PIN It Down: Hacking Scandals Pinpoint Security Risks

  • Print.


Illustration by Kelly Hume

This summer’s stories of cellphone hacking involving the British tabloid News of the World opened eyes to some unexpected security issues. And eyes opened wider as celebrity phones were hacked to expose pictures and other private information. So we now should see the need to secure devices and accounts that we probably didn’t give much thought to before.

We are already attuned to security concerns with computers and passwords. The phone-related hacking turns our attention to the use of PINs, the personal identification numbers that also protect important information. There’s no reason password principles should not apply to PINs, but it gets a little more complex, in large part because the numbers are less complex.

A PIN is typically four digits, giving us only 10,000 possible PINs to choose from. In some cases you might not be allowed to repeat or use certain numbers, limiting the possibilities further. Using the handy password-strength calculation tool at Gibson Research Corp.’s Password Haystacks (highly recommended), you’ll see that a four-digit password can be cracked shockingly quickly in a brute-force attack.

Of course, many baddies might start with something easier than a brute-force attack. Recent findings have shown the most common PIN numbers people use on their iPhones. Anyone surprised that 1234 topped the list?

Many people, for convenience, opt out of using PINs for voicemail when calling from their own number or to lock the screen of their cellphones. Not a good idea. A quick Google search of “how to hack voicemail” (finding nearly 36,000 hits) will open your eyes to new worlds of potential vulnerability.


As with all security issues, it comes down to determining acceptable risk and balancing risk against convenience (i.e., ease of remembering PINs). Here are a few helpful PIN pointers:

1) Have no defaults. Change any default PIN immediately.

2) Change PINs regularly. You will have to find instructions on how to change PINs, which sometimes can take some digging.

3) Avoid common PINs. The top five on the list mentioned above were 1234, 0000, 2580, 1111 and 5555.

4) Vary PINs. Is it really a good idea to have the same one for your phone’s screen lock and your voicemail? And your ATM? And your office or home security system?

5) Look for protection tools. A great feature, if available, is to limit the number of unsuccessful attempts before access is denied. Allow enough incorrect attempts to fit your mistyping level. In a firm, you might be able to set requirements for PINs or mandate regular changes. Just in terms of mathematics, if your voicemail system will let you go to a six- or eight-digit PIN, it will be much harder to crack.

6) Watch for developments in the areas of alerts. You might be able to get a text message or email if someone attempts to access your voicemail from an unapproved number.

Dennis Kennedy is a St. Louis-based legal technology writer and information technology lawyer. is his website and the home of his blog.

Give us feedback, share a story tip or update, or report an error.