Why are ATM PINs 4 digits long?
Dave G. | June 25th, 2007 | Filed Under: Slashdot Rounddown
The answer is best summed up in this article about the ATM Machine turning 40 years old. They quote John Shepherd-Barron, the inventor of the ATM:
Mr Shepherd-Barron came up with the idea when he realised that he could remember his six-figure army number. But he decided to check that with his wife, Caroline. “Over the kitchen table, she said she could only remember four figures, so because of her, four figures became the world standard,” he laughs.
If you had asked me how they had come up with the length requirements, I would have thought that somewhere, someone might have tried to run some basic statistics and figure out acceptable losses based on the likelihood of a PIN getting guessed, then tried to balance that against user requirements.
Nope. That wasn’t (isn’t?) how decisions and standards are made. And even today, MOST PINs are four digits in length. Policies are well documented inside of the enterprise. One thing that usually doesn’t get well preserved is why those policy decisions were made.
The other choice quote from this article:
“Money costs money to transport. I am therefore predicting the demise of cash within three to five years.”
While I can appreciate anyone who tries to predict the future, we should remember there is a reason why we say most of them are insane. I can see a future without cash, but even if we all said right now that it is time to move away from cash, it would take more than five years to execute on that.
Finally, Mr Shepherd-Barron is working on a new invention, one to scare salmon-stealing seals away from his salmon farm:
“I invented a device to scare them off by playing the sound of killer whales, but it’s ended up only attracting them more.”
It’s clearly an uphill battle to top the invention of the ATM.


Jeremiah Blatz
June 25th, 2007 3:26 pm
Funny story, but 4 probably is the right number, from a usability point of view. Short term memory holds from 4-7 items for almost everyone, and it’s much easier to remember something when you can hold the whole thing in short-term memory at once. So, from a support cost point of view, 4 is probably as high as you can go for something like ATM cards, where the cost of a forgotten PIN is high.
Also, of course, ATMs have a 2-factor system, you need the card and the PIN. From an economic POV, it even appears that the original system was too secure. Back in the day, the machine would keep your card if you misguessed the PIN 3 times. Now with dip and swipe machines, they can’t confiscate your token. (Presumably they do some locking on the back end.) If you assume that banks make rational risk assessments (big if), then that feature wasn’t worth the cost.
PaulM
June 26th, 2007 11:41 am
The frustrating part of a story like this is that password/PIN strength requirements* boil down to a little bit of research and some algebra. There’s no need for a random, arbitrary decision like this.
* CSC-STD-002-85
http://ftp.fas.org/irp/nsa/rainbow/std002.htm
@Jeremiah: Since the PIN authenticates the user to the card, I would argue that it’s not 2-factor auth. Not to mention that many banks have used (and continue to support for the short-term future) 10^4 PINs as passwords for online banking apps.
dragonfrog
June 26th, 2007 12:34 pm
I wonder if his wife ever phoned anyone without looking up the number. Ah well.
Something they don’t mention is why many ATMs still make such a racket of whirring and clattering - they could have been making them quiet for the past 15 or 20 years, but when they started introducing the quiet ones, many users got worried that nothing was happening and they weren’t going to get their money - so they went back to having them produce completely unnecessary loud mechanical noises.
Now though, people are probably sufficiently used to the idea of computers doing stuff without producing noise, that quiet ATMs are starting to show up.
Ted
July 2nd, 2007 12:36 am
I think the decision of the pin number could be made by an intelligent man in his head without the statistical information written down and analyzed.
We will just see if the 4 digit pin survives for the next 40 years.
At the ATM machine.
- Something you have, and something you know.
- Card is blocked after 3 incorrect pin entries. (may differ between banks)
- My 4 digit pin code isn’t used online.
Lionell
July 5th, 2007 12:50 am
Even if your bank gives you the option of selecting a longer PIN, it may not be any more secure. Some PIN verification methods (VISA PVV for certain, possibly others) have a very limited password hash length (like 4 digits). You may happen to pick a 5-digit PIN with a hash that can’t be produced by some 4-digit PIN, but it’s unlikely. There is almost certainly a 4-digit PIN which will produce the same hash, and work for your card.
That said, 3 guesses over 10,000 values is pretty safe.
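Added example (not from the post or any commenter): the algebra PaulM points to, the cited guideline's P = L·R/S with S = A^M, applied to a lockout-limited PIN, followed by a measurement of what a 4-digit verification value does to longer PINs as Lionell describes. The check value is a stand-in (HMAC-SHA256 reduced mod 10^4), not the VISA PVV algorithm; the key, account string, sample PIN and 1e-6 target are constructed.

```python
import hashlib
import hmac

DEMO_KEY = b"constructed-demo-key"   # constructed; real keys stay inside an HSM
ACCOUNT = "CONSTRUCTED-ACCT-0001"    # constructed sample account identifier


def guess_probability(guesses: int, space: int) -> float:
    """P = (L * R) / S, with L * R replaced by the guesses allowed before lockout."""
    return min(1.0, guesses / space)


def min_pin_length(guesses: int, target_p: float, alphabet: int = 10) -> int:
    """Smallest length M with guesses / alphabet**M <= target_p (S = A**M)."""
    length = 1
    while guesses / alphabet ** length > target_p:
        length += 1
    return length


def check_value(pin: str, account: str = ACCOUNT) -> str:
    """Stand-in 4-digit verification value (assumption: HMAC-SHA256 mod 10^4)."""
    mac = hmac.new(DEMO_KEY, f"{account}:{pin}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac, 'big') % 10_000:04d}"


def all_pins(length: int):
    """Every decimal PIN of the given length, leading zeros included."""
    return (f"{n:0{length}d}" for n in range(10 ** length))


def accepted_pins(true_pin: str) -> list[str]:
    """Same-length PINs the verifier cannot tell apart from true_pin."""
    target = check_value(true_pin)
    return [p for p in all_pins(len(true_pin)) if check_value(p) == target]


def share_with_short_equivalent(length: int = 5, short: int = 4) -> float:
    """Fraction of `length`-digit PINs whose check value a `short`-digit PIN also yields."""
    covered = {check_value(p) for p in all_pins(short)}
    return sum(check_value(p) in covered for p in all_pins(length)) / 10 ** length


if __name__ == "__main__":
    print("P(guess 4-digit PIN in 3 tries):", guess_probability(3, 10 ** 4))
    print("digits needed for P <= 1e-6 with 3 tries:", min_pin_length(3, 1e-6))
    print("5-digit PINs accepted for one card:", len(accepted_pins("48213")))
    print("5-digit PINs with a 4-digit equivalent:", share_with_short_equivalent())
```

With a uniformly distributed 4-digit check value, each value is shared by about ten 5-digit PINs, so the per-guess success rate stays near 1 in 10^4 whatever length the cardholder chooses.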
Dennis Wronka
July 6th, 2007 10:01 pm
Here in Hong Kong PIN-numbers have 6 digits.
This actually is something you really have to get used to after living in a country with only 4 digits for over 20 years.
@dragonfrog: It’s exactly the same with washing-machines. If they’re silent people get worried if the machine is actually doing something.