Don't use PAN numbers as passwords!

rsinha

August 13, 2024

If you’ve ever paid taxes in India, you probably know what a Permanent Account Number is. If you don’t, the Indian Tax Authorities would like a word. Your PAN identifies you as a tax-payer and it shows up on your tax records. You get a little card that has your name and number on it, which you can also use as proof of ID, depending on who’s asking.

From time to time, I keep getting email from different Indian organisations like banks and mutual fund management companies. These are not meant for me, some person with the same name decided to give my email address as theirs. I’ve tried a bunch of times to get them to remove my email from their system, but I always run into a weird situation where they ask me to prove that I’m not who they think they are. Very frustrating.

Today I woke up and saw a bunch of account statements from a mutual fund that I definitely don’t have any dealings with. Along with the account statements, they helpfully provide part of your PAN in the email. The PAN is the password to open the statement. This is a very bad idea.

The last 4 characters are provided in the email, which means you only need to guess 6 alphanumeric characters. This is very, very easy on a modern computer. Curiosity got the better of me and I generated a quick wordlist using the last 4 digits provided. Here’s my reasoning:

First 3: FFF - these are always A-Z
Second character S is one of {A, B, C, F, G, H, L, J, P, T} this code tells you what kind of tax-payer you are
Third character T is one of {A-Z}, this is from your name.
Then you have DDDD 4 digits, from 0000-9999
Lastly you have the check digit C.

So your PAN is FFF S T DDDDC. We already know the last four DDDC as it is in the email

Using the reasoning above, it took about 1 minute to generate a word-list and about 1 minute to crack the password on the PDF without any GPUs or any fancy tech. I didn’t keep a copy of the email or the PDF as I wasn’t interested in reading other people’s account statements (mine give me enough sadness already).

Since the structure of the PAN is very deterministic, I don’t think it would be too difficult to pre-create a wordlist with ALL possible PANs and crack open any PDF that is using a PAN as its password.

tl;dr: PANs bad as passwords. More like security theater.