Depending on the size and location of your organization, the proposed authentication system could have enough duplication to be exploited by a hacker. There could easily be two, or more, people both having a common last name, like "Smith," as their mother's maiden name, and both born in the same city. If your organization is located in a large city, these duplicate combinations could be even more common than expected.
It would be trivial for an attacker to write a script to iterate over a list of common last names and city names to crack this password system. The last four digits of the social security number, which aren't likely to be duplicated, still pose a problem, privacy issues aside. There are only 10,000 possible values between 0000 and 9999, which a script can run through in a fraction of a second. So, four digits of the social security number are no barrier to the determined intruder.
If the intruder was a clever social engineer who had done his or her homework and obtained a list of your employees' names before even writing a script, the result would be lethal. The attacker could then write a finely honed script using those user names, narrow down the search for passwords, and gain unfettered access to your systems.
These types of attacks that use scripts iterating over common words and names are called dictionary attacks because the information can be acquired from a dictionary.
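To put numbers on the argument above, here is an added example (not part of the original answer) that estimates the size of the guess space for the proposed scheme and measures how often two employees end up with the same maiden-name/city pair. The surname and city lists and the employee roster are constructed stand-ins; real lists are far longer, which only makes the keyspace look worse relative to a random secret.

```python
import math
from collections import Counter

# Constructed sample lists standing in for "common last names" and "large city names".
COMMON_SURNAMES = ["smith", "johnson", "williams", "brown", "jones", "garcia", "miller", "davis"]
COMMON_CITIES = ["new york", "los angeles", "chicago", "houston", "phoenix", "philadelphia"]
SSN_SUFFIX_SPACE = 10_000  # every four-digit string from 0000 to 9999


def proposed_keyspace(surnames, cities, ssn_suffixes=SSN_SUFFIX_SPACE):
    """Return (number of combinations, bits of entropy) for the proposed scheme,
    assuming each factor is drawn from the candidate list. This is an upper bound:
    real-world name and city frequencies are skewed, so the effective entropy is lower."""
    combos = len(surnames) * len(cities) * ssn_suffixes
    return combos, math.log2(combos)


def random_secret_bits(length, alphabet_size=62):
    """Entropy of a uniformly random secret drawn from letters and digits (26+26+10)."""
    return length * math.log2(alphabet_size)


def duplicate_rate(employees):
    """Fraction of employees whose (maiden name, city) pair is shared with a colleague.
    Any duplicate means one successful guess unlocks more than one account."""
    if not employees:
        return 0.0
    key = lambda e: (e["maiden"].lower(), e["city"].lower())
    counts = Counter(key(e) for e in employees)
    shared = sum(1 for e in employees if counts[key(e)] > 1)
    return shared / len(employees)


# Constructed roster used for the duplicate check.
SAMPLE_EMPLOYEES = [
    {"name": "A", "maiden": "Smith", "city": "Chicago"},
    {"name": "B", "maiden": "Smith", "city": "Chicago"},
    {"name": "C", "maiden": "Garcia", "city": "Houston"},
    {"name": "D", "maiden": "Jones", "city": "Phoenix"},
    {"name": "E", "maiden": "Brown", "city": "New York"},
]

if __name__ == "__main__":
    combos, bits = proposed_keyspace(COMMON_SURNAMES, COMMON_CITIES)
    print(f"proposed scheme: {combos:,} combinations, about {bits:.1f} bits")
    print(f"9-char random alphanumeric secret: about {random_secret_bits(9):.1f} bits")
    print(f"employees sharing a maiden-name/city pair: {duplicate_rate(SAMPLE_EMPLOYEES):.0%}")
```

Even with these tiny lists, the scheme tops out below 19 bits, most of which comes from the four SSN digits the author says are a privacy problem in their own right; a nine-character random alphanumeric secret is over 53 bits, and the gap widens as the name lists grow.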
I recommend using something less common and more cryptic to identify your users for a password system. Look for some combination of internal employee numbers that aren't used outside the company mixed with other less common identifiers than names (mother's maiden name or otherwise) and cities. And, of course, make sure that whatever you use is longer than eight characters and contains a mix of letters and numbers, and no easily recognizable words or common names.
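As an added example (not the author's code), here is a small policy check that encodes the recommendation above: an identifier must be longer than eight characters, mix letters and digits, and contain no recognizable word or common name. The disallowed-word set is a constructed placeholder; a real deployment would load a full dictionary plus surname and city lists.

```python
import re

# Constructed, deliberately tiny word list standing in for a real dictionary of
# common words, surnames and city names.
DISALLOWED_WORDS = {"smith", "jones", "chicago", "boston", "password", "welcome"}


def check_identifier(identifier: str, min_length: int = 9, wordlist=DISALLOWED_WORDS):
    """Return a list of policy violations; an empty list means the identifier passes.
    Substring matching is used so that 'Smith1985' is rejected, not just 'smith'."""
    problems = []
    if len(identifier) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[A-Za-z]", identifier):
        problems.append("no letters")
    if not re.search(r"[0-9]", identifier):
        problems.append("no digits")
    lowered = identifier.lower()
    for word in sorted(wordlist):
        # Ignore very short entries to avoid rejecting random strings by accident.
        if len(word) >= 4 and word in lowered:
            problems.append(f"contains the common word or name '{word}'")
    return problems


if __name__ == "__main__":
    for candidate in ["Smith1985", "x7q2m9v4k", "abcd", "E-4471-k9zq"]:
        print(candidate, "->", check_identifier(candidate) or "OK")
```

The check is intentionally strict on dictionary content rather than on character classes alone, because the weakness the author describes comes from guessable words, not from a lack of punctuation.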
There isn't a magical formula that provides a secure password system with employee identifiers. However, the proposed system is weak, at best.
Related Q&A from Joel Dubin