Monday, January 19, 2009

Stop Using My Social Security Number as a Password

I've got another quick security post today. I'm getting really tired of people using my social security number like it's a password. Social Security wasn't invented to provide companies with a means of authentication. The SSN was never supposed to be a secret; it was designed to be an identifier. It's the one thing that's supposed to follow you throughout your life no matter what you do to your name or address.

However, now banks, cellphone providers, and the like use the SSN as though it's the ubiquitous epitome of "shared secret." The fact is that your social security number isn't really all that secure and if it is ever compromised, you can't change it. Imagine this. Let's say you're on the phone with your bank and they ask for your authentication password and you tell them, "it's peanut butter." Someone could hear you! Fortunately, if they do, you can call back in privacy and say, "I don't want my password to be peanut butter; that's been compromised. Please change it to french fries." Now, your password is secure again. Now, imagine you call your bank and they ask, "what're the last four digits of your social security number?" You say, "1234." Right then, you realize someone is writing down (or recording) everything you're saying. Sorry, but you're shit out of luck.

So what is the social security number for? Like I said, it's an identifier. It's a way that any company can keep you separated from all of the other entities in their database. Nobody will ever have the same social security number as you. That makes it less like a password (well, not at all a password) but rather a username. You're looking at dpatrickcaldwell is my username. Imagine what a dip stick you'd think me to be if my password was also dpatrickcaldwell. I invite you to try it . . . it's not dpatrickcaldwell (nor is it the last four digits of my social security number).

I know there are several readers (and judging by my statistics . . . about 3) who are now thinking, "well, what should I do then? Everybody wants it!" Tell them no. Say, "I cannot allow you to use my social security number as my password. I will alternatively provide a PIN or a pass phrase." Eventually, they'll understand that you're serious and they'll use something else or I'd recommend you find yourself another financial institution. Hell, if enough of us walk into our banks, sing a bar of Alice's Restaurant, change our authentication method to something other than our socials, and walk out . . . they just might think it's a movement . . . and friends, that's just what it is. The Anti Security Massacre Movement.

Please insist on using something other than your social security number for authentication and you'll find that your risk of identity theft will drop considerably.

Security Liars! Don't Email My Password to Me. WTF?

I have 3 levels of security when it comes to my passwords. The first level is the one I use for all of my banking institutions. It is long and complex and I change it relatively frequently. The second is the middle tier password and I use it for websites that I really don't want people getting into like my email. The third is the password I use for all of that crap that I don't really care that much about like facebook and sites with security I feel can't be trusted.

Today, I signed up for a new site. It qualified as a middle tier site with regard to the personal information they'd undoubtedly be storing. It also passed the other tests leaving me relatively certain that they'd be protective over my security. They use HTTPS, they have the VeriSign approved logo, and all appears well and good. I signed up, created a username, and put my middle tier password in the box. I hit submit and about 30 seconds later, my confirmation email appeared in my inbox.

It was the standard confirmation email. Welcome Patrick. We're glad to have you. Keep your username filed away for future reference. Your password is . . . WTF? My password? Why in the name of all things holy and good did they email my password to me? I typed the damned thing in there twice? I obviously knew what it was. What kind of idiots do they have workin' over there?

As my brain flooded with questions, a few important things stood out. If they emailed my password, did they email it before they stored it (not likely) or are they storing it in plain text (likely . . . and stupid)? How am I ever supposed to trust this company with my credit card information if I can't trust them with my password? And why did they even bother going through all of the effort to get an SSL certificate to secure my HTTP post if they were just going to send my damned password out in an email?

As a programmer, I know that there are two potential cases: first, they're too dumb to know any better or second, they're liars. By virtue of the fact that they actually did bother to get an SSL cert, I can only presume that they're just security liars. They know they need to secure the site and I'm sure they believe that they should protect your password, but they obviously aren't. I am very disappointed and I wish I could have my password back before some rogue developer over there decides he (or she) wants to publish the entire password database on the internet.