
How to create a secure password system

In this Ask the Expert Q&A, Joel Dubin examines the security risks associated with using a password system that includes employee identifiers.

I am a senior information security director. My company wants to use the last four digits of an employee's social security number, mother's maiden name and city of birth for a project's password authentication system. What security issues should I be concerned with, if any, when we use this information (particularly the last four digits of the SSN)?
There are some huge security risks in the system you describe, the least of which is the use of part of the social security number.

Depending on the size and location of your organization, the proposed authentication system could have enough duplication to be exploited by a hacker. There could easily be two or more people who share a common last name, like "Smith," as their mother's maiden name, and who were both born in the same city. If your organization is located in a large city, these duplicate combinations could be even more common than expected.

It would be trivial for an attacker to write a script to iterate over a list of common last names and city names to crack this password system. The last four digits of the social security number, which aren't likely to be duplicated, still pose a problem, privacy issues aside. There are only 10,000 combinations between 0000 and 9999, which a script can run through in a fraction of a second. So four digits of the social security number are no barrier to the determined intruder.

If the intruder were a clever social engineer who had done his or her homework and obtained a list of your employees' names before even writing a script, this would be lethal. The attacker could then write a finely honed script with those user names, narrow down the search for passwords and have unfettered access to your systems.

These types of attacks that use scripts iterating over common words and names are called dictionary attacks because the information can be acquired from a dictionary.

I recommend using something less common and more cryptic to identify your users for a password system. Look for some combination of internal employee numbers that aren't used outside the company mixed with other less common identifiers than names (mother's maiden name or otherwise) and cities. And, of course, make sure that whatever you use is longer than eight characters and contains a mix of letters and numbers, and no easily recognizable words or common names.

There isn't a magical formula that provides a secure password system with employee identifiers. However, the proposed system is weak, at best.
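To put numbers on the two weaknesses the answer describes (duplicate maiden-name/city combinations and the tiny SSN-4 space), here is an added example that is not part of the original column. The surname and city frequency tables are constructed toy data, not real census figures, and the script assumes the last four SSN digits are uniform and independent of the other two parts.

```python
"""Added example (not from the original column): quantify the two weaknesses
the answer describes in the proposed 'SSN-4 + maiden name + birth city' scheme.
The frequency tables are constructed toy data, not real census figures."""
import math

# Constructed share of employees with each value; the tables deliberately list
# only the head of the distribution, so they sum to less than 1.
SURNAMES = {"Smith": 0.10, "Johnson": 0.08, "Williams": 0.07, "Brown": 0.06,
            "Jones": 0.06, "Garcia": 0.05, "Miller": 0.04, "Davis": 0.04}
CITIES = {"Chicago": 0.30, "Springfield": 0.15, "Peoria": 0.10,
          "Rockford": 0.08, "Naperville": 0.07, "Joliet": 0.05}
SSN4_SPACE = 10_000        # 0000..9999, assumed uniform and independent


def expected_duplicate_pairs(n_employees, surnames=SURNAMES, cities=CITIES):
    """Expected number of employee pairs sharing the same (maiden name, city),
    counting only the listed values, so this is a lower bound. Birthday-style
    estimate: C(n, 2) * sum of squared joint probabilities."""
    p2 = sum(s * s for s in surnames.values()) * sum(c * c for c in cities.values())
    return math.comb(n_employees, 2) * p2


def guesses_to_cover(coverage, surnames=SURNAMES, cities=CITIES, ssn4=SSN4_SPACE):
    """Work factor: guesses needed, trying the most likely (maiden name, city,
    SSN-4) triples first, to cover `coverage` of the user population."""
    pairs = sorted((s * c for s in surnames.values() for c in cities.values()),
                   reverse=True)
    guesses, remaining = 0, coverage
    for p in pairs:               # each pair expands into ssn4 equally likely triples
        if p >= remaining:        # coverage is reached inside this pair's block
            return guesses + math.ceil(remaining / (p / ssn4))
        guesses += ssn4
        remaining -= p
    raise ValueError("frequency tables do not reach the requested coverage")


def uniform_guesses_to_cover(coverage, space):
    """Same work factor for a uniformly random secret drawn from `space` values,
    e.g. 62 ** 8 for an 8-character mixed-case alphanumeric password."""
    return math.ceil(coverage * space)


if __name__ == "__main__":
    print(f"duplicate (maiden name, city) pairs among 500 staff: "
          f"{expected_duplicate_pairs(500):.0f}")
    print(f"guesses to cover 25% of users, proposed scheme: "
          f"{guesses_to_cover(0.25):,}")
    print(f"guesses to cover 25% of users, random 8-char password: "
          f"{uniform_guesses_to_cover(0.25, 62 ** 8):,}")
```

With these toy tables, 500 employees already produce several hundred colliding maiden-name/city pairs, and covering a quarter of accounts costs under 200,000 guesses against the proposed scheme versus tens of trillions against a random eight-character password.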


  • This was last published in November 2005
