PIN vs Password: When to Use Each and How to Keep Them Safe
A 4-digit PIN has only 10,000 possible combinations. An attacker testing every one on a website would crack it in seconds. Yet that same 4-digit PIN on your phone is considered a reasonable security measure. The difference comes down to where and how it is verified — not the PIN itself.
What a PIN actually is
A PIN (Personal Identification Number) is a short numeric code, typically 4 to 8 digits, used to authenticate access to a device, card or service. The term originated in banking with the introduction of ATMs in the 1960s, and the concept has since spread to phones, building access systems, SIM cards and some online services.
Unlike passwords, PINs are almost always purely numeric. This means a 4-digit PIN has exactly 10,000 possible combinations (0000 through 9999). A 6-digit PIN has 1,000,000. These are very small numbers compared to character-based passwords of the same length, which is why context matters so much.
Why PINs are safe on devices
The reason a 4-digit PIN works on your phone is hardware lockout. The device enforces a limit on how many incorrect guesses are allowed — typically 5 to 10 — before triggering a time delay, wipe or full lockout. An attacker with your phone cannot simply write a script to try all 10,000 combinations; after a handful of wrong guesses, the device stops them.
Your bank card works the same way. Three wrong PIN attempts locks the card, and it cannot be unlocked without the bank's involvement. The small number of possible PINs is protected entirely by the rate limiting built into the hardware and the issuing system.
This is an important principle in security: the strength of a credential depends not just on the credential itself, but on the system that validates it. A short, simple code can be secure when the verification system severely limits how many attempts are allowed.
Why PINs fail online
Online systems — particularly poorly designed ones — often lack meaningful rate limiting. An attacker trying PINs against a web login can potentially test thousands of combinations per second. Even with generous lockout policies (say, 10 attempts before a 15-minute delay), all 10,000 combinations of a 4-digit PIN could be exhausted in under a day.
Even well-designed online systems with strict lockouts still make PINs vulnerable if the underlying password database is ever stolen. Unlike a phone's hardware lockout (which remains in place even if you steal the device), a stolen database can be attacked offline with no attempt limits at all. A 6-digit numeric PIN would be cracked in milliseconds in an offline attack.
This is why using a PIN as an online account password — particularly a short one — is a security risk, even if the site does not prohibit it.
PINs work well for...
- Phone lock screens
- Bank and credit cards
- Building or door access systems
- SIM card unlock
- Encrypted device unlock (when paired with biometrics)
PINs are not suitable for...
- Online account passwords
- Email accounts
- Anything without hardware lockout
- Services that store PINs as account passwords
- Your password manager master credential
How to pick a good PIN
Even within the context where PINs are appropriate, some choices are dramatically weaker than others. Research on leaked PIN databases consistently finds that a small number of PINs account for a disproportionate share of usage:
- 1234 — the most common 4-digit PIN, used by an estimated 10% of people
- 0000 — the second most common
- 1111, 2222 etc. — repeated digits are heavily favoured
- Dates — years, birth dates and anniversaries are predictable
- Keyboard patterns — 2580 (straight down the middle of a phone keypad) is frequently used
An attacker targeting a physical device will typically try these common PINs first. Even with hardware lockout, if your PIN is 1234 and the attacker gets 10 attempts, there is a meaningful risk. A randomly generated PIN has none of this predictability — it is just as likely to be any of the 10,000 (or million) possible combinations.
For 6-digit PINs, the improvement from randomness is more significant. Random generation ensures you are not gravitating toward the predictable patterns that attackers try first.
Get a truly random PIN with no predictable patterns
Our PIN generator uses your browser's cryptographic randomness to generate 4, 6 or 8-digit PINs with equal probability for every digit. No patterns, no bias.
Open PIN GeneratorPIN security depends heavily on the system enforcing it. Always follow the security guidance of the specific device or service you are using a PIN for.