A Shorter PIN Might Be More Secure against Smudge Attack
In an interesting little mathematical exercise, Zach Pace from the team implementing the new picture sign-in for Windows 8 says that on a phone with a 4-digit pin, 4 unique digits is the most secure against a smudge attack. I contend that he is wrong, and that 3 unique digits would be more secure.
A smudge attack is when someone searches a smartphone screen for smudges, and then correlates their position with the phone security code. For example, if you clean your screen then type in your PIN, then hold your phone on the correct angle to the light, one can figure out the digits in the PIN.
“A PIN will leave a smudge in a known location for each digit used in the code. If there are n digits in the PIN, and all digits are unique (the hardest to deduce case), there will be n! possible ways of ordering the PIN. For a typical 4-digit PIN, this is 24 different combinations.”
I assert that he is correct in all but declaring 4 unique digits to be the hardest to deduce case. Yes there would be 4! = 24 combinations. However what if you knew the PIN were 4 digits long and you only saw 3 smudge marks on the screen (let’s say, digits 1,2,3)? You have the following possibilities of digits in the set: 1,1,2,3; 1,2,2,3; 1,2,3,3. For each combination, you have 4! permutations, minus one for every case where the two like digits are adjacent (since in 1,1,2,3 swapping the position of the 1s does not create a new PIN). This equals 24 – 6. Since we have three sets, we have (24 – 6) x 3 = 54 possibilities.
Plus, what if the attacker is unsure of the amount of digits in the PIN? With four smudges, he can be sure that the PIN is at least 4 digits long. With three smudges, he must try all the 4-digit possibilities just explained, plus consider the extra 3! possibilities offered by a 3-digit PIN. Not that any phone actually offers the possibility of a 3-digit PIN in the real world (do they?), but hey, theoretically it’s significant.
Fortunately, or I suppose unfortunately if you’re looking to cast a few more aspersions on the security of Windows, this mistake in Pace’s statistical reasoning does not actually undermine his point about the improved security of their new sign-in technique.
The important outcome for you, the 4-digit PIN smartphone user, is that if your primary concern in selecting your PIN is guarding against smudge attack (which might be a reasonable point of view), chose 3 digits. The iPhone is a good example of a phone with a numeric PIN-based sign-in, whereas Android phones offer this and/or other options.