Weakness in Social Security Numbers Is Found

dan at geer.org
Wed Jul 8 20:46:28 EDT 2009

I don't honestly think that this is new, but even
if it is, a 9-digit random number has a 44% chance
of being a valid SSN (442 million issued to date).

Similarly, with Chase and Citi each at about 100M
cards issued, and the 16-digit card number having
7 of those digits fixed in advance, a 16-digit
random number has a 10% chance of being a valid
card number.  Amex cards are 15 digits and there
are 50M in play, so a random 15-digit number has
a 50% chance of being a valid card number.  As such,
an attacker is better off holding the password
constant and cycling through account numbers than 
holding the account number constant and cycling
through password guesses.

Yes, these are approximations for the purpose of
argument, but I don't see what the big deal is for
the "All The News That's Fit to Print" paper in
learning that there ain't much entropy in SSNs.
Hell, my brother and I have sequential numbers.


The Cryptography Mailing List
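
The closing point of the message above, seen from the defender's side, as an added example that is not part of the original post: a per-account failure counter never fires when guesses are spread one per account number, so a second counter tracks distinct accounts per source. The event format, the source and account names and both thresholds are assumptions, and the events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed sliding window for both counters


def sample_events():
    """Constructed login events: (timestamp, source, account, result)."""
    base = datetime(2009, 7, 8, 20, 0, 0)
    events = []
    for i in range(12):  # src-A: one failure against each of 12 accounts
        events.append((base + timedelta(seconds=5 * i), "src-A", f"acct-{1000 + i}", "fail"))
    for i in range(6):   # src-B: six failures against a single account
        events.append((base + timedelta(seconds=7 * i), "src-B", "acct-2000", "fail"))
    # src-C: ordinary user, one typo followed by a successful login
    events.append((base + timedelta(seconds=30), "src-C", "acct-3000", "fail"))
    events.append((base + timedelta(seconds=40), "src-C", "acct-3000", "ok"))
    return sorted(events)


def per_account_lockout(events, max_failures=5, window=WINDOW):
    """Classic control: accounts with max_failures failures inside the window."""
    recent = defaultdict(list)  # account -> timestamps of recent failures
    flagged = set()
    for ts, _src, acct, result in events:
        if result != "fail":
            continue
        hits = recent[acct] = [t for t in recent[acct] if ts - t <= window] + [ts]
        if len(hits) >= max_failures:
            flagged.add(acct)
    return flagged


def account_cycling_sources(events, max_accounts=10, window=WINDOW):
    """Sources whose failures span max_accounts distinct accounts in the window."""
    recent = defaultdict(list)  # source -> (timestamp, account) of recent failures
    flagged = set()
    for ts, src, acct, result in events:
        if result != "fail":
            continue
        hits = recent[src] = [(t, a) for t, a in recent[src] if ts - t <= window] + [(ts, acct)]
        if len({a for _t, a in hits}) >= max_accounts:
            flagged.add(src)
    return flagged


if __name__ == "__main__":
    ev = sample_events()
    print("locked accounts:", per_account_lockout(ev))
    print("account-cycling sources:", account_cycling_sources(ev))
```

On the constructed events the per-account counter flags only the account hit repeatedly by src-B, while src-A, which touched twelve accounts once each, is visible only to the per-source counter.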