Home page logo
/

educause logo Educause Security Discussion mailing list archives

Re: Use of Partial SSN as Authenticator
From: "Pace, Guy" <gpace () CIS CTC EDU>
Date: Thu, 22 Feb 2007 08:39:02 -0800

 
Thank you, Randy, for posting that. I knew there was a resource out
there that provided that information and a very strong reason against
using that four-digit sequence. You rock!

Guy L. Pace, CISSP
Security Administrator
Center for Information Services (CIS)
3101 Northup Way, Suite 100
Bellevue, WA 98004
425-803-9724

gpace () cis ctc edu


-----Original Message-----
From: Randy Marchany [mailto:marchany () CANDI2 CIRT VT EDU] 
Sent: Thursday, February 22, 2007 8:34 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Use of Partial SSN as Authenticator

I thought ANY part of the SSN would be considered a FERPA violation. 

Having said that, anything that asks for the last 4 digits of an SSN is
BAD. I can go to the ssa.gov site, find a description of the SSN fields
(xxx-xx-xxxx), realize the first 3 digits are by state (001-001 for NH,
etc.), make a reasonable guess for the middle 2 digits (again fully
explained in the SSN guide) and wait for someone to provide the last 4
digits.

See http://members.tripod.com/%7Egene_pool/3invssn2.htm for a
description of the SSN fields.


I have seen applications that ask for the last digits of your driver's
license 
number for a PIN code. Here in VA, DL #'s aren't SSNs so I suppose it's
a 
little safer.

I do understand the developers are probably trying to think of a number
that 
most people would know but using any part of the SSN is not good. Have I
said 
that enough? :-))))

        -Randy Marchany

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault