PIN Security for Administrators

PINs (Personal Identification Numbers) have spread into virtually every aspect of modern life. You use them to open your smartphone, pay for purchases with your debit or credit card, gain access to your home or office building, and so much more. These codes are often four to six digits and are commonly used to identify you (an individual user) to a system.

In the access control world, PINs are one of several possible credentials administrators can use to control access at an apartment or office building, or a vacation rental property. Unlike mobile credentials, which are growing in popularity, PINs have been around for a long time. But that doesn’t diminish their practicality. PINs are super convenient because they don’t require the user to carry anything or install any apps. Users just memorize their PINs and enter them when they want to open a door via a smart lock.

However you deploy them, PINs act as a layer of protection for properties and the people who live and work there. So, it’s a good idea for administrators to review the guidelines around PIN security and make sure to follow and enforce them. 

Assign PINs

For those administrators using PINs and managing a large user population like a multifamily residential building, assign PINs to each user instead of allowing users to choose their own PINs for optimal PIN security. Most of today’s access control software like RemoteLock takes care of this for you by randomly generating a unique PIN for each user. 

Carefully Consider PIN Length

Shorter PINs are easier for bad actors to guess. But you also don’t want to burden users with extra lengthy PINs which they may often forget. As an administrator, you want to find the right balance between safety and convenience to achieve optimal PIN security. For example, let’s say you have roughly 100 users using 100 different four-digit PINs to enter the main door at the apartment building you manage. There’s a 1% chance that a single random guess hits a valid PIN. But if your user population grows, you’ll need longer PINs to maintain or improve on this level of security. For instance, with a population of 1,000 users using six-digit PINs, you’d have just a 0.1% chance that someone could guess a valid PIN.

Also be aware that with access control software like RemoteLock, your centralized dashboard not only shows you who has entered and where, but you’ll also see failed access attempts. Via the software, you can also specify a maximum number of login attempts before shutting down. This makes PINs resistant to brute force attacks. Finally, administrators can easily create and revoke access codes in just seconds from a laptop or smartphone, from anywhere. That’s how a platform like RemoteLock adds yet another security measure and ensures your system lets in authorized people and keeps out everybody else. 
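The arithmetic behind the PIN-length figures, extended to the attempt limit described above, as an added example (not RemoteLock code). It generalizes the article's single-guess numbers to several guesses before lockout; the function names and the assumption that an attacker never repeats a guess are illustrative.

```python
from fractions import Fraction
from math import comb

def single_guess_odds(active_pins: int, digits: int) -> Fraction:
    """Chance that one random guess matches any PIN currently in use."""
    space = 10 ** digits
    if not 0 <= active_pins <= space:
        raise ValueError("more active PINs than the PIN length allows")
    return Fraction(active_pins, space)

def odds_before_lockout(active_pins: int, digits: int, max_attempts: int) -> Fraction:
    """Chance that at least one of max_attempts distinct guesses is valid."""
    space = 10 ** digits
    attempts = min(max_attempts, space)
    # P(every guess misses) = C(invalid codes, attempts) / C(all codes, attempts)
    all_miss = Fraction(comb(space - active_pins, attempts), comb(space, attempts))
    return 1 - all_miss

def min_digits(active_pins: int, max_attempts: int, target: Fraction) -> int:
    """Shortest PIN length that keeps the pre-lockout hit chance at or below target."""
    digits = 1
    while (10 ** digits < active_pins
           or odds_before_lockout(active_pins, digits, max_attempts) > target):
        digits += 1
    return digits

if __name__ == "__main__":
    # The article's two scenarios, then the same building with 5 tries allowed.
    print(float(single_guess_odds(100, 4)))       # 100 users, four digits
    print(float(single_guess_odds(1000, 6)))      # 1,000 users, six digits
    print(float(odds_before_lockout(100, 4, 5)))  # 5 attempts before lockout
    print(min_digits(1000, 5, Fraction(1, 1000)))
```

The per-guess figure scales with the number of attempts allowed, so the lockout threshold and the PIN length have to be chosen together.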

If You Do Let Users Choose Their Own PINs … 

Just remember that PINs are credentials that depend upon human memory and input. Be sure to set clear parameters with your users concerning choosing PINs, including:

#1: Avoid using easy-to-guess PINs like birthdays, weddings or anniversaries. When bad actors are looking for information about a user, these are go-to numbers in the PIN guessing game. They target these dates because they know they are memorable and more likely to be used as PINs. 

#2: Avoid numerical-order PINs, such as 1234 or 456789, and PINs composed of a single repeated digit like 1111 or 7777. Furthermore, don’t use PINs consisting of sequential numbers on one column of the keypad like 1-3-5-7 on a 2×6 keypad, or 2-5-8-0 on a 3×4 keypad. Likewise, avoid patterns on the keypad like a four-corner PIN such as 1209 on a 2×6 keypad, or 1397 on a 3×4 keypad.

#3: Take care when entering PINs. The most common way a PIN is compromised is by bad actors watching PIN entries on keypads. So, tell users to shield their movements on the keypad to deter snooping when others are around. 

#4: Don’t give out PINs online or over the phone, and don’t share PINs with others.

#5: Avoid using the same PIN for multiple devices. Just like the old proverb says to not put all your eggs in one basket, everything can be compromised should one user’s all-purpose PIN become known.

#6: If a user thinks his or her PIN has been compromised, encourage immediate reporting to you, the administrator. 
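One way to combine the "Assign PINs" advice with guideline #2, as an added example that is not RemoteLock's implementation: it draws unique PINs from a cryptographic random source and rejects the patterns named in #2. The 3×4 keypad layout, the function names and the 10% occupancy limit are assumptions made for illustration.

```python
import secrets
from typing import Dict, Iterable, Optional

# Assumption: standard 3x4 phone-style keypad, mapped key -> (row, column).
KEYPAD_3X4 = {key: divmod(i, 3) for i, key in enumerate("123456789*0#")}

def weakness(pin: str) -> Optional[str]:
    """Return the reason a PIN breaks guideline #2, or None if it passes."""
    if len(set(pin)) == 1:
        return "single repeated digit"            # 1111, 7777
    pairs = list(zip(pin, pin[1:]))
    if {int(b) - int(a) for a, b in pairs} in ({1}, {-1}):
        return "numerical order"                  # 1234, 456789, 4321
    moves = {(KEYPAD_3X4[b][0] - KEYPAD_3X4[a][0],
              KEYPAD_3X4[b][1] - KEYPAD_3X4[a][1]) for a, b in pairs}
    if len(moves) == 1:
        return "straight line on keypad"          # 2580
    if sorted(pin) == list("1379"):
        return "four-corner pattern"              # 1397
    return None

def assign_pins(users: Iterable[str], digits: int = 6,
                in_use: Iterable[str] = ()) -> Dict[str, str]:
    """Give each user a random PIN that is unique and passes weakness()."""
    users = list(users)
    taken = set(in_use)
    # Illustrative limit: keep at most 10% of the PIN space occupied.
    if (len(taken) + len(users)) * 10 > 10 ** digits:
        raise ValueError("PIN space too small for this population")
    assigned = {}
    for user in users:
        while True:
            # secrets, not random: PINs must not be predictable.
            pin = f"{secrets.randbelow(10 ** digits):0{digits}d}"
            if pin not in taken and weakness(pin) is None:
                break
        taken.add(pin)
        assigned[user] = pin
    return assigned

if __name__ == "__main__":
    for candidate in ("1234", "7777", "2580", "1397", "4829"):  # constructed samples
        print(candidate, weakness(candidate))
    print(assign_pins(["unit-101", "unit-102", "unit-103"]))
```

The same `weakness()` check can screen user-chosen PINs at enrollment; date-based PINs from guideline #1 cannot be detected this way without knowing the user's personal dates.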

If created and protected properly, PINs are an effective way to protect physical spaces.  Practicing good PIN security requires some forethought, but it’s worth the effort to safeguard your properties and the people who live and work at these properties.  If the property you’re accessing–be it an apartment, office building or vacation getaway–is controlled by an advanced software solution like RemoteLock, rest assured that there are built-in security measures that protect PINs from compromise. 

Daniel Bailin

Chief Product Officer

With extensive experience in security, biometrics, mobile access, RFID and more, Daniel is the leading advocate and visionary for RemoteLock’s new and existing products. Having previously worked at both startups and Fortune 25 organizations, he maintains a passion for inventing only what needs to be new and finding ways to repurpose the good work of others for the rest.