🌐
Reddit
reddit.com › r/bitwarden › what is the hardest 6 digit password
r/Bitwarden on Reddit: What Is The Hardest 6 Digit Password
February 27, 2024 -

https://logmeonce.com/resources/what-is-the-hardest-6-digit-password/#

Sigh. Just sigh.

Passwordbits : 36.78 bits; cost to crack $0 USD

Bitwarden: !@Qw3rty very weak; time to crack 2 seconds

Top answer
1 of 5
15
This must be an AI hallucination. Even if we accept the idiosyncratic use of the word "digits" to mean "character", it contains statements that could not have been written by a human: "Mix up the letter order each time you login." [Wait – what?!?] But also: "Start with a mix of [uppercase and lowercase letters] and use the same order each time you type your password." "Generally, a 6 digit password consists of at least 77 quadrillion possible combinations." [This would imply that each digit is drawn from a pool of 652 characters...] "Unlike other passwords, [a 6-digit password] requires more characters to unlock the account." [More than 5, maybe?] "The longer the prefixes and characters, the harder it is for hackers to guess it." [What is a "long" character?] "Unreadable letter combinations" "Q: What Is The Hardest Six Digit Password? A: ...a password such as '$9x^L@D'" [OK, so the hardest 6-digit password is a 7-character password? Well played.] Even the photo in the "author's" byline looks obviously AI-generated: https://logmeonce.com/resources/wp-content/uploads/2024/01/Gloria.png
2 of 5
8
Is this a joke? 6 digits and than mentioning characters?
🌐
Quora
quora.com › What-is-the-hardest-6-digit-password
What is the hardest 6-digit password? - Quora
Answer (1 of 8): While making random guesses, all 6 digit numeric passwords should theoretically have the same chance of being chosen, i.e. 1/106. So, irrespective of which option you select from this pool, you are theoretically protected against a random guess. However, in reality, it will be s...
Videos
🌐 youtube.com
How To Change an iPhone or iPad's Six-Digit Passcode To ...
01:33
🌐 YouTube
How to Use a 6 Digit Passcode | iOS Tips - YouTube
May 6, 2016
04:03
🌐 YouTube
iOS 9: Six Digit Passcodes! - YouTube
June 16, 2015
🌐 youtube.com
iOS 9 : Passcode (6-digit password) - YouTube
04:22
🌐 YouTube
Can You Figure Out The Special 6 Digit Number? - YouTube
July 9, 2018
45.3K
25:09
🌐 YouTube
How to Create Strong, Easy to Remember Passwords - YouTube
June 2, 2022
View all
View all
🌐
This-pin-can-be-easily-guessed
this-pin-can-be-easily-guessed.github.io
This PIN Can Be Easily Guessed
A blocklist is a set of "easy to guess" PINs, which triggers a warning to the user. Apple iOS devices show the warning "This PIN Can Be Easily Guessed" with a choice to "Use Anyway" or "Change PIN." ... little benefit to longer 6-digit PINs as compared to 4-digit PINs.
🌐
GRC Public Forums
forums.grc.com › community conversations › security
Is 6 digits really enough for an OTP code? | GRC Public Forums
February 14, 2023 - Specifically, if I write a program ... 50% of the time (vs 100% of the time on a stationary target). Based on 1000 guesses per second (which is what Password Haystacks assumes for an online attack scenario), an attacker would have a 50% chance of guessing correctly in 18.52 minutes ...
🌐
Reddit
reddit.com › r/askmath › is there really a 20% chance of guessing the right password in 6 tries given the frequency of digits for this scenario? that is...scary.
r/askmath on Reddit: Is there really a 20% chance of guessing the right password in 6 tries given the frequency of digits for this scenario? That is...scary.
January 20, 2023 - That's seven digits. ... Crap! There's supposed to be 1 zero. ... I had to keep reading it as I though I couldn’t count to six. :-) ... And anything follows out of a contradiction. So it's true! Continue this thread ... Considering your correction, it's 6! / 3! 2! = 60 combinations. 6 tries makes it 6/60 or 10%. ... That is...scary. Why? It's a really short simple password and you know a lot about it already.
🌐
ResearchGate
researchgate.net › figure › Top-ten-6-digit-PINs-in-each-PIN-dataset_tbl2_313823128
Top ten 6-digit PINs in each PIN dataset | Download Table
Participants used their own smart-phone to first select a 4-digit PIN. They were then directed to select a 6-digit PIN with one of five randomly assigned justifications. In an online attack that guesses a small number of common PINs (10-30), we observe that 6-digit PINs are, at best, marginally more secure than 4-digit PINs.
🌐
Google Support
support.google.com › mail › thread › 317963475 › what-is-a-6-digit-password-or-code-google-keeps-asking-me-for-and-where-has-google-hidden-mine
What is a 6 digit password or code Google keeps asking me for? And where has Google hidden mine? - Gmail Community
Skip to main content · Gmail Help · Sign in · Google Help · Help Center · Community · Gmail · Terms of Service · Submit feedback · Send feedback on
🌐
Strong Password Generator
strongpasswordgenerator.org › 6-digit-password-generator
Using a 6 Digit Password Generator | 8 Benefits
By generating passwords that are ... which can include easy-to-guess terms or dates, the randomness inherent in a 6-digit generator makes it more difficult to guess....
Find elsewhere
🌐
Apple Community
discussions.apple.com › thread › 252595635
6-digit password broke in 15 min - Apple Community
... No one broke your 6 digit passcode unless it was 000000 or similar, or they saw you enter the passcode. With a 6 digit passcode it would take an average of 500,000 guesses, and the phone will become disabled after 10 guesses. They also must have hacked your Apple ID.
🌐
Reddit
reddit.com › r/hacking › list of 6 digit pins ranked by use ?
List of 6 digit pins ranked by use ? : r/hacking
January 27, 2024 - I can give u the top 1.000.000 digits of.you want. But they will probably be unsorted. More replies More replies ... Just bought a phone and the guy didn’t give me the damn password. After 3 guesses it was 111111🤦‍♀️
🌐
RapidTables
rapidtables.com › tools › password-generator.html
Password generator 6 chars
Strong random password generator. Create secured password online.
🌐
Stack Exchange
security.stackexchange.com › questions › 124682 › is-a-6-digit-numerical-password-secure-enough-for-online-banking
authentication - Is a 6 digit numerical password secure enough for online banking? - Information Security Stack Exchange
Top answer
1 of 13
66

Unusual? Yes. Crazy? No. Read on to understand why...

I expect your bank has a strong lockout policy, for example, three incorrect login attempts locks the account for 24 hours. If that is the case, a 6-digit PIN is not as vulnerable as you might think. An attacker that tried three PINs every day for a whole year, would still only have about a 0.1% chance of guessing the PIN.

Most websites (Facebook, Gmail, etc.) use either email addresses or user-selected names as the user name, and these are readily guessable by attackers. Such sites tend to have a much more relaxed lockout policy, for example, three incorrect logins locks for account for 60 seconds. If they had a stronger lockout policy, hackers could cause all sorts of trouble by locking legitimate people out of their accounts. The need to keep accounts secure with a relaxed lockout policy is why they insist on strong passwords.

In the case of your bank, the user name is a 16-digit number - your card number. You do generally keep your card number private. Sure, you use it for card transactions (online and offline) and it is in your wallet in plaintext - but it is reasonably private. This allows the bank to have a stronger lockout policy without exposing users to denial of service attacks.

In practical terms, this arrangement is secure. If your house mate finds your card, they can't access your account because they don't know the PIN. If some hacker tries to bulk hack thousands of accounts, they can't because they don't know the card numbers. Most account compromises occur because of phishing or malware, and a 6-digit PIN is no more vulnerable to those attacks than a very long and complex password. I suspect that your bank has no more day-to-day security problems than other banks that use normal passwords.

You mention that transactions need multi-factor authentication. So the main risk of a compromised PIN is that someone could view your private banking details. They could see your salary, and your history of dodgy purchases. A few people have mentioned that a 6-digit PIN is trivially vulnerable to an offline brute force attack. So if someone stole the database, they could crack your hash, and get your PIN. While that is true, it doesn't greatly matter. If they cracked your PIN they could login and see your banking history - but not make transactions. But in that scenario they can see your banking history anyway - they've already stolen the database!

So while this arrangement is not typical, it appears that it is not so crazy after all. One benefit it may have is that people won't reuse the same password on other sites. I suspect they have done this for usability reasons - people complained that they couldn't remember the long, complex passwords that the site previously required.

2 of 13
67

A 6 digit numerical password doesn't do much.

Why 6 Digits?

Troy Hunt has an excellent blog about being forced to create weak passwords where he talks about various bad practices including forcing short numerical passwords and puts forward the often used excuse that

“We want to allow people to use the same password on the telephone keypad”

The only valid reason to require a numerical only password is that the only input available to a user is numerical (e.g. with ATMs); (similarly the only valid reason to require a human readable password is that a human will read it - which would be a very bad sign if it was used not just for telephone banking, but for the website too).

But if that is the reason, why on earth would they force you to use the same insecure pass code online (or on mobile), when you have access to a full qwerty keyboard?

How easy to brute force the way in?

There are 106 possible passwords consisting of 6 digits.

For an unskilled attacker, getting into your account is no problem at all if they have your username and unlimited attempts. You should assume they have your username. Usernames are not secrets.

Let's maybe assume the bank has thought of this, and locks each account after 3 bad tries, or perhaps initiates a robot-limiting option like a captcha to try again after that. Then the attacker still has a 3/1000000 chance of getting in to a random account within that window.

That means if they attack 1000000 accounts, they can expect to get into 3. And making 3000000 requests would not take very long at all.

Compare that to how many passwords there are with 6 alphanumeric characters (by most security standards, far too short, and not complex enough).

There are 626 = 56800235584 possible 6 character alphnumeric passwords. That's still too weak but it's already 56800 times stronger!

Stored securely?

Needless to say, if the user database was breached, 106 possible passwords is ridiculously low entropy, and whatever hashing and salting system they've used, they can't keep your passcode secure.

Your bank's plan in the case of a database breach is presumably to roll over and cry. Maybe they think the outcome is so bad they just aren't going to plan for it.

Assuming the other authentication method is secure, should I worry?

An attacker seeing your finance history is a really big issue; you should be worried even if the other authentication method blocking transfers is secure. And you should not expect the other method to be secure.

How much other information is leaked about you without the 2nd authentication method? Your name, address, email, maybe?

These are more than enough to start doing background research on you, to get additional info - these could be clues to your other password, or good strong information on how to phish you. They might try calling you, using the information they have on you so far to gain your trust, pretending to be the bank, and trick you into revealing other secrets about yourself under a ruse that you need to authenticate to them by answering the last few questions they need in order to get into your account.

As another example, if the 2nd authentication method is a strong password, but you (and for most customers the "you" isn't tech savvy) but the customer happens to have ever been included in a database breach for another website where they used the same username/email and password, then its game over. - This logic applies to any username/password based system, but is particularly relevant in this case because the attacker is able to discover other information about you exposed by the first insecure authentication method, and because the 2nd password is now the only barrier to them taking your money - this is one reason why industry standard is to require a 2 factor authentication on banking websites before showing the user anything.

As for industry standards; my bank have an no max length password with the ability to take special characters, and then follow it up with a 2nd passcode which can only be entered by selecting some letters from a series of drop downs (so the entire 2nd passcode isn't used in a single attempt).

I'd prefer it if my bank used an out of band 2nd authentication factor; such as a code being sent to my phone.

🌐
Touch 'n Go eWallet
support.tngdigital.com.my › hc › en-my › articles › 6567248726809-What-is-a-strong-6-Digit-PIN
What is a strong 6-Digit PIN? – Touch 'n Go eWallet Help Centre
A strong 6-Digit PIN should not be predictable and cannot be easily guessed. We highly recommend that users choose a 6-Digit PIN that avoids these common pitfalls, as outlined below: No DOB (forwa...
🌐
TikTok
tiktok.com › discover › how-to-guess-a-6-digit-password
How to Guess A 6 Digit Password | TikTok
September 15, 2025 - Hint ( It's a 6 digit password) "hope it helped" #guessthepassword #putapasswordtomyipad #viral #4u #foru #4you #xybca #xzybca #fy #fyp #fypシ #fypppp
🌐
JustAnswer
justanswer.com › computer › mkarv-husbands-phone-asking-digit-passcode.html
How to Guess and Unlock a 6-Digit iPhone Passcode | Expert Q&A
He specializes in helping users with computer and software issues, leveraging over 5 years as a certified Computer Support Specialist with a Bachelor’s degree and expertise in hardware, networking, and programming.Start Chat ... Hi, my name is ***** ***** I will do my best to help you today. May I get your name, please? ... If I understand correctly, your husband's phone is asking for a 6-digit passcode but he only knows 4 digits. Is that correct? ... Apple has used 6-digit passcodes by default for several years now, so he should have set one up. Please have him try to guess the 6-digit passcode, otherwise he will need to reset the phone to factory settings, which will erase everything on it, in order to use it again.
🌐
USENIX
usenix.org › system › files › sec22fall_munyendo.pdf pdf
On the (In)Security of Upgrading PINs from 4 to 6 Digits
with iOS 9), the targeted attacker can guess over 25% of the · 6-digit PINs in 10 attempts, and over 30% in 30 attempts. Similar to the limited security benefits of password expi-
🌐
Stack Exchange
math.stackexchange.com › questions › 4625219 › what-is-the-formula-to-estimate-how-long-it-can-take-to-guess-an-otp
cryptography - What is the formula to estimate how long it can take to guess an OTP? - Mathematics Stack Exchange
Top answer
1 of 1
4

In your example, we can think about it as follows:

A six-digit code has 1,000,000 possible states, hence allows for a 1/1,000,000 chance to correctly guess it on the first try. Given that we can try thrice, the second chance is 1 / 999,999 and the third is 1 / 999,998. Although, the numbers are too close to 3/1,000,000 for it to make statistical difference.

So we can say, for one generated code, our chance is 3/1,000,000. That means, plugging into the formula 1-(1-p)^n = x, we get an n of ≈231,049 codes to generate for a 50% chance of cracking it.

In other words: If 231,049 different hackers each tried to hack a six-digit code by choosing 3 random codes, then about half of them would succeed.

Since we can do this 10 times an hour, we can conveniently just divide this by 10 to see how many hours it'd take, which is 23,105 hours, or about 2.6 years.

This is actually slightly better than your estimate.

Why does it not align with the linked calculation?

This is because you're not sufficiently exhausting the keyspace. As I said in the beginning, the second and third guess are slightly more likely to succeed than the first one, because you already know one code that isn't correct, and later two.

However, on your third wrong guess, the code becomes invalid and you are back at the beginning. For this reason, you have to use a different formula, which calculates the cumulative chance of independent events, rather than simply checking how large the keyspace is and dividing it in half.

Regarding the real world

In real life, it's likely even more difficult to be successful, because repeatedly entering wrong one-time codes could lock the account, or the service could notify the user that their account is likely compromised, which leads to them changing their password.

In short, OTP codes like this are not bullet-proof and can be guessed by sheer luck, but it's very unlikely to lead to consistent success.

Increasing Security

This scheme is already plenty secure - secure enough that PayPal uses it - but if you want to go even further, you could make the codes longer. 8 digits would turn 2.6 years to 260 years (roughly), and adding even some uppercase letters to it would make the keyspace even larger.

The downside would be a worse user experience, as "632 109" is slightly easier to type than "P88X 6A3H". It would risk users not enabling 2FA at all, all for making a theoretical attack theoretically more difficult.

🌐
Quora
quora.com › What-are-all-the-possible-codes-for-a-6-digit-lock-from-0-to-9-Im-trying-to-get-into-my-old-phone-and-dont-know-the-password
What are all the possible codes for a 6 digit lock from (0 to 9)? I'm trying to get into my old phone and don't know the password. - Quora
Answer (1 of 4): You want someone to list every number between 000000 and 999999 for you? That’s literally a million options. Assuming you can enter one number every five seconds, it could take you anywhere between five seconds (if you nail it on the first go) or 57 days of typing numbers ...
🌐
Electronics Weekly
electronicsweekly.com › home › why six digit pins are no better for security than four digits
Most Common 4-Digit PINs: Top Codes & Their Security Risks | Electronics Weekly
March 20, 2025 - If the participant was not allowed to select certain PINs, we also skipped those when guessing,” Markert told Electronics Weekly. And it was this that revealed that six digit PINs are no better than four digit PINs.
🌐
LogMeOnce
logmeonce.com › resources › how-to-guess-a-6-digit-password
How To Guess A 6 Digit Password
We are optimizing your request for the best experience