Читать книгу The Official (ISC)2 SSCP CBK Reference - Mike Wills - Страница 136

Personal identification numbers are another example of a “what you know” factor in use. Frequently, you see PINs used as a second authentication factor when using a credit card, debit card, or other form of automated teller machine (ATM) card to access banking and financial services. PINs typically are from four to eight digits in length, and as with all factors depending upon human memory, they may be easily deduced using publicly available knowledge about the PIN's legitimate user. It also doesn't take that much machine time to crack a four-digit PIN, or even an eight-digit PIN; the search space is just too small. However, most ATMs and other systems using PINs will set limits on how many times the wrong PIN can be entered before locking the card out of that device.

A variation on the PIN is the use of a user-specified string of memorable information; the access control system then asks the user to provide a few individual characters from this string, rather than the whole value itself. Again, this has all the risks of presenting a very small search space to an attacker and might not actually make things easier for your legitimate users in the process.