This comment just showed up on an old blog post, and I wanted to give it better blog visibility. I sometimes rant at the weak 4-digit PINs libraries usually use (even libraries that loudly talk about the sanctity of patron privacy). I do not know if any or all of this comment is accurate, but I post it here for others to confirm or deny.
The SIRSI automation of our public library system allows a password (termed PIN) to comprise up to ten characters; in the preceding DRA system the requirement was four numeric characters, or so we were told. Applicants are still told that the library system would like you to compose a PIN of four numeric characters, despite the option (stated, unbeknownst to many, in the library system's web site) to use up to ten characters.
The behavior described above occurs in a large, award-winning county public library system located in metropolitan Atlanta.
I am not confident that this comment will survive transmittal. If so, I may later comment on risks.
[comment by tenode on this old blog entry about privacy and library elf]
As to Mary's reasonable uncertainty of the accuracy of my assertion, which was that a public library system is capable of ten-character PIN passwords while attempting to restrict each user PIN to four numeric characters, I should offer the means of proving the assertion.
You may go to www.cobbcat.org. Click on My Account. Under "Detailed Information About:", click on USER PIN CHANGE. The instructions state that the new PIN is to be "no longer than 10 characters."
The Customer Service phone number for the library system is 770/528-2326. The library system's PIN preference may be learned there. It is not necessary to announce from where one is calling, of course.
If the moderator deems that the phone number I gave should be edited out, that may be done. If there is a policy against editing comments by permission, the moderator may allow the comment unedited or not at all.
Library professionals can say better than I how widespread is password-setting conduct such as I've briefly described.
Posted by: tenode | July 10, 2006 at 05:27 PM
While a 4-digit pin is weak, there's nothing strong about a 6-8 character password. For the latter, people tend to use actual words, which are then easy to break using the "brute force" method of a dictionary of terms. If people chose 6-8 random numbers and letters, then 8 would be much more secure than 4. Yet we know that generally the human mind can handle 5-7 individual items in memory (numbers, letters) at most. We need mnemonics for our memory to work, and that's the weakness of passwords. If we can remember it, someone else can break it.
Posted by: Karen Coyle | July 07, 2006 at 09:02 AM
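The comparison Karen Coyle makes above (a 4-digit PIN versus a 6-8 letter dictionary word versus random characters) can be put in numbers. The following is an added example, not code from the blog or from either commenter; the dictionary size of 100,000 words and the "5 attempts per 15 minutes" lockout policy are constructed assumptions, not facts about any library system. It computes the keyspace and entropy of each choice and, from a defender's view, shows how much an online guess limit matters relative to PIN length.

```python
import math

# Alphabet sizes: decimal digits, and mixed-case letters plus digits.
DIGITS = 10
ALNUM = 62
# Constructed assumption: size of the word list a guesser would try first.
DICTIONARY_WORDS = 100_000


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct secrets of `length` symbols drawn from an alphabet."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Strength of a uniformly chosen secret from `space` possibilities, in bits."""
    return math.log2(space)


def expected_guesses(space: int) -> float:
    """On average the correct secret is found halfway through the space."""
    return space / 2


def expected_days(space: int, attempts_per_day: float) -> float:
    """Average days to find a uniformly chosen secret at a given guess rate."""
    return expected_guesses(space) / attempts_per_day


def lockout_attempts_per_day(attempts_per_window: int, window_minutes: float) -> float:
    """Guess rate an account-lockout policy permits (assumed policy values)."""
    return attempts_per_window * (24 * 60 / window_minutes)


def compare_policies(attempts_per_day: float) -> dict:
    """Keyspace, bits and expected guessing time for the choices discussed above."""
    cases = {
        "4 random digits": keyspace(DIGITS, 4),
        "6 random digits": keyspace(DIGITS, 6),
        "10 random digits": keyspace(DIGITS, 10),
        "dictionary word (6-8 letters)": DICTIONARY_WORDS,
        "8 random alphanumerics": keyspace(ALNUM, 8),
    }
    return {
        name: {
            "keyspace": space,
            "bits": round(entropy_bits(space), 1),
            "expected_days": expected_days(space, attempts_per_day),
        }
        for name, space in cases.items()
    }


if __name__ == "__main__":
    # Two assumed guess rates: an unthrottled login form accepting 10 tries/second,
    # and a form behind a 5-tries-per-15-minutes lockout.
    unthrottled = 10 * 60 * 60 * 24
    throttled = lockout_attempts_per_day(5, 15)
    for label, rate in (("unthrottled", unthrottled), ("5 tries / 15 min", throttled)):
        print(f"== {label}: {rate:,.0f} attempts/day ==")
        for name, row in compare_policies(rate).items():
            print(f"{name:32s} {row['bits']:5.1f} bits  ~{row['expected_days']:.3g} days")
```

Two things fall out of the numbers. A 100,000-word dictionary is worth about 16.6 bits, less than six random digits (about 19.9 bits), which is the point made above: a word is weaker than a short random string. And a 4-digit PIN that falls in minutes against an unthrottled form takes around ten days on average under even a modest lockout, so the guess limit on the login endpoint is at least as important as the PIN length the library recommends.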