Skip to main content

Why do I have to enter a PIN to login?

By 26/06/2013July 5th, 2023Security

Frequently we get emails from clients who want to forego the requirement to enter a PIN number on login – additionally, a high proportion of support tickets we get are related to login problems and, most commonly, PIN numbers.

So, with all that in mind, why do we bother with a PIN number?

Firstly, it is worth remembering the type of data stored within an HRIS system – this is personally identifiable, employee data such as names and addresses and so on but, further to that, there is also data like dates of birth, driving license numbers, national insurance numbers (or Social Security numbers or whatever they are all called in your country or region) as well even bank details for many employees. Even just a subset of that data is enough to be able to attempt identity theft which could then allow people to get loans, apply for cards and generally run up debts and so on in your employee’s name.

In the UK, under the Data Protection Act 1998, there is a legal obligation on any organisation holding personal data to ensure, amongst other things, that it is securely stored and protected. The data controller (a person who either alone or jointly or in common with other persons determines the purposes for which and the manner in which any personal data are, or are to be, processed) is legally responsible for this.

Below are some links which might be useful to help you understand the law and your obligations as a Data Controller:

Responsibilities of a data controller

Key definitions of the Data Protection Act

What is personal data? A quick reference guide

OK so we get you to have to keep data, amongst other things, secure – what does a PIN number have to do with this? Most sites simply ask for a username and password so why have we added this extra step?

The first advice any site will give is to make sure that your password is not easy to guess – that is why we don’t allow passwords such as password, letmein and so on as they are just too easy to guess. General guidance is that passwords should be longer than 8 digits, include upper case, lower case, numbers, symbols and should not consist of any names or dictionary words nor consist of any patterns like qwerty and so on. (P.S. If you want to create strong passwords then there are some great sites online that do just this – one we use is this strong password generator, but there are lots more out there in you have a quick search on Google.)

So, surely, simply enforcing that people use strong passwords would be the answer? Well yes, it helps hugely and certainly stops the social engineering side of hacking being as effective but there has been a lot of research done recently, particularly in light of some high profile hacking incidents, into the reuse of passwords across multiple sites.

Curious about how secure your password is? Try it out with the password security tester – you might be shocked at the result!

Research has shown that anywhere from 50% to 80% of passwords are reused across multiple sites – if you take the incident last year where thieves stole more than 6 million passwords from Linkedin that means that anywhere from 3 million to 4.8m million of those passwords are being used elsewhere. A lot of that will be for things like Facebook or Gmail and so on, which on a personal level would be devastating, but would have quite a narrow impact but imagine if those same passwords we being used on things like Natural HR or or for your bank (incidentally this is one of the main reasons why banks choose to not use just passwords for login)?

By asking for an additional password (that is, in effect, what the PIN is) means that even if you have used your password elsewhere and someone has found it with your email address or your password is garfield after your cat (easy to “hack” AND anyone who knows you or did some social engineering on you who wanted to gain access could probably guess that quite easily – I bet your cats name is somewhere on Facebook, right?) then the PIN makes it harder for the person to gain illegal access – additionally, by asking for three random digits from your PIN, we are also reducing the effectiveness of any key logger software which may be on an endpoint and making it much harder for anyone to try any sort of automated login with lots of different variations as even if they know your password (and even your PIN) they won’t know which digits we are going to ask for.

So if you can genuinely say that you have a password like @”$h8B@-#><];-1 AND you don’t use it anywhere else and your PC is always up to date and secure and you don’t visit any “dodgy” sites and don’t ever download things without knowing what they are and never click links in email promising things like a nude picture of Britney or a that your bank needs to confirm your identity then maybe, just maybe, entering the PIN number is an inconvenience for you but, being honest with yourself, the addition of the PIN number makes your data stored in Natural HR that little bit safer which can only be a good thing – we think!