Why Mobile Payment Passwords Are Limited to Six Digits: Security, Brute‑Force, and Human Memory Limits
The article explains why popular mobile payment platforms like WeChat and Alipay use six‑digit numeric passwords, discussing brute‑force attack complexity, the rapid growth of computing power, human short‑term memory limits, and additional authentication layers that together make six‑digit passwords a practical balance of security and usability.
With the rise of mobile internet, mobile payments have become ubiquitous, and both WeChat and Alipay use six‑digit numeric passwords. The article asks why a more complex password cannot be set to improve security.
It describes the common brute‑force method: exhausting a six‑digit numeric password takes at most 10⁶ attempts, while a six‑character password drawn from 62 possible symbols (uppercase, lowercase, digits) takes at most 62⁶ attempts. Increasing length or adding special characters further raises the search space, but modern computers can compute these possibilities quickly, reducing the practical security gain of longer or more complex passwords.
The piece then explains why six digits are chosen: six digits match human physiological limits for short‑term memory. A test shows that remembering a long string of numbers (e.g., 2471530121987) is difficult unless it is chunked into meaningful groups such as 24 hours, 7 days, 15 days, 30 days, 12 months, and the year 1987. Cognitive psychology research by George Miller (the “7 ± 2” rule) indicates adults can hold about seven items in short‑term memory, making six‑digit passwords near the upper limit of what most people can reliably recall.
The article also points out that payment platforms rely on multiple defensive layers beyond the password. For example, users must first log into the app, and additional account‑protection features (e.g., SMS verification when changing devices) provide secondary authentication. Assuming each layer has a 30 % breach probability and the layers fail independently, three layers together bring the overall chance of account theft down to 0.3 × 0.3 × 0.3 = 2.7 %.
Finally, it compares the probability of cracking a six‑digit password (1 in 10¹²) versus a four‑digit password (1 in 10¹⁰), emphasizing that longer passwords are harder to guess, but the overall security depends more on multi‑factor authentication and user behavior than on password length alone. The conclusion is that a six‑digit payment password offers the best trade‑off between security and convenience.
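The search-space and layered-defence figures above, worked through as an added example that is not part of the original article. The offline guess rate of 10⁹ per second and the five-attempt cap are assumptions chosen for illustration; the 30 % per-layer figure is the article's, applied to three independent layers.

```python
from fractions import Fraction

DIGITS = 10   # numeric PIN alphabet, as in the article
ALNUM = 62    # uppercase + lowercase + digits, as in the article


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate secrets an exhaustive search must cover."""
    return alphabet_size ** length


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed guess rate."""
    return space / guesses_per_second


def capped_guess_probability(space: int, attempts_allowed: int) -> Fraction:
    """Chance of hitting a uniformly random secret within a capped number
    of distinct guesses. The cap is an assumption, not from the article."""
    return Fraction(min(attempts_allowed, space), space)


def all_layers_breached(per_layer: list[Fraction]) -> Fraction:
    """Probability that every layer fails, assuming independent layers."""
    p = Fraction(1)
    for layer in per_layer:
        p *= layer
    return p


if __name__ == "__main__":
    rate = 1e9  # assumed guess rate (guesses per second)
    for name, size in (("6-digit PIN", DIGITS), ("6-char alphanumeric", ALNUM)):
        n = keyspace(size, 6)
        t = seconds_to_exhaust(n, rate)
        print(f"{name}: {n:,} candidates, {t:.3f} s to exhaust at {rate:.0e}/s")

    # With unlimited guesses both spaces fall quickly; a cap on attempts
    # changes the picture far more than a larger alphabet does.
    pin_space = keyspace(DIGITS, 6)
    print("5 capped tries on a 6-digit PIN:", capped_guess_probability(pin_space, 5))

    # The article's layered figure: three independent layers at 30 % each.
    layers = [Fraction(3, 10)] * 3
    print("all three layers breached:", float(all_layers_breached(layers)))
```

At the assumed rate, the 62⁶ space is exhausted in under a minute, which is the article's point that alphabet size alone adds little once guessing is unconstrained.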
Laravel Tech Community