Monthly Archives: October 2012

Ocean’s Eleven-ing the Bank

In a move that will only cause me to get abuse from my colleagues, I’m about to tell you about a super fun little maths problem I’ve been working on this evening. To make it even more likely that I will be called a nerd/geek, this problem was inspired by a photo of a number pad I took a few days ago. Here is the photo, and here is the story.

This photo was taken in a bank. It was also taken with a lot of espionage skill. It’s the number pad on the back of the cashpoint. This is inside the bank, and will be used when the cash in the machine needs to be stocked. If you wanted to steal the money from the machine by going in this way, you’d need to know the PIN. Which makes the security of that PIN pretty important.

Now, I know the photo is blurry (I didn’t have time to take a decent photo else they’d have thought I was casing the joint) but you can see that some of the keys are brighter than others. This is an example of a Desire Path (which is something I still need to write a post about). A desire path shows you how people really truly want to use an object. The cleaner keys show you that these are the ones getting regular use; the dirty keys are not getting pressed as much. The reason this is interesting is that I now know which numbers are used in the PIN of this entry system. Awesome.

Now this made me start thinking about the security of such a system. If you, for whatever reason, can’t avoid giving away which numbers you’ve pressed on one of these key pads, how can you make sure you’re choosing the most secure set of numbers? Just choose any four numbers and hope that the person trying to crack it can’t tell which order you typed them in? Well, as it turns out, no, that’s not the best strategy.

If you know that my PIN involves the numbers 1, 2, 3 and 4 then that tells you my PIN is one of 24 possible different combinations, because the order you use those numbers matters. My PIN might be 1234 or 4321 or 1243 or 2314 and so on. So choosing 4 different numbers for the PIN for this machine in the picture means a potential thief would have to guess up to 24 different combinations. Which actually, isn’t that secure.

This is where the maths comes in: what happens when the PIN involves a repeated number? In this case, only 3 of the keys on the number pad would be clean, rather than 4, as one key would be pressed twice. For instance, if the PIN was 1233, only the numbers 1, 2 and 3 would be clean. It may seem counterintuitive, but this approach actually increases the security of the PIN in this situation, even though it uses fewer numbers. The reason is that it adds an element of uncertainty to the mix: there are now three different sets of four numbers that could be used in the PIN. If 1, 2 and 3 are clean, the numbers in the PIN could be 1233, or 1223 or 1123. Even though there are fewer ways to arrange each of these sets of numbers, because there are three of them, knowing the three numbers used in a four-digit PIN means the thief would have to try up to 36 different combinations of numbers.

So my advice to the bank, after doing this maths is that they should pick a PIN with only three different numbers in it, not one with four. Or they should just clean the number pad, it looks kind of gross.

(The maths in the post was a series of permutation calculations, I’ve saved you from having to read them but if you’re interested I can share. Maths is cool.)
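
The counts quoted above (24 candidates for four clean keys, 36 for three) can be checked by brute-force enumeration and by an inclusion-exclusion formula. This is an added example, not the author's own calculations; it goes beyond the post by tabulating every possible number of clean keys and other PIN lengths, and the function names are illustrative.

```python
from itertools import product
from math import comb


def candidates_by_enumeration(clean_keys, pin_length=4):
    """Every PIN that presses each clean key at least once and no other key."""
    keys = sorted(set(clean_keys))
    return ["".join(p) for p in product(keys, repeat=pin_length)
            if set(p) == set(keys)]


def candidates_by_formula(k, pin_length=4):
    """Count the same PINs without listing them (inclusion-exclusion).

    Start from all k**n sequences over the k clean keys, then remove the
    ones that miss at least one of those keys.
    """
    return sum((-1) ** j * comb(k, j) * (k - j) ** pin_length
               for j in range(k + 1))


def search_space_table(pin_length=4):
    """Map 'number of clean keys' -> 'PINs an observer still has to try'."""
    return {k: candidates_by_formula(k, pin_length)
            for k in range(1, pin_length + 1)}


def best_choice(pin_length=4):
    """Number of distinct digits that leaves the observer the most guesses."""
    table = search_space_table(pin_length)
    return max(table.items(), key=lambda kv: kv[1])


if __name__ == "__main__":
    # The two cases from the post: keys 1-4 clean, then only keys 1-3 clean.
    print(len(candidates_by_enumeration("1234")))  # four distinct digits
    print(len(candidates_by_enumeration("123")))   # one digit repeated
    for n in (4, 6):
        print(n, search_space_table(n), "best:", best_choice(n))
```

For a four-digit PIN the table shows the trade-off the post describes: three distinct digits leave the most candidates, while dropping to two or one distinct digit shrinks the search space again.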


