Carry your PIN number in your wallet

I have a confession to make.  I have been carrying the PIN number to my credit cards in my wallet for the last five years!

In my wallet I have a slip of paper right next each of my cards that looks like this…

A B C D E F G H I
6 9 2 1 6 2 4 0 1
J K L M N O P Q R
8 7 9 1 7 2 3 2 4
S T U V W X Y Z
7 7 2 8 1 7 2 0

… I can remember a four letter word easier than four random numbers and have challenged many people to guess my pin number from it.  e.g. if the four letter word was MOVE then the PIN would be 1286 and if the four letter word was CHIP then the PIN would be 2013.

I cryptographic terminology this is classed as a one way hash, a terrible idea for encrypting data on the internet but for data as small as 4 numbers it works quite well.  4 numbers only gives (10^4 =) 10000 combinations at the best of times although there are things that can be done to try and break it.

If we take a standard dictionary file (/usr/dict/words) there are 1778 four letter words that could be used. Based on the example matrix above that equates to 907 different PIN numbers. While this is still too many to guess at random we are down a long way from the 10000 original possibilities. I’ll let you decide if that is an acceptable risk.

It’s worth noting that while most people would probably use a four letter dictionary word there’s nothing from stopping you using things like “A DOG” or “I RUN” or even a pass phase “Am I Nicely Secure?” = AINS.

What are your views? Foolish or clever? Are there any other wallet tricks that people know?

7 thoughts on “Carry your PIN number in your wallet

  1. Interesting idea. Words/letter combinations easier to remember than four digits, so see the benefit.

    Do you have a different lookup table for each card?
    And if so, does that pose a new risk to using the wrong table?

  2. Yes, a different lookup table for each card allows the pin for each card to be different but the word to be the same.

    I don’t think there is any risk of using the wrong table as each table sits behind its card in the wallet but you obviously have to use different random digits for each card else it would be obvious which four letters were being used.

    Humans are very bad at generating random numbers so this could be another attack vector but we are talking about very small amounts of data and a quick program or even a spreadsheet can be used to generate a more random table 🙂

  3. cake = 2676?

    i usually remember the shape the combination makes on the keypad

  4. No 🙂

    Shapes work well too but you do need a separate shape for all your PIN’s else they will all be the same again.

  5. Good idea, I too remember words but came unstuck when presented with a card terminal that didn’t have letters next to the numbers.

  6. My pin is now in muscle memory. as proven by the fact that I can buy many drinks at a bar whilst faaaar too drunk.

  7. I know this is an old topic; however I have an alternative idea to offer.
    Each card usually has 16 digits + 3 more on the back.
    Nearly all card issuers now allow you to select you own PIN.
    Choose a set position from the card number (hint: if you put your card in most readers – not ATMs – the last 4 digits on the card are still visible) e.g. the 14th & 15th. They will almost always be different across the cards you have, add two more numbers that mean something to you (old house number, partner / parent / child birthdate / birthmonth / birthyear, part of phone number etc. etc. and avoid repeats like 00, 11… ) & there you have a 4 digit PIN that is different for each card & easy to re-generate without carrying anything else, or depending on your phone being charged!
    Change you PIN at the ATM & job done!
    Only thing to watch for is the bank issuing a card with a new number – then you have to change PIN again…
    I find this particularly useful for cards that I use less frequently.
    Major potential downside could be if you are unable to read the numbers on the card!

Leave a Reply

Your email address will not be published. Required fields are marked *