Sometimes when you try to set up a password to an online account, you get a prompt saying your password is not strong enough; it needs to be a combination of uppercase and lowercase letters, and numbers. We all know this is to lower the risk of someone else hacking in to your account.
However, to withdraw money from an ATM using your bank card, you only have to enter a simple four-digit number. How is that considered safe?
A descriptive answer to this question is presented in the form of four explanations below.
There’s this thing called brute forcing. That’s where you basically try 0000, 0001, 0002… etc. Typically, people would try the common passwords first, so 0000, 1111, 2222, 1234, 4321… etc, and then start trying every password, but that’s besides the point.
When you’re using your bank pin, you have your physical bank card. And if you get the wrong pin too many times, that account gets locked out until you talk to the bank and get them to fix it. So somebody trying to guess your pin only gets 5/10,000 chances – and needs to actually physically have your card at that! After your card’s been locked out, they can’t do anything. Once you go to get it fixed, you’ll get a new card and the one they have is rendered useless. They get 5 chances, total. And then they have to steal your card again, and have no guarantees that the five pins they guessed before are going to be wrong, since you could’ve (and should’ve) changed your pin!
Online accounts are quite a bit different. Sure, you may have forgotten your password somewhere and been locked out of your account for 10 minutes or whatever before. But that’s not the only way people ‘hack’ online accounts. For that, we need to explain password hashing briefly.
Typically, when you sign up for an account somewhere, your password will be ‘hashed’. So if your Facebook password is
123456, Facebook would only know it as something like
$2a$06$0JXJ7T//rMLelqOfaYYEw.cwQYivfp0KkJLcGaJwH/1kV8i5Oh3AS. Meaning, if somebody hacks Facebook and gets the database of passwords, they still won’t know what your password is. Even if they try and login using your hashed password, it’ll just get hashed again, and Facebook will see it as something different.
Hashed passwords are also (kinda) impossible to reverse engineer. Regardless of what length password you put in, the hash will always be the same length. So multiple passwords can result in the same hash. Which does mean that it is possible to get from a hash to a password that results in that hash without brute force, you just can’t get the original password. But not having the original password doesn’t matter, as long as the password you have turns into the same hash. However; reverse engineering a hash like this is an incredibly difficult task.
Alright, so let’s get back to the whole brute forcing thing. Once somebody has your hash, they’re no longer bound by Reddit’s wrong password limits. They can write a program that hashes passwords and checks it against your hashed password all they want. Once they get the right password, they only need to try and login once. Regular ol’ computers can check millions of passwords per second – and more powerful computers built for this purpose can check in the tens of billions, or even higher. For a simple, short password it’ll take a matter of seconds. Even for some of the more ‘complex’ passwords people think up, it’s just a matter of days, maybe weeks. But not very long at all. Length is exponentially more important than symbols, blood of the first born, etc.
And that’s barely touched the surface of internet security.
Notice most banks don’t let you use the 4 digit code alone when you do online banking. (By which I mean web banking. Mobile is a slightly different case.)
When you visit a bank, you need a card (which is, as others have said, something you “have”) and if you enter the wrong passcode too many times, the ATM can eat the card (or at least invalidate it). This renders the 4 digit code much less susceptible to brute forcing all
9999 (edit: yes, 10,000) possible combinations, since you usually only get 3 attempts. (Or more, as some people have told me.)
On the other hand, web logins often don’t have any physical token. If there’s no physical token, locking someone out for a bad password means locking the entire account, which is obnoxious. I could make your customers very angry simply by randomly trying account / passwords until they got locked out, from computers all around the world. Apparently some banks actually do this, and my condolences to their customers.
You can get away with a simpler PIN for security if you have lockouts or if you (as some banks do) tie the login to a secondary security question and a “remember me on this device” type browser memory. This combines your password (the thing you know) with the computer (the thing you have) to make it safer.
Some people have pointed out they can use PINs for mobile banking. Those PINs are tied to the device. The first time you set up on a different device, you should need something more complex than a PIN. In this case the phone replaces the ATM card as the thing you have.For anyone saying they can log in with a PIN online only, try it in an incognito mode browser. If you can still log in with no further questions, I would consider treating that bank’s security as suspect
Something you know, something you have, something you are. Those are the three types of security. With a card and the aforementioned ATM pin, you check two of those (have and know), so the individual security of each can be less.With an online password you only have one (know), so the requirements need to be a lot stricter to compensate for not checking off the other two types of security.
Because that 4-digit code is just a cross-check with a physical card and can’t be brute-forced. It’s not the PIN giving you access to the account, it’s the card (or the ID when you go to the bank).