your PIN as position 10 (the last letter of the key) unless you’re a programmer. You can use the same key repeatedly with relative security. Of course if your key is compromised all your PINs are compromised, and if a PIN is compromised it reveals four positions of the key, which simplifies discovering the rest.

I think this technique is fairly secure (i.e., secure enough); the biggest weakness I can think of is that the encoded string narrows the keyspace down. Because each digit always maps to the same letter, anyone who sees “vbus” can determine that the four digits are distinct, which reduces the candidates from 10^4 to 10*9*8*7 = 5040, about 50%. It gets worse if you have a duplicate digit (e.g., 4232, which encodes as “vubu”): the repeated letter shows exactly which positions match, so only 10*9*8 = 720 candidates remain, a 93% reduction. Clearly: don’t repeat a number in your PIN.

The next problem is coming up with a key (it can’t use any letter more than once). It’s actually a kind of fun mental exercise. In the 10-15 minutes I was thinking of this article I only came up with a couple. However, given a dictionary it’s fairly easy to find 10-letter words that meet the criteria. Here’s the code I came up with:

perl -lne 'next unless(length == 10 and !/\W/); $a = join("", sort split(//, lc)); $a =~ tr/[a-z]//s; print if(length($_) == length($a))' /usr/share/dict/words

Where /usr/share/dict/words is your dictionary. The one-liner keeps each 10-character line made only of word characters, lowercases it, sorts its letters, squeezes adjacent duplicates with tr///s, and prints the word only if nothing was squeezed, i.e., every letter is unique. My dictionary had 392 such words, and you can also do 2-word combinations (e.g., “dutchovens”) but those are harder to come up with. One caveat with a dictionary key: the letters written on the card also narrow down the key, since only words containing every one of those letters could have produced them, and out of a few hundred candidates that can leave very few.
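As an added worked example (this is not the post’s own code, nor a port of the Perl above), here is the scheme in Python: encoding and decoding a PIN with a 10-letter key, the number of PINs an attacker who knows the scheme but not the key must still try after seeing the encoded string, the same unique-letter filter the one-liner applies, and the narrowing of a dictionary key by the letters on the card. The function names and the small word list are my own constructions; the list stands in for /usr/share/dict/words.

```python
# Added worked example (not the original post's code): the position-substitution
# PIN scheme from the post, plus the keyspace arithmetic and a key search over a
# constructed word list. Function names and the sample list are assumptions.
from math import prod

# Constructed stand-in for /usr/share/dict/words: a few 10-letter words with no
# repeated letter (including the post's "subverting" and "dutchovens"), plus
# words the filter must reject (repeated letters, or the wrong length).
SAMPLE_WORDS = [
    "subverting", "dutchovens", "background", "blacksmith", "palindrome",
    "discourage", "dumbwaiter", "Buckingham",          # 10 letters, no repeats
    "programmer", "subversive",                        # 10 letters, repeats
    "security", "password", "intelligent",             # wrong length
]


def is_valid_key(key: str) -> bool:
    """Same test as the Perl one-liner: 10 letters, none used twice."""
    key = key.lower()
    return len(key) == 10 and key.isalpha() and len(set(key)) == 10


def encode_pin(pin: str, key: str) -> str:
    """Digit d becomes the d-th letter of the key; 0 is treated as position 10."""
    key = key.lower()
    if not is_valid_key(key):
        raise ValueError("key must be 10 distinct letters")
    if not pin.isdigit():
        raise ValueError("PIN must contain only digits")
    # (d - 1) % 10 maps 1..9 to indexes 0..8 and 0 to index 9 (the last letter)
    return "".join(key[(int(d) - 1) % 10] for d in pin)


def decode_pin(cipher: str, key: str) -> str:
    """Inverse of encode_pin: letter -> its 1-based position, position 10 -> 0."""
    key = key.lower()
    if not is_valid_key(key):
        raise ValueError("key must be 10 distinct letters")
    digits = []
    for ch in cipher.lower():
        if ch not in key:
            raise ValueError(f"letter {ch!r} is not in the key")
        digits.append(str((key.index(ch) + 1) % 10))
    return "".join(digits)


def pins_consistent_with(cipher: str) -> int:
    """PINs an attacker who knows the scheme but not the key still has to try.

    Each letter stands for exactly one digit, so distinct letters mean
    distinct digits: 10*9*8*7 for four different letters, 10*9*8 when one
    letter repeats (the repeat pattern is visible on the card).
    """
    distinct = len(set(cipher.lower()))
    return prod(range(10, 10 - distinct, -1))


def isogram_keys(words) -> list:
    """Usable keys from a word list (what the Perl one-liner prints)."""
    return [w.lower() for w in words if is_valid_key(w)]


def keys_matching_cipher(cipher: str, words) -> list:
    """Dictionary keys that could have produced this card text: the key must
    contain every letter written on the card."""
    needed = set(cipher.lower())
    return [k for k in isogram_keys(words) if needed <= set(k)]


def candidate_pins(cipher: str, words) -> list:
    """PINs the card text decodes to under each possible dictionary key."""
    return sorted({decode_pin(cipher, k) for k in keys_matching_cipher(cipher, words)})


if __name__ == "__main__":
    card = encode_pin("4321", "subverting")
    print("4321 ->", card, "->", decode_pin(card, "subverting"))
    print("PINs to try for 'vbus' without the key:", pins_consistent_with("vbus"))
    print("PINs to try for 'vubu' without the key:", pins_consistent_with("vubu"))
    print("usable keys in the sample list:", isogram_keys(SAMPLE_WORDS))
    print("sample keys that fit 'vbus':", keys_matching_cipher("vbus", SAMPLE_WORDS))
    print("PINs they give:", candidate_pins("vbus", SAMPLE_WORDS))
```

Run against the sample list, the four letters “vbus” fit only one usable key and therefore one PIN; a real dictionary with a few hundred 10-letter candidates leaves more than one, but still far fewer than the 5040 guesses the digit arithmetic alone suggests. That is the argument for a key that is not a single dictionary word, such as the 2-word combinations mentioned above.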

I should also add that it is possible to extend the cipher to be more complex/secure, but the idea is to make it simple enough to translate from letters to numbers in your head, to liberate you from using the same PIN for everything. Also, here is a related story on why banking PINs are 4 digits [via Bruce Schneier].
