Passwords And PINs
Passwords are a secret. They are a secret you share with any one of the estimated 200 million active websites on today’s Internet. (There are actually over 1.8 billion, but by far most of these — roughly 75% — are placeholder, or “parked” domains.) This information was gleaned from InternetLiveStats if you’d like to learn more.
A Personal Identification Number (PIN) is usually a simple set of four digits, although some companies will allow the use of alphanumeric strings. The burning question here is whether a password or a PIN offers the greater security, and this week’s Quick Tips article will try to answer it for you.
Let’s Begin With PINs
PIN is an acronym for Personal Identification Number. (It makes me cough when people refer to a PIN ‘number’. Or a VIN ‘number’. Would you normally say, “Personal Identification Number number”? Of course not.)
Whereas a password is shared with an outside entity, a PIN is attached to, or associated with, a device such as a laptop computer. If a crook steals your laptop, and it is protected by a password, then the bad guy could theoretically “brute force” that password and gain access to your machine. A PIN, in this case, is better. It is associated with the hardware itself, and not an outside entity like a website.
A normal reaction would be to say that a 4-digit PIN couldn’t possibly be as secure as a strong 16-character password, and that seems to make sense, but in this case it isn’t necessarily true. That’s because a PIN is protected by a Trusted Platform Module (TPM). The TPM will lock after a set number of failed login attempts. The bad guy only has a limited number of tries, so a brute-force attack won’t work. Of course, the scumbag could get lucky and hit upon the correct PIN right off, but the odds are slim: there are 362,880 possible combinations using the numbers 1-9.
Incidentally, many websites these days employ a similar technique for the same reason. DCT, for example, will block someone for a period of time who tries several false password attempts. This helps to dissuade abuse of the system.
Note: If your computer is not equipped with a TPM chip, using BitLocker can achieve the same result.
How About Passwords
A PIN can’t be used effectively when signing in to a website: it is short and therefore easy to crack, so a password becomes necessary. Passwords should be long and strong. 16 characters is a good length these days (it used to be 8), and by “strong” I mean that it should contain at least one number, one special character (e.g., !@#$%^&*()), and both upper-case and lower-case letters. Even using a very fast computer, it could take hundreds of years to “brute force” a good password. (You can do the math if you like, but I’ll pass on this one.)
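The arithmetic the article skips, as an added example that is not part of the original post: a small Python model of a TPM-style lockout counter alongside the keyspace and expected offline search time for a password. The guess rate, the 10-digit PIN alphabet and the 5-failure lockout are assumptions, not figures from the article.

```python
"""Lockout-protected PIN vs. offline-attackable password (constructed example).

All rates and limits below are assumptions chosen for illustration.
"""
import hmac
import string
from fractions import Fraction

# Assumed printable password alphabet: letters, digits and punctuation (94 symbols).
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct secrets of `length` symbols drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def lockout_success_probability(space: int, allowed_attempts: int) -> Fraction:
    """Best-case odds for a guesser who gets only `allowed_attempts` tries before the
    device locks (TPM anti-hammering). Each wrong guess rules out exactly one value."""
    return Fraction(min(allowed_attempts, space), space)


def expected_offline_years(space: int, guesses_per_second: float) -> float:
    """Expected time to find a secret by offline brute force, i.e. when the attacker can
    test guesses with no lockout at all. On average half the keyspace must be searched."""
    seconds = (space / 2) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


class LockoutGuard:
    """Minimal model of a TPM-style anti-hammering counter in front of a PIN."""

    def __init__(self, secret: str, max_failures: int) -> None:
        self._secret = secret
        self.max_failures = max_failures
        self.failures = 0

    @property
    def locked(self) -> bool:
        return self.failures >= self.max_failures

    def try_unlock(self, guess: str) -> bool:
        if self.locked:
            return False  # locked: even the correct PIN is refused until reset
        if hmac.compare_digest(guess, self._secret):  # constant-time comparison
            self.failures = 0
            return True
        self.failures += 1
        return False
```

With the assumed 10^12 guesses per second, a 4-digit PIN falls instantly offline but a 5-try lockout caps the guesser at 1 in 2,000, while a 16-character password from the 94-symbol alphabet takes on the order of 10^11 years to search.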
Due to the complexity needed to create a good password, and to the strongly recommended one-time usage of each password, a password manager becomes a necessary tool. I don’t know about you, but I can’t remember hundreds of complex passwords; my brain doesn’t work that way. There are many good password managers available on the Internet. To make it easier for you, many excellent ones are free. Here are some recommendations for you to consider:
For your information, I use LastPass. Even the free version has many useful features. The above video mentions it as a top pick and I concur.
Which Is Better?
The only right answer is that it depends. If you want to protect a device at a local level, then a PIN is the way to go. Microsoft even offers the option of using a PIN instead of a password to sign in to your account, and it is necessary to create a PIN if you want to use biometric login solutions. (This is a fallback mechanism in case your fingerprint reader fails for some reason.)
As always, if you have any helpful suggestions, comments or questions, please share them with us,