Depending on the size and location of your organization, the proposed authentication system could have enough duplication to be exploited by a hacker. There could easily be two, or more, people both having a common last name, like "Smith," as their mother's maiden name, and both born in the same city. If your organization is located in a large city, these duplicate combinations could be even more common than expected.
It would be trivial for an attacker to write a script to iterate over a list of common last names and city names to crack this password system. The last four digits of the social security number, which aren't likely to be duplicated, still pose a problem, privacy issues aside. There are only 10,000 iterations between 0000 and 9999, which a script can run over in a fraction of a second. So, four digits of the social security number is no barrier to the determined intruder.
If the intruder was a clever social engineer and had done his or her homework and was able to get a list of your employee's names, before even writing a script, this would be lethal. The attacker could then write a finely honed script with those user names and narrow down their search for passwords and have unfettered access to your systems.
These types of attacks that use scripts iterating over common words and names are called dictionary attacks because the information can be acquired from a dictionary.
I recommend using something less common and more cryptic to identify your users for a password system. Look for some combination of internal employee numbers that aren't used outside the company mixed with other less common identifiers than names (mother's maiden name or otherwise) and cities. And, of course, make sure that whatever you use is longer than eight characters and contains a mix of letters and numbers, and no easily recognizable words or common names.
There isn't a magical formula that provides a secure password system with employee identifiers. However, the proposed system is weak, at best.
Dig Deeper on Password management and policy
Related Q&A from Joel Dubin
Ensuring authenticity of online communications is critical to conduct business. Learn how to use a public key and private key in digital signatures ... Continue Reading
Learn about the purpose of CAPTCHA challenges that enable websites to differentiate bots from authentic users to stop spammers from hijacking forums ... Continue Reading
Proper planning is at the top of the list for single sign-on best practices, but it's important to get enterprise SSO implementations off to a good ... Continue Reading