
If you can match a pin to a database of card numbers, I can supply you with a database of all pins in existence


You joke, but if we talk about web applications, one dangerous attack is not to guess the user password, but instead to match the most common passwords to a list of inventoried users...


Damn. How many bitcoins did you spend on that leak?


for (i = 0; i <= 9999; i++) { ... }


Glad to see that my 6-digit pin is safe from hacking for at least a few more years.


In 2009 my card had a 6-digit PIN and I went on holiday to Argentina. The card readers there only accepted 4 digits and they validated my card with the first 4 digits of my PIN.

That was a bit disconcerting.


PIN is actually completely optional.

A rogue terminal can decide to authorize the transaction with a “signature” (there are legitimate uses for this)

Or even with no PIN at all (there are also legitimate uses for this)

It’s also possible to do either of these 2 things and then report back that the transaction was authorized with a PIN


On that subject, I (a European) went to the US last week. It was time to pay at a restaurant in their needlessly complicated way where they hand you the bill, you return them the bill with your card and then they return once more for you to fill out the tip. Shortly after the second step the waiter returned apologizing, saying they could not bypass the PIN on the card like they normally could (which was slightly startling to me) and asked if I could come with them to enter it on the payment terminal myself.


Must have been a debit card that flat out refused anything but Chip & PIN.

Most cards aren't like this.

With my UK issued AmEx & Visa cards (both Charge/Credit), at certain places the terminal didn't even ask me for a PIN, and the transaction just went through as "Chip & Signature"


Up in Lithuania they are now starting to have a contactless tipping device where you scroll the wheel to select the tip amount.

Which is kinda pointless since if you are paying and receiving service at the counter - you aren't really receiving a service to tip for.


Same experience (card came with default 6-digit pin that I didn't change), never have longer-than-4 pin when traveling outside of western democracies. The fact that it worked made me doubt that it was actually verified, but I didn't have the balls to play with this too far away from easily obtainable money


What the...?

It's crazy, but kinda reasonable


Don't be so sure of that. If your PIN just happens to start with 00, it is fairly trivial to jury-rig a common 4-digit hacking device to crack your 6-digit PIN.


jerry-rig*



eggcorn, acorn, all the same, just a different name:

https://en.m.wiktionary.org/wiki/eggcorn


This is why my PIN is 9998.


I believe most banks stop sequence numbers such as "1234", "9876"


Less work to do for the hacker, how kind


Marginally reducing the search space to prevent significant clustering probably is beneficial.


They probably do, but those still are valid PINs, that some banks probably don’t block.


Aren't card PINs only 4 numbers long? That's almost 10k possible combinations I believe, pretty trivial to put together.

Checking which corresponds to what card is the hard step because you need access to an acquirer to my knowledge, and you'll lose that access quite quickly if you attempt too many incorrect combinations.


You can use more than 4 digits if you want a more secure PIN.

EMV (the card standard used by all modern chip/contactless cards) supports PINs between 4-12 digits in length.


I have been wanting to try a 4< digit pin, but I expect payment terminals to go bonkers because they don’t accept it. Have any of you a card pin longer than 4?


Six-digit pin works well for me in European countries - Czechia, Germany, Austria, Spain, Italy.


My girlfriend used a 5-digit PIN for over 10 years in the UK and never had any issues that I can recall.

I’d change mine too except I use the PIN so infrequently (99% contactless nowadays) I’m worried I’d forget the new one!


Just try and be surprised - no issues.


just don't try to use it in some remote exotic place, 4 places are often hardcoded but you may still be able to withdraw/pay, or not


Mine is eight digits, never tried it outside Canada yet.


All pins in my country are 5 digits. Which can be annoying for four-d visitors (depends on the bank, and I've not heard of problems for a while).


Damned, with 5 digits, the cost of storage alone is a deterrent for a rainbow table



