Your Turn: Strategies to Strengthen PINs

Even if you add a fourth digit to the PIN, it can still be cracked in under two hours.  How do modern cell phones, tablets, and teller machines deal with this problem and still keep PINs short enough to be memorable?  One technique they use is to allow only a certain number of failed tries before making you wait a longer time before the next attempt.  

Here is a terminal password example you can run on one micro:bit to understand how this process works.

Example script: if_three_pin_fails_wait_an_hour

  • Enter, save, and flash if_three_pin_fails_wait_an_hour into a micro:bit
# if_three_pin_fails_wait_an_hour

from microbit import *

# Give the serial terminal a moment to connect before the first prompt.
sleep(1000)

pin = '324'     # the secret PIN
fails = 0       # consecutive incorrect entries since the last success

while True:
    message = input("Enter PIN: ")

    if message == pin:
        fails = 0               # a correct PIN clears the failure count
        print("Access granted.")
    else:
        fails += 1
        print("Access denied.")
        if fails > 2:           # third miss in a row: lock out for an hour
            print("Oops, 3 fails in a row!")
            print("Try again in an hour.")
            sleep(3600000)      # 3,600,000 ms = 1 hour; no input is read meanwhile
            fails = 0           # after the wait, allow three fresh tries

  • Click Open Serial to view the terminal.
  • Press/release the micro:bit module’s reset button.
  • Try entering two incorrect PINs, followed by the correct 324 PIN.
  • Verify that it granted access.
  • Now, try entering three incorrect PINs in a row.  Does the script prevent you from entering more PINs?


Assuming you didn’t have the ability to press and release the micro:bit module’s reset button after 3 incorrect tries, it would take 216 combinations x 1 hour/combination = 216 hours.  You could increase the security further by making the script wait a day before trying again, for example after the 6th fail.
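As an added example (not part of the original tutorial, and not micro:bit code), here is a plain-Python version of the same lockout logic that reads the clock through a callable instead of calling sleep(), so the escalation suggested above (an hour from the 3rd fail, a day from the 6th) can be tested in seconds and the time a guesser would need to try every PIN can be simulated. The PinLock and brute_force_seconds names, the exact escalation rule, and the six-digit character set '012345' (which gives the 216 three-digit combinations) are assumptions.

```python
HOUR = 3600                 # seconds
DAY = 24 * HOUR

class PinLock:
    """Counts consecutive failures and refuses attempts until a lockout expires."""
    def __init__(self, pin, now):
        self.pin = pin          # kept in the clear only to mirror the tutorial script
        self.now = now          # callable returning the current time in seconds
        self.fails = 0
        self.locked_until = 0   # no attempts are accepted before this timestamp

    def _wait_after(self, fails):
        # Assumed escalation: from the 3rd miss in a row each miss costs an hour,
        # from the 6th each miss costs a day; only a correct PIN resets the count.
        if fails >= 6:
            return DAY
        return HOUR if fails >= 3 else 0

    def attempt(self, guess):
        """Return 'locked', 'granted' or 'denied'; locked attempts are not counted."""
        t = self.now()
        if t < self.locked_until:
            return "locked"
        if guess == self.pin:
            self.fails = 0
            return "granted"
        self.fails += 1
        wait = self._wait_after(self.fails)
        if wait:
            self.locked_until = t + wait
        return "denied"

def brute_force_seconds(pin, candidates):
    """Try every candidate in order against a simulated clock, waiting out each
    lockout; returns simulated seconds until access is granted (None if never)."""
    now = [0]                              # constructed clock: mutable timestamp in seconds
    lock = PinLock(pin, lambda: now[0])
    for guess in candidates:
        result = lock.attempt(guess)
        if result == "locked":
            now[0] = lock.locked_until     # the guesser simply waits out the lockout
            result = lock.attempt(guess)
        if result == "granted":
            return now[0]
    return None
```

Because the clock is injected, the same PinLock can be driven by a real time source on a device and by a fake one in tests, which is how a lockout policy should be verified before it is trusted.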

  • Open decimal_bank_vault_receiver, and save it as decimal_bank_vault_receiver_your_turn.
  • Modify the script to incorporate the 3-tries-per-hour limit using the techniques in if_three_pin_fails_wait_an_hour.
  • Also, make the X on the LED display flash 3 times, and then scroll the wait 1 hour message.
  • Make sure it doesn’t display Image.SQUARE_SMALL until after the hour has passed.
  • Test your modifications to make sure your script responds correctly:
      • Try 2 incorrect PINs followed by a 3rd correct one.
      • Try 1 incorrect PIN followed by a second correct one.
      • Verify that it stops responding for an hour after the 3rd incorrect PIN.

There is still a glaring vulnerability in this system!  Any micro:bit listening on the same channel will still receive a correctly entered PIN.  In other words, the PIN is still totally vulnerable to sniffing attacks!