Is bank account passcode secure?

The standard passcode length of bank account is 6 digits. It means the possibilities of passcode is merely 106. With regards to the calculation power of contemporary computer, it is quite simple task to get the 6 digits’ password with the brute force attack (try every possibilities). The time cost will not exceed 1 second. According to widespread passcode setting suggestion, we are encouraged to make the password long and odd enough such as combining numbers and characters, even putting some strange marks in it. However, in terms of bank account, the password we can set is only 6 digits. Assume there are 700 million people in the world, in average, every 700 people in the world will have same password for their bank account.

Feel free to use this image, just link to www.SeniorLiving.Org This photo expresses how I feel about our current government budget.
“Injured Piggy Bank With Crutches” via Flickr user Ken Teegardin


Bank has their own reason

Of course, bank has their own snag. The ATM only has telephone keypad and it is impractical to change all of them to keyboard style. But why constrain the length of password? Why not let it be 10 digits or even 20 digits? According to George Armitage Miller, human’s immediate memory is seven digits plus or minus two. Hence it is really inconvenient to have a 10 digits’ password or even the longer. Image your password is 20 digits’ length. Every time you get cash out, you have to type the 20 digits’ length passcode carefully into the ATM. It’s really a stumbling procedure.

“atm” via Flickr user Sean MacEntee


Why secure?

So the length of the password cannot be altered, how can such short password ensure the security? The answer is the lockout policy. As we all known, if one account’s passcode has been tried more than 3 times, the account will be frozen. This policy can prevent the account from brute force attack effectively. Because the ATM is isolated from the outside internet, it is impossible for hacker to embed malicious program into the ATM system to eliminate the lockout restriction.

This will be related to the another topic. Is the 6-digit passcode secure when you are shopping online? In this circumstance, bank account is totally exposed to the worldwide internet. Hacker can embed the malicious program through internet easily. The common strategy hacker utilizes is offline brute force attack. The lockout policy won’t work if the brute force attack is under offline situation. Hence the password can be easily revealed. To prevent this happening, multiple protecting strategies work together to ensure the account safety. Password is the initial protection, secure code on your credit card and validation code send to your phone etc. are followed steps to ensure the security. That’s why when you retrieve money from ATM, entering password is enough while shopping online, the procedure is much more complicated.


Is transmission channel secure?

On the client side, hacker is hard to get the password. But what about in the transmission procedure? The password will be transferred from client side to the server through the whole internet. What about hacker intercept the information in the mid? This is called man-in-middle-attack which is exactly what cryptography aim to solve. Of course the password will not be transferred in the plaintext, it will be encrypted in a certain method. However, the password only has 6-digit-long, it is quite simple to find the mapping relationship. (one character represents the other character) In the practical, password will not be transferred solely. It will combine with the account name whose value is normally a 16-digit-number. Meanwhile, different users will have various encrypt methods. That means even two user’s passwords are both 123456, the cipher text will be different.


Everything real is rational. Although the passcode is merely 6 digits, we don’t need to worry about the security too much.



3 Responses to “Is bank account passcode secure?”

  1. Xiaofan Ping says:

    Hi Batpurev
    Pretty good question. I haven’t think about this question deeply. But according to what i have known, the cryptography is focused on how to prevent the Man-in-the-middle-attack. Which means it just can guarantee when you transfer your secure message, other guys cannot decrypt it. But whether can other guys see your card information is totally up to you. Let’s make a very simple example, if you show your account number and security code to other guys, the only thing they need to do is trying your 6 digits password. Good thing is, unless you tell other guys or let them see your credit card, this is no other way others can know your information. A more extreme example is that you write down your password in a paper and stick on your computer. No encryption measures can prevent you from doing this. So it is better to not let other people see your account number, especially the security code. Actually, to make it more secure. The online purchasing website will also require you have an account for there website. and when you create your account, you can set a very long password and website will ask you to make connection with your phone or your personal email. Multiple steps guarantee the safety of your account.

  2. kbatpurev says:

    Thanks Xioafan, a complex topic explained simply. I always think that account numbers are relatively easy to get hold of…so if someone is targeted by an online hacker in some cases its possible that they already know the 10 digit account number. And it would be the last 6 digits that they would be targeting to break, which as you explained can be done easily with modern computers? What are your thoughts on this?

  3. Tessa Marshall says:

    Fascinating! I’ve always thought of online purchases as much more vulnerable than offline – but when you describe in terms of potential combinations it sounds less so.