Common pins

Setting up Windows Insider/developer after seeing they apparently have an integrated bash (actually it seems to be an integrated Linux/POSIX layer à la Cygwin/MinGW, but I’m still jumping through hoops) and thus, for starters, setting up the annoying non-local password/PIN login. Picking a PIN, it immediately complained that “1234” is too common (which it is, but if anyone gets physical hardware access it’s game over – nothing about my setup is hardened enough to deal with that).

Now “too common” is a strange kind of concept when it comes to four-digit PINs. By computer security standards they are all too common – even a four-character password drawn from letters, digits and special characters (more than six thousand times as hard to guess) isn’t enough. That doesn’t mean PINs are bad – with a fallback to the password after three wrong guesses (and the device you guess on not being available by the thousands, so there is no offline attack) they’re fairly reasonable. But it’s hard to mentally downshift into “which ones are extra special *more* common”.

So what, in their wisdom, did Microsoft pick? They tell you up front that “one repeated digit” and “only sequential” are out. So 0000, 1111, 2222… and 1234, 2345, 3456… Based on pure personal “what would be my next most obvious” I guessed 1357 – like 1234 but two steps between digits. That, too, was excluded. So was the same backwards. Trying a few more, 0001 was ok, and so were 0101 and 0102. So it appears “sequential” and “repeating” only count at single digits and all digits. Attempting to extend 1357 further, 2468, 3579… aren’t allowed either. In the “by twos, by threes…” direction, they also do not allow 1470, nor 0741. Here I feel like I’m starting to see numbers most people would have a hard time considering “so obvious”, and I test a few on my wife to see if she judges them “clearly a pattern”, which she doesn’t. Each digit increasing by 4 doesn’t fit, but perhaps wrapping around at 10? Indeed wraparounds, 1593, 2604… count as common.

So that’s large enough to be a hard-to-visualize number set, and it’s time to look at them programmatically. Calling the first digit n and the step to the next digit k, Python would call that ((n+k*0)%10, (n+k*1)%10, (n+k*2)%10, (n+k*3)%10), i.e. start digit plus (step times position) modulo ten, four of them. n, the starting digit, can apparently be any of the ten (0-9, range(10) in Python). The step.. well, we can count 0 as “repeating” (1111: n=1, k=0). k=9 is the same as -1 (we live in mod 10 because of the wraparound, so 5+9 -> 14 -> 4) but that is in fact included too, so.. k is also the full set, 0-9. Expressed as a list, [((n+k*0)%10, (n+k*1)%10, (n+k*2)%10, (n+k*3)%10) for n in range(10) for k in range(10)].

[(0, 0, 0, 0), (0, 1, 2, 3), (0, 2, 4, 6), (0, 3, 6, 9), (0, 4, 8, 2), (0, 5, 0, 5), (0, 6, 2, 8), (0, 7, 4, 1), (0, 8, 6, 4), (0, 9, 8, 7), (1, 1, 1, 1), (1, 2, 3, 4), (1, 3, 5, 7), (1, 4, 7, 0), (1, 5, 9, 3), (1, 6, 1, 6), (1, 7, 3, 9), (1, 8, 5, 2), (1, 9, 7, 5), (1, 0, 9, 8), (2, 2, 2, 2), (2, 3, 4, 5), (2, 4, 6, 8), (2, 5, 8, 1), (2, 6, 0, 4), (2, 7, 2, 7), (2, 8, 4, 0), (2, 9, 6, 3), (2, 0, 8, 6), (2, 1, 0, 9), (3, 3, 3, 3), (3, 4, 5, 6), (3, 5, 7, 9), (3, 6, 9, 2), (3, 7, 1, 5), (3, 8, 3, 8), (3, 9, 5, 1), (3, 0, 7, 4), (3, 1, 9, 7), (3, 2, 1, 0), (4, 4, 4, 4), (4, 5, 6, 7), (4, 6, 8, 0), (4, 7, 0, 3), (4, 8, 2, 6), (4, 9, 4, 9), (4, 0, 6, 2), (4, 1, 8, 5), (4, 2, 0, 8), (4, 3, 2, 1), (5, 5, 5, 5), (5, 6, 7, 8), (5, 7, 9, 1), (5, 8, 1, 4), (5, 9, 3, 7), (5, 0, 5, 0), (5, 1, 7, 3), (5, 2, 9, 6), (5, 3, 1, 9), (5, 4, 3, 2), (6, 6, 6, 6), (6, 7, 8, 9), (6, 8, 0, 2), (6, 9, 2, 5), (6, 0, 4, 8), (6, 1, 6, 1), (6, 2, 8, 4), (6, 3, 0, 7), (6, 4, 2, 0), (6, 5, 4, 3), (7, 7, 7, 7), (7, 8, 9, 0), (7, 9, 1, 3), (7, 0, 3, 6), (7, 1, 5, 9), (7, 2, 7, 2), (7, 3, 9, 5), (7, 4, 1, 8), (7, 5, 3, 1), (7, 6, 5, 4), (8, 8, 8, 8), (8, 9, 0, 1), (8, 0, 2, 4), (8, 1, 4, 7), (8, 2, 6, 0), (8, 3, 8, 3), (8, 4, 0, 6), (8, 5, 2, 9), (8, 6, 4, 2), (8, 7, 6, 5), (9, 9, 9, 9), (9, 0, 1, 2), (9, 1, 3, 5), (9, 2, 5, 8), (9, 3, 7, 1), (9, 4, 9, 4), (9, 5, 1, 7), (9, 6, 3, 0), (9, 7, 5, 3), (9, 8, 7, 6)]

Bam.. Ok, not very readable, let’s throw in "%d%d%d%d" % (expression) so it collapses into strings, like ["%d%d%d%d" % ((n+k*0)%10, (n+k*1)%10, (n+k*2)%10, (n+k*3)%10) for n in range(10) for k in range(10)]

['0000', '0123', '0246', '0369', '0482', '0505', '0628', '0741', '0864', '0987', '1111', '1234', '1357', '1470', '1593', '1616', '1739', '1852', '1975', '1098', '2222', '2345', '2468', '2581', '2604', '2727', '2840', '2963', '2086', '2109', '3333', '3456', '3579', '3692', '3715', '3838', '3951', '3074', '3197', '3210', '4444', '4567', '4680', '4703', '4826', '4949', '4062', '4185', '4208', '4321', '5555', '5678', '5791', '5814', '5937', '5050', '5173', '5296', '5319', '5432', '6666', '6789', '6802', '6925', '6048', '6161', '6284', '6307', '6420', '6543', '7777', '7890', '7913', '7036', '7159', '7272', '7395', '7418', '7531', '7654', '8888', '8901', '8024', '8147', '8260', '8383', '8406', '8529', '8642', '8765', '9999', '9012', '9135', '9258', '9371', '9494', '9517', '9630', '9753', '9876']

Looking at it, it can’t repeat: the first two digits already pin down n and k (the second digit is n+k mod 10, so k is recoverable as the difference between the first two digits), and no two (n, k) pairs share a first pair of digits. They are also grouped by first digit, and within each group the second digit cycles upward from the first digit and wraps (which is why ‘1098’ lands after ‘1975’ rather than in strict numerical order). We can even tell how many there are – 10 first digits with 10 step values each = 100 – exactly 1% of the total keyspace. Quite elegant.
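As an added example (not code from the original post), here is the same hypothesis turned into a direct checker rather than a lookup table: a PIN is flagged when the difference between every pair of consecutive digits is the same modulo 10. It also audits the whole keyspace to confirm the 100 / 9,900 split, and generalises to other PIN lengths – since the first two digits already fix (n, k), the excluded set stays at 100 for any length of two or more, so the same rule removes 1% of a four-digit space but only 0.01% of a six-digit one. The function names and the short list of sample PINs are my own constructions.

```python
from itertools import product

BASE = 10  # digits wrap around modulo ten, as observed in the post


def progression_pins(length=4):
    """Every PIN of `length` digits whose digits form an arithmetic
    progression modulo BASE: digit_i = (n + k*i) % BASE for some n, k."""
    pins = set()
    for n in range(BASE):          # starting digit
        for k in range(BASE):      # step; k=0 is "repeating", k=9 is "-1"
            pins.add("".join(str((n + k * i) % BASE) for i in range(length)))
    return sorted(pins)


def is_progression_pin(pin):
    """Direct test without building the table: True when every consecutive
    digit difference is the same modulo BASE.  Non-digit input and PINs
    shorter than two digits are never flagged (nothing to compare)."""
    if not pin.isdigit() or len(pin) < 2:
        return False
    digits = [int(c) for c in pin]
    k = (digits[1] - digits[0]) % BASE
    return all((b - a) % BASE == k for a, b in zip(digits, digits[1:]))


def audit_keyspace(length=4):
    """Brute-force every PIN of `length` digits and return
    (excluded_count, allowed_count) according to is_progression_pin."""
    excluded = sum(
        1
        for t in product("0123456789", repeat=length)
        if is_progression_pin("".join(t))
    )
    return excluded, BASE ** length - excluded


# Constructed sample inputs: PINs the post reports as rejected or accepted.
REJECTED_IN_POST = ["0000", "1111", "1234", "1357", "7531", "2468", "1470", "0741", "1593", "2604"]
ACCEPTED_IN_POST = ["0001", "0101", "0102", "1000"]

if __name__ == "__main__":
    table = progression_pins()
    print(len(table), "patterned four-digit PINs; first few:", table[:5])
    for pin in REJECTED_IN_POST + ACCEPTED_IN_POST:
        print(pin, "excluded" if is_progression_pin(pin) else "allowed")
    for length in (4, 6):
        excluded, allowed = audit_keyspace(length)
        print(f"{length}-digit: {excluded} excluded, {allowed} allowed "
              f"({100 * excluded / BASE ** length:.2f}% of the keyspace)")
```

The checker and the generator agree on every four-digit PIN, which is the real test of the hypothesis: anything the generator lists is flagged, and nothing else is.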

I’m not 100% sure this is their thinking, but these are indeed excluded, and I can’t find any other “common numbers” being excluded (even though some might say “1000” is more obvious than “7036”). Feel free to show me wrong – I’d actually be interested :-).
