Educause Security Discussion mailing list archives
Re: Use of Partial SSN as Authenticator
From: Randy Marchany <marchany () CANDI2 CIRT VT EDU>
Date: Thu, 22 Feb 2007 11:34:22 -0500
I thought ANY part of the SSN would be considered a FERPA violation. Having said that, anything that asks for the last 4 digits of an SSN is BAD. I can go to the ssa.gov site, find a description of the SSN fields (xxx-xx-xxxx), realize the first 3 digits are by state (001-001 for NH, etc.), make a reasonable guess for the middle 2 digits (again fully explained in the SSN guide) and wait for someone to provide the last 4 digits. See http://members.tripod.com/%7Egene_pool/3invssn2.htm for a description of the SSN fields.

I have seen applications that ask for the last digits of your driver's license number for a PIN code. Here in VA, DL #'s aren't SSNs so I suppose it's a little safer.

I do understand the developers are probably trying to think of a number that most people would know but using any part of the SSN is not good. Have I said that enough? :-))))

-Randy Marchany