Hiding a PIN number

Brian,

Most people have access to a mobile phone, so take their ‘phone book’ with them.

If I wanted to hide a pin of 1234, I might enter a phone number of 019561234871. The PIN would, or should, be recognised from within the number - as long as one digit can be remembered! That number might be saved as a number for “Fred” (or anything you fancy) on the phone. Perhaps Larry Brown (for Lloyds Bank), Neil Whotsisname (for National Westminser), etc.

It is simply a hidden reminder, particularly for those that can remember the numbers but not the order, or can only remember part of it.

Probably won’t help those of us with dementia, mind.

@$$@$$1N63 (assassin) may or may not be caught by a crack attempt depending on the rules being applied, brute force will always break it eventually, just a matter of how long it takes.

Most password cracks will start with a decent dictionary, plus names of/from popular films, books, sports, pets, etc, then apply a number of rules to modify the letters: @ or 4 for A, $ or 5 for S, 3 or £ for E, 1 or ! for I, etc and then add numbers or random characters on the beginning or end.

I used to regularly run a similar crack against our password file, and used to break around 90% of them in under 10 minutes for the entire 1000+ entry file, and constantly warn them about weak passwords. Unfortunately several of them complained if their password ever changed from 'ChangeMe'!

You can still use the above approach, but don't use the same alteration for all instances of the same letter, and rather than use a single word, use multiple words or use a phrase that is easy to remember and choose the first letter of each word, that way it is not even in the dictionary to start with, you can also replace entire words with numbers 'won' or one' with 1, 'to' 'too' or 'two' with 2 and 'for' or 'four' with 4, etc.

C4t.$at.m@t - Cat sat mat

B6b$hy4w? - Baa baa black sheep, have you any wool?

Nitt4agm2c2taotp - Now is the time for all good men to come to the aid of the party.

The simplest way of obtaining any password is still watching someone type it in, so best to use both hands and learn to type it reasonably fast.

I used to have a passphrase for PGP (pretty good privacy ) around 20 years ago, that required a lengthy pass phrase. The one I used was my spellings for the Excalibur 'charm of making', that applied 2048 bit encrypyion to whatever message I was sending to someone:

Anaarl nathrak uthus bethud bethel nienthe - good luck to anyone remembering that whilst watching me type it in!

Watch out for criminals with cigar cutters looking to remove your thumb/finger (think Durant in Darkman ) for biometric recognition.

Edited By Zebethyal on 05/07/2018 14:36:40

History lessons at my school consisted of memorising lists of dates in the first half of the lesson, followed by a test in the second half. Imaginative or what?

This has left me with a potential mine of PIN numbers with links to obscure events which few folk will be able to date.

Edited By Mick B1 on 05/07/2018 14:35:34

Simpler still, look at the post-it stuck to the monitor or "cunningly" hidden on the underside of the keyboard.

Brian

I used to write down the ten's compliment of the digits and then reverse them. These days I can't be bothered and just use the same pin number for all my cards - but don't tell anyone!

Russell

Or for C programmers 2b || !(2b) = To be or not to be

and if you are worried about biometrics what about removing the entire eye as in Dan Brown's Angels and Demons?

With a suitable couple of extra digits as a prefix, or suffix, they can be made to look like telephone numbers. The art is making the name plausible, and memorable for yourself.

Howard

I'm sad enough that that made me chuckle

Edited By David T on 06/07/2018 16:31:21

Someone I know has used a credit card sized piece of cardboard with something like a 6 x 5 matrix of squares on it. Each square has a letter of the alphabet on it and a digit from 0-9. These are allocated at random. All he does is remember a key word which means something to him and uses it to find the appropriate numbers of the pin.

I must admit to using the pin hidden in telephone or fax number in the past.

At one time at work I had to remember about 20+ passwords for different items of computer hardware/routers etc., and being a bank they were not always simple. But using them regularly I could remember them all.

Colin

In the early nineties I was part of a team doing a roll out for a large organisation and as we went round the huge office we would ask the user to log in and we would do the upgrade. However people were less concerned with security in those days so after the first day what happened was that we would turn up and a bunch of people would allow us access by telling us their passwords or letting us know where they were saved while they went off for a coffee.

Post-it notes on the edge of the screen with the password in plain text or perhaps disguised as phone numbers were the most common, followed by a note in the top desk drawer. The passwords we were told included sports teams (MUFC, AVFC, LCFC, Blues, Reds, Notts, Barbarians, Essex etc) names, presumably of family or pets, or every swear word as foul as you like.

I still reckon that if I typed **** or ******** into a computer in any large office I could get into at least one computer. (replace the asterisks to (bad) taste!)

Chaps,

Some of you are using methods that aren't secure. It's important not to underestimate the methods used by an expert to break them, or even a script kiddie. The tricks people use to make and remember passwords and pin numbers are well-known and most of them are poor security. Might seem tough by human standards, but they're paper thin in the face of a computer attack. Even a small computer can search for a password permutation in a file containing several million possibilities in well under a second, crack anagrams in microseconds, and apply substitutions in a flash. The pre-defined comparison file can contain words copied from the dictionaries of many different languages, plus lists of well-known choices, c0mm0n numerations, and other known obfuscations.

The single most important feature of a security key is that it be an unpredictable combination. Don't use anything based on a meaningful string of characters, or a meaningful string that's been encrypted with pen and pencil methods.

We are so bad at making up passwords that many organisations won't let us. Instead users are periodically told to pick one from a freshly generated and unique list of randomised character, number and punctuation strings at least 9 characters in length. The disadvantage of this system is people write down hard to remember passwords. They even write down passwords after being told it's a sacking offence...

Zebethyal recommended a good way of generating long semi-randomised passwords from a memorable phrase. I often use characters selected from book titles, author names, publisher and edition numbers spiced up with punctuation. Much to be said in favour of 'Nitt4agm2c2taotp' but - for obvious reasons - avoid obvious pass phrases.

Does strong security matter? Lots of people hide front-door keys under a flower pot and never get burgled. I prefer not to take unnecessary risks on the internet; anyone can come calling...

Dave

Edited By SillyOldDuffer on 06/07/2018 20:33:00