Probability / odds question

Any maths gurus able to help with probability odds of guessing 4 digit numbers?

With a 4 digit PIN, the odds of guessing the correct one is 1 in 10000 I think.

But if there are 50 correct PINs, and you have 5 guesses, what are the odds of guessing one of the correct PINs?

I’ve tried googling for help but quickly get lost trying to understand it

I make it 0.0247561490, so about one in forty.

0.025, 2.5%, or 40:1 if you prefer your probability that way.

1 in 40 does seem pretty low (although in practical terms I guess it’s still pretty unlikely).

Thanks for the help

Actual pin numbers?
Have you got a list of the 50 to choose from?

Re-read that.

If its actually pin numbers and you’re only looking to hit one of them it’s a lot better than 1:40 you can pretty much discount the first two digits as being 19 given the number of people who use their year of birth and of those that don’t you’re as likely to get 19 as your randomly assigned number as not so you’re really only trying to guess the last two

It’s a theoretical secure coded entry at this point. PINs have to be 4 digits so correctly guessing one correct PIN is 1:10000.

The entry unit gives 5 attempts before it locks. So that increases the odds of guessing correctly as more chances (5:10000).

If there are 50 users each with their own PIN – that increases the odds of guessing any correct PIN within your 5 attempts.

If that works out to 1:40 chance of guessing a correct PIN within 5 attempts it probably isn’t secure enough so would need to go with proximity tags.

That seems wrong at 1:40 each one is 9999 choose 1.
Each subsequent pin does not affect any previous one (e.g could be duplicate Pins)

So the answer is 9999C1 X 50

Slightly over 1 in 40.

10000 options, 50 correct, so each guess has a 1 in 200 chance.

5 goes means 1 in 40.

However each subsequent guess after the first increases the chance of being correct by a small amount that this maths doesn’t account for.

Ooops sorry it’s 5 goes each so it’s 9999C5 X 50

10000/5/50=40

If there are 50 users each with their own PIN though, are you ensuring that they all have a unique pin? Counterintuitively perhaps, having duplicate PINs would create a lower probability of guessing because there’s fewer correct ones.

Also, are these PINs randomly generated or user-generated? People are predictable. 0000, 1234, 4321, 2580, 1066, 2023, user’s birth year, user’s partner’s birth year (hello, social media)…

You’ve got five attempts to guess one of 200 passwords (assuming all unique), no-one’s going to be brute-forcing that unless they walk past every day. Starting at 0000, if the first correct PIN starts just with a 1 that’s over a thousand attempts. You’ve got a bigger threat from shoulder-surfing or people holding the door open for them. I was stood idly in Boots a little while back whilst waiting for my partner to queue to pay for something. I watched staff come and go through the ‘staff only’ door, I easily got half a dozen entry codes without even trying, I have a good memory for numbers and of course really I only need one.

As mentioned PINs aren’t randomly distributed so it massively skews the odds

http://www.datagenetics.com/blog/september32012/

Can you put it on an inner door to shield it? Like how a public toilet always has two doors?

I guess really the million dollar question is, what are you securing (a million dollars?😁) You wouldn’t put a ten thousand pound security system on the stationery cupboard (unless you’re Staples). How much security do you need? Have you sought quotes for options?

Is tracking staff movement important, do you actually need 50 PINs (which would then have to unique) or do you just need one which you could give to all 50 staff. Is it one door or multiple secure areas within the building which only some staff are allowed into? Proximity fobs may be a better option but it’ll surely be more costly and people get them mixed up or go “I’ve left mine inside, can I borrow yours?”

PINs would be randomly generated, wouldn’t be letting folks pick.

1:200 chance of guessing a correct PIN but with 5 attempts – it’s unlikely to be brute forced, but a 1:40 chance of randomly guessing would be a hard sell however unlikely it actually is to occur.

Stupid question perhaps but,

Does the entry system support longer PINs and 4 is just default behaviour?

And actually my theoretical scenario isn’t really as simple as a door, and although in practical terms there would be a couple of million quid behind it, in practical terms you couldn’t remove it once you’d got through.

But trying to get sign off on a system with a 1:40 chance of brute forcing on any given day is too much like “odds I might bet on” rather than “lottery winning odds”. Prox is already in place but randomised PINs required due to a programming quirk to produce user names of who has entered rather than user ID number . Sounds stupid, is stupid, thanks for odds calculation assistance 😁

I don’t remember this conversation in TS2

Prox is already in place but randomised PINs required due to a programming quirk to produce user names of who has entered rather than user ID number

If you need proximity AND a PIN, you’ve basically just described MFA. You’re back to 5 attempts to guess the 1 in 10000 number unique to that fob. Remove the lockout even, how long do you suppose it’d take to happen across it if you were just standing there randomly mashing buttons? 7591, nope. 0537 nope. 9458 nope. Your hand would fall off before you got it purely by chance.

Prox is already in place but randomised PINs required due to a programming quirk to produce user names of who has entered rather than user ID number

That’s a really good analysis, cheers for the link.

slightly more than 1/40

Guess 1, you have 50/10000 chances = 1/200

(assuming you get it wrong first time)

Guess 2, you have 50 possible right answers but now only 9999 wrong choices, assuming you aren’t such a nob to use the same guess again

Guess 3, 50/9998

The difference is so small that TBH makes no real difference but slightly more than 1/40

It’s obviously nuts to allow everyone to have their own PIN for a single entry point, whoever thought that one up should be taken out and shot. I’ve never come across one of these entry points where it wasn’t either (a) a single number for everyone, changed occasionally (you hope) by the owner and disseminated to the authorised entrants or (b) everyone has their own PIN but it’s tied to some other ID card or some such, so you need the correct PIN for the card.

The difference is so small that TBH makes no real difference but slightly more than 1/40

Agreed.

The original request was effectively for a draw without replacement. Considering a jar of marbles it’s as if there are 10,000 marbles, of which 50 are red, 5 draws are allowed, and having 1 red ball is a win.

The odds are adjusted further as, as has been noted, there are not 10,0000 possible options as many sequences will be removed for obviousness. ‘0000’, ‘1111’, etc for example. It’s not entirely a brute-force probabilistic approach. Though approximating it to that is a reasonable initial approach.

If you need proximity AND a PIN, you’ve basically just described MFA. You’re back to 5 attempts to guess the 1 in 10000 number unique to that fob.

They can’t uniquely identify the fobs, which is why they need the individual PINS.

I think that the key here is the purpose of the door. If it’s for actual security, then in actual fact a PIN system of any type is pretty useless as it would be easily broken. If it’s just to control access then 1 in 40 is probably enough to put randoms off.

It seems unlikely (given the above analysis of how PINs are chosen) that the 50 PINs are all unique, which would reduce the odds of hitting one naively. But increase the odds if you used a decent frequency table for testing.

Regardless, it’s an idiotic system.

They can’t uniquely identify the fobs

Lolwut?

They can but aren’t, maybe. Key fobs have a unique code, otherwise what would be the point if you could just buy one and start using it? What happens if one gets lost?

Ha ha, good point.