Nerding out over patterns in stolen PINs
Has anyone ever completely nerded out over numbers, patterns and maths? I saw this article on ABC News about commonly used PINs, and I clicked into it not expecting to be quite this interested.
The authors took the four-digit PINs from Troy Hunt's Have I Been Pwned site (using its API) and split each one into its first two digits and its last two, so that every PIN becomes an (x, y) point on a 100-by-100 grid. The result is a graph that shows, visually, which combinations of digits turn up most often. One caveat worth keeping in mind: what Have I Been Pwned holds is passwords that appeared in data breaches, so the "PINs" here are four-digit numeric passwords used as a proxy for the PINs people pick, not PINs pulled from a bank.
It's a brilliant idea, because it makes the task of spotting patterns very simple, by visual means alone. Unsurprisingly, PINs like 0000, 1111, 1234 and 1212 are the most common. Every PIN whose first pair equals its last pair (0000, 1111, 1212, 2323 and so on) sits on the x = y diagonal, so the repeated-pair habit shows up as a straight diagonal line. There's also a strong band for PINs beginning with 19 and 20, because those are the first two digits of the birth year of everyone alive today.
The visual representation also reveals some popular PINs that I didn't expect to be common, such as 4321, which is just 1234 in reverse. And 2580 is common because it's a straight line down the middle column of the keypad! Frighteningly, the data shows that an attacker who gets 5 attempts to guess a PIN, armed with this information, has a 1-in-8 chance of success. I'm not quite sure of the maths behind that assertion, but regardless, this is an excellent learning opportunity for us all.
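To make the method concrete, here is an added example (my own code, not the ABC News analysis and not anything from Have I Been Pwned) that does the two things the article does: splits each PIN into its (first two, last two) digit pairs for the grid, and works out the success rate of a guesser who tries the k most common PINs, which is simply the share of all PINs covered by the top k. The frequency table is constructed for illustration: every one of the 10,000 PINs gets a small baseline count and a handful of the patterns discussed above are boosted, so the numbers are not the real Have I Been Pwned figures.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed frequency table standing in for a leaked-PIN dataset.  The counts
# are made up for illustration and are NOT the Have I Been Pwned figures: every
# four-digit PIN gets BASELINE, and the patterns discussed in the post are boosted
# so they dominate the way the real data does.
BASELINE = 2
HOT_PINS = {
    "1234": 900, "1111": 600, "0000": 400, "1212": 250, "7777": 200,
    "1004": 150, "2000": 140, "4444": 130, "2222": 120, "6969": 110,
    "1989": 90, "2580": 80, "4321": 75, "1990": 60, "1985": 55,
}


def sample_counts() -> Counter:
    """Return the constructed PIN -> count table as a Counter (so most_common works)."""
    table = {f"{n:04d}": BASELINE for n in range(10_000)}
    table.update(HOT_PINS)  # plain dict update: replaces the baseline for hot PINs
    return Counter(table)


def split_pin(pin: str) -> Tuple[int, int]:
    """Split a four-digit PIN into (first two digits, last two digits).

    These are the x and y axes of the ABC News style scatter plot; 2580 -> (25, 80).
    """
    if len(pin) != 4 or not pin.isdigit():
        raise ValueError(f"not a four-digit PIN: {pin!r}")
    return int(pin[:2]), int(pin[2:])


def build_grid(counts: Counter) -> Dict[Tuple[int, int], int]:
    """Map each (x, y) cell of the 100x100 grid to the count of the PIN living there."""
    return {split_pin(pin): n for pin, n in counts.items()}


def guess_success_rate(counts: Counter, guesses: int) -> float:
    """Probability that a guesser who tries the `guesses` most common PINs, in
    order, hits a PIN drawn from this distribution.

    With no lockout in the way, that is just the share of all PINs covered by the
    top-`guesses` entries, which is the maths behind "5 guesses, 1-in-N" claims.
    """
    total = sum(counts.values())
    covered = sum(n for _, n in counts.most_common(guesses))
    return covered / total


def share_where(counts: Counter, predicate) -> float:
    """Share of all PINs whose (x, y) pair satisfies `predicate(x, y)`."""
    total = sum(counts.values())
    hit = sum(n for pin, n in counts.items() if predicate(*split_pin(pin)))
    return hit / total


def coarse_heatmap(counts: Counter, cells: int = 10) -> List[str]:
    """Down-sample the 100x100 grid to cells x cells and render it as text.

    Each character is a density level for a block of (100 // cells)^2 PINs;
    x (first pair) runs left to right, y (last pair) runs top to bottom.
    """
    step = 100 // cells
    blocks = [[0] * cells for _ in range(cells)]
    for (x, y), n in build_grid(counts).items():
        blocks[y // step][x // step] += n
    peak = max(max(row) for row in blocks)
    shades = " .:-=+*#%@"
    top = len(shades) - 1
    return ["".join(shades[(v * top) // peak] for v in row) for row in blocks]


if __name__ == "__main__":
    counts = sample_counts()
    blind = 5 / 10_000  # five uninformed guesses out of 10,000 equally likely PINs
    print(f"top-5 guess success: {guess_success_rate(counts, 5):.3f} (blind: {blind:.4f})")
    print(f"share on the x == y diagonal: {share_where(counts, lambda x, y: x == y):.3f}")
    print(f"share starting 19/20:         {share_where(counts, lambda x, y: x in (19, 20)):.3f}")
    for row in coarse_heatmap(counts):
        print(row)
```

Swapping `sample_counts()` for a real frequency table (one column of PINs, one of counts) is all it takes to reproduce the article's figures; the guess-success function also makes the defensive point obvious: the attacker's odds are the sum of the top-k frequencies, so a lockout after a few attempts caps exactly that sum.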
Even if we cyber-security professionals smugly think our own PINs and passwords are well chosen, protected by MFA, converted to passkeys and so on, what about our work colleagues? Friends? Loved ones? The visual method in the ABC News article is a great conversation starter!
What other engaging methods have you used for cyber security education?