In this era of information explosion, a variety of media are available for communication and data transmission in addition to conventional tools such as mail and telephone. Among them, the Internet is becoming more and more important for nearly everybody, as it is considered one of the newest and most forward-looking media and surely “the medium of the future”. Nowadays, people are used to communicating and making transactions over the Internet, including purchasing tickets online, exchanging e-mail and blogging on social networks. However, a great deal of sensitive information, such as personal data and confidential business information, is exchanged over the Internet in those activities, and any person with malicious intent may try by any means to gain access to it. Consequently, a variety of security mechanisms have been developed to protect users from losing private and sensitive information to hacker attacks, such as PIN-login systems.
Generally, the PIN for most web services using a PIN-login system is a plain string of numbers or English letters, which is entered sequentially in a specific order as the password for authentication. However, such a simple password may not be very effective against an attacker using either a brute-force attack or a dictionary attack (one that tries a list of likely passwords rather than every combination), since a hacker can easily program a computer to generate and check every possible PIN combination automatically and systematically until the correct one is found. Such methods may be very time consuming, but they remain entirely feasible.
The most common way to deal with brute-force attacks is to limit the number of failed login attempts a user is allowed to make before the account is disabled. Although this method effectively prevents brute-force attacks, it also causes inconvenience to a legitimate user, especially one who has forgotten his/her password and whose account is then disabled during the trial-and-error process; and it does nothing against a short list of likely guesses that fits within the limit. Another way to deal with brute-force attacks is to increase the number of possible combinations that a brute-force attack must check, and thereby the time consumed before the correct password is found. The number of combinations can be increased not only by lengthening the password, but also by allowing symbols other than numbers and English letters in the password string. However, asking users to remember a password consisting of a “mix of various symbols and characters” is similar to asking them to remember a random sequence of bits: it is hard to remember and, as explained next, only a little harder to crack in practice. Users therefore tend to use one simple password for all their registered web services without changing it regularly, and even derive the password from personal information, such as a birthday or personal ID number. In that case the user's privacy and property are still endangered by hacker attack, even though the number of possible combinations to be checked has increased exponentially.
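The attacks and defenses described in the two preceding paragraphs, as an added example that is not part of the original text: an exhaustive brute-force enumerator and a personal-information dictionary attack are run against a PIN verifier with and without a failed-attempt limit. The verifier class, the example PIN 0427, the birthday 19900315 and the derived-PIN patterns are all constructed assumptions for illustration, not taken from any real system.

```python
"""Brute-force and dictionary attacks against a PIN verifier (added illustration)."""
import hmac
import itertools
import string


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct PINs of exactly `length` symbols from an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time for an exhaustive search at a fixed guess rate (assumed rate)."""
    return keyspace(alphabet_size, length) / guesses_per_second


def brute_force(check, alphabet: str, max_length: int):
    """Systematically try every combination of every length up to max_length, in order.
    Returns (pin, attempts) once `check` accepts a candidate, else (None, attempts)."""
    attempts = 0
    for length in range(1, max_length + 1):
        for combo in itertools.product(alphabet, repeat=length):
            attempts += 1
            candidate = "".join(combo)
            if check(candidate):
                return candidate, attempts
    return None, attempts


def personal_info_dictionary(birthday_yyyymmdd: str) -> list:
    """Likely PINs derived from a known birthday (assumed patterns for illustration):
    '19900315' -> '0315', '1503', '1990', '900315', '0315' + '90', '19900315', '15031990'."""
    y, m, d = birthday_yyyymmdd[:4], birthday_yyyymmdd[4:6], birthday_yyyymmdd[6:]
    return [m + d, d + m, y, y[2:] + m + d, m + d + y[2:], birthday_yyyymmdd, d + m + y]


def dictionary_attack(check, candidates):
    """Try a short list of likely PINs instead of the whole keyspace."""
    for attempts, candidate in enumerate(candidates, start=1):
        if check(candidate):
            return candidate, attempts
    return None, len(candidates)


class PinVerifier:
    """Constructed server-side PIN check. With max_failures=None there is no limit, so an
    exhaustive search succeeds; with a limit, the account locks after that many consecutive
    failures, for the attacker and the legitimate user alike."""

    def __init__(self, secret: str, max_failures=None):
        self._secret = secret.encode()
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def check(self, candidate: str) -> bool:
        if self.locked:
            return False
        # constant-time comparison so response timing does not leak how many leading
        # characters of the candidate matched
        if hmac.compare_digest(candidate.encode(), self._secret):
            self.failures = 0
            return True
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.locked = True
        return False


if __name__ == "__main__":
    alnum = string.digits + string.ascii_letters
    for label, size, length in [("4 digits", 10, 4), ("8 alnum", len(alnum), 8),
                                ("8 alnum+symbols", len(alnum + string.punctuation), 8)]:
        print(f"{label:>16}: {keyspace(size, length):>20} PINs, "
              f"{seconds_to_exhaust(size, length, 1e9) / 86400:.3g} days at 1e9 guesses/s")

    print("no limit :", brute_force(PinVerifier("0427").check, string.digits, 4))
    locked = PinVerifier("0427", max_failures=5)
    print("lockout  :", brute_force(locked.check, string.digits, 4), "locked =", locked.locked)
    print("real user:", locked.check("0427"))   # correct PIN, but the account is now disabled
    victim = PinVerifier("900315", max_failures=5)
    print("dictionary:", dictionary_attack(victim.check, personal_info_dictionary("19900315")))
```

The last two lines show the point of the paragraph above: the lockout stops the exhaustive search at the cost of disabling the real user's account, but a PIN derived from a birthday falls to a handful of guesses that fit inside the limit, regardless of how large the nominal keyspace is.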