Fix your phone’s PIN (almost) effortlessly

David Leppik
Oct 15, 2021

In an episode of Netflix’s Lupin, the title character breaks into a phone with three guesses:

The guy was around 50… so, that would be 1970… 1971… or 1969—there.

A terrible PIN

His companion is incredulous, but this is all too common. If your phone’s PIN is based on a year, date, address, or phone number, even an amateur thief can break into it with a few educated guesses. Even if they don’t know your personal details, everyday numbers contain exploitable patterns. From there, they can get into your pictures, your social media accounts, your messages, and your email. They can also reset your passwords for nearly every account.

Conventional wisdom says that phone PINs should be at least six digits long. That's based on the fact that police departments, and presumably criminals, can figure out a four-digit PIN quickly using specialized hardware. (Think button-pushing robots.) The phone is supposed to lock them out after a few wrong attempts, but they may be able to bypass this restriction. There is a cat-and-mouse game between forensics companies and phone manufacturers, so even if phones are secure today, they might not be tomorrow.

The biggest threat for many isn't criminals or overzealous police, but abusive family members or coworkers. If someone can snatch your phone for a few seconds every day and try three PINs, that's enough to try every meaningful four-digit number in your life in under a month. If they also catch a glimpse of you typing a digit or two, it's practically game over.

A few words about randomness

PINs need to be unguessable, which means random. Randomness is a big topic in statistics and computer science, but suffice it to say that it’s trickier than it sounds. Worse, humans naturally see patterns even where they don’t exist, so in trying to make something look more random, they make it less random.

For example, here’s a random number I just had a computer generate:

36240886394841554

Each digit is equally likely, so after the first digit every digit has a 1 in 10 chance of repeating the previous digit. With the 17 digits above, you would typically find 1 or 2 repeats. Indeed, there’s an 88 and a 55.

The next random number I generated looks even more suspicious:

5552238602256057

It starts with three 5’s, a double-two, and contains yet another double-two! Random numbers look suspiciously full of patterns!

The lesson here is: don’t just pick digits from your head. Use a real source of randomness and don’t second-guess it.

We will use physical sources of randomness. This isn’t just easier than asking a computer for a random number, it’s more reliable. Real dice can’t be hacked.

So how do you improve your PIN without too much pain?

The goal is to have a PIN made up of six completely random digits, and to memorize it effortlessly. This is surprisingly easy…if you are willing to take some time. Rather than change all the digits at once, how about changing one digit per month for six months? That way you only need to memorize one new digit at a time.

Step 1: the first digit

You're going to improve your PIN roughly 50-fold in one step: tenfold by adding a digit, and fivefold by randomly selecting where to add the new digit. (Strictly, 46 distinct PINs are reachable from a known four-digit PIN, because inserting a digit next to an identical one gives the same result from two slots, but the point stands.) You'll need a die and a paperback book. Choose a reasonably thick book with a spine that hasn't been creased to open to any particular pages.

Close your eyes and flip the book over repeatedly until you can't remember whether or not it is right side up. Then flip through the book to a random page. Take the page number on the right-hand page (odd if the book is right side up, even if it is upside down). Use the least significant digit: if the page is 345, your digit is 5.

Now roll a die. On 1, the digit goes at the beginning. On 5, it goes at the end. Two through four place the digit that many places in between. Re-roll on 6.

Position of the new digit

Step 1½: Change your PIN

Software changes so fast that you can’t rely on the screenshots below for exact instructions, but you should get the gist of it.

On Android, open Settings, then tap Security, then Screen Lock, then PIN. (Don't choose Pattern; it was a cool idea, but finger smears reveal the pattern.)

Changing the PIN on Android

On iPhone, choose Settings, then (depending on the phone) Touch ID & Passcode or Face ID & Passcode, then Change Passcode, then Passcode Options (which is nearly hidden by the keyboard) and Custom Numeric Code.

Changing the PIN on iPhone

That's it! Now update your PIN and use it frequently to help you remember. Your new PIN is…not great, but it will require up to 50 times as many guesses as your old one.

Step 2: the second digit

A month later, or as soon as you are completely comfortable with the five-digit PIN, add another digit. Same as before, except that a five-digit PIN has six slots, so no re-roll is needed: 1 puts the new digit at the beginning, 6 puts it at the end, and 2 through 5 place it that many places in.

The remaining digits

Now that your PIN is long enough, let’s clean up the lack of randomness. Don’t rush this — the more often you change your PIN, the more likely you are to confuse yourself with old PINs. Starting on the left (the most likely to be guessable), replace one digit each month with a random digit from your book. If your digit is the same as the old digit, don’t change it — just skip ahead a month and change the next digit.
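The whole procedure (Steps 1 and 2 plus the monthly replacements), as an added example that is not code from the article: it stands the operating system's CSPRNG (Python's `secrets` module) in for the paperback and the die so the steps can be checked, and the function names, slot mapping and sample PINs below are constructed for illustration. The `reachable_pins` helper also shows why the "50-fold" figure is really 46 for a four-digit PIN.

```python
"""The article's PIN-hardening procedure, as a runnable, added example.

The article draws digits from a paperback and positions from a die; here
the OS CSPRNG (`secrets`) stands in for both. Function names and sample
PINs are constructed for illustration and are not from the article.
"""
import secrets

DIGITS = "0123456789"


def page_digit() -> str:
    """Stand-in for 'flip to a random page, take its last digit'."""
    return DIGITS[secrets.randbelow(10)]


def die_roll() -> int:
    """Stand-in for one roll of a fair six-sided die."""
    return secrets.randbelow(6) + 1


def slot_for_roll(roll: int, pin_len: int):
    """Map a die face to an insertion slot (0 = before the first digit,
    pin_len = after the last), following the article's rule: face 1 puts
    the new digit at the beginning, the highest usable face puts it at the
    end, and faces in between count that many places in. A 4-digit PIN has
    5 slots, so a 6 is re-rolled; a 5-digit PIN has 6 slots, so every face
    is used. Returns None when the roll must be repeated."""
    slots = pin_len + 1
    if roll < 1 or roll > slots:
        return None
    return roll - 1


def insert_digit(pin: str, digit: str, slot: int) -> str:
    return pin[:slot] + digit + pin[slot:]


def replace_digit(pin: str, index: int, digit: str) -> str:
    return pin[:index] + digit + pin[index + 1:]


def add_random_digit(pin: str):
    """Steps 1 and 2: one random digit in a random slot.
    Returns the new PIN and the slot that was used."""
    digit = page_digit()
    slot = slot_for_roll(die_roll(), len(pin))
    while slot is None:  # the face had no slot: roll again
        slot = slot_for_roll(die_roll(), len(pin))
    return insert_digit(pin, digit, slot), slot


def reachable_pins(old_pin: str) -> set:
    """Every PIN an attacker who knows old_pin must try after one
    add_random_digit step. Inserting a digit beside an identical digit
    yields the same PIN from two neighbouring slots, so the count is
    9*len(old_pin) + 10 rather than 10*(len(old_pin) + 1): 46 for a
    four-digit PIN, not a round 50."""
    return {insert_digit(old_pin, d, s)
            for d in DIGITS for s in range(len(old_pin) + 1)}


def harden_schedule(pin: str, target_len: int = 6) -> list:
    """The multi-month plan, one change per month, returned as the list of
    PINs you would hold month by month (first entry is the starting PIN).
    First grow the PIN to target_len with add_random_digit; then, left to
    right, replace each digit that is still from the original PIN with a
    fresh random one. A month whose random digit equals the existing digit
    is recorded unchanged, as the article says to skip it."""
    is_random = [False] * len(pin)
    history = [pin]
    while len(pin) < target_len:
        pin, slot = add_random_digit(pin)
        is_random.insert(slot, True)
        history.append(pin)
    for i, already_random in enumerate(is_random):
        if already_random:
            continue
        new = page_digit()
        if new != pin[i]:
            pin = replace_digit(pin, i, new)
        history.append(pin)
    return history


if __name__ == "__main__":
    # Constructed example PIN, the Lupin year from the article's opening.
    for month, p in enumerate(harden_schedule("1970")):
        print(f"month {month}: {p}")
    print("PINs to try after step 1:", len(reachable_pins("1970")))
```

Each call to `harden_schedule` produces a different plan, since the digits and slots are random; what stays fixed is the shape: two months of insertions, then one replacement month per original digit, six changes in all for a four-digit start.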

Whew!

Most people don’t change their PINs and passwords even when they are guessable because memorizing random numbers is no fun, especially when you might lock yourself out of the phone. By changing just one digit per month, you can immediately improve your PIN and ultimately have strong security.
