A "competent" thief could guess the four-digit PIN of one payment card in every 11-18 wallets they stole, according to University of Cambridge researchers.
The research [pdf] is based on a mathematical analysis of two leaked datasets combined with the results of a survey of 1177 people.
The research project aimed to estimate the difficulty of guessing a human-chosen four-digit PIN.
Banks and credit card operators often allow customers to change their PIN, rather than use a supplied number.
Of those surveyed by researchers, 1108 had a PIN with exactly four digits. About 63 percent said the PIN was the one supplied by the bank or was one from a previous bank.
Another 21 percent used "pseudo-random" digits derived from a phone number or another identification number.
Of those users found to have "non-random PINs", the largest share used a date as their four-digit PIN. The most common were birthdays (their own or a partner's) or the date of an important life event.
In percentage terms, nearly seven percent of those surveyed based their PIN on their birth date.
The researchers said the incidence of birth dates as PINs - and the fact a stolen wallet often contained forms of identification with birth dates - could make "manual guessing by thieves [a] worthwhile" exercise.
"A lost or stolen wallet will be vulnerable up to 8.9 percent of the time in the absence of denied PIN lists, with birthday-based guessing the most effective strategy," the researchers said.
Banks could reduce some of the risk by refusing to let customers set a PIN that matches a birthdate or another common number, such as 1234, the researchers said.
However, they also noted that "preventing birthday-based guessing requires a move away from customer-chosen PINs entirely".
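The denied-PIN-list mitigation described above, as an added example that is not from the article or the Cambridge paper: a bank-side check that rejects common PINs and every four-digit pattern a thief could derive from a customer's date of birth. The common-PIN list is constructed (the article names only 1234); a real deployment would use a list built from actual PIN frequencies.

```python
from datetime import date
from typing import Optional, Set

# Constructed denied list. The article mentions only 1234; the other
# entries are assumptions standing in for a bank's real denied-PIN list.
COMMON_PINS: Set[str] = {"0000", "1111", "1212", "1234", "2222", "4321", "7777"}


def birthday_pins(dob: date) -> Set[str]:
    """All four-digit PINs that can be read straight off a date of birth.

    Covers DDMM, MMDD, the full year, and every two-digit year combined
    with the day or month in either order, so that an ID card found in a
    stolen wallet yields no usable guess.
    """
    dd = f"{dob.day:02d}"
    mm = f"{dob.month:02d}"
    yyyy = f"{dob.year:04d}"
    yy = yyyy[2:]
    return {dd + mm, mm + dd, yyyy, yy + mm, mm + yy, dd + yy, yy + dd}


def is_pin_denied(pin: str, dob: Optional[date] = None) -> bool:
    """Return True if the bank should refuse this customer-chosen PIN."""
    if len(pin) != 4 or not pin.isdigit():
        return True  # not a four-digit numeric PIN at all
    if pin in COMMON_PINS:
        return True
    if dob is not None and pin in birthday_pins(dob):
        return True
    return False


def denied_count(dob: date) -> int:
    """How many of the 10,000 possible PINs the policy removes for one customer.

    Useful for showing the usability cost of the denied list: a handful of
    values out of 10,000, while removing the most effective guessing strategy.
    """
    return len(COMMON_PINS | birthday_pins(dob))


if __name__ == "__main__":
    customer_dob = date(1984, 3, 7)  # constructed sample customer
    for candidate in ("1234", "0703", "1984", "5829"):
        print(candidate, "denied" if is_pin_denied(candidate, customer_dob) else "allowed")
    print("PINs removed for this customer:", denied_count(customer_dob))
```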