What's your PIN number?

How did so many people find out my number: ****
 

bonj2

Guest
How can one, four-digit number be more random than another?

In the same way that the numbers drawn out of the lottery machine using balls that are spun round in a drum for about a minute or more are a lot more random than the ones drawn by a computer. To a lesser degree, the numbers drawn by the ERNIE machine for premium bonds are a lot more random than if you used the RAND() function in an Excel spreadsheet on your desktop PC, because although ERNIE is still a computer, its software is a lot more advanced in that it makes use of advanced cryptographic algorithms (and probably also ASICs) to achieve a higher degree of randomness.
If you choose a number in your head, it's going to be a lot less random than one chosen by a computer that bears no relation at all to you. For example, your birthday is very unrandom.
Randomness is a subject that I know a great deal about and one that you probably shouldn't really question me on.
 

rich p

ridiculous old lush
Location
Brighton
bonj said:
In the same way that the numbers drawn out of the lottery machine using balls that are spun round in a drum for about a minute or more are a lot more random than the ones drawn by a computer. To a lesser degree, the numbers drawn by the ERNIE machine for premium bonds are a lot more random than if you used the RAND() function in an Excel spreadsheet on your desktop PC, because although ERNIE is still a computer, its software is a lot more advanced in that it makes use of advanced cryptographic algorithms (and probably also ASICs) to achieve a higher degree of randomness.
If you choose a number in your head, it's going to be a lot less random than one chosen by a computer that bears no relation at all to you. For example, your birthday is very unrandom.
Randomness is a subject that I know a great deal about and one that you probably shouldn't really question me on.


Surely if all the numbers are randomly chosen independently of the previous or subsequent choices then any method is as random as any other. i.e. Random
 

Canrider

Guru
a lot more random than if you used the RAND() function in an Excel spreadsheet on your desktop PC
Does that RAND() still make use of the internal clock to get a number seed? I assume so..

Found this fun quote which I'll use to lightly disagree with you:
"One of us recalls(...)being told by his computer center’s programming consultant that he had misused the random number generator: “We guarantee that each number is random individually, but we don’t guarantee that more than one of them is random.” Figure that out. —Press, William H., et al. (1992)"

If I were to go home, fire up Excel, generate a single random number, and use that instead of the pregenerated PIN the bank gave me, I would presume that that would be equally 'random' provided no information on how, where and when I generated it is retained.

In other words, '1973' is not a particularly good PIN for myself, as it's my year of birth, but it would be perfectly acceptable random-wise for my boss down the hall who has no birthdate connection with that particular year, but if I got the number '1958' out of Excel, that would be a sufficiently random PIN for myself, for the same (role reversed) reason. No?
 

bonj2

Guest
So you've given your ideas about how random number selection can vary. Thanks. Now perhaps you could answer my question.

How is 3065 more or less random than 8692?

They're both infinitely, equally, random without context - but as soon as you apply context to it - for example know they were chosen by a specific person, or even by a specific computer, then one may be more random than the other - but you wouldn't know which.

Basically randomness is the inverse of predictability. (If you take nothing else away from this lecture, take away this.) If something's infinitely random, it's completely impossible to predict - but try to think of 'impossible' as meaning as close to 'not physically possible' rather than 'not humanly possible' as you can.

Computer-generated random numbers are often called 'pseudo-random' because although they seem perfectly random to us humans, they never are completely random. i.e., if I had superpower intelligence and infinite mental capacity for research, comprehension and mathematical deduction, then I could tell you what the next 'random' number a computer program was going to produce was, by analysing the make up of the software that produced it and doing the same calculation it does in my head.

For instance, a very simple random number generator program might take the current time (dd/MM/yyyy hh:mm:ss) and it might do something like dd squared, divided by MM, add four, subtract yyyy, multiply by hh, add on mm, divide by the square root of ss, and then take the first two and the last two digits of the resulting number and that's your 'random' number. If I was really good at mental arithmetic and I had access to the same clock the computer was using and knew how the program was written, then I could work out what the next random number was.

Modern computer programs are a lot more advanced than that, but you can see how you need some element that a computer can't provide to introduce an element of 'true' randomness - they go by the same principle of just basic obfuscation as in my date example - so if you told me that one of 3065 or 8692 was what you'd chosen and the other was what the bank had chosen, then assuming I had the mental capacity to understand and emulate the bank's algorithm, I could tell which one the bank had chosen and which one you had chosen. Similarly if I knew the exact make up of your brain then I could predict what number you would have chosen.

That element that the computer can't provide is usually physics. e.g. the lottery balls are a good example. The drum with lottery balls in emulates a chamber of gaseous particles in which the position of each particle is completely random at any given point in time - in order to predict which balls were going to come out in what order, you'd need to know the exact spatial position of the balls at the start, and then do a 3D calculation for every single collision between two balls and calculate which one was going to be at the bottom when the door opened - as you can imagine an absolutely astronomical feat...

Now as to why you draw the line between pseudo randomness and true randomness there and how you can justify that choice, and why even physical processes such as the lottery balls or even just the throw of a dice aren't classed as pseudo random, is something I intend to read up on...
http://en.wikipedia.org/wiki/Random
 

Canrider

Guru
Hmm, wouldn't that argue in favour of changing your PIN under the following circumstance:
The bank (presumably) allocates random PINs sequentially as each account number is activated. From that, if you were going to go through each account and try and guess the PIN, you'd stand a better chance of doing so heuristically if everyone kept their assigned PIN, since there would be a single algorithm generating them?
 
bonj said:
Randomness is a subject that I know a great deal about and one that you probably shouldn't really question me on.

At last - the answer to why Bonj's posts are the way they are.
 

pw2389

New Member
bonj said:
They're both infinitely, equally, random without context - but as soon as you...blah, blah, blah

Blimey, I quite like science & maths but I'm losing the will to live with that posting...:biggrin:
 

bonj2

Guest
rich p said:
Surely if all the numbers are randomly chosen independently of the previous or subsequent choices then any method is as random as any other. i.e. Random

No, because the relationship of one number (or lack thereof) to the previously chosen number in the sequence implies nothing about the predictability (or lack thereof) of that number.
 

Smeggers

New Member
Psst rich p - He's a computer programmer, he might actually know what he's talking about on this one :biggrin:

Anyway, for the second time...


MY PIN NUMBER IS 9785


.. and you've still not cloned it! Useless sods.
 

bonj2

Guest
Canrider said:
Does that RAND() still make use of the internal clock to get a number seed? I assume so..
Yes, I believe so. I believe all non-cryptographically-strong functions in Windows (of which the RAND() in Excel is a perfect example) all basically use the same low-level function, which basically just uses a list - but the seed (the time of day) tells it where in the list to start. The list being sufficiently long introduces a good enough level of unpredictability (randomness) for most applications such as games, etc.

Canrider said:
Found this fun quote which I'll use to lightly disagree with you:
"One of us recalls(...)being told by his computer center’s programming consultant that he had misused the random number generator: “We guarantee that each number is random individually, but we don’t guarantee that more than one of them is random.” Figure that out. —Press, William H., et al. (1992)"
I think he would probably get on fairly well with User.

Canrider said:
If I were to go home, fire up Excel, generate a single random number, and use that instead of the pregenerated PIN the bank gave me, I would presume that that would be equally 'random' provided no information on how, where and when I generated it is retained.
Correct.
However, that it could simply be guessed that you used Excel introduces a fairly strong level of predictability straight off. We're not talking about a requirement for any attempted prediction of your number to be certain to be correct, remember.


Canrider said:
In other words, '1973' is not a particularly good PIN for myself, as it's my year of birth, but it would be perfectly acceptable random-wise for my boss down the hall who has no birthdate connection with that particular year
No - because someone may think "well he's not going to be stupid enough to use his own birthday, is he - I'll try the birthday of one of his staff up the hall" ...
Canrider said:
but if I got the number '1958' out of Excel, that would be a sufficiently random PIN for myself, for the same (role reversed) reason. No?

If it's predictable because it's your birthdate or that of someone you know then it's predictable, and therefore not random - regardless of the method of generation (I think... I suppose if a computer picked 1958 for you and it just happened to be your birthdate, then that would be 'randomly unrandom' :biggrin:)
 

bonj2

Guest
Canrider said:
Hmm, wouldn't that argue in favour of changing your PIN under the following circumstance:
The bank (presumably) allocates random PINs sequentially as each account number is activated. From that, if you were going to go through each account and try and guess the PIN, you'd stand a better chance of doing so heuristically if everyone kept their assigned PIN, since there would be a single algorithm generating them?

No, because they probably don't just increment PINs in the same way that they (probably) increment account numbers! Otherwise you could find someone with the same bank as you, and the simple formula (P + Q - R) would give you their (original) pin number, where P is your (original) pin number, Q is their account number and R is your account number. That would be insecure - banks wouldn't be allowed to do it.
 

Canrider

Guru
Sorry, I didn't mean increment the PIN, but just generate a new random number, so if you know that account# 100 has a (pseudorandom) PIN, then account #101 has a pseudorandom PIN governed by this, that, and the other properties of the (known) pseudorandom number generator. This would (taking the 'obvious' example of a bad generator like RANDU) drastically narrow down the range of PIN guesses needed to get into account #101, particularly so if #100's PIN is known.
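
The concern in the last post, together with the clock-seeded generator described earlier in the thread, measured in code. This is an added example, not part of the original thread, and it models no real bank's scheme: the RANDU constants are the published ones, while seeding from the second of the day and scaling the state onto 0000-9999 are assumptions made for illustration.

```python
import secrets

RANDU_A, RANDU_M = 65539, 2**31   # RANDU: x' = 65539 * x mod 2^31
SECONDS_PER_DAY = 86_400

def randu_next(state):
    return (RANDU_A * state) % RANDU_M

def pin_from_state(state):
    # Assumed mapping: scale the 31-bit state onto 0000-9999.
    return state * 10_000 // RANDU_M

def seed_from_clock(second_of_day):
    # Assumed seeding: time of day in seconds, forced odd as RANDU requires.
    return 2 * second_of_day + 1

def issue_pins(seed, count):
    """PINs handed to `count` consecutively opened accounts."""
    state, pins = seed, []
    for _ in range(count):
        state = randu_next(state)
        pins.append(pin_from_state(state))
    return pins

def next_pin_candidates(known_pin):
    """PINs the following account can have, given only the previous PIN."""
    candidates = set()
    for second in range(SECONDS_PER_DAY):
        state = randu_next(seed_from_clock(second))
        if pin_from_state(state) == known_pin:
            candidates.add(pin_from_state(randu_next(state)))
    return candidates

def secure_pin():
    """What an issuer should do: draw each PIN from the OS CSPRNG."""
    return f"{secrets.randbelow(10_000):04d}"

def demo():
    # Constructed sample: generator seeded at 12:34:56 (second 45296 of the day).
    pin_100, pin_101 = issue_pins(seed_from_clock(45_296), 2)
    space = next_pin_candidates(pin_100)
    return pin_101 in space, len(space)

if __name__ == "__main__":
    hit, size = demo()
    print(f"account #101 PIN in candidate set: {hit}; {size} candidates, not 10000")
    print("independent PIN from secrets:", secure_pin())
```

With a day's worth of possible seeds, one known PIN leaves about a dozen candidates for the next account at most; PINs drawn independently from `secrets` carry no such relationship between accounts.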
 