When working with a client once, they asked us to help harden their biological research labs by recommending additional security measures they could install. We did an initial and very casual walkthrough of the labs with them to see how they were used. They were particularly proud of the Hirsch Scramblepads they had installed on the access-controlled doors. For those unfamiliar with these, they are an ingenious type of PIN pad on which the digits are scrambled into new positions each time you begin to enter your PIN. This way, someone cannot merely peek at where your fingers were and assume that if you pressed the bottom right of the pad, it was a 9. Note what that does and does not buy you: scrambling defeats shoulder-surfing of finger positions, but it does nothing to stop someone from simply guessing the PIN. Anyway, they were (and still are in some circles) the Cadillac of PIN pads for access control.
As we began interviewing some of the lab staff, we asked how well they liked the keypads and how they were used. Most responded that they felt the keypads worked very well and were kind of "Star Wars" like because of their technology. We soon learned, however, that the PINs in use were 4-digit PINs, and that there were a couple of hundred people who had access to these labs. To make it worse, departmental policy was that each individual was allowed to select their own PIN. Yikes.
So, I promptly walked up to a PIN pad, and entered “1234”.
“Click”. The door opened.
Okay, “1379”. “Click”.
Yep. Hmmm, one more, “2468”. “Click”. Okay, I see the biggest problem…
The good news is that it was a cheap fix. That doesn't mean easy, it was just cheap. The long-term fix was to add card access with CARD+PIN readers, so that a guessed PIN alone no longer opens a door; in the meantime, we increased the number of digits in the PIN and assigned the PINs to the staff instead of letting them pick their own. That's why it wasn't easy. Some of the staff complained because now they had to learn a new PIN, and sometimes they forgot it, locking themselves out of the lab until they could remember it or get it reset. Memorizing a new number (don't we have enough numbers, passwords, etc. to learn already?!) is not fun and shouldn't be necessary just to get into work.
Reading this now, this all probably seems like common sense to you, and it is. It's just that sometimes common sense isn't applied in practice the way we would expect. Security is a hassle, an inconvenience. So, someone decided to make it easier on people and let them pick their own PIN. This is where security policy and procedures come into play. They should be developed, implemented, maintained, and tested. Had a proper policy been conceived and applied to the issuance of access control PINs, our job wouldn't have been so easy.
Just like passwords, a weak PIN is worse than NO PIN at all, because it gives you a false sense of security when there really is none. Do the arithmetic: with a couple of hundred valid 4-digit PINs on one door, a single random guess already has about a 2% chance of opening it, and letting people choose their own PINs concentrates them on a handful of patterns (1234, 2468, the four corners of the pad) so that a few guesses are almost certain to work. If you still use only PINs, issue PINs of at least 8 digits centrally, reject the obvious patterns, and ensure that no two users share one. But better still, couple a PIN with an additional factor such as card access or biometrics. After all, two independent factors are better than one.
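To make the recommendation concrete, here is an added example (not code from the original post or from Hirsch) that does two things: it computes how likely a single random guess is to open a door given the number of valid PINs, and it issues PINs the way the post recommends, centrally assigned, 8 digits, never shared between users, with trivial keypad patterns rejected. The 8-digit length is the post's own figure; the weak-pattern list and the helper names are assumptions for illustration.

```python
"""Added example: guess probability and centrally issued access-control PINs.

Not the original post's code. Assumptions: the 8-digit length comes from the
post's recommendation; KEYPAD_PATTERNS is a constructed starting list of
shapes that are easy to trace on a 3x4 keypad, not an industry standard.
"""
import secrets

# Constructed starting blocklist of keypad shapes. "1379" is the four corners
# (one of the PINs that opened the lab door), "2580" is the middle column.
KEYPAD_PATTERNS = {
    "1379", "9731", "1397", "7931",   # corners
    "2580", "0852",                   # middle column
    "1470", "0741", "3690", "0963",   # outer columns
}


def guess_success_probability(n_users: int, pin_length: int) -> float:
    """Chance that one random guess matches some valid PIN.

    Assumes every user holds a distinct PIN; with user-chosen PINs the real
    figure is higher because choices cluster on a few patterns.
    """
    space = 10 ** pin_length
    return min(n_users, space) / space


def expected_guesses_until_open(n_users: int, pin_length: int) -> float:
    """Expected number of random guesses before some door opens (geometric)."""
    return 1.0 / guess_success_probability(n_users, pin_length)


def _weak_block(block: str) -> bool:
    """True for a 4-digit run that is all one digit, a constant-step
    sequence (1234, 2468, 9753), or a known keypad shape."""
    digits = [int(c) for c in block]
    if len(set(digits)) == 1:
        return True
    if len({b - a for a, b in zip(digits, digits[1:])}) == 1:
        return True
    return block in KEYPAD_PATTERNS


def is_weak_pin(pin: str) -> bool:
    """Reject PINs that a person would plausibly guess in a few tries."""
    if not pin.isdigit() or len(pin) < 4:
        return True
    half = len(pin) // 2
    if len(pin) % 2 == 0 and pin[:half] == pin[half:]:   # 1212, 12341234
        return True
    # Any 4-digit window that is itself a trivial pattern taints the whole PIN.
    return any(_weak_block(pin[i:i + 4]) for i in range(len(pin) - 3))


def issue_pins(user_ids, pin_length: int = 8) -> dict:
    """Centrally assign one distinct, non-weak random PIN per user.

    Returns {user_id: pin}. Uses the secrets module, so PINs are not
    predictable from one another.
    """
    if len(user_ids) > 10 ** pin_length:
        raise ValueError("more users than possible PINs of that length")
    assigned = {}
    taken = set()
    for uid in user_ids:
        while True:
            pin = "".join(str(secrets.randbelow(10)) for _ in range(pin_length))
            if pin not in taken and not is_weak_pin(pin):
                break
        assigned[uid] = pin
        taken.add(pin)
    return assigned


if __name__ == "__main__":
    for length in (4, 8):
        p = guess_success_probability(200, length)
        print(f"200 users, {length}-digit PINs: one guess opens a door with "
              f"probability {p:.6%}, expected "
              f"{expected_guesses_until_open(200, length):,.0f} guesses")
    for pin in ("1234", "1379", "2468"):
        print(f"{pin}: weak={is_weak_pin(pin)}")
    staff = [f"user{i:03d}" for i in range(200)]
    pins = issue_pins(staff)
    print(f"issued {len(set(pins.values()))} distinct PINs for {len(staff)} users")
```

The window check is deliberately strict for 8-digit PINs: a PIN such as 91234567 is rejected because it contains 1234, and the issuance loop simply draws again, which costs nothing since fewer than two percent of random 8-digit strings trip it.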