Comments on: How Notre Dame put my SSN on the Internet. http://atd.agranite.com/emerald-coast/education/how-notre-dame-put-my-ssn-on-the-internet/ Wed, 16 Dec 2009 01:51:44 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Mark Silis http://atd.agranite.com/emerald-coast/education/how-notre-dame-put-my-ssn-on-the-internet/#comment-82 Mark Silis Thu, 08 Jan 2009 06:16:04 +0000 http://atd.agranite.com/emerald-coast/?p=36#comment-82 simsong is dead on about reliance in the SSN. There's nothing fundamentally wrong with authentication via "something you know". But since the SSN is used as an ID number so many places, and has been printed on so many documents, its value as a password has mostly been lost. It doesn't stop with SSNs. Many web sites ask me for my birthdate, presumably to determine whether I'm a minor, so they can comply with regulations on retaining personal data. But my bank also asks me for my birthdate as part of authentication. Other sites want my mother's maiden name as a password reminder -- and my insurance company uses that one, too, if I call in to change my policy. Fortunately, as yet, these organizations who depend on what is effectively public information as authentication credentials bear the brunt of the liability for their mis-use. Of course, they'd like to change that. Beware of their efforts to hold us responsible for their own lazy practice. So what could be done? simsong is dead on about reliance in the SSN. There’s nothing fundamentally wrong with authentication via “something you know”. But since the SSN is used as an ID number so many places, and has been printed on so many documents, its value as a password has mostly been lost.

It doesn’t stop with SSNs. Many web sites ask me for my birthdate, presumably to determine whether I’m a minor, so they can comply with regulations on retaining personal data. But my bank also asks me for my birthdate as part of authentication. Other sites want my mother’s maiden name as a password reminder — and my insurance company uses that one, too, if I call in to change my policy.

Fortunately, as yet, these organizations who depend on what is effectively public information as authentication credentials bear the brunt of the liability for their mis-use. Of course, they’d like to change that. Beware of their efforts to hold us responsible for their own lazy practice.

So what could be done?

]]>