[144572] in cryptography@c2.net mail archive


Re: Weakness in Social Security Numbers Is Found

daemon@ATHENA.MIT.EDU (dan@geer.org)
Thu Jul 9 11:30:19 2009

From: dan@geer.org
To: "Ali, Saqib" <docbook.xml@gmail.com>
cc: Cryptography <cryptography@metzdowd.com>
In-Reply-To: Your message of "Wed, 08 Jul 2009 07:25:31 PDT."
             <addede3b0907080725l6e3f1086ra7167da44090ffbf@mail.gmail.com> 
Date: Wed, 08 Jul 2009 20:46:28 -0400


I don't honestly think that this is new, but even
if it is, a 9-digit random number has a 44% chance
of being a valid SSN (442 million issued to date).

Similarly, with Chase and Citi each at about 100M
cards issued, and the 16-digit card number having
7 of those digits fixed-in-advance, a 16-digit
random number has a 10% chance of being a valid
card number.  Amex cards are 15 digits and there
are 50M in play, so a random 15-digit number has
a 50% chance of being a valid card number.  As such,
an attacker is better off holding the password
constant and cycling through account numbers than 
holding the account number constant and cycling
through password guesses.

Yes, these are approximations for the purpose of
argument, but I don't see what the big deal is for
the "All The News That's Fit to Print" paper in
learning that there ain't much entropy in SSNs.
Hell, my brother and I have sequential numbers.

--dan
