Hugh,

On Thu, Dec 31, 2009 at 5:13 PM, Hugh Griffith <[email protected]> wrote:

> Out of curiosity, does anyone know why we aren't using PIN numbers as
> internet passwords?



(Rereading your post, I'm not sure if you're talking about a PIN in the context
of a payment card or to log in to the bank website; excuse me in advance if my
answer is off-topic.)

PIN numbers are usually used with a payment card.
 * This means you must possess the card AND the PIN.
 * Also, the card becomes unusable if you mistype your code 3 times.
 => That's why you can use it in this case. No one can guess the PIN in 3
guesses.

On the contrary, on the internet:
 * Nowadays, programs exist to try out every possible combination: the 1000
combinations available with a 4-digit PIN can be tried in less than a second.
 * It is rare to lock your account after x attempts. (Why? Because it is a
pain to unlock it afterward.)
 * This password is the only item you need to log in, so it is the weakest
link in the securing process.


All that put together explains why it is unwise to use a PIN code as a
password.


(
Follow-up:
There are only 3 ways to secure an asset:
 * with something you know (a password, a PIN code)
 * with something you possess (a card, a certificate)
 * with some part of you (your eye, your fingerprints, your DNA)
And the more the better.
)

If I've been unclear, let me know.

Gilles.
twitter.com/gillesdemarty
________________________________________________________________
Welcome to the Interaction Design Association (IxDA)!
To post to this list ....... [email protected]
Unsubscribe ................ http://www.ixda.org/unsubscribe
List Guidelines ............ http://www.ixda.org/guidelines
List Help .................. http://www.ixda.org/help
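
Added example, not part of Gilles's message: a small Python simulation of the contrast the reply draws between a card-style PIN check that locks after three wrong tries and a login with no attempt limit. The class and function names and the sample PIN are constructed for illustration.

```python
import hmac
from fractions import Fraction


class PinVerifier:
    """Checks a PIN; optionally locks after max_failures consecutive wrong tries."""

    def __init__(self, pin, max_failures=None):
        self._pin = pin
        self.max_failures = max_failures  # None models a login with no lockout
        self.failures = 0
        self.locked = False

    def verify(self, guess):
        if self.locked:
            return False  # once locked, even the right PIN is refused
        if hmac.compare_digest(guess.encode(), self._pin.encode()):
            self.failures = 0
            return True
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.locked = True
        return False


def simulate_guessing(verifier, digits=4):
    """Try every PIN in order; return (pin found or None, attempts made)."""
    attempts = 0
    for n in range(10 ** digits):
        if verifier.locked:
            break
        attempts += 1
        guess = f"{n:0{digits}d}"
        if verifier.verify(guess):
            return guess, attempts
    return None, attempts


def guess_probability(digits, allowed_tries):
    """Chance that distinct guesses hit a uniformly chosen PIN before lockout."""
    space = 10 ** digits
    return Fraction(min(allowed_tries, space), space)


if __name__ == "__main__":
    sample_pin = "4821"  # constructed sample value
    print("no lockout:  ", simulate_guessing(PinVerifier(sample_pin)))
    print("3-try limit: ", simulate_guessing(PinVerifier(sample_pin, max_failures=3)))
    print("success odds with 3 tries:", guess_probability(4, 3))
```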
