Educause Security Discussion mailing list archives

Re: Use of Partial SSN as Authenticator


From: Randy Marchany <marchany () CANDI2 CIRT VT EDU>
Date: Thu, 22 Feb 2007 11:34:22 -0500

I thought ANY part of the SSN would be considered a FERPA violation.

Having said that, anything that asks for the last 4 digits of an SSN is BAD. I
can go to the ssa.gov site, find a description of the SSN fields
(xxx-xx-xxxx), realize the first 3 digits are by state (001-001 for NH, etc.),
make a reasonable guess for the middle 2 digits (again fully explained in the
SSN guide) and wait for someone to provide the last 4 digits.

See http://members.tripod.com/%7Egene_pool/3invssn2.htm for a description of
the SSN fields.


I have seen applications that ask for the last digits of your driver's license
number for a PIN code. Here in VA, DL #'s aren't SSNs so I suppose it's a
little safer.

I do understand the developers are probably trying to think of a number that
most people would know but using any part of the SSN is not good. Have I said
that enough? :-))))

        -Randy Marchany
