Windows 10 allows you to log in with a PIN instead of a password. In fact, you’re required to set up a PIN before you can set up Windows Hello to log in with a fingerprint or facial recognition.
A PIN is four or more numbers, exactly like the PIN for your debit card. Windows 10 starts immediately when you tap the last number – no need to hit Enter or click a button. You’ll be logged in faster than if you typed a long password.
Here’s the paradox: using a PIN is safer than using a password. That’s an interesting story that I’ll tell you down below. Let’s start with the rules for setting up a PIN to log into Windows.
How to set up a PIN in Windows 10
Set up a PIN in Windows 10 by clicking on Start / Settings / Accounts / Sign-in options.
The PIN has to be at least four numbers. Type it in twice. Done! You can sign in to that computer with a PIN.
Strongly recommended for security:
• Choose a PIN that has 6 numbers or more. (A phone number that you’ll remember – not yours – is a good choice.)
• Use a different PIN on each computer.
• Don’t use your debit card PIN.
You’re not restricted to a PIN after you set it up. Click on Sign-in options to choose any of the methods set up on the computer. In the picture above that’s (1) “picture password” (drawing a pattern on a touchscreen), (2) password, (3) PIN, or (4) fingerprint. The computer will remember the one you choose and offer it as the default next time, but you can always pick whichever one you want.
Why a PIN is safer than a password
You probably log into your Windows 10 computer with your personal Microsoft account. That has lots of advantages. Many Windows settings are synced – wallpaper, Internet Explorer favorites, and more. You have access to personal files in OneDrive. Your OneNote notebooks are synced through that account. Skype runs through your personal Microsoft account. Your purchases from the Windows Store are tied to that account. If you use Outlook.com for email, it’s set up automatically in the Windows 10 mail app. It might be the account tied to your Office Home subscription.
But there is one side effect of that convenience. If someone compromises the password for your Microsoft account, they can log into all the computers tied to that account, and they have access to everything online tied to that Microsoft account. It’s not just a login password any more. It’s the entry into your devices, your documents, and the credit card on file at Microsoft.
A PIN only unlocks the device it’s physically set up on. The PIN is not synced with Microsoft. It’s powerfully encrypted and stored on a tamper-resistant TPM chip that is deeply armored against attacks. When you enter the correct PIN, the TPM chip uses more encryption tricks to send an authentication key to Microsoft and log you into your account. The PIN is never transmitted online; it never leaves the computer. There’s more information from Microsoft in this article about PIN security.
Most password hacks are carried out by remote hackers. A PIN can only be used by someone with physical possession of the computer. That’s a significant security advantage. If malware on your computer is monitoring your keystrokes and sending them back to a bad guy in Pottsylvania, Boris Badenov might learn your PIN but he can’t do anything with it.
That’s not the only protection built into the PIN. Theoretically it seems easier to guess a PIN than a password, right? That’s why Windows 10 only allows four incorrect attempts to enter a PIN. After four tries, the system requires a character string to be entered (A1B2C3) to ensure that the system is not under attack by an automated bot. After one more incorrect attempt, the computer has to be restarted. And if that sequence is repeated again, the PIN is blocked and can no longer be used.
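The lockout sequence just described, as an added simulation written for this page (not Microsoft’s or Windows’ own code): the four-attempt, challenge-string and restart thresholds follow the article; that a correct PIN resets the counter is an assumption. Because the gate lives on the device, a remotely learned PIN never reaches it.

```python
from enum import Enum, auto

CHALLENGE_TEXT = "A1B2C3"  # the string the article says Windows asks for


class State(Enum):
    PIN = auto()             # normal PIN entry, up to four wrong guesses
    CHALLENGE = auto()       # must type the challenge string first
    LAST_CHANCE = auto()     # one more PIN attempt after the challenge
    NEED_RESTART = auto()    # device must be rebooted before retrying
    BLOCKED = auto()         # PIN disabled on this device


class PinGate:
    """Per-device gate; the thresholds mirror the article's description."""
    WRONG_BEFORE_CHALLENGE = 4

    def __init__(self, correct_pin: str):
        self._pin = correct_pin       # stays on the device, never synced
        self.state = State.PIN
        self.wrong = 0
        self.restarts = 0

    def try_pin(self, guess: str) -> bool:
        """Return True only when the gate is open and the PIN matches."""
        if self.state not in (State.PIN, State.LAST_CHANCE):
            return False
        if guess == self._pin:
            self.state, self.wrong = State.PIN, 0   # assumption: success resets
            return True
        if self.state is State.LAST_CHANCE:
            # a second full cycle of failures disables the PIN outright
            self.state = State.BLOCKED if self.restarts else State.NEED_RESTART
            return False
        self.wrong += 1
        if self.wrong >= self.WRONG_BEFORE_CHALLENGE:
            self.state = State.CHALLENGE
        return False

    def answer_challenge(self, text: str) -> bool:
        """Prove a human is present before the one extra attempt."""
        if self.state is State.CHALLENGE and text == CHALLENGE_TEXT:
            self.state = State.LAST_CHANCE
            return True
        return False

    def restart(self) -> None:
        """A reboot clears the counter once; the next cycle ends BLOCKED."""
        if self.state is State.NEED_RESTART:
            self.restarts += 1
            self.state, self.wrong = State.PIN, 0
```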
The effect is that using a PIN actually provides more security than even the most complex password. If someone next to you at Starbucks watches you type in your PIN, they still can’t do anything unless they also steal your laptop. Malware that is logging your keystrokes doesn’t care how complex your password is. Your online accounts are at risk if someone gets that complex password, but not if they get your PIN.
Now the suggestions above for security make more sense.
• It’s pretty easy for someone next to you to watch you and memorize a four-digit PIN. Make it six digits or more. Choose something you’ll remember but someone else won’t guess. Oh, and it should go without saying – be smart and don’t choose 1234 or something like it, eh? (Three quarters of a million people used 123456 for their LinkedIn password. Don’t call me if you get hacked because you had a stupid password. I will berate you and make you feel small.)
• A big reason that a PIN increases your security is that it only unlocks a single device. If you use the same PIN for your debit card and your phone and your computer, that misses the point. Figure out a system so the PINs are different!
Now go set up a PIN on your Windows 10 computers. This is one of those rare and wonderful tips that makes your life easier. Put it to good use. And be careful out there!
Given the information contained in this article, I can now see where the PIN might be safer than the password. The password is saved on the servers of Microsoft and any other site using any variation of it. This allows hackers to extract the password from an outside location and gain access to the computer by possession. A PIN is stored within the confines of the computer and never goes beyond the limits of the physical unit. In this manner, hacking the PIN is virtually impossible without physical access to the computer. The limit on that idea appears to me to be the fact that there are Trojans which can enter a unit, track activity, and transmit that activity back to the hacker. In this manner, a PIN might be discerned by the keystroke repetitions that occur when a PIN could be active. Hackers are just as ingenious as the people attempting to stop them. In fact, many of the current and former crop of anti-virus and security specialists are former hackers who were caught or saw the light of the money available in the legal market with less risk of jail time. The same fact still prevails in that as our children grow up, they are more computer savvy than the generation before them. Any software created by a human can be hacked by a human eventually and any software created by an AI can be hacked by an AI. Whether that hack generates information worth the effort is still in question except in the case of Ransomware Lock-downs.
You’re right. So far there are no keystroke loggers being delivered to large numbers of people by malware. That kind of malware requires execution of the kind of program that virus scanners can detect and stop. The bad guys attacking large groups of people are all focused on fooling people into surrendering their passwords at fake websites, since that bypasses all security protection except paranoia.
If you’re being targeted, though, then the rules are different. A keystroke logger could deliver your PIN. Targeted attacks are like ninjas: it’s really hard to defend against them. Maybe it’s a jealous spouse with physical access to the PC; maybe you’re a journalist traveling overseas and the government is using hacking tools that aren’t available to run-of-the-mill bad guys. Much tougher security is required in those cases.
Haha! First they tried to eliminate the local Windows account, pushing their universal Microsoft account (we still can use local nevertheless, which I do), then they are trying to return this local account under the name “Pin” and not letting us use letters in this “Pin” local account, as we do in our old-fashioned password, and telling us it is safer! WTF? Do they have brains at all??
Arrogant Microsoft FORCED me to use a PIN. Just out of the blue Win 10 started asking for a password even though I had it set to open without a password. As if not annoying enough already, I don’t need to type in the complete password to open Win 10. Just the first four characters of the password, which happened to be numbers. Some arrogant goon at Microsoft took the first four numbers of my password and converted it into a PIN with ABSOLUTELY no input from me.
This seems so arrogant I wouldn’t make it up if I were writing satire about arrogance. I have renewed regrets about choosing this crummy fragile quirky SURFACE instead of the Apple tablet with similar power and memory for just a few bucks more.
So this is what we get from a corporation that has become so big and powerful that they feel they don’t need to care what they do to the people who made them so stinking big and powerful in the first place. It’s a dictatorship like any other in history, in every way except its scope. Those who dare can still escape across the border to Apple or Linux.
I’ve seen that behavior with the demands for password and/or PIN but I can’t get a handle on it – the rules keep changing and I can’t find patterns to it.
But my alphanumeric & special char password is 13 characters long, and I never signed up for all the same services or synchronized my accounts with my email address, so in my case, wouldn’t just keeping my password be more secure than a 4, or even 6, digit PIN?
It might be more secure – but it’s definitely not easier!