Michael S. Mimoso, Editorial Director

Depending on the size and location of your organization, the proposed authentication system could contain enough duplication for an attacker to exploit. Two or more employees could easily share a common mother's maiden name, such as "Smith," and the same birth city. If your organization is located in a large city, these duplicate combinations will be even more common than you might expect.
It would be trivial for an attacker to write a script that iterates over a list of common last names and city names to crack this password system. The last four digits of the Social Security number, which are less likely to be duplicated, still pose a problem, privacy issues aside. There are only 10,000 possibilities between 0000 and 9999, and a script can run through all of them in a fraction of a second. So four digits of the Social Security number are no barrier to a determined intruder.
If the intruder is a clever social engineer who has done his or her homework and obtained a list of your employees' names before even writing a script, the result would be lethal. The attacker could then write a finely honed script that pairs those usernames with candidate values, narrow the search for each user's password, and gain unfettered access to your systems.
Attacks of this kind, which use scripts to iterate over lists of common words and names, are called dictionary attacks because the candidate values are drawn from a word list, or "dictionary," rather than from exhaustive trial of every possible character combination.
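The following script is an added illustration of the attack described above, not code from the original column. It enumerates the maiden-name, birth-city and last-four-SSN space against a small set of constructed employee records, and separately shows how a known username plus a guessed maiden name and city leaves only the 10,000 digit suffixes to try. The surname and city lists, the employee records, and the assumption that the system stores an unsalted SHA-256 of the three concatenated fields are all constructed for the example; a real attacker would substitute public census surname tables and city lists, which does not change the structure of the attack.

```python
"""Enumerating a maiden-name / birth-city / last-4-SSN "password" space.

Added illustration, not from the original column. All names, cities and
employee records below are constructed sample data.
"""
import hashlib
import itertools
import time

# Constructed: short lists of common U.S. surnames and large cities. A real
# attacker would use census surname tables and full city lists (thousands of
# entries); only the size of the loop changes, not the attack.
COMMON_SURNAMES = ["Smith", "Johnson", "Williams", "Brown", "Jones", "Garcia",
                   "Miller", "Davis", "Rodriguez", "Martinez", "Wilson", "Anderson"]
LARGE_CITIES = ["New York", "Los Angeles", "Chicago", "Houston", "Phoenix",
                "Philadelphia"]
SSN_LAST4 = [f"{n:04d}" for n in range(10_000)]  # every value 0000 .. 9999


def identifier(maiden_name: str, city: str, ssn4: str) -> str:
    """The proposed 'password' is just the three fields concatenated."""
    return f"{maiden_name}|{city}|{ssn4}"


def hash_identifier(value: str) -> str:
    # Hypothetical storage format: an unsalted SHA-256 of the identifier.
    return hashlib.sha256(value.encode()).hexdigest()


# Constructed employee records: username -> stored hash. "jdoe" and "mlee"
# share a maiden name and birth city, the duplication the column warns about;
# only their SSN digits differ.
EMPLOYEES = {
    "jdoe": hash_identifier(identifier("Smith", "Chicago", "4821")),
    "mlee": hash_identifier(identifier("Smith", "Chicago", "0093")),
    "rpatel": hash_identifier(identifier("Garcia", "Houston", "7710")),
}


def keyspace_size(surnames, cities) -> int:
    """Worst-case number of candidates an attacker must try."""
    return len(surnames) * len(cities) * len(SSN_LAST4)


def dictionary_attack(stored_hashes, surnames, cities):
    """Recover every user's identifier by walking the dictionary.

    Indexes the stored hashes once, then iterates surname x city x 0000-9999,
    stopping early once every user is recovered.
    Returns {username: (maiden_name, city, ssn4)}.
    """
    wanted = {}
    for user, digest in stored_hashes.items():
        wanted.setdefault(digest, []).append(user)
    recovered = {}
    for maiden, city in itertools.product(surnames, cities):
        prefix = f"{maiden}|{city}|"
        for ssn4 in SSN_LAST4:
            digest = hashlib.sha256((prefix + ssn4).encode()).hexdigest()
            users = wanted.get(digest)
            if users:
                for user in users:
                    recovered[user] = (maiden, city, ssn4)
                if len(recovered) == len(stored_hashes):
                    return recovered
    return recovered


def targeted_attack(stored_hashes, username, maiden, city):
    """With a username list and a guessed maiden name and city, only the
    10,000 SSN suffixes remain to try for that user. Returns the matching
    suffix, or None if the guess for maiden name or city was wrong."""
    target = stored_hashes[username]
    for ssn4 in SSN_LAST4:
        if hash_identifier(identifier(maiden, city, ssn4)) == target:
            return ssn4
    return None


if __name__ == "__main__":
    print("worst-case candidates:", keyspace_size(COMMON_SURNAMES, LARGE_CITIES))
    t0 = time.perf_counter()
    found = dictionary_attack(EMPLOYEES, COMMON_SURNAMES, LARGE_CITIES)
    print(f"recovered {len(found)}/{len(EMPLOYEES)} users "
          f"in {time.perf_counter() - t0:.2f}s")
    for user, fields in sorted(found.items()):
        print(f"  {user}: {fields}")
    t0 = time.perf_counter()
    ssn4 = targeted_attack(EMPLOYEES, "jdoe", "Smith", "Chicago")
    print(f"jdoe suffix {ssn4} found in {time.perf_counter() - t0:.3f}s "
          "(10,000 tries at most)")
```

Even with these deliberately short lists the whole space is 720,000 candidates, which a laptop exhausts in a couple of seconds; the targeted loop over one user's 10,000 suffixes finishes in well under a second. Salting the stored hashes would prevent the reverse-index trick in `dictionary_attack`, but not the per-user loop in `targeted_attack`, because the weakness is the size of the candidate space, not the storage format.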
I recommend using something less common and more cryptic to identify your users for a password system. Look for some combination of internal employee numbers that aren't used outside the company, mixed with identifiers less common than names (mother's maiden name or otherwise) and cities. And, of course, make sure that whatever you use is longer than eight characters, contains a mix of letters and numbers, and includes no easily recognizable words or common names.
There isn't a magical formula that provides a secure password system with employee identifiers. However, the proposed system is weak, at best.
This was first published in November 2005