Why Are ATM Card PINs Usually Just 4 Digits Long?


ATM card PINs are usually 4 digits long because a 4-digit number is far easier to remember than a 6- or 7-digit one. A short PIN is, in principle, more vulnerable to guessing, but an attacker also needs the physical card, and the card is blocked after a small number of wrong entries (three is the usual limit), which keeps brute-force attacks impractical. Banks therefore treat the convenience-vs-risk tradeoff as worth it.

Unless you’ve been living under a rock, you surely have a bank account. And these days, that is synonymous with having an ‘ATM card’ or a debit/credit card. As you already know, in order to use such a card at an ATM or at a POS (point of sale) terminal in a grocery store or supermarket, you have to authenticate yourself by entering a 4-digit number known as a PIN (Personal Identification Number).

You cannot use a credit/debit card at an ATM if you don’t know its PIN.

You have almost certainly noticed another rather interesting thing about these PINs: they are usually just 4 digits long. One would expect that the card PIN, which guards the bank account holding your hard-earned money, would be much more complicated… but it’s not!

On the other hand, the numerous accounts that you have on the Internet usually urge you or even compel you to choose hard-to-guess passwords that consist of various special characters.

Why Are ATM Card PINs Usually Just 4 Digits Long?

In fact, if you use the ‘Internet banking’ feature of the very same account, you’ll know that the bank’s website typically requires a password containing at least one digit and one special character. Many banks go a step further and force you to change that password every 2-3 months! Clearly, banks want you to choose a very ‘intelligent’ password for your online account, so why are most ATM card PINs just 4 digits long?

Methods Of Authentication

Authentication schemes are built on three kinds of factor: something you are, something you know and something you have.

In some places, you are granted or denied access to highly confidential areas on the basis of a retinal scan. Retinal scans, fingerprint scans and other checks of physical traits fall under the realm of biometrics (something you are).

Retinal scans fall under ‘something you are’. (Photo Credit : Cpl. Christopher O’Quin / Wikimedia Commons)

Similarly, the passwords to your online accounts fall under ‘something you know’. Finally, an ATM card comes under the category of ‘something you have’.

When you have an ATM card and its PIN, you present two of those three factors: ‘something you have’ (the card itself) and ‘something you know’ (the PIN). The PIN is useless to anyone who does not also hold the card, so it does not have to carry the whole burden of protecting the account. That is why banks and financial institutions allow a PIN of just 4 digits, which is considerably easier to remember than a 6- or 7-digit one. A short PIN is (a little) more vulnerable to brute forcing, but that is a tradeoff between convenience and a limited threat.

Brute Forcing ATM PINs

Brute forcing is an attempt to determine a password by systematically trying every possible combination of characters until the correct one comes up. A 4-digit numeric PIN has just 10,000 possibilities (0000 to 9999), which a computer could rip through in milliseconds if it were free to test every guess.

Brute forcing is a common way to hack passwords. (Photo Credit : PSU.EDU)

Brute forcing in the case of ATM PINs would mean that a hacker would try combinations like 0000, 0001, 0002, 0003 and so on. They could also try the most commonly used PINs first, like 1234, 4321, 2222, 9999 etc. until they arrive at the right combination and hit the jackpot (pun intended).

Why Are ATM PINs (Relatively) Safe Against Brute Forcing?

Fortunately for ATM-card users, banks set a hard limit on how many times you can enter an incorrect PIN. On EMV chip cards this is a PIN try counter that the card issuer configures on the chip itself, and three attempts is the near-universal choice: after a third wrong PIN in a row, the card is blocked (sometimes just for the day, sometimes until you visit the branch to reset it). Some issuers allow 4 or 5 tries, but no bank lets attackers try indefinitely.

This means that a person would first have to have your card, and would then get only 3 attempts to gain access to your account. Tools that automate guessing do make brute forcing easier than it appears on the surface, but only where guesses can be tested without limit; against a card that blocks itself after 3 wrong entries, an average person (who somehow got their hands on your card) has a 3-in-10,000 chance of determining your 4-digit PIN through pure guessing, assuming you did not pick one of the popular PINs above. That is very, very unlikely.

One does not simply determine someone else’s ATM PIN by guessing (meme)

That’s why banking institutions allow their ATM PINs to be just 4 digits in length. However, it doesn’t mean that you must settle for a 4-digit PIN if your bank lets you choose a longer one. Every digit you add multiplies the number of possible PINs by 10, so a 6-digit PIN has a million combinations rather than ten thousand (although it becomes a little harder to remember too). For that reason, some banks, particularly in parts of Europe (Switzerland is a notable example), issue 5- or 6-digit PINs by default, but the global norm is still 4. The ISO 9564 standard, which governs PIN management and security, allows PINs of anywhere from 4 to 12 digits while recommending that issuers not go beyond 6 for usability.
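To make the numbers in the last two sections concrete, here is an added example (not code from the original article) that pits the guessing strategy described above, popular PINs first and then 0000 to 9999 in order, against a toy model of a chip card with an issuer-set try counter. The Card class, the PIN "8305" and the two extra common PINs "0000" and "1111" are constructed for this illustration; the other four common PINs are the ones the article names.

```python
"""Simulated PIN-guessing attacker against a card with a try counter.

This is an added example, not code from the original article. The Card
class is a toy model of an EMV-style chip card (secret PIN plus an
issuer-set PIN try counter); the common-PIN list extends the four PINs
named in the article with two constructed guesses; and the PIN "8305"
used in the demo is made up.
"""

# Guess order for the attacker: popular PINs first. "1234", "4321", "2222"
# and "9999" come from the article; "0000" and "1111" are constructed additions.
COMMON_PINS = ["1234", "4321", "2222", "9999", "0000", "1111"]


class Card:
    """Toy card: holds a secret PIN and a PIN try counter.

    max_tries=None models a hypothetical card with no counter at all, which
    is what would make unlimited brute forcing possible.
    """

    def __init__(self, pin, max_tries=3):
        self._pin = pin
        self.max_tries = max_tries
        self.tries_left = max_tries
        self.blocked = False

    def verify(self, guess):
        """Return True if guess matches. A wrong guess decrements the counter;
        at zero the card blocks and rejects everything, right or wrong."""
        if self.blocked:
            return False
        if guess == self._pin:
            self.tries_left = self.max_tries  # a correct PIN resets the counter
            return True
        if self.max_tries is not None:
            self.tries_left -= 1
            if self.tries_left == 0:
                self.blocked = True
        return False


def candidate_pins(length=4):
    """Yield guesses: common PINs of the right length first, then every
    value from 00..0 to 99..9 in order, skipping ones already tried."""
    tried = set()
    for pin in COMMON_PINS:
        if len(pin) == length and pin not in tried:
            tried.add(pin)
            yield pin
    for n in range(10 ** length):
        pin = str(n).zfill(length)  # keep leading zeros: 7 -> "0007"
        if pin not in tried:
            yield pin


def brute_force(card, length=4):
    """Feed guesses to the card until it accepts one or blocks.
    Returns (pin, attempts) on success, (None, attempts) if the card blocks
    first or the keyspace is exhausted."""
    attempts = 0
    for guess in candidate_pins(length):
        if card.blocked:
            break
        attempts += 1
        if card.verify(guess):
            return guess, attempts
    return None, attempts


def guess_success_probability(length, attempts):
    """Chance that `attempts` distinct guesses hit a uniformly random PIN of
    `length` digits: attempts / 10**length, capped at 1."""
    return min(1.0, attempts / 10 ** length)


if __name__ == "__main__":
    # A card with the usual 3-try limit and a PIN that is not on the popular list.
    print(brute_force(Card("8305")))                  # (None, 3): blocked
    # The same PIN on a hypothetical card with no try counter.
    print(brute_force(Card("8305", max_tries=None)))  # ('8305', 8307)
    # A popular PIN falls inside the 3-try budget.
    print(brute_force(Card("1234")))                  # ('1234', 1)
    for n in (4, 6, 12):
        print(n, "digits, 3 tries:", guess_success_probability(n, 3))
```

Two things stand out when you run it. First, the attacker's ordering only pays off when the PIN is on the popular list; for any other PIN the card blocks on the third wrong entry and the remaining 9,997 candidates never get tested, which is why the limit on attempts, not the PIN length, does most of the protecting. Second, the counter lives on the card, so it cannot be bypassed by taking the card to a different ATM.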

John Shepherd-Barron

The British inventor John Shepherd-Barron is widely credited with deploying the world’s first cash-dispensing machine, the De La Rue Automatic Cash System, which went live at a Barclays branch in Enfield, north London, on 27 June 1967. He’s the name most often attached to the “invention of the ATM”, though it’s really a shared honour: Scottish engineer James Goodfellow filed the patent for the PIN-and-magnetic-card combination we still use today (UK Patent No. 1,197,183, May 1966), and American inventor Luther Simjian had built an earlier deposit-only Bankograph back in 1939. Shepherd-Barron just got there first with a working cash machine.

John Shepherd-Barron (Photo Credit : hk01)

Initially, Shepherd-Barron proposed 6-digit PINs (he wanted to use his old army serial number), but when he tested the idea on his wife Caroline, she told him that the longest string of numbers she could reliably remember was 4. He switched to 4 digits, ATMs caught on, and the rest is history. The story comes from Shepherd-Barron himself and is more anecdote than archival fact, but the convergence is hard to argue with: Goodfellow’s independent design also landed on a short numeric PIN, and 4 digits soon became the world standard.


References
  1. Blocking Brute Force Attacks. System Administration Database, University of Virginia (www.cs.virginia.edu).
  2. James Goodfellow (inventor of the PIN). Wikipedia.
  3. Automated teller machine. Encyclopaedia Britannica.
  4. ISO 9564-1:2017, Personal Identification Number (PIN) management and security. International Organization for Standardization.
  5. Password Complexity Standard. Information Technology, University of Florida.
  6. Password Security. University of Arizona.
  7. How can I make my password secure? Connect Help, Washington University in St. Louis (connecthelp.wustl.edu).