LISTSERV - HP3000-L Archives

HP3000-L Archives

August 1998, Week 3

HP3000-L@RAVEN.UTC.EDU

	LISTSERV Archives
	HP3000-L Home
	HP3000-L August 1998, Week 3

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Re: Re[2]: "I forgot my password"
From:	toback2 <[log in to unmask]>
Reply To:	toback2 <[log in to unmask]>
Date:	Thu, 20 Aug 1998 15:38:17 -0700
Content-Type:	text/plain
Parts/Attachments:	text/plain (49 lines)

Chris Bartram writes:
>[Stan Sieler writes:]
>> (And I won't even comment on the inappropriateness of having a list of
user's
>> Social Security Numbers but, check out:
>>     http://www.cpsr.org/cpsr/privacy/ssn/ssn.faq.html
>> for info about SSN & privacy)
>
>SSN#s for security purposes (or at least driver's license #s) are not
>inappropriate (IMHO). Obviously privacy concerns need to be accomodated, and
>if that info is maintained, it should be for identification purposes *ONLY*.

They are inappropriate precisely because you believe them to be secure
when they're not. It's  easy to get hold of someone's SSN because it's
used for ID in so many applications. Universities use it for a student
ID. States use it for a driver's license number unless otherwise
requested (and most people don't bother). It's on employment records
which may or may not be secure. I get them faxed to me regularly because
my phone number is one digit different from the fax number at an auto
loan broker.

When I got my pilot's license, which also uses the SSN as the default ID,
I didn't supply my SSN but instead checked the box that said, "Assign a
number." The FAA assigned a number, all right: my social security number!
I have no idea where they got it, but that's just the point: it's
available.

The more places the SSN is used needlessly, the less secure it is as an
identifier. It's already next to worthless. The fact that people insist
on treating it as secure is one of the things that make it dangerous.

Do the same thing that alarm companies do when they need to recognize one
of their customers over the phone: have a prearranged pass phrase (the
person can provide it when they're hired) that they have to supply when
they request a password change over the phone.

-- Bruce

--------------------------------------------------------------------------
Bruce Toback    Tel: (602) 996-8601| My candle burns at both ends;
OPT, Inc.            (800) 858-4507| It will not last the night;
11801 N. Tatum Blvd. Ste. 142      | But ah, my foes, and oh, my friends -
Phoenix AZ 85028                   | It gives a lovely light.
btoback AT optc.com                |     -- Edna St. Vincent Millay
Mail sent to [log in to unmask] will be inspected for a
fee of US$250. Mailing to said address constitutes agreement to
pay, including collection costs.

ATOM RSS1 RSS2

RAVEN.UTC.EDU