Why do you always have to use six-digit codes to log in?

With a big smile on my face, I called 906609 when I needed to sign in to Google with 2-step verification this week. Of course you should not share your login details with others, but this number has already expired for a week, moreover, it was not from Google, but from another provider who also uses a six-digit code when logging in. But it was really 906609, which is a pretty amazing number, as the numbers 906 and 609 are reversed and both are upside down.

Anyway, I noticed that there were often pretty numbers between these login codes and wondered if they were specifically chosen this way, until someone pointed out to me that it was more up to me than those numbers. Obviously not everyone gets excited when they have to enter 719333, whereas that’s a prime number that stays prime if you keep subtracting a number from the right (71933, 7193, 719, 71, and 7 are all also indivisible).

A colleague wondered something completely different about these codes: why are they always six-digit codes? I didn’t think about it again. But when I checked it was correct. Google, DigiD, Paypal, Twitter, and countless other places where I’m already signed in use six-digit codes. It can’t be a coincidence, so why would they do that?

These six numbers seem like a compromise between security and ease of use. The longer the code, the more difficult it is to guess. A six-digit code is a hundred times more difficult to guess than a four-digit code.

But the longer the code, the more difficult it is to write it correctly. You often have to remember this code for a short time, for example if you receive it on your phone in a text message and then have to enter it manually into an app on the same phone.

Average people can Store approximately five to nine numbers in their short-term memory. There are differences between cultures and of course between individuals. When I tested myself especially for this column, I was able to remember nine numbers. But that only works if I focus well, because I’m practically hopelessly lost when people call the 8 digits of their mobile number and have to remember it until I find a pen to write it down. Eight is only a lot.

I can always remember six numbers. It is a good idea to ask others how they do it. Suppose you need to remember 168214. How do you do that in your head? I automatically make two sets of three of those, saving the first set as “one hundred sixty-eight” and the second as “two – one – four”. But this can also be done in the form of six separate numbers, or as three groups of two or if you are a hero, such as one hundred and sixty-eight thousand two hundred and fourteen.

Does that make six digits the perfect number for a two-step verification code? Well, no. There are also companies that use four, or those (very cleverly in terms of security) that combine numbers and letters. But I suspect that most companies now use a six-digit code, because most other companies also use a six-digit code.