What's the probability that your PIN will be guessed in 1 attempt?
If you said 1 in 10,000 you're wrong.

People are terrible random number generators. They select PINs for memorability and personal meaning, paying little regard to security. A PIN that has meaning for one person is likely to have meaning for many others, which makes some PINs more common and therefore more guessable.


Could one PIN burst your bubble?

Four-digit PINs can be found throughout the enterprise in VOIP voice mail boxes, door access codes and much more. Often people expect the system to thwart PIN guessing attempts. For instance, bank cards allow 2 incorrect attempts per 24 hours, which thwarts most guessing. However, most systems allow unlimited guesses, require no physical authentication device and have no penalty for incorrect attempts.

By contributing to our research you will help secure VOIP
  • Rank the strength of a PIN similar to how passwords are ranked.
  • Develop free software to restrict the selection of weak passwords for Asterisk, the open-source PBX.
  • Learn about the psychology of selecting a PIN.
    We will discover to what extent the aesthetics of a number influences PIN selection. What patterns are most commonly selected? Are primes selected more than expected? How common are PINs that begin with 0?
  • Simulate PIN cracking on VOIP networks. Determine the number of attempts it will take to crack the average PIN.
  • Visually display the security of the PINs on your network. Identify the weakest so admins/HR can prompt those users to change their PINs.
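
An added example (not part of the original page or the project's software): given a list of user-chosen PINs, it measures how far the one-attempt guess probability departs from 1 in 10,000, what a cap on attempts still leaves exposed, and which PINs are shared. The sample list and all function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample (not real data): three popular PINs plus 20 one-off PINs.
SAMPLE = (["1234"] * 10 + ["0000"] * 5 + ["1111"] * 5
          + ["%04d" % n for n in range(4007, 9007, 250)])

def validate(pins):
    """Return the PINs as a list; reject anything that is not four ASCII digits."""
    pins = list(pins)
    if not pins:
        raise ValueError("no PINs supplied")
    for p in pins:
        if not (isinstance(p, str) and len(p) == 4 and p.isascii() and p.isdigit()):
            raise ValueError(f"not a 4-digit PIN: {p!r}")
    return pins

def success_rate(pins, attempts):
    """Share of users whose PIN is among the `attempts` most common PINs,
    i.e. what a cap of `attempts` guesses per account still leaves exposed."""
    pins = validate(pins)
    top = Counter(pins).most_common(attempts)
    return sum(count for _, count in top) / len(pins)

def mean_guesses(pins):
    """Average guesses needed per user when PINs are tried most common first."""
    pins = validate(pins)
    order = Counter(pins).most_common()
    return sum(rank * count for rank, (_, count) in enumerate(order, 1)) / len(pins)

def shared_pins(pins, min_users=2):
    """PINs chosen by at least `min_users` users: the ones to prompt a change for."""
    return [pin for pin, n in Counter(validate(pins)).most_common() if n >= min_users]

if __name__ == "__main__":
    print("uniform 1-attempt probability:", 1 / 10_000)
    print("sample 1-attempt probability: ", success_rate(SAMPLE, 1))
    print("sample 3-attempt probability: ", success_rate(SAMPLE, 3))
    print("mean guesses, uniform choice: ", (10_000 + 1) / 2)
    print("mean guesses, sample:         ", mean_guesses(SAMPLE))
    print("shared PINs to review:        ", shared_pins(SAMPLE))
```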

This research and the security enhancements it will enable are considered by some to be long overdue. In fact, it amazes us that no one has conducted any open research into PIN selection, considering the vast amount of parallel research into passwords.

Frequently asked questions

Question: Why should I trust you with my PINs?
Answer: You don't need to when you can trust the math. We want only PINs and not phone extensions, names or other information that tells us what the PIN is used for. This is similar to asking for keys but not which locks they fit. The larger the set of PINs, the less susceptible to abuse it is.

Question: Will this help criminals guess PIN numbers?
Answer: No. Criminals attempting to guess bank card PINs will gain nothing from this. Sophisticated criminals using brute-force attacks against VOIP networks already have 'optimised' common PIN lists.

Question: Do you offer VOIP security consulting services?
Answer: We can refer you to reputable, competent companies depending on your needs. Please contact us for more information.

Question: How can I secure my VOIP network or PBX?
Answer: Please see the resources page.

Help from the internet community

To do this we need help from the internet community to provide the large datasets of PIN numbers required. The PINs we need have to be chosen by the users. This means we have to exclude PINs that are allocated by the system. If you are an admin of a VOIP service or in a position to help then please consider contributing.