Selecting a secure PIN for building access

PINs are usually accompanied by some other authentication factor, like biometrics or a physical token. So, the PIN is not a lone factor in authentication.

But you appear to describe a situation where people can gain access to a secured building by punching in a code. Let me rephrase that: by using static, difficult-to-change sequence of numbers that can be easily copied and shared, the public gains access to the inside of your building.

The control against that threat is to make it very difficult to record and guess or use the physical appearance of the pin pad to deduce the code. That means making the PINs long and putting physical controls in place to make recording more difficult and to place layers of additional authentication protection on the inside of the building.

Because you are asking about the rejection process, my suggestion would be to use a random number generator instead of people choosing their own, and make it long. This bypasses people choosing PIN pad patterns or other pattern-based PINs which can be easy to guess or observe.

You're setting yourself up for an endless game of whack-a-mole. You listed a few ... No matter how many you think of, lazy users will come up with more guessable PINs. It's a church, so think of any Christian influenced PINs. The date of Christmas, the priest's favorite Bible verse, the patron saint's birth-date, maybe the Church's construction date... so on and so on. Consider patterns too if you want to go that far. For more possible PINs, here's a blogpost where the writer analyzed PINs leaked in various data breaches. May be helpful.

I know you're asking how to make your PINs more secure, but I feel the answer here is not to use standalone individual PINs. Consider that you're working with a small set of possible passwords already. Then you're reducing it by eliminating guessable ones. Then you're making multiple PINs work at once. Every step makes random guesses more and more likely to succeed.

There are only 100000 potential values if you have a 5 digit PIN. That means that a single PIN can be brute forced in a relatively small length of time, unless there is some form of secondary restriction against a person standing next to the door and trying each number. This gets worse if there are multiple people with distinct codes for access to the system - assuming each person selects a random code, an attacker entering a single code has a n/100000 chance to find a working code, where n is the number of people with access.

It would probably be reasonable to expect a dedicated attacker to manage 1000 tries per hour - it doesn't take very long to type a 5 digit number. That would give an upper bound of 100 hours, with a single code. That's 3 (pretty boring) weekends with some breaks for food, which, depending on what is in the building, may well be worth it. The system as described can't implement account lockout - the only way to determine which user is trying to access is through the code.

So, how to solve this?

1. Use the PIN as a secondary factor - have an access card, and a PIN, for example. It is then possible to have account lockout after some failed PIN entries.
2. Enforce limits on the PIN in other ways - have someone guarding the door who prevents too many tries, have a CCTV camera pointing at the door which is monitored for unusual activity (someone standing there trying each possible code)
3. Have a much longer PIN, making it impractical to keep trying codes

You would also probably want to ensure that the codes being entered cannot be monitored in other ways - for example, by pointing a video camera at the key pad.