Equifax: woeful PINs put frozen credit files at risk

When is a password not a password?

Never. It’s always a password.

No matter what you call it – password, passcode, passphrase, secret, PIN, login or Jeff – and no matter if it is numeric or alphanumeric, under the hood it’s the same. The same rules apply on how you choose it and how you store it.

Since Friday we’ve been advising the 143 million people who have been affected by the giant Equifax data breach to put a freeze on their credit files.

Frozen credit files can’t be accessed by creditors, which should stop thieves who stole your identity during the breach from taking out a line of credit in your name. Of course it stops you from taking out credit too but unlike the crooks, you can unfreeze your credit files if you need to.

It’s far from a perfect solution – freezing and unfreezing isn’t slick – but short of changing your SSN and date of birth it’s probably your best protection.

What stops the thieves from unfreezing your credit files is a PIN that you know and they don’t. Equifax chooses your PIN and gives it to you when you freeze your credit files.

Like all PINs, they’re just passwords by another name and the normal rules for choosing passwords apply: the PIN should be long, chosen at random and difficult to guess.

No matter how much a hacker knows about a person or system creating a password, that knowledge shouldn’t help. Likewise, knowing a password shouldn’t reveal anything about the system that created it or make guessing another one any easier.

That’s why we advise that your passwords shouldn’t be a child’s birthday, a pet’s name or your favourite sports team, and why you shouldn’t pick passwords according to a sequence or pattern.

In this case, however, you don’t get to choose: Equifax does it for you, so the normal rules about choosing passwords apply to them rather than to you.

Not PINs at all

Unfortunately Equifax PINs aren’t chosen at random, they are simply the date and time at which you performed your freeze.

If you froze your data on Friday night after watching our Facebook Live about the Equifax breach at, let’s say, 5pm, your PIN would be 0908171700.

The timestamp uses the format MMDDyyHHmm where two characters are used to represent each of: month (01 to 12), day of the month (01 to 31), year, hours since midnight (00 to 23) and minutes (00 to 59).

It seems that this isn’t some hurriedly put together, post-breach workaround either, as journalist and data nerd Tony Webster pointed out on Twitter:

The PINs are 10 digits long. If Equifax chose numeric PINs at random the crooks would have a one in ten billion chance of guessing the right number on the first go (that still wouldn’t count as a strong password by the way, but it’s not bad).

By using dates Equifax have slashed the odds on a successful guess.

Even if the system used a randomly-generated timestamp and turned it into a PIN, the system would be flawed.

There are only 365 days in most years, so the MMDD digits don’t deliver 10,000 different possibilities (0000 to 9999) as you might expect, and there are only 1440 minutes in a day, which slashes the range of possible values that HHmm can take.

Even if Equifax picked years from anywhere in the last century, the MMDDyyHHmm format would give just 365 × 100 × 1440 variations for a total of just over 50 million different PINs, rather than the 10 billion variations you might reasonably expect the security of the system to be based upon.

Of course, it’s much, much worse than that, because Equifax uses the time of your freeze application to lock in your PIN.

At the time of writing, the breach announcement happened about three days ago – and there are fewer than 5000 minutes in three days.

If you froze your credit files since the announcement, the odds of guessing your PIN correctly aren’t one in ten billion, they’re better than one in 5000.

If we assume that you didn’t freeze your credit files while you were asleep, and that you took at least a few hours to get round to applying for a freeze after hearing the news and deciding what to do, then the odds of guessing the PIN are even better still (better for the crooks, I mean; worse for you).
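The keyspace arithmetic above, worked through in code as an added example that is not part of the original post: it derives a PIN from a freeze time using the MMDDyyHHmm layout the article describes, compares the sizes of the random, timestamp and three-day-window keyspaces, and shows the properly random generation a credit bureau should use instead. The `looks_like_timestamp_pin` audit check and the constructed freeze time are my own additions.

```python
import math
import secrets
from datetime import datetime

# The timestamp layout the article describes: MMDDyyHHmm.
TIMESTAMP_PIN_FORMAT = "%m%d%y%H%M"
PIN_LENGTH = 10


def timestamp_pin(when: datetime) -> str:
    """Derive a PIN the way the article says Equifax does: from the freeze time."""
    return when.strftime(TIMESTAMP_PIN_FORMAT)


def looks_like_timestamp_pin(pin: str) -> bool:
    """Audit check (my addition): does a 10-digit PIN parse as a valid MMDDyyHHmm
    timestamp? A uniformly random PIN passes this only by chance, roughly 1 in 190."""
    if len(pin) != PIN_LENGTH or not pin.isdigit():
        return False
    try:
        datetime.strptime(pin, TIMESTAMP_PIN_FORMAT)
        return True
    except ValueError:
        return False


def keyspace_random_digits(length: int = PIN_LENGTH) -> int:
    """Number of possible PINs when every digit is chosen uniformly at random."""
    return 10 ** length


def keyspace_timestamp(years: int = 100) -> int:
    """Distinct MMDDyyHHmm values: 365 days x years x 1440 minutes
    (leap days ignored, matching the article's arithmetic)."""
    return 365 * years * 1440


def keyspace_window(minutes: int) -> int:
    """When the PIN is the freeze time and the freeze is known to have happened
    inside a window, there is exactly one candidate per minute of that window."""
    return minutes


def bits_of_security(keyspace: int) -> float:
    """Entropy in bits of a uniform choice from a keyspace of the given size."""
    return math.log2(keyspace)


def random_pin(length: int = PIN_LENGTH) -> str:
    """How such a PIN should be generated: from a CSPRNG, independent of any timestamp."""
    return "".join(secrets.choice("0123456789") for _ in range(length))


if __name__ == "__main__":
    # Constructed example: a freeze performed at 5 pm on Friday 8 September 2017.
    print(timestamp_pin(datetime(2017, 9, 8, 17, 0)))  # 0908171700
    for label, space in (("random 10 digits", keyspace_random_digits()),
                         ("MMDDyyHHmm, any year this century", keyspace_timestamp()),
                         ("freeze within 3 days of announcement", keyspace_window(3 * 1440))):
        print(f"{label}: {space:,} candidates, {bits_of_security(space):.1f} bits")
```

A random 10-digit PIN gives about 33 bits; the three-day window gives about 12, which is why rate limiting on PIN entry matters so much here.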

And that’s not the worst of it.

Because of the way the PIN-generating algorithm works, any timestamped logs of your activity on the Equifax systems that are related to your freeze (computers tend to generate a lot of timestamped logs) are effectively improperly secured copies of your PIN.

In other words, any PIN that’s generated like this just isn’t a PIN.

Our own Paul Ducklin put it this way:

The P in PIN is for Personal. It is by definition not a PIN if anyone else but you can figure it out by any method better than blind luck – for example by predicting it or retrieving it from a database.

Banks, he points out, don’t do it this way.

That is why banks issue ATM cards for which the PIN:

  • Is chosen by you privately when the card is encoded at the bank, or
  • Is generated randomly and printed using a tamperproof mailer that is sent to you separately from the card.

The PIN itself is not stored by the bank in plaintext form.

Equifax’s system ought to work that way. After all, those “freeze PINs” are essentially Equifax’s digits-only equivalent of, say, your Facebook or your email password.

Sadly, none of this comes as much of a surprise. As Forbes reports, Equifax have struggled with creating secure PINs before. In 2016 the company had to fix a serious flaw in the way it generated PINs issued to client employees:

[the PINs] consisted of the last four digits of an individual’s social security number and their four-digit year of birth


What next?

Unfortunately there is nothing you can do about this, it’s all on Equifax. Freezing your credit files remains your best course of action but you should know that the freeze is not as well protected as it should be.

The question is, what will Equifax do next? We think it needs to:

  • Acknowledge that its PINs are not fit for purpose and fix them.
  • Ensure that PIN entry is “rate limited” to prevent online guessing attacks.
  • Promise to tell you if your PIN is hit by a guessing attack.

We’d also like to see Equifax commit to implementing the “right to deletion” of your data that GDPR will enshrine in Europe next year, even if US laws do not require it.

Remember, Equifax CEO Rick Smith said in his announcement about the breach that Equifax “will not be defined by this incident, but by how we respond”.

This is a Security Bloggers Network syndicated blog post. Read the original at: Naked Security - Sophos 2017-09-10.