[somewhat OT] Re: [TriLUG] Linux Lab

Tom 'spot' Callaway tcallawa at redhat.com
Mon Nov 4 22:39:52 EST 2002


On Mon, 4 Nov 2002, Mike Johnson wrote:

> > 100 freshmen SSNs may seem immaterial, but not if they are passwords.
> > Makes for a nasty ddos.
> 
> Um, I gotta step in here.  You point out that one hundred social
> security numbers, complete with names and addresses, are easy to come
> by, and you're worried about access to some silly accounts that could be
> used as a ddos?

Well, sarcasm doesn't flow terribly well across email. Obviously, there 
are far worse crimes to be committed with SSNs and corresponding 
identifiers. There are also easier ways to get SSNs.

My point was mostly that they make terrible passwords, since a large 
percentage of people only change their password if forced to, and the 
passwords themselves are in wide use, especially in a University 
environment.
 
> Social security numbers are -supposed- to be secure, they are supposed
> to be -very- protected.  While some people don't treat them as
> preciously as they should be, those people are wrong.  Now, that doesn't
> mean they should be used as passwords.  Banks can mail out PIN numbers,
> why couldn't a university mail out a password?

NCSU is notoriously bad about SSN use. An example: The student IDs still 
have the owner's SSN on the barcode.

> Mail them out.  Or, hand them out with the student ID.

Valid; however, you suffer from the "but, I lost mine" issues. There 
should also be a fallback system where a user with ID can 
acquire/re-randomize their password.

All systems can be circumvented, you just don't want to make it easy to do 
so.

Hey, we should just move to biometrics. That will solve all the issues. ;)

~spot
---
Tom "spot" Callaway <tcallawa(a)redhat*com> Red Hat Sales Engineer
Sair Linux and GNU Certified Administrator (LCA)
Red Hat Certified Engineer (RHCE)
GPG: D786 8B22 D9DB 1F8B 4AB7  448E 3C5E 99AD 9305 4260

The words and opinions reflected in this message do not necessarily
reflect those of my employer, Red Hat, and belong solely to me.

"Immature poets borrow, mature poets steal." --- T. S. Eliot



