SSN/Personal Identity Code is NOT a password
Social Security Number / Personal Identity Code (Henkilötunnus or HETU in Finnish) is unsuitable as a password and using it as a password should be forbidden.
A Finnish citizen's initiative to forbid using the HETU for authentication
Passwords
- It should be possible to change passwords. Changing your HETU is very hard.
- A password should be hard to guess. A HETU consists of a person's birth date and a serial number, and fewer than 1000 serial numbers are available per day.
- It's good password hygiene to use a different password for each service. Everyone only gets one HETU.
- A password should be kept secret. HETUs are used in so many places that the risk of one leaking is very high.
- The HETU is meant for identifying people, like a username, not for authenticating them, like a password.
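The points above can be turned into a concrete check. The following is an added example, not code from the original page or the initiative: it parses a HETU using its public format (DDMMYY, century marker, three-digit individual number, check character), shows how much a valid code reveals (birth date, sex), estimates how many guesses a HETU "password" survives compared with a real password, and refuses any password that is itself a valid HETU. The function names, the sample code "010190-123M" and the 94-character password alphabet are this example's own constructed assumptions.

```python
"""Recognise a Finnish personal identity code (HETU) and refuse it as a password.

Added example, not from the original page. The HETU format used here is public:
DDMMYY C ZZZ Q, where C is a century marker, ZZZ an individual number
(002-899 permanent, 900-999 temporary) and Q a check character derived from
the nine digits DDMMYYZZZ modulo 31.
"""
import math
import re
from datetime import date

# Century markers: '+' = 1800s, '-' = 1900s, 'A' = 2000s. The 2023 reform
# added Y X W V U as extra 1900s markers and B C D E F as extra 2000s markers.
CENTURY = {"+": 1800}
CENTURY.update({m: 1900 for m in "-YXWVU"})
CENTURY.update({m: 2000 for m in "ABCDEF"})

# Check-character table: int(DDMMYYZZZ) % 31 indexes into this string.
CHECK_CHARS = "0123456789ABCDEFHJKLMNPRSTUVWXY"

HETU_RE = re.compile(r"^(\d{2})(\d{2})(\d{2})([-+A-FU-Y])(\d{3})([0-9A-Y])$")


def check_char(ddmmyy: str, zzz: str) -> str:
    """Check character for the nine digits DDMMYY + ZZZ."""
    return CHECK_CHARS[int(ddmmyy + zzz) % 31]


def parse_hetu(code: str):
    """Return what a valid HETU reveals, or None if the string is not a valid HETU."""
    m = HETU_RE.match(code.strip().upper())
    if not m:
        return None
    dd, mm, yy, marker, zzz, q = m.groups()
    if q != check_char(dd + mm + yy, zzz):
        return None  # wrong check character: a typo or not a HETU at all
    try:
        born = date(CENTURY[marker] + int(yy), int(mm), int(dd))
    except ValueError:  # e.g. 30 February
        return None
    n = int(zzz)
    if n < 2:  # 000 and 001 are never assigned
        return None
    return {
        "birth_date": born,
        "individual_number": n,
        "temporary": n >= 900,
        # Odd individual numbers are assigned to males, even ones to females.
        "sex": "male" if n % 2 else "female",
    }


def guess_space_bits(birth_date_known: bool = True) -> float:
    """Bits of entropy a guesser faces when a HETU is used as a password.

    The check character is derived from the other digits, so it adds nothing.
    """
    per_day = 898  # individual numbers 002..899
    if birth_date_known:
        return math.log2(per_day)
    # Birth date unknown: roughly a century of possible dates (about 36525 days).
    return math.log2(per_day * 36525)


def password_bits(length: int, alphabet: int = 94) -> float:
    """Entropy of a random password of the given length over an alphabet."""
    return length * math.log2(alphabet)


def is_acceptable_password(password: str) -> bool:
    """Password policy: a string that is a valid HETU is never an acceptable password."""
    return parse_hetu(password) is None


if __name__ == "__main__":
    sample = "010190-123M"  # constructed sample, not a real person's code
    print(parse_hetu(sample))
    print(f"HETU with known birth date: {guess_space_bits():.1f} bits")
    print(f"HETU with unknown birth date: {guess_space_bits(False):.1f} bits")
    print(f"Random 8-char password: {password_bits(8):.1f} bits")
    print("acceptable:", is_acceptable_password(sample))
```

Even when the birth date is unknown, a HETU offers only about 25 bits of guessing entropy, less than a random eight-character password; when the birth date is known (it is printed on the code itself), fewer than ten bits remain. A service can run `is_acceptable_password` at password creation and at login to stop users from choosing their identity code as a secret.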
How to authenticate people
- Use an official identification document, such as an ID card or passport. Online you should use strong electronic authentication via the Finnish Trust Network (bank ID, chip card or mobile ID).
- Username/email and password is better than just HETU.
- Two-factor authentication is better than a username and password.
- When the HETU is used, it should be combined with something secret, that is, not the person's name, address, phone number or similar.
Links