In an examination of 3.4 million four-digit passwords, the tech consultancy DataGenetics determined that users choose the PIN "1234" nearly 11% of the time.
"It's staggering how popular this password appears to be," the company says in a recent blog post. "Utterly staggering at the lack of imagination."
The second most-common password is 1111 at 6%, followed by 0000 at nearly 2%. Overall, the top 20 most common PINs make up just over a quarter of the database — meaning a hacker could probably have a lot of success breaking into accounts by trying just those 20 PINs.
This isn't the first time such patterns were discovered in how users choose passwords. In 2010, the most common password for e-mail and other online services was determined to be "123456." Other common Web passwords are the word "password," common phrases like "iloveyou" and "chocolate," and similar strings of numbers like "12345" and "111111."
"The four-digit PIN really should be more difficult to figure out," says Aite Group senior analyst Shirley Inscoe. "I don't think we've done enough in this country to educate consumers."
Even if consumers pick stronger PIN codes, they must still face the threat of hidden cameras planted at ATMs to observe their PIN codes as they are typed. Such cameras are often paired with a skimming device to read and store data from the ATM card's stripe.
"There's a big issue with the installation of cameras to capture the keypad," Inscoe says. "That's been an ongoing issue for several years. It's so easy to mask what numbers you're keying."
The most effective way to block fraudsters using cameras is for consumers to cover the keypad with their other hand when punching in their PIN, says Inscoe, whose own bank posts this advice at every ATM.
In its blog post, DataGenetics has some theories as to why some odd four-digit strings are among the most common. For example, #22 on the list is 2580, which is doesn't seem to follow the pattern of the other top choices — until one notices these digits are the middle row of numbers on a telephone or ATM key pad from top to bottom.
The least common PIN is 8068 — however, DataGenetics warns that, in documenting this, it has made the number less secure.
"Please don't go out and change yours to this," it warns. "Hackers can read too!"