Because noone is out there trying to hack your bank card pin – you get that wrong a few times and the card will stop working.

Also you aren’t likely to reuse the pin from your card – if someone works it out they can’t then go and try the same email/password combination on myriad other services

In short it only *needs* to be 4 digits, that’s already 10000 different options and you get what, 3 guesses at it?

I heard a program on the radio where they interviewed the man who invented the ATM and when asked why he chose 4 numbers he said that [he’d asked his wife how many numbers she would like and 4 was the reply](http://news.bbc.co.uk/1/hi/business/6230194.stm) and that stuck.

First, I think a lot of banks require or at least allow 6 digit PINs these days.

But on to why it’s okay for them to be short…

Password logins require one thing. All you need is the password (and username, but that’s easy enough to get and is considered public).

A card’s PIN requires two things: physical possession of the card *and* the PIN code. (If you’ve heard of two-factor authentication before, that’s essentially what the card PIN is trying to be). Because it’s not the only thing you need to access the bank account, it’s theoretically okay for it to be short. Just don’t reuse your PIN because that will make it drastically less secure.

Of course, a _longer_ PIN is always better, but there are other reasons why banks allow a short PIN.

Bonus Section:

ATMs and PIN codes are old technology invented in the 60s; each PIN was originally meant to be used once for a particular cheque. In that case, a four-digit one-time password that also requires a physical object is actually remarkably secure.

All this time, PIN codes have stuck around because they’re easy to remember for humans. A longer code might just encourage people to create PIN codes with certain patterns or substitute numbers for letters and use common, easily guessed words. ATMs also help by only allowing you to enter a wrong PIN a certain number of times.

Finally, banks just don’t have an incentive to change this system. Number pads are cheaper to make than full keyboards, and changing from PINs to passwords would be very expensive since they’d have to upgrade a lot of old systems and millions of ATMs.

Banks had to sell customers on the benefits of ATMs. When ATMs were new, desktop PCs were normal to find in homes but not ubiquitous. There were still a *lot* of people who didn’t use technology in their day-to-day and had to be coaxed to embrace ATMs.

My grandmother outright refused to use ATMs because they reminded her too much of computers, and computers made her feel stupid. She could have put some effort into being a little less stupid, but she opted instead to simply reject the technology.

Somewhere in the late 90s I was waiting at a bank machine for these two little old ladies who were trying to figure out how to use it. One wanted to withdrawal $20.00. She got to the part when you enter the dollar amount you want and she entered “20” and hit “OK”. The machine told her she couldn’t have that amount. You can’t withdraw $0.20 from a bank machine in my part of the world. You have to enter *all* the digits. That means $20 requires that you enter ‘2000’ and the decimal point is added for you.

They couldn’t figure it out. They had a display in front of them that showed them they had entered $0.20 and they were getting mad that it wouldn’t give them $20.

These are the kinds of people we had to convince to adopt the tech. It wasn’t easy. > 4 digits on the PIN would have only made it worse.

That’s the kind of stuff banks had to figure out how to overcome. **There was no internet with complex passwords to compare to.** If you say to someone who isn’t sold on the technology, “You have to remember a 6 digit PIN” would not have been very good.

A debit card pin is a manually entered number that if you get incorrectly too many times, will become locked. That is a feature that does not necessarily exist for any particular website and their password feature.

[Software exists to brute force your password. ](https://www.komando.com/security-privacy/check-your-password-strength/783192/)

To make it easy to remember and enter on a keypad, instead of a whole keyboard at a store or atm.

The man who came up with the complex password requirements now says it was a mistake. It ended up forcing people create less secure passwords, or writing them down where someone else could access them.

Now that password keychains are easily accessible on our phones, it’s less of an issue to have long secure passwords,”. Also Two-Factor Authentication is spreading into normal acceptance for logins, and that can help alleviate the password burden.

Just want to say, 4 is the minimum. At least with the banks I’ve worked for you can do far more. I think the longest I’ve seen was 12 digits.