With many stores discouraging the use of cash during the pandemic, a lot more shoppers are typing in passcodes called PINs to use debit and credit cards. But how safe are those codes?

New University of Guelph research suggests while many of us use PINs, or personal identification numbers, multiple times a day, few of us update them regularly. Some users go decades without an update, even after sharing those codes with others or knowingly having their security breached.

Dr. Hassan Khan

The study led by Dr. Hassan Khan, a professor in U of G’s School of Computer Science, revealed worrying PIN practices among Canadians, including many who admitted they had never updated their codes, and others who said they used the same one for everything.

Presented earlier this month at the Annual Computer Security Applications Conference, the study is the first of its kind to look at PIN use across many contexts, from digital assets such as cellphones, to financial assets such as bank and credit cards, to physical assets such as keyless locks.

Given that most Canadians type in PINs multiple times a day, it’s important to understand how people choose and manage them, said Khan.

“This research is particularly important because the use of PINs is on the rise,” added Khan, whose co-authors include computer science colleague Dr. Rozita Dara and Dr. Adam Aviv of George Washington University.

An increasing number of systems, including computer operating systems such as Windows, recommend the use of numeric PINs instead of passwords. Loyalty cards and programs also use PINs, which can become cumbersome given that the average Canadian participates in 12 such programs.

“Many of these programs use PINs over passwords in the belief that PINs are easier to remember,” he said.

A hand covers the keypad while punching in a PIN code

But Khan’s research revealed that many Canadians struggle to keep track of their codes. Based on hour-long interviews among 35 study participants, the researchers found respondents’ most important criterion for choosing a PIN was how easy it would be for them to remember. The PIN’s security “strength” or whether they had used the same code elsewhere was less important.

Of the 35, 28 participants reported reusing the same code for several applications. One said they had used the same PIN for every use – digital or financial – for 30 years without ever updating it.

“Our study found that memorability was often the most important consideration when it came to choosing a PIN. Many reported not wanting to hold up lineups while they tried to remember PINs, which is why some chose the same one,” said Khan.

Participants also widely reported sharing PINs, particularly with spouses or children. For financial assets, only seven of the participants reported never sharing their PINs with anyone.

A full 71 per cent of the participants described situations in which their PINs were likely compromised, either through a guessing attack or a “shoulder surfing” attack in which someone peeked while they typed in their code. But only a minority of these people – 45 per cent – said they had then updated their codes.

When asked why they hadn’t updated, the respondents said they trusted the attacker as a friend, they believed the attack failed or they were too lazy to change their PIN.

The study also found many Canadians go long periods before updating their PINs, often for many years in the case of financial assets such as bank cards. Six participants reported never changing a PIN across any category since configuring them.

When it came to physical assets, nine participants reported “inheriting” garage door PINs after moving to a new house, but only three reported updating them. The remaining six said they either didn’t know how or were unable to update the code.

Khan said there may be ways to help users keep better track of their PINs. Digital wallets on smartphones, for example, can remember passwords for users and eliminate the need for entering PINs, but they don’t work for physical codes.

Systems that compel users to regularly update codes often aren’t helpful because users tend to switch their PINs back to the old ones.

“This study offers compelling reasons why the research community should focus on developing new tools to assist users in remembering passwords,” said Khan. “With the increasing use of PINs for different types of assets, our findings will help researchers design tools and strategies to improve the security of these assets.”

The research was partially funded by the Natural Sciences and Engineering Research Council of Canada and the United States National Science Foundation. Co-authors were Jason Ceci and Jonah Stegman of U of G and Dr. Ravi Kuber of the University of Maryland.
