by MichaelHoste 1859 days ago
That's something that crossed my mind, a 4-digit PIN is a weak password by definition.

But hashing them with the customer ID, date of birth, or something else, and using bcrypt to slow brute-forcing down could already be an improvement.

2 comments

bcrypt already includes salt [1] to prevent the use of rainbow tables. Adding more things is probably not very useful.

Anyway, 4-digit PIN numbers have only 10000 combinations, which can be brute-forced almost instantly.

(On the other hand, sending it by email is not a good idea.)

[1] https://en.wikipedia.org/wiki/Salt_(cryptography)

But there’s no point in doing that. After a leak, you can assume the attacker already knows customer ID and date of birth along with the hypothetically hashed PIN. Brute-forcing the real PIN would take a few microseconds. So why even bother?
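The point made in the replies above (a salted, slow hash does not rescue a 4-digit PIN once the attacker also has the customer ID and date of birth) can be shown directly. The following is an added example, not code from anyone in this thread: it implements the hypothetical "hash PIN with customer ID and DOB" scheme using PBKDF2-HMAC-SHA256 from the standard library in place of bcrypt (so it runs without third-party packages), then enumerates all 10000 PINs against one leaked record. The customer ID, DOB and salt values are constructed sample data.

```python
import hashlib
import hmac
import itertools
import os
import time

# Constructed sample record standing in for one row of a leaked table.
# In the threat model discussed above, the attacker already has all of it.
SAMPLE_CUSTOMER_ID = "C-1048576"
SAMPLE_DOB = "1985-07-14"
PIN_DIGITS = 4


def derive(pin: str, customer_id: str, dob: str, salt: bytes, iterations: int) -> bytes:
    """Hypothetical scheme: slow, salted hash over customer ID, DOB and PIN.

    PBKDF2-HMAC-SHA256 stands in for bcrypt here; the argument is identical
    for any slow hash, only the per-guess cost changes.
    """
    material = f"{customer_id}|{dob}|{pin}".encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, iterations)


def brute_force(target: bytes, customer_id: str, dob: str, salt: bytes,
                iterations: int, digits: int = PIN_DIGITS):
    """Try every 10**digits PIN in order. Returns (pin, guesses) or (None, guesses).

    customer_id, dob and salt are simply fed back in: knowing them is what a
    leak gives the attacker, so they add nothing to the search space.
    """
    guesses = 0
    for pin_tuple in itertools.product("0123456789", repeat=digits):
        pin = "".join(pin_tuple)
        guesses += 1
        candidate = derive(pin, customer_id, dob, salt, iterations)
        if hmac.compare_digest(candidate, target):
            return pin, guesses
    return None, guesses


def estimate_full_search_seconds(customer_id: str, dob: str, salt: bytes,
                                 iterations: int, digits: int = PIN_DIGITS,
                                 samples: int = 20) -> float:
    """Time a few guesses and extrapolate to the whole PIN space.

    Useful for a realistic work factor, where running all 10**digits guesses
    in a demo would take minutes rather than seconds.
    """
    start = time.perf_counter()
    for i in range(samples):
        derive(str(i).zfill(digits), customer_id, dob, salt, iterations)
    per_guess = (time.perf_counter() - start) / samples
    return per_guess * (10 ** digits)


if __name__ == "__main__":
    salt = os.urandom(16)          # per-record random salt, as bcrypt would store
    real_pin = "7319"              # constructed; unknown to the attacker

    # A heavy work factor: the whole space is still a fixed, small bill.
    heavy = 100_000
    print(f"{heavy} iterations: full 10^{PIN_DIGITS} search takes about "
          f"{estimate_full_search_seconds(SAMPLE_CUSTOMER_ID, SAMPLE_DOB, salt, heavy):.0f} s")

    # A lighter work factor so the exhaustive search actually runs here.
    light = 1_000
    leaked_hash = derive(real_pin, SAMPLE_CUSTOMER_ID, SAMPLE_DOB, salt, light)
    t0 = time.perf_counter()
    found, guesses = brute_force(leaked_hash, SAMPLE_CUSTOMER_ID, SAMPLE_DOB, salt, light)
    print(f"{light} iterations: recovered PIN {found} after {guesses} guesses "
          f"in {time.perf_counter() - t0:.1f} s")
```

Whatever the work factor, the cost of cracking one record is bounded by 10000 hash evaluations; raising the bcrypt cost only rescales that bound, and mixing in the customer ID and date of birth changes nothing once those are known. A random per-record salt does stop a single rainbow table from covering all customers at once, which is the only thing salting is for.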