Why the heck are you HMACing the password?!
What if they put in a 4 megabyte password, and send multiple requests? This could effectively DDoS you. However, you can prevent that, by pre-hashing with a fast algorithm such as SHA256.
Hashing is inherently throwing away some of the entropy, since it's a function mapping an arbitrary-sized input space (say, a 4MB password) into the output space of the hash function (in the case of SHA256, 256 bits). In this case, not storing 4 MB means that you're not really getting the "power" of a 4 MB long password.
Only 4 digit numbers, can be brute-forced within a reasonable amount of time. Think about it, you're only hashing 4 characters. You can turn 4 characters, into a really long string with an HMAC. And there you go, it's better than just storing 4 characters.
So it may seem like the output is longer, but really a hash/HMAC of an input space constrained to 4 numeric digits is not made harder to guess by passing it through a hash function. Since the hash function necessarily maps the same input to the same output, the range of possible outputs is still just 10,000 values. For example, a dictionary attack targeting pins would still be as effective against this scheme -- it does not inherently strengthen a weak password at all.
If the concern is simply to obscure the nature of the password (that it's a PIN) from an attacker, well, that smells a bit like security by obscurity to me :)
Full disclosure: I am not an expert.
So there's two things at play here:
Hashing is inherently throwing away some of the entropy, since it's a function mapping an arbitrary-sized input space (say, a 4MB password) into the output space of the hash function (in the case of SHA256, 256 bits). In this case, not storing 4 MB means that you're not really getting the "power" of a 4 MB long password.
So it may seem like the output is longer, but really a hash/HMAC of an input space constrained to 4 numeric digits is not made harder to guess by passing it through a hash function. Since the hash function necessarily maps the same input to the same output, the range of possible outputs is still just 10,000 values. For example, a dictionary attack targeting pins would still be as effective against this scheme -- it does not inherently strengthen a weak password at all.
If the concern is simply to obscure the nature of the password (that it's a PIN) from an attacker, well, that smells a bit like security by obscurity to me :)
Okay. Thanks.