PIN generation and vulnerable PINs

I love the PIN option in the password generator in 1Password X. I hope this makes it to the other platforms soon, including within the password edit view.

I'm updating a 6 digit PIN for an airline using the above, and once I saved the entry in 1Password, I saw a banner saying the new password (PIN) was found on Have I Been Pwned. Out of curiosity, I generated another PIN in 1Password X, then went to https://haveibeenpwned.com/Passwords to see if it too was pwned. Yup! I did this about 30 times, all with the same result.

Services shouldn't be using a PIN for authentication unless it's for a phone keypad, kiosk/ATM, etc. The v4 password list on HIBP has over 551M passwords, so it's easy to imagine there are not too many 4 or 6 digit PINs that escaped being in that data set.

As nice as it'd be for 1Password only to generate PINs or passwords that aren't in HIBP, I get that's unlikely to happen. Still, it'd be handy to have a "useless service provider that's unlikely to improve their security" flag to hide the banner for 30, 60, etc. days. :)


1Password Version: Not Provided
Extension Version: X 1.13.2
OS Version: Windows 10 Pro 1803
Sync Type: 1Password

Comments

  • littlebobbytables
    1Password Alumni

    Hi @stmorrpom6cenz,

    I'm sure I either read or heard Troy Hunt say something about populating the database with every permutation of a certain PIN length but I can't find the source or how many digits it was going to apply to. So it could be anything from every permutation for both 4 and 6 digit PINs are present to I've made the entire thing up in my head and who knows how I managed to dream it.

    It's a tricky line to tread. If I use the Password Generator infinite times to generate an 8 character password then at some point it will generate the word peekaboo and should that happen I want that rare event to be discarded for the reasons you mention. There will be a few other 8 character long passwords that it also applies to. These should be quite rare though given all the combinations possible. With a 6 digit PIN the combinations are exactly 000000-999999 or 1,000,000 combinations. It's just a pathetically low number. If we eliminate every combination seen we would likely seriously reduce the entropy and if somebody were to either know, guess or assume the use of 1Password they could eliminate large sections of the search space when trying to guess your PIN. Sometimes what seems intuitive doesn't work with the maths involved.

    There was a book on the history of cryptography that I enjoyed sufficiently that I've probably read it at least three times now and in the part that documented World War II and the Enigma machine one of the tricks used to help defeat the encryption by breaking the current code was that certain rules had been put in place, you weren't allowed to transpose two characters next to each other on the keyboard. Somebody thought it made things more secure but it was a rule that reduced the search space the encryption breakers needed to consider. My memory could be a bit faulty but essentially various tricks were used to reduce the search space and then what was left was small enough that brute force was used against it.

    That isn't to say that if a certain combination, say 1111 or 1234, is used so often that you need to avoid it just because but the presence of certain combinations may be present but seen so infrequently that their presence in HIBP doesn't mean they shouldn't be considered as still valid if a service is going to make the bad move of limiting the thing you know to a 6 digit PIN. I can only comment on 1Password for Mac at the moment but basically all 6 digit codes receive an equally harsh critique of their strength but when I test certain ones the meter tanks as a result. It could be whatever list we use may need to be updated but eliminating every permutation in HIBP may not leave enough options.
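Added example (not part of the thread and not 1Password's code): a Python sketch of the trade-off described in the comment above. It rejects only a small rule-based set of overused 6-digit PINs, flags a PIN by how often it was seen in a Pwned Passwords range response rather than by mere presence, and reports the entropy left; the denylist rules, the `MAX_SEEN` threshold and the 900,000 figure are assumptions chosen for illustration.

```python
import hashlib
import math
import secrets

DIGITS = 6
KEYSPACE = 10 ** DIGITS   # 000000-999999, as in the comment above
MAX_SEEN = 1000           # assumed threshold: breach count above which a PIN is "overused"

def is_overused(pin: str) -> bool:
    """Assumed rule-based denylist: one repeated digit, or a straight run
    up or down (wrapping 9 -> 0), e.g. 111111, 123456, 654321."""
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps in ({0}, {1}, {9})

def generate_pin(digits: int = DIGITS) -> str:
    """Uniform CSPRNG PIN; rejection sampling keeps the survivors uniform."""
    while True:
        pin = "".join(secrets.choice("0123456789") for _ in range(digits))
        if not is_overused(pin):
            return pin

def remaining_bits(excluded: int, keyspace: int = KEYSPACE) -> float:
    """Entropy left when an attacker also knows which PINs are never generated."""
    return math.log2(keyspace - excluded)

def breach_count(pin: str, range_body: str) -> int:
    """Find a PIN in a Pwned Passwords range response (lines of SUFFIX:COUNT,
    where SUFFIX is the SHA-1 hex digest minus its first five characters)."""
    suffix = hashlib.sha1(pin.encode()).hexdigest().upper()[5:]
    for line in range_body.splitlines():
        found, _, count = line.strip().partition(":")
        if found == suffix:
            return int(count)
    return 0

def too_common(pin: str, range_body: str) -> bool:
    """Flag on how often a PIN was seen, not on mere presence in the data set."""
    return breach_count(pin, range_body) > MAX_SEEN

if __name__ == "__main__":
    denied = sum(is_overused(f"{n:0{DIGITS}d}") for n in range(KEYSPACE))
    print(denied, "PINs denied by rule")
    print(f"{remaining_bits(0):.2f} bits with nothing excluded")
    print(f"{remaining_bits(denied):.2f} bits with the rule-based denylist")
    print(f"{remaining_bits(900_000):.2f} bits if 900,000 PINs were excluded (hypothetical)")
    print("generated:", generate_pin())
```

The rule-based denylist removes a negligible share of the 1,000,000 possible PINs, while excluding 900,000 of them would cost more than three bits of an already small keyspace.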

This discussion has been closed.