Stop Using My Social Security Number as a Password ~ D. Patrick Caldwell on Software Engineering

Monday, January 19, 2009

Stop Using My Social Security Number as a Password

I've got another quick security post today. I'm getting really tired of people using my social security number like it's a password. Social Security wasn't invented to provide companies with a means of authentication. The SSN was never supposed to be a secret; it was designed to be an identifier. It's the one thing that's supposed to follow you throughout your life no matter what you do to your name or address.

However, now banks, cellphone providers, and the like use the SSN as though it's the ubiquitous epitome of "shared secret." The fact is that your social security number isn't really all that secret, and if it is ever compromised, you can't change it. Imagine this. Let's say you're on the phone with your bank and they ask for your authentication password and you tell them, "it's peanut butter." Someone could hear you! Fortunately, if they do, you can call back in privacy and say, "I don't want my password to be peanut butter; that's been compromised. Please change it to french fries." Now your password is secure again. Next, imagine you call your bank and they ask, "what're the last four digits of your social security number?" You say, "1234." Right then, you realize someone is writing down (or recording) everything you're saying. Sorry, but you're shit out of luck: there is no "call back and change it" for an SSN.

So what is the social security number for? Like I said, it's an identifier. It's a way for any company to keep you separated from all of the other entities in their database. Nobody will ever have the same social security number as you. That makes it less like a password (well, not a password at all) and more like a username. You're looking at dpatrickcaldwell.wordpress.com. dpatrickcaldwell is my username. Imagine what a dipstick you'd think me to be if my password was also dpatrickcaldwell. I invite you to try it . . . it's not dpatrickcaldwell (nor is it the last four digits of my social security number).

I know there are several readers (and judging by my statistics . . . about 3) who are now thinking, "well, what should I do then? Everybody wants it!" Tell them no. Say, "I cannot allow you to use my social security number as my password. I will instead provide a PIN or a passphrase." Eventually they'll understand that you're serious and use something else; if they won't, I'd recommend you find yourself another financial institution. Hell, if enough of us walk into our banks, sing a bar of Alice's Restaurant, change our authentication method to something other than our socials, and walk out . . . they just might think it's a movement . . . and friends, that's just what it is. The Anti Security Massacre Movement.
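To make the username-versus-password distinction concrete, here is an added example (my own illustration, not code from the post or from any bank) contrasting the two record designs the post is arguing about. In the weak design the "secret" the caller must recite is derived from the SSN itself, so once it is overheard there is nothing to rotate. In the corrected design the SSN is only the lookup key, and a separate salted, PBKDF2-hashed passphrase is the authenticator, which can be replaced the moment it is compromised. The SSN, names and passphrases are constructed sample values; the class and function names are my own.

```python
"""Identifier vs. authenticator: the SSN as lookup key, a rotatable
passphrase as the shared secret. Standard library only."""
import hashlib
import hmac
import secrets


def ssn_last_four(ssn: str) -> str:
    """The 'secret' a phone agent typically asks for: derived from the identifier."""
    return ssn.replace("-", "")[-4:]


# --- the pattern the post complains about -----------------------------------
class WeakBankRecords:
    """Authenticates callers by the last four digits of the SSN already on file."""

    def __init__(self):
        self._accounts = {}  # ssn -> customer name

    def enroll(self, ssn, name):
        self._accounts[ssn] = name

    def authenticate(self, ssn, claimed_last_four):
        if ssn not in self._accounts:
            return False
        return hmac.compare_digest(ssn_last_four(ssn), claimed_last_four)

    def rotate_secret(self, ssn):
        # There is nothing to rotate: the secret *is* the identifier.
        raise ValueError("SSN cannot be changed; a compromise is permanent")


# --- identifier plus a separate, rotatable secret ---------------------------
PBKDF2_ROUNDS = 100_000  # work factor for the passphrase hash


def _derive(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS)


class BankRecords:
    """SSN is only the database key; a salted passphrase hash is the authenticator."""

    def __init__(self):
        self._accounts = {}  # ssn -> {"name", "salt", "hash"}

    def enroll(self, ssn, name, passphrase):
        salt = secrets.token_bytes(16)
        self._accounts[ssn] = {"name": name, "salt": salt,
                               "hash": _derive(passphrase, salt)}

    def authenticate(self, ssn, passphrase):
        rec = self._accounts.get(ssn)
        if rec is None:
            return False
        return hmac.compare_digest(_derive(passphrase, rec["salt"]), rec["hash"])

    def rotate_secret(self, ssn, old_passphrase, new_passphrase):
        """Only the current secret holder may replace it; a fresh salt is used."""
        if not self.authenticate(ssn, old_passphrase):
            return False
        salt = secrets.token_bytes(16)
        self._accounts[ssn]["salt"] = salt
        self._accounts[ssn]["hash"] = _derive(new_passphrase, salt)
        return True


def phone_call_scenario():
    """Replays the post's overheard-phone-call story against both designs."""
    ssn = "000-00-1234"  # constructed sample; area number 000 is never issued
    overheard_digits = "1234"

    weak = WeakBankRecords()
    weak.enroll(ssn, "Pat")
    try:
        weak.rotate_secret(ssn)
        weak_rotatable = True
    except ValueError:
        weak_rotatable = False

    strong = BankRecords()
    strong.enroll(ssn, "Pat", "peanut butter")
    eavesdropper_before = strong.authenticate(ssn, "peanut butter")
    rotated = strong.rotate_secret(ssn, "peanut butter", "french fries")

    return {
        "weak_eavesdropper_succeeds": weak.authenticate(ssn, overheard_digits),
        "weak_rotatable": weak_rotatable,
        "strong_eavesdropper_before_rotation": eavesdropper_before,
        "strong_rotated": rotated,
        "strong_eavesdropper_after_rotation": strong.authenticate(ssn, "peanut butter"),
        "strong_owner_after_rotation": strong.authenticate(ssn, "french fries"),
        "strong_thief_cannot_rotate": strong.rotate_secret(ssn, "wrong guess", "x"),
    }


if __name__ == "__main__":
    for key, value in phone_call_scenario().items():
        print(f"{key}: {value}")
```

The point the run makes is the one the post makes in prose: both designs let an eavesdropper in once the secret is heard, but only the second design offers a way back, and rotating the secret does not require changing the identifier the rest of the database is keyed on.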

Please insist on using something other than your social security number for authentication and you'll find that your risk of identity theft will drop considerably.

I really appreciate comments so please feel free to comment on my posts. Whether you agree or disagree, I'd love to hear from you. Also, feel free to link back to your own blog in your comments. You can even subscribe to an RSS feed of the comments on this thread.

© 2008, D. Patrick Caldwell, President, Autopilot Consulting, LLC
