Primary key, not shared secret

The blogosphere is atwitter with the news that a CMU researcher demonstrated that some SSNs can be predicted from a person’s date and location of birth:

The nation’s Social Security numbering system has left millions of citizens vulnerable to privacy breaches, according to researchers at Carnegie Mellon University, who for the first time have used statistical techniques to predict Social Security numbers solely from an individual’s date and location of birth.

Big freaking deal. It’s not like you haven’t told hundreds of people your SSN already.

We have got to move past pretending that there is any security associated with a number that you give every medical, financial, and governmental institution you deal with. There is only one way that will happen: we have to make the entire DB of SSNs public records, available to all. Otherwise companies just won’t stop using them for authentication.

We need to make the SSN only a primary key into a giant table of common names (if I could mix database and directory metaphors for a moment).

2 responses to “Primary key, not shared secret”

  1. Can you imagine writing queries in your database/directory world? SQLDAP?

    select * from names where (&(dc=us)(surname=Gla*))

  2. Perhaps a virtual directory would be appropriate?
