How Many Possible Combinations Of 4 Digits

7 min read

You're standing at an ATM. Here's the thing — four digits. That's all between you and your cash.

Most people never think about what those four numbers actually represent. But here's the thing: the math behind those four digits is surprisingly interesting. They punch in their birthday, their anniversary, the last four of their phone number — and move on. And understanding it changes how you think about security, probability, and even how you pick a PIN Small thing, real impact..

Easier said than done, but still worth knowing.

Let's dig in.

What Is a 4-Digit Combination

At its simplest, a 4-digit combination is exactly what it sounds like: four numbers strung together. On top of that, each position holds a single digit from 0 to 9. That's ten possibilities per slot.

But — and this is where people get tripped up — "combination" means different things depending on context.

In everyday language, we use "combination" loosely. One cares about order. The code on a luggage lock. And there's a sharp distinction between combinations and permutations. Your phone passcode. But mathematically? Your garage keypad. The other doesn't.

When Order Matters (Permutations)

A PIN code is a permutation. 1234 is not the same as 4321. The sequence is the code. On top of that, every position matters. This is what most people actually mean when they ask about 4-digit combinations.

When Order Doesn't Matter (True Combinations)

A lottery draw where you pick 4 numbers and the order they're drawn doesn't matter? That's a true combination. {1, 2, 3, 4} is identical to {4, 3, 2, 1}. Totally different math.

With Repetition vs. Without Repetition

This is the other fork in the road. Can digits repeat?

  • With repetition allowed: 1111, 1212, 9999 — all valid
  • Without repetition: Each digit used once max. 1234 works. 1123 doesn't.

These four scenarios — order matters/doesn't matter × repetition allowed/not allowed — give you four completely different answers. And that's why "how many possible combinations of 4 digits" is a trick question unless you clarify what you're actually counting But it adds up..

Why It Matters / Why People Care

You might be wondering: okay, but why does this matter outside a math class?

Security Is the Big One

Your debit card PIN. So your phone open up code. The keypad on your front door. The combo on your gym locker. All of these rely on 4-digit codes. The total number of possibilities directly determines how guessable they are Easy to understand, harder to ignore. Took long enough..

If there are only 5,040 valid codes (no repetition, order matters), a determined attacker with time and patience has a very different job than if there are 10,000 (repetition allowed). And if the system locks after 3 failed attempts? The math changes again.

People Are Terrible at Randomness

Here's what most guides miss: the theoretical number of combinations barely matters because humans don't pick randomly It's one of those things that adds up..

Studies of leaked PIN databases show the same patterns over and over. 1234. 1111. 0000. 1212. 7777. Even so, birth years. Anniversary dates. The top 20 PINs account for something like 27% of all codes in use Practical, not theoretical..

So while the math says 10,000 possibilities, the effective search space for an attacker is often under 100. So that's not a math problem. That's a human problem.

Lottery and Gaming

Pick-4 lottery games. But daily numbers. Some use true combinations (order irrelevant), others use permutations (exact order). The odds you see printed on the ticket? They depend entirely on which version you're playing. People lose money not understanding the difference.

Programming and System Design

If you're building something that generates 4-digit codes — verification tokens, temporary passwords, device pairing codes — you need to know your actual keyspace. Generating 10,000 codes when you think you have 5,040? That's a collision waiting to happen Small thing, real impact..

How It Works: The Four Scenarios Broken Down

Let's walk through each case. I'll show the math, but more importantly, I'll explain why the math works that way.

Scenario 1: Order Matters, Repetition Allowed (Standard PIN)

This is your ATM PIN. Because of that, your phone passcode. Most keypad locks Easy to understand, harder to ignore. And it works..

The logic: Ten choices for the first digit (0–9). Ten for the second. Ten for the third. Ten for the fourth. Each choice is independent.

The math: 10 × 10 × 10 × 10 = 10⁴ = 10,000

That's it. 0000 through 9999. Every sequence from four zeros to four nines Practical, not theoretical..

Real talk: This is the biggest keyspace of the four scenarios. But as I mentioned, humans cluster around predictable patterns. The theoretical security is 1 in 10,000. The practical security is often 1 in 50.

Scenario 2: Order Matters, No Repetition (Permutations Without Replacement)

Some systems explicitly forbid repeated digits. In practice, older combination locks. Certain corporate password policies.

The logic: Ten choices for the first digit. Once used, it's gone — nine left for the second. Eight for the third. Seven for the fourth No workaround needed..

The math: 10 × 9 × 8 × 7 = 5,040

That's exactly half the previous space. You've eliminated 1111, 1212, 1223, and thousands of others.

Why this exists: Some designers think "no repeats = more secure." It's not. It just shrinks the space. An attacker who knows the rule only tries 5,040 codes instead of 10,000. You've helped them.

Scenario 3: Order Doesn't Matter, Repetition Allowed (Combinations With Replacement)

This one's weird. It's the "grab 4 digits from a bag, put each back, order irrelevant" scenario. Rare in real life, but shows up in some probability problems That's the part that actually makes a difference. That's the whole idea..

The logic: This uses the "stars and bars" formula. You're choosing

You're choosing 4 items from 10 types, where you can pick the same type multiple times, and the sequence {1,1,2,3} is identical to {3,2,1,1}. The formula is C(n + r - 1, r) where n = 10 digit types and r = 4 selections Still holds up..

The math: C(10 + 4 - 1, 4) = C(13, 4) = 13! / (4! × 9!) = 715

Only 715 distinct combinations. Worth adding: tiny. This is why you never see this used for security — it's a teaching example, not a design pattern Less friction, more output..

Scenario 4: Order Doesn't Matter, No Repetition (Standard Combinations)

This is your classic "choose 4 numbers from 0-9" lottery. Think about it: pick 4 distinct digits. 1-2-3-4 wins the same as 4-3-2-1.

The logic: You're selecting a 4-element subset from a 10-element set. No repeats, no ordering.

The math: C(10, 4) = 10! / (4! × 6!) = (10 × 9 × 8 × 7) / (4 × 3 × 2 × 1) = 210

Two hundred ten. This leads to that's it. If a system uses this and tells you "your code is 4 digits," an attacker who knows the rules tries 210 codes. Game over in seconds Small thing, real impact..


Summary Table

Scenario Formula Result Common Use Case
Order matters, repeats allowed 10⁴ 10,000 PINs, passcodes, OTPs
Order matters, no repeats 10P4 = 10×9×8×7 5,040 Restrictive policies, some locks
Order irrelevant, repeats allowed C(13,4) 715 Theoretical problems only
Order irrelevant, no repeats C(10,4) 210 Lottery (Pick-4 box play)

The Trap: When Specs Lie

Here's what burns teams: a requirement says "4-digit code.Also, randint(0, 9999)— 10,000 possibilities. Consider this: " The developer implementsrandom. But the product spec meant "4 distinct digits, order irrelevant" because the designer confused combinations with permutations. Or vice versa.

The code passes tests. That said, the audit passes. The attacker tries 210 combinations and walks in That's the part that actually makes a difference..

Always clarify:

  • "Does 1234 equal 4321?" (Order)
  • "Is 1123 valid?" (Repetition)
  • "Can the code start with 0?" (Leading zeros — usually yes, but not always)

Document the answer. Because of that, put it in the code comments. Put it in the threat model But it adds up..


A Note on Entropy

If you're generating these codes programmatically, the source of randomness matters more than the keyspace size.

Math.random() in JavaScript? Not cryptographically secure. An attacker who observes a few outputs can predict future ones The details matter here..

random.And randint in Python? But **Same problem. ** Uses Mersenne Twister — predictable And that's really what it comes down to..

Use secrets module (Python), crypto.getRandomValues() (JS), /dev/urandom (Linux), CryptGenRandom (Windows). The keyspace math only holds if every code is truly independent and uniformly distributed.


The Bottom Line

Four digits. Four scenarios. A 47x difference between the largest and smallest space.

The math is elementary. The mistakes are expensive. Every time you see "4-digit code" in a spec, ticket, or PR description, ask the two questions:

  1. Does order matter?
  2. Are repeats allowed?

If nobody can answer definitively, stop. Don't approve designs. Even so, don't write code. Get the answer in writing Worth knowing..

Because "it's just a 4-digit code" is the last thing you want on your incident report.

Fresh from the Desk

New This Month

Readers Also Loved

Parallel Reading

Thank you for reading about How Many Possible Combinations Of 4 Digits. We hope the information has been useful. Feel free to contact us if you have any questions. See you next time — don't forget to bookmark!
⌂ Back to Home