
21 comments on “How Can a PIN Be as Secure as a Password?”

  1. 4-digit PINs are quite easy to sniff out, as there really are not very many combinations of 4 numbers; passwords, however, are better because there are 26 letters in the alphabet plus a choice of capitals and symbols too. It would take a hacker much longer to sniff these out.

    Reply
    • Did you read the article? Hackers don’t have the same level of access for a PIN as they do for a traditional password. And the article directly addresses the steps you can take to make a PIN more secure.

      Reply
  2. My biggest problem with the W10 PIN is that there is no locking upon multiple failed attempts, and it opens immediately when the correct PIN is entered. For example, if you have the very uncommon and highly secure PIN “1234”, someone can sit at the computer and keep trying. So if they tried the even more secure and slightly less common “123456”, they would get in after the 4th digit was entered. So, Leo, you are correct that to make it more secure, add more digits and don’t use something easy to guess.

    Reply
      • …although, I have to admit, I find it hard to believe that ‘mustang’ beat out all of the available curse words and body parts.

        Reply
      • But it’s not safer than 123456 because of poor design on the part of Microsoft: once you’ve entered the first four digits, 1234, Windows will log you in immediately, before you have a chance to add the last two digits. I can’t believe the designers at Microsoft could be so stupid. Type in a bunch of numbers and count them as you type; Windows will tell you how many characters are in the PIN.

        Reply
    • “My biggest problem with the W10 pin is that there is no locking upon multiple failed attempts and it opens immediately when the correct pin is entered.” – This can be configured using Group Policy in the Pro, Enterprise and Education editions, but not in the Home edition. I don’t see the omission as being particularly problematic.

      Reply
  3. As an aside on a separate technical matter, and taking absolutely nothing away from the arguments, but purely to correct the use of a specific word, adding an extra digit to a PIN does not make it “exponentially” safer. It makes it 10 times safer, and adding a second extra digit makes that now safer 5-digit PIN 10 times safer yet. An exponentially safer PIN would get safer at an even faster rate.

    Reply
    • Actually adding 1 digit makes it 10 times safer. 2 digits makes it 100 times (10^2) safer. 3 digits makes it 1000 (10^3) times safer. Maybe I should have said “geometrically” (I don’t think so) but it’s important that it not be thought of as linear. :-)

      Reply
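The two behaviours argued about above (a prompt that submits as soon as the last digit is typed, and the absence of a lockout) and the “ten times safer per digit” exchange can be made concrete with a small simulation. This is an added example, not code from the article or from any commenter, and it models no real Windows component: `PinVerifier`, `type_until_submit`, `brute_force` and `keyspace` are constructed names for a toy prompt. It shows three things the thread describes: a 6-digit sequence typed into a 4-digit prompt is accepted after the 4th keystroke, the auto-submit point leaks the PIN length, and a lockout threshold caps an attacker’s attempts regardless of length, while the keyspace itself grows as 10^length.

```python
"""Toy model of a local PIN prompt with auto-submit and optional lockout.
Constructed for this example; it is not Windows code and models no real API."""
from __future__ import annotations

import itertools
from dataclasses import dataclass


@dataclass
class PinVerifier:
    """secret: the configured PIN.  lockout_threshold: consecutive failures before
    the prompt refuses further attempts; 0 means no lockout, the behaviour the
    comment complains about."""
    secret: str
    lockout_threshold: int = 0
    failures: int = 0
    locked: bool = False

    @property
    def pin_length(self) -> int:
        return len(self.secret)

    def submit(self, typed: str) -> bool:
        """One submitted attempt.  Raises once the prompt is locked."""
        if self.locked:
            raise PermissionError("PIN prompt locked after too many failures")
        if typed == self.secret:
            self.failures = 0
            return True
        self.failures += 1
        if self.lockout_threshold and self.failures >= self.lockout_threshold:
            self.locked = True
        return False


def type_until_submit(v: PinVerifier, keys: str) -> tuple[bool, int]:
    """Feed keystrokes one at a time.  The prompt auto-submits the moment the
    buffer reaches the PIN length, so later keystrokes are never seen.
    Returns (accepted, number of keystrokes consumed when it submitted);
    (False, 0) if the buffer never got long enough to submit."""
    buf = ""
    for n, ch in enumerate(keys, start=1):
        buf += ch
        if len(buf) == v.pin_length:
            return v.submit(buf), n
    return False, 0


def brute_force(v: PinVerifier, alphabet: str = "0123456789") -> dict:
    """Attacker with physical access: first learn the PIN length from the
    auto-submit point (one wasted attempt), then enumerate every PIN of that
    length until success or lockout."""
    accepted, length = type_until_submit(v, "9" * 64)  # length probe
    attempts = 1
    if accepted:                                        # the probe itself happened to match
        return {"found": "9" * length, "attempts": attempts, "locked": False}
    for combo in itertools.product(alphabet, repeat=length):
        if v.locked:                                    # lockout ends the attack early
            return {"found": None, "attempts": attempts, "locked": True}
        attempts += 1
        candidate = "".join(combo)
        if v.submit(candidate):
            return {"found": candidate, "attempts": attempts, "locked": False}
    return {"found": None, "attempts": attempts, "locked": False}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct PINs: alphabet_size ** length, exponential in length.
    Each extra decimal digit multiplies the space by 10, each extra character
    drawn from a 62-symbol alphanumeric set multiplies it by 62."""
    return alphabet_size ** length


if __name__ == "__main__":
    print(type_until_submit(PinVerifier("1234"), "123456"))   # accepted after 4 keys
    print(brute_force(PinVerifier("1234")))                    # no lockout: found
    print(brute_force(PinVerifier("1234", lockout_threshold=5)))  # locked after 5
    print(keyspace(10, 4), keyspace(10, 6), keyspace(62, 6))
```

The `brute_force` attempt count against a 4-digit PIN with no lockout is bounded by the keyspace plus the length probe, and against a 6-digit PIN it is a hundred times larger; with a lockout threshold of 5 the count is 5 in both cases, which is why the reply above about Group Policy matters more than the length argument for a machine an attacker can sit at.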
  4. I’ve been computing for a decade, but this left me puzzled. I’m not alone in this I see. How does a PIN, (regardless of length), secure my local computer if I don’t enter it with keystrokes?
    Please re-visit this, Leo, and speak to those of us who need it on a bit more pedestrian level. Sorry about the density, but if I don’t get it I usually have company.
    Thanks

    Reply
    • Yeah, this seems somewhat nonsensical to me. If a keylogger is present on your system, it can log both the PIN and any passwords that you subsequently enter, including your Microsoft password (if you enter it). Leo’s contention would seem to be that you probably will not enter your Microsoft Account password after logging in with your PIN, so it will not be captured. While that may be true, any other passwords – banking, email, etc. – that you enter will be captured, and those passwords are likely more important than the one protecting your Microsoft Account.

      All in all, I think keyloggers are pretty irrelevant to this discussion.

      Reply
  5. “The single biggest difference between using a PIN and a Microsoft account password to sign in to your machine is that the PIN only works on the specific machine for which you set it up.” – I’m somewhat puzzled. How’s a PIN tied to a device on a non-TPM enabled system?

    Reply
  6. Hi Leo, I just wanted to add a comment about using your PIN for sign-in. You said you would lose synchronization across machines, but that didn’t happen with mine. I use a laptop and PIN at work, and a desktop and password at home. I changed the desktop wallpaper on my home computer, and the next day when I went to work, it was on the laptop when I fired it up. Kind of confused and surprised me, since I really didn’t want it there.

    Reply
  7. Leo, you did a valiantly great job explaining why MS decided to use a PIN. But I’ll present a perhaps cynical alternative rationale. This is the type of goof that happens all too often in software, or for that matter in technical designs: someone comes up with what they think is a great idea, usually trying to “fix” what ain’t broken. Then they discover that there is a hole (i.e. problem) with the design, so instead of undoing the problem, they tack a patch onto the problem and somehow rationalize it. MS wanted to tie in the MS account to all computer log-ins for their marketing, so in Windows 10 they said you must use your MS account rather than a machine password. Then they discovered that this scheme wasn’t so secure – specifically, not secure for MS. So they invented the PIN concept to protect MS accounts from being hacked, but not lose the association between a computer and the MS account. If machine login security was a real concern, then they could have just as easily tied in your machine password to the hardware signature.

    What’s curious is that the PIN doesn’t have to be all numbers. It can be configured to use letters and special characters. In other words, the same concept as the good old machine password, but now it’s tied to your hardware signature and indirectly to your MS account.

    Of course, as Leo already said, if someone has physical access to your machine, none of this matters anyway.

    Reply
  8. I originally set up the machines in my house with MS account logins and a Home Group. We found that the logins were a nuisance because we use long passwords that aren’t easy to type. So we switched to PINs and the Home Group quit working.

    Has anybody else had this problem?

    Reply
  9. Now you can use letters and special characters in your PIN. By definition, it’s no longer a PIN, Personal Identification Number, it’s a PIP Personal Identification Password or Passphrase. ;-)
    You can count on Microsoft for ridiculous naming conventions.

    Reply
