You're standing at an ATM. Four digits. That's all between you and your cash.
Most people never think about what those four digits actually represent. This leads to they pick a birthday. So a year. Here's the thing — the same code they've used since 2003. But here's the thing — the math behind those four numbers is surprisingly interesting, and understanding it changes how you think about security, probability, and even game shows It's one of those things that adds up..
Let's break it down It's one of those things that adds up..
What Is a 4-Number Possibility
When someone asks "how many possibilities with 4 numbers," they're usually talking about one of two things. That said, a 4-digit PIN where each position can be 0–9. Or a combination of 4 distinct numbers drawn from a larger pool Less friction, more output..
They're not the same question. Not even close.
The PIN scenario: 10,000 combinations
This is the one most people actually mean. Four slots. In practice, each slot holds a digit 0 through 9. Repetition allowed. Order matters.
-
-
- All the way to 9999.
-
That's 10 × 10 × 10 × 10 = 10,000 total possibilities. Ten thousand. It sounds like a lot until you realize a computer can guess all of them in milliseconds.
The lottery scenario: combinations without repetition
Different beast entirely. Worth adding: no repeats. Say you're picking 4 numbers from 1–49 for a lottery ticket. Order doesn't matter.
That's "49 choose 4" — written as C(49,4) or ⁴⁹C₄. The math gives you 211,876 combinations. Way more than a PIN, but the rules are totally different.
Permutations: when order matters but no repeats
Now imagine a 4-digit code where you can't reuse digits. Second: 9 remaining. Third: 8. In real terms, first digit: 10 choices. Fourth: 7.
10 × 9 × 8 × 7 = 5,040 possibilities And that's really what it comes down to. That alone is useful..
Half as many as a standard PIN. The restriction cuts the space dramatically.
Why It Matters / Why People Care
You might be wondering — okay, cool math. But why does anyone actually care about this?
Your phone lock screen
That 4-digit passcode on your iPhone? That's why they added the "erase after 10 failed attempts" feature. 10,000 possibilities. Apple knows this. Without it, someone with physical access and patience could brute-force your phone in a few hours.
Android does similar. The math dictates the security policy.
ATM and debit card PINs
Banks settled on 4 digits decades ago. Think about it: not 5. Not 6. Four.
10,000 possibilities seemed reasonable in the 1970s. Day to day, today? That said, a determined attacker with a skimmer and a cloned card can try a few hundred PINs before the card gets eaten. They don't need all 10,000. They just need the common ones.
Master locks and padlocks
Those cheap 4-dial combination locks on gym lockers? Same math. 10,000 combinations. But here's the dirty secret — most of them have mechanical tolerances that let you feel the "click" on each dial. That's why you don't need 10,000 tries. You need maybe 100 The details matter here. No workaround needed..
The math assumes perfect randomness. Real hardware rarely delivers it Most people skip this — try not to..
Game shows and puzzles
Ever watch The Price Is Right? Contestants guess a 4-digit price. They're navigating a 10,000-space search space with audience help. But the "Pick a Number" game. The math explains why it's hard — and why the show can offer cars as prizes Nothing fancy..
People argue about this. Here's where I land on it.
How It Works (The Actual Math)
Let's get into the mechanics. Not because you need to derive formulas, but because the distinctions matter when you're evaluating real-world security.
The multiplication principle
This is the engine behind all of it. If you have a choices for the first thing, b choices for the second, c for the third, and d for the fourth — total possibilities = a × b × c × d.
Simple. Powerful. Applies everywhere.
Scenario 1: Digits 0–9, repetition allowed, order matters
At its core, your standard PIN.
Position 1: 10 choices (0–9)
Position 2: 10 choices (0–9)
Position 3: 10 choices (0–9)
Position 4: 10 choices (0–9)
10⁴ = 10,000.
Scenario 2: Digits 0–9, no repetition, order matters
First digit: 10 options
Second: 9 (can't reuse the first)
Third: 8
Fourth: 7
10 × 9 × 8 × 7 = 5,040 Simple, but easy to overlook..
This is also written as P(10,4) — permutations of 10 things taken 4 at a time. In real terms, the formula: n! / (n−r)! = 10! / 6! = 5,040.
Scenario 3: Digits 0–9, no repetition, order doesn't matter
Now we're choosing a set of 4 digits. {1,2,3,4} is the same as {4,3,2,1}.
This is combinations: C(10,4) = 10! × 6!Which means / (4! ) = 210.
Only 210. Tiny. Because order — the thing that makes 1234 different from 4321 — is gone.
Scenario 4: Numbers 1–N, choose 4, no repetition, order doesn't matter
This is your lottery math. × (N−4)!So / (4! C(N,4) = N! ).
For N=49: 211,876
For N=59: 455,126
For N=69: 864,501
The growth is polynomial, not exponential. But it adds up fast.
Scenario 5: Alphanumeric — letters and numbers
Now each position has 36 choices (26 letters + 10 digits). Or 62 if case-sensitive Not complicated — just consistent..
36⁴ = 1,679,616
62⁴ = 14,776,336
That's why "alphanumeric PINs" are dramatically stronger. Each extra character type multiplies the space Surprisingly effective..
Common Mistakes / What Most People Get Wrong
I've seen smart people trip over these constantly. Including myself, years ago.
Confusing permutations and combinations
Basically the big one. People hear "4 numbers" and assume one formula fits all. It doesn't That's the part that actually makes a difference..
If order matters → permutations
If order doesn
If order doesn’t matter → combinations
When the sequence is irrelevant, 1234 and 4321 collapse into a single possibility. Mathematically this is a combination, not a permutation. The same formula from Scenario 3 applies:
[ C(n,k)=\frac{n!}{k!,(n-k)!} ]
For a 4‑digit PIN drawn from 0‑9 without repeats, (C(10,4)=210). Now, that’s 200 × smaller than the 5 040 permutations. In practice, a system that treats “1234” and “4321” as identical is dramatically easier to brute‑force, which is why most authentication schemes keep order as a factor.
Common Mistakes / What Most People Get Wrong
1. Treating “any 4 numbers” as a single formula
People often see “four characters” and reach for the first formula that comes to mind—usually (10^4). The correct approach depends on three binary choices:
| Choice | Yes/No | Effect on count |
|---|---|---|
| Repetition allowed? | No → divide by (k!Consider this: | No → multiply by decreasing factors (10·9·8·7) |
| Order matters? ) (4! |
If you ignore any of these, you’ll over‑ or underestimate the search space by orders of magnitude.
2. Assuming perfect uniformity
Even a mathematically huge space can be crippled by non‑random generation. Consider a “random” PIN generator that picks the first four digits of a PRNG with a 16‑bit seed. An attacker who knows the algorithm can reduce the effective entropy from 13.3 bits (log₂ 10 000) to just 16 bits of seed material, then brute‑force the seed rather than the PIN itself And that's really what it comes down to..
3. Overlooking human patterns
People pick “123456”, birthdays, or keyboard walks (“qwerty”). Empirical studies of leaked password databases show that the top 20 PINs account for ≈ 20 % of all entries. A security analysis that assumes uniform randomness will grossly misjudge real‑world risk.
4. Confusing entropy with key length
A 4‑digit PIN has at most (\log_2(10,000)≈13.3) bits of entropy, even though it uses four positions. Adding a letter (26 possibilities) to one position raises the total space to (10^3·26 = 260,000) (≈ 18 bits), but if the letter is always the same “A”, the entropy stays at 13.3 bits. Entropy measures unpredictability, not symbol count.
Real‑World Randomness: Why “Perfect” Is Rare
Hardware RNGs vs. Software PRNGs
| Feature | Hardware RNG (TRNG) | Software PRNG (CSPRNG) |
|---|---|---|
| Source | Physical noise (thermal, photon, clock drift) | Deterministic algorithm seeded from entropy pool |
| Speed | Often slower, but true randomness | Fast, repeatable given seed |
| Predictability | Practically none (unless flawed) | None if seeded properly, but deterministic otherwise |
| Typical use | Cryptographic key generation, high‑value tokens | Session tokens, non‑critical IDs |
No fluff here — just what actually works Worth keeping that in mind..
Even the best TRNGs can exhibit bias or correlations over long runs. On top of that, the industry mitigates this with health tests (Dieharder, NIST SP 800‑22) and post‑processing (hash functions, XOR folding). A well‑designed CSPRNG seeded from a hardware entropy source is usually “good enough” for most applications, but it’s never perfect That alone is useful..
The “100 tries” myth
The article’s opening line—“need 10,000 tries. You need maybe 100.”—captures a common misunderstanding. In real terms, in a uniformly random 4‑digit PIN space, an attacker who tries 100 random guesses has only a 1 % chance of hitting the target. The “maybe 100” figure appears when the attacker can systematically enumerate the space (e.g.
the entire 10 000‑combination set, but only if the PIN is truly random and the attacker can guarantee that each guess is unique. In practice, human‑chosen PINs are far from uniform, and an attacker can exploit patterns to reduce the required attempts to a few dozen.
5. Ignoring the attack surface
Security assessments that focus solely on the theoretical key‑space often overlook the surrounding infrastructure: key‑storage, transmission, and side‑channel leakage. A 4‑digit PIN that is mathematically secure can still be compromised if:
- It is stored in cleartext on a server that suffers a breach.
- It is transmitted over an unencrypted channel, allowing packet sniffing.
- The device’s firmware leaks timing information that correlates guesses with responses.
A holistic approach must therefore evaluate how the PIN is generated, where it is stored, and how it is used.
Building a dependable PIN‑Generation Pipeline
| Stage | What to Do | Why It Matters |
|---|---|---|
| Entropy sourcing | Use a certified TRNG (e.g. | |
| Validation | Run the output through statistical test suites (NIST SP 800‑22, Dieharder). | Detects subtle correlations or biases that could be exploited. |
| Audit & monitoring | Log all generation and verification events; alert on anomalies. So naturally, g. Now, | |
| Rate‑limiting | Enforce strict limits on guess attempts (e. Think about it: | |
| Storage | Persist only the hash of the PIN (or a one‑way derived token). | Protects against eavesdropping and replay attacks. 3 with perfect forward secrecy. , exponential back‑off after 3 failures). In practice, |
| Transmission | Wrap all PIN exchanges in TLS 1. And | |
| Post‑processing | Apply a cryptographic hash (SHA‑256) followed by truncation to the desired number of bits. | Enables rapid incident response and forensic analysis. |
Practical Recommendations for Developers
- Never hard‑code “random” seeds—use system entropy pools or a dedicated hardware module.
- Avoid “random” by truncating a larger space—instead, generate a full‑length random number and then format it (e.g., 6‑digit PIN from a 32‑bit DECLARATION).
- Treat PINs like passwords—apply the same best practices (hashing, salting, rate‑limiting).
- Educate users—encourage them to pick non‑obvious PINs and to change them regularly.
- Stay updated—monitor advances in PRNG research and hardware RNG standards; update libraries accordingly.
Conclusion
The allure of a small, “easy” PIN is strong, but that simplicity masks a host of subtle pitfalls. Theoretical entropy alone does not guarantee security; the real world introduces human bias, implementation flaws, and side‑channel vulnerabilities that can collapse a 13‑bit space into a handful of guesses concrete. By treating random number generation as a multi‑layered process—starting with a solid entropy source, applying rigorous post‑processing, and securing the entire lifecycle—developers can see to it that even a humble 4‑digit PIN remains a formidable barrier against attackers. In short, perfect randomness is an ideal, not a guarantee; disciplined engineering is the true safeguard Worth knowing..