What's the difference between a password and a PIN?
A question I've always had but was too afraid to ask when I first learned about passwordless experiences.
One aspect of the identity and access management sphere that I've always wondered about is the difference between passwords and PINs. I would hear vendors talk about both as if they were different, but it was not immediately clear to me why.
So, I finally decided to educate myself about this and thought I'd share what I learned with anyone else who may also be confused (unless I'm the only one…).
What is a password?
Passwords are the oldest and still the most common method of authenticating an account. A password is what is known as a shared secret: data known only to the parties in a communication, used to prove to one party that the other is who they claim to be.
However, passwords suck, to put it bluntly. Thanks to misguided complexity rules recommended by NIST back in 2003 (which NIST worked to move away from in 2017), passwords are hard for most people to remember while remaining easy enough for software to crack. And that is before accounting for the many people who reuse passwords across sites or pick ones that are easily guessed. For example, Troy Hunt, creator of Pwned Passwords, wrote about how 86% of the passwords used on one site appeared in his database of passwords stolen through data breaches, which makes life easy for attackers.
What is a PIN?
So, passwords aren't great at keeping accounts protected, but how are PINs different? While a PIN might seem the same as a password at first (both are something the user has to remember), they serve different purposes.
PINs are not the same as passwords because they are generally tied to the device you use. (Occasionally you might create a PIN for a web app -- I had to create one for Verizon -- but by and large they are for authenticating locally.)
And therein lies the difference between PINs and passwords: local authentication vs. remote authentication. You use a PIN to unlock your device, but you rarely use a password to do that. PINs are usually shorter than passwords (typically four to six characters versus eight or more), though you can make one longer if you wish.
Local vs. remote authentication
We need to be clear about what the PIN-versus-password conversation is really about: local authentication vs. remote authentication. After all, a password that's verified remotely could be short (if the service allows it) and look just like a PIN, while you could create an alphanumeric PIN that is long and complex.
But often, especially on mobile devices, local device encryption is unlocked with a shorter memorized secret, while remote authentication goes through an identity provider or directory and requires the password. Most people call the first a PIN and the second a password.
The key is to understand what each one does: a PIN decrypts a device or authenticates you to a local system, while a password authenticates you to a remote IdP. The device's threat model means a shorter, less complex PIN is fine, while a remote server calls for more complexity. (But again, you want more than just a password anyway!)
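To make the local-versus-remote distinction concrete, here is an added example (not code from the post or from any vendor it names) that models both paths side by side. On the remote path the password itself is sent to the server, which must keep a salted hash of it. On the local path the PIN only unlocks a private key that never leaves the device; the server stores just the public key and checks a signature over a challenge it issued. The PIN hashing and the in-memory key are simplifications: real devices keep the verifier and key inside a TPM or Secure Enclave, and a real deployment would use a slow password hash rather than a single SHA-256. All names and the sample secrets are constructed for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// hashSecret is a deliberately simple salted hash for the demo (a real server
// would use bcrypt/scrypt/argon2; a real device keeps the verifier in hardware).
func hashSecret(salt []byte, secret string) [32]byte {
	return sha256.Sum256(append(append([]byte{}, salt...), secret...))
}

// ---- Remote path: the password is a shared secret the server must hold.
type PasswordServer struct {
	salt []byte
	hash [32]byte
}

func NewPasswordServer(password string) (*PasswordServer, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	return &PasswordServer{salt: salt, hash: hashSecret(salt, password)}, nil
}

// Login receives the password itself: it has crossed the network, and a stolen
// copy of the server's record is enough to start cracking offline.
func (s *PasswordServer) Login(password string) bool {
	h := hashSecret(s.salt, password)
	return subtle.ConstantTimeCompare(h[:], s.hash[:]) == 1
}

// ---- Local path: the PIN only unlocks a device-bound private key.
type Device struct {
	pinSalt []byte
	pinHash [32]byte
	priv    *ecdsa.PrivateKey // in practice held by a TPM or Secure Element
}

var ErrWrongPIN = errors.New("wrong PIN")

// Enroll creates the device-bound key pair and returns the public half, which
// is all the server ever learns.
func Enroll(pin string) (*Device, *ecdsa.PublicKey, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, nil, err
	}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{pinSalt: salt, pinHash: hashSecret(salt, pin), priv: priv}, &priv.PublicKey, nil
}

// SignChallenge checks the PIN locally; only a signature leaves the device.
func (d *Device) SignChallenge(pin string, challenge []byte) ([]byte, error) {
	h := hashSecret(d.pinSalt, pin)
	if subtle.ConstantTimeCompare(h[:], d.pinHash[:]) != 1 {
		return nil, ErrWrongPIN
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

type KeyServer struct{ pub *ecdsa.PublicKey }

func NewKeyServer(pub *ecdsa.PublicKey) *KeyServer { return &KeyServer{pub: pub} }

// Verify needs no secret at all: a breached KeyServer record reveals nothing usable.
func (s *KeyServer) Verify(challenge, sig []byte) bool {
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(s.pub, digest[:], sig)
}

func main() {
	ps, _ := NewPasswordServer("correct horse battery") // constructed sample password
	fmt.Println("remote password login:", ps.Login("correct horse battery"))

	dev, pub, _ := Enroll("4821") // constructed sample PIN
	srv := NewKeyServer(pub)
	challenge := []byte("constructed-server-nonce-0001")
	sig, err := dev.SignChallenge("4821", challenge)
	fmt.Println("local PIN unlock + remote signature check:", err == nil && srv.Verify(challenge, sig))
	_, err = dev.SignChallenge("0000", challenge)
	fmt.Println("wrong PIN rejected on the device:", errors.Is(err, ErrWrongPIN))
}
```

The point to notice is what each server stores and receives: `PasswordServer` holds something derived from the secret and is handed the secret on every login, while `KeyServer` holds only a public key and is handed a signature that is worthless without the device. That asymmetry is what lets a PIN gate a FIDO credential without itself being a remote secret.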
How do Microsoft, Apple and Android handle PINs?
Microsoft encourages users to create a PIN for signing in to a device through Windows Hello on Windows 10, alongside the device's biometrics. The PIN is tied to a specific device (you're prompted to create one for each device, since the PIN isn't shared between them) and stays local, which limits the damage if someone discovers a user's password.
Most smartphones have users create a PIN (alongside biometrics, if the hardware supports them) to unlock the device. The shorter length does make a PIN easier to crack than a password because the space of possible combinations is smaller (most PINs are numeric, though a Windows Hello PIN can contain any characters). At first glance this makes PINs look inherently less secure. But it matters less than it seems, because the PIN stays local, which means an attacker needs physical access to your device, and most devices also limit how many times a PIN can be guessed before taking action, which blunts a brute-force attack.
Apple uses a PIN (though it calls it a passcode) as the initial authentication method on iOS devices, with biometrics layered on top. From Settings > Face ID & Passcode, users can set an iOS device to erase all its data after 10 unsuccessful attempts, making a brute-force attack on the device very hard. (Now, if they have you and the device, a cheap wrench is all they need.) Apple also enforces time delays between successive failed attempts, which you can read about in the iOS Security Guide [PDF].
Android calls its local authentication method a password (or a pattern), and it is handled by Gatekeeper: the user creates a shared secret between themselves and the Trusted Execution Environment. Much like iOS, Android slows brute-force attacks with a timeout after multiple failed attempts.
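The three paragraphs above all describe the same defence: a local verifier that throttles guesses and, optionally, erases the device after a fixed number of failures. The following added example (my own illustration, not Apple's, Microsoft's or Google's code) implements such a verifier with an injectable clock so the policy can be exercised without waiting, and then quantifies what the policy does to an exhaustive search of a numeric PIN space. The delay schedule is a constructed one in the spirit of the escalating delays the post mentions, not any vendor's exact values, and the PIN is compared in memory here whereas real devices do this inside a secure element.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"math"
	"time"
)

// delayAfterFailures[f] is the wait enforced once f consecutive failures have
// been recorded; beyond the table the last entry repeats. Constructed values.
var delayAfterFailures = []time.Duration{
	0, 0, 0, 0, 0, // failures 0-4: no delay
	1 * time.Minute,  // 5
	5 * time.Minute,  // 6
	15 * time.Minute, // 7
	15 * time.Minute, // 8
	60 * time.Minute, // 9 and beyond
}

func delayFor(failures int) time.Duration {
	if failures >= len(delayAfterFailures) {
		return delayAfterFailures[len(delayAfterFailures)-1]
	}
	return delayAfterFailures[failures]
}

var (
	ErrThrottled = errors.New("too many attempts: try again later")
	ErrWiped     = errors.New("device erased after too many failed attempts")
)

// LocalVerifier stands in for the PIN check a device's secure element performs.
type LocalVerifier struct {
	pin         []byte // the stored verifier; nil once the device is wiped
	failures    int
	lockedUntil time.Time
	wipeAfter   int // 0 disables the erase-after-N-failures option
	wiped       bool
	now         func() time.Time // injectable clock for testing
}

func NewLocalVerifier(pin string, wipeAfter int, clock func() time.Time) *LocalVerifier {
	if clock == nil {
		clock = time.Now
	}
	return &LocalVerifier{pin: []byte(pin), wipeAfter: wipeAfter, now: clock}
}

// Verify applies the policy: refuse while throttled, wipe at the limit,
// otherwise compare and schedule the next allowed attempt.
func (v *LocalVerifier) Verify(attempt string) (bool, error) {
	if v.wiped {
		return false, ErrWiped
	}
	if v.now().Before(v.lockedUntil) {
		return false, ErrThrottled
	}
	if subtle.ConstantTimeCompare(v.pin, []byte(attempt)) == 1 {
		v.failures = 0
		return true, nil
	}
	v.failures++
	if v.wipeAfter > 0 && v.failures >= v.wipeAfter {
		v.wiped, v.pin = true, nil
		return false, ErrWiped
	}
	v.lockedUntil = v.now().Add(delayFor(v.failures))
	return false, nil
}

// WorstCaseExhaustion is the total waiting the schedule alone imposes on an
// online search of every PIN of the given number of digits (wipe disabled).
func WorstCaseExhaustion(digits int) time.Duration {
	space := int(math.Pow10(digits))
	var total time.Duration
	for f := 1; f < space; f++ { // a wait precedes every attempt after the first
		total += delayFor(f)
	}
	return total
}

// SuccessProbabilityWithWipe is the chance a guesser beats a uniformly random
// PIN when the device erases itself after wipeAfter failures.
func SuccessProbabilityWithWipe(digits, wipeAfter int) float64 {
	return float64(wipeAfter) / math.Pow10(digits)
}

func main() {
	fmt.Println("4-digit PIN, throttling only:", WorstCaseExhaustion(4))
	fmt.Println("6-digit PIN, throttling only:", WorstCaseExhaustion(6))
	fmt.Printf("4-digit PIN, erase after 10: p(success) = %.4f\n", SuccessProbabilityWithWipe(4, 10))
}
```

Two properties are worth checking in the test: the throttle must block even the correct PIN until the wait has elapsed (otherwise an attacker could interleave guesses with no cost), and the wipe must be terminal, so the right PIN no longer works once the limit is reached.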
Clearing up confusion around password vs. PIN
This was meant as a short and sweet article to help others like me who didn't fully understand the differences between passwords and PINs. While passwords and PINs appear to be the same at first glance, they really are remote versus local authentication methods, which is why a PIN can be FIDO approved while passwords are not.
Part of what drew me into this topic was how vendors market their solutions as "passwordless" while still allowing a memorized secret (aka a PIN) as one authentication option. It created needless confusion for me, so, once again, a "thank you" to marketers for making everyone's life just a little more difficult.