Earlier this week, the following chart was published/shared via Reddit, highlighting the most common four-digit PIN codes. The source of the analysis was a blog post from DataGenetics.

Common PIN Codes

The analysis leverages 3.4 million PIN codes, collated from released/exposed/discovered credential tables and public security breaches.

The data highlights that the top twenty PIN codes constitute 27% of all PIN codes, with common themes being two pairs and birth years.

The reason this information is valuable is that PIN codes are becoming more relevant as consumers and businesses look to embrace Windows Hello for passwordless authentication.

Windows Hello is a significant step forward for authentication: it is a FIDO2-compliant authenticator, which makes it phishing-resistant, because the credential is a key pair bound to the device rather than a secret a user can be tricked into typing into a fake login page. By default, Windows Hello uses biometrics (facial recognition or fingerprint), but biometrics always sit on top of a PIN code (minimum four digits), which remains the fallback whenever the biometric is unavailable or fails.

On the surface, a PIN code feels less secure than a complex password. The difference is where it is used. A password is a shared secret that is sent to a server and accepted from anywhere; the Windows Hello PIN is local to one device (desktop, laptop, smartphone, etc.) and is only ever used to unlock the key on that device, so the service being signed in to sees a signature from that key and never the PIN itself. Someone who learns the PIN through phishing or a breach therefore gains nothing without physical access to that specific device, which is why four digits are a far better credential here than they would be as a remote password.

In addition, with Windows Hello the PIN never leaves the device and is not held as a credential on any server: it is used to unlock a private key protected by the Trusted Platform Module (TPM). TPM 2.0 includes anti-hammering (dictionary attack) protection, which throttles repeated wrong authorisation attempts so that the PIN cannot simply be brute forced against the chip.

By default, Windows configures a TPM 2.0 to lock after 32 authorisation failures and to forget one authorisation failure every 10 minutes. On a Windows machine, running the Get-Tpm PowerShell cmdlet from an elevated prompt shows the live values (LockoutMax, LockoutHealTime and the current LockoutCount), which is a quick way to confirm a device has not been provisioned with something weaker. These values can be customised and should be reviewed against the risk profile of the business, user and data. Additional information can be found in the TPM Fundamentals article published by Microsoft.

Assume a four-digit PIN and the default anti-hammering settings. There are 10,000 possible values (0000 to 9999); the first 32 wrong guesses cost nothing, and every guess after that has to wait for the TPM to forget a failure, i.e. one guess per 10 minutes. Exhausting the whole space therefore takes roughly 9,968 × 10 minutes, about 69 days, and a randomly chosen PIN falls on average after about half that. A six-digit PIN multiplies both figures by 100, to roughly 19 years for the full space. The catch runs the other way: the twenty most common PINs in the analysis above cover 27% of users, and twenty guesses fit comfortably inside the 32 failures the TPM tolerates before it locks at all, so anti-hammering offers no protection to anyone who picked one of them.
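The arithmetic above, as an added example (not code from the original post or from Microsoft). It models the lockout behaviour the post describes: a fixed number of free authorisation failures, then one further attempt each time the TPM forgets a failure. The Windows defaults (32 failures, 10 minutes) are the ones quoted above; the one-second cost per unthrottled guess and the helper names are assumptions.

```python
"""Time cost of an online PIN brute force against a TPM 2.0 lockout.

Added example, not code from the original post or from Microsoft.  It models
the behaviour the post describes: the TPM accepts a fixed number of wrong
authorisation attempts, then locks, and forgets one failure per healing
interval.  The Windows defaults (32 failures, 10 minutes) are the ones the
post quotes; the one-second cost per unthrottled guess is an assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TpmLockout:
    max_tries: int = 32           # wrong attempts before the TPM locks (Windows default)
    heal_minutes: float = 10.0    # one failure forgotten per interval (Windows default)
    attempt_seconds: float = 1.0  # time per guess while not locked (assumption)


def minutes_for_guesses(guesses: int, lockout: TpmLockout = TpmLockout()) -> float:
    """Minutes needed to make `guesses` consecutive wrong attempts.

    The first `max_tries` attempts are limited only by how fast the guesser
    can submit them.  After that the failure counter is full, and each further
    attempt must wait for the TPM to forget one failure.
    """
    if guesses <= lockout.max_tries:
        return guesses * lockout.attempt_seconds / 60
    unthrottled = lockout.max_tries * lockout.attempt_seconds / 60
    throttled = (guesses - lockout.max_tries) * lockout.heal_minutes
    return unthrottled + throttled


def exhaustive_search_days(pin_digits: int, lockout: TpmLockout = TpmLockout()) -> float:
    """Worst case: every PIN of the given length is tried (10**digits guesses)."""
    return minutes_for_guesses(10 ** pin_digits, lockout) / (60 * 24)


def average_search_days(pin_digits: int, lockout: TpmLockout = TpmLockout()) -> float:
    """Expected time against a uniformly random PIN: half the space on average."""
    return minutes_for_guesses(10 ** pin_digits // 2, lockout) / (60 * 24)


def guesses_within_days(days: float, lockout: TpmLockout = TpmLockout()) -> int:
    """How many guesses fit in a time budget, e.g. the window before a lost
    device is reported and its keys are revoked."""
    budget = days * 24 * 60
    unthrottled = lockout.max_tries * lockout.attempt_seconds / 60
    if budget <= unthrottled:
        return int(budget * 60 / lockout.attempt_seconds)
    return lockout.max_tries + int((budget - unthrottled) / lockout.heal_minutes)


if __name__ == "__main__":
    for digits in (4, 6):
        print(f"{digits}-digit PIN: exhaustive {exhaustive_search_days(digits):.0f} days, "
              f"average {average_search_days(digits):.0f} days")
    # A weaker, hypothetical provisioning: 5 free tries, then one every 2 hours.
    slow = TpmLockout(max_tries=5, heal_minutes=120)
    print(f"4-digit PIN, 5 tries / 2 h: {exhaustive_search_days(4, slow):.0f} days")
    print("guesses in 30 days with the defaults:", guesses_within_days(30))
```

Note what guesses_within_days shows: with the defaults an attacker holding a device gets about 175 attempts in the first day, which is far more than enough to walk through the twenty most common PINs from the analysis. The lockout buys time only against a PIN that is not on that list.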

With that said, I would still recommend leveraging the insights from this data analysis to select a “strong” PIN code (minimum six digits), targeting a unique number sequence.
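A checker for the patterns the analysis highlights (repeated pairs, birth years, digit runs, the most common values) and a generator that only hands out PINs passing it, added here as an example; it is not code from the original post or from DataGenetics. The denylist is a small constructed sample standing in for the real top-20 list, the six-digit minimum follows the recommendation above, and the year range and helper names are assumptions.

```python
"""Reject weak PINs using the patterns the DataGenetics analysis highlights.

Added example, not code from the original post or from DataGenetics.  The
denylist below is a small constructed sample standing in for the real
top-20 list; the year range and the six-digit minimum are assumptions
taken from the post's recommendation.
"""
import secrets
from datetime import date
from typing import List, Optional

MIN_LENGTH = 6  # the post's recommendation; Windows Hello itself allows 4

# Constructed sample denylist, not the DataGenetics data: load the real list here.
COMMON_PINS = {"1234", "1111", "0000", "1212", "7777", "2000",
               "123456", "111111", "000000", "121212"}


def is_repeated_block(pin: str) -> bool:
    """One block repeated: 1111, 1212, 123123 (the 'two pairs' theme)."""
    n = len(pin)
    return any(n % p == 0 and pin == pin[:p] * (n // p) for p in range(1, n // 2 + 1))


def is_sequence(pin: str) -> bool:
    """Ascending or descending run of consecutive digits, wrapping 9 -> 0."""
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {9}


def contains_year(pin: str, first: int = 1900, last: Optional[int] = None) -> bool:
    """Any four-digit window that reads as a plausible birth year (assumed range)."""
    last = date.today().year if last is None else last
    return any(first <= int(pin[i:i + 4]) <= last for i in range(len(pin) - 3))


def looks_like_date(pin: str) -> bool:
    """Six digits that parse as DDMMYY or MMDDYY."""
    if len(pin) != 6:
        return False
    a, b = int(pin[:2]), int(pin[2:4])
    return (1 <= a <= 31 and 1 <= b <= 12) or (1 <= a <= 12 and 1 <= b <= 31)


def pin_weaknesses(pin: str) -> List[str]:
    """Return every reason the PIN is weak; an empty list means it passed."""
    if not pin.isdigit():
        return ["not purely numeric"]
    reasons = []
    if len(pin) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} digits")
    if pin in COMMON_PINS:
        reasons.append("on the common-PIN list")
    if is_repeated_block(pin):
        reasons.append("repeated block")
    if is_sequence(pin):
        reasons.append("digit sequence")
    if contains_year(pin):
        reasons.append("contains a year")
    if looks_like_date(pin):
        reasons.append("looks like a date")
    return reasons


def generate_pin(length: int = MIN_LENGTH) -> str:
    """Draw a PIN with the OS CSPRNG, rejecting any candidate that trips a check."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice("0123456789") for _ in range(length))
        if not pin_weaknesses(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed samples: a sequence, a birth year, a DDMMYY date, a random one.
    for sample in ("1234", "1984", "121985", "739204"):
        print(sample, pin_weaknesses(sample) or "ok")
    print("suggested:", generate_pin())
```

The rejection step in generate_pin removes only a few percent of the six-digit space (repeated blocks, runs, year-like and date-like values), so the result is still effectively a uniform random PIN, just one that does not fall inside the free 32 attempts an attacker gets before the TPM lockout starts to bite.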