Xerratus
Happily stressed out, since 1974


 
Wednesday, December 21, 2005
<< Teaching Intelligent Design in Public Schools Ruled Unconstitutional
What is on FIRE? >>

Why SSN should NOT be stored as an integer in a database
Recently, with an aging application created by an employee who no longer works here, I ran into a problem with SSN’s being stored in the database as integers.  Now the person who designed this, from what I gathered from another employee that worked with him, was very adamant about doing it this way.  To store it as a string or varchar in the database was a no-no due to size and allocation issues.  Honestly, this isn’t a problem, storing it as an integer.  It does however become a problem when you don’t solve for zeros.  

Yes, zeros, they exist in social security numbers and they can even show up at the beginning of one.  Take mine for instance; the first 3 digits are 093 (I was born in N.Y.).  So the problem we had recently was just that.  The number went in minus the leading zero but when the number was taken out of the database, it wouldn’t validate correctly.  Duh, I wonder why?  At no time should you add to the number (i.e., prefix zeros if the number is smaller) because it takes away from the integrity of the number.  Perhaps somebody keyed the number in leaving out a digit, prefixing a zero will do more harm than good.

So what is the harm storing it in the database as a varchar?  I truly believe, with the size of hard-drives and RAM becoming ever larger, that size is not nearly the issue it was for data storage 5 years ago.  Personally, I believe in encrypting before storing it in a database but as a string not an integer.  Again, size should no longer be an issue.  Now a number that is 093-XX-XXXX will be encrypted as “093-XX-XXXX” instead of 93-XX-XXXX and stored as either a varchar or varbinary in the database (personally, I do varchar).  The number’s integrity is intact and decrypting it will keep the leading zero, as it should.

Is this really a problem worth mentioning?  Do developers really do this?  Apparently so.  For a while now, I would try to log in to one of my online banks (which will remain nameless) and on top of asking for a pin they ask rotating questions for extra security.  A nice touch if you ask me.  The problem is that every 3rd or 4th time I try and log in, it throws an error stating that the input does not match.  You want to guess what question it asks me each and every time that error gets thrown?  If you guessed “enter the first 3 digits of your social security number”, you are correct.  My speculation is that it is trying to compare my “093” with 93 from the database.  But in order for this to happen, they need to be converting the database value to a string, not the other way around.  You see, if they converted “093” to an int and compared, 93 would equal 93.  But, if you converted the database value to a string, “93” would not equal “093”.  That’s my guess at least.

In short, you should always encrypt SSN’s as strings in the database to be sure that the integrity of the number is never compromised for decrypting and comparing later.

UPDATE:
This comment, left by whatever43 from digg, hits the nail on the head. 

Most of the commentators, while perhaps excellent programmers, DBAs and the like, obviously don't understand the data about which they're commenting, which is most likely the source of all of the derision.
An SSN is not a number. It's a string made up of three distinct numbers, and only the third one (comprised of the last four digits) is serial. It can be treated like a number, but in most if not all cases it shouldn't be.
It's not a question of mathematical operations, storage space or anything else that's been mentioned here; it's a matter data integrity.
Thought not perfect by a long shot, SSNs are much more sophisticated than most people think. If you do any type of database programming and deal with SSNs, please go to www.ssa.gov and learn a little about them.
(No, I don't work for the Social Security Administration, but I have a lot of experience in data storage, validation and integrity, and I've encountered almost every question one can think of about SSNs.)

Wednesday, December 21, 2005 @ 11:37 AM (-08:00) Pacific Standard Time
Comments (11)
tags: General | Programming | Technical
 
Site Navigation

 About Me
 Calendar
 Disclaimer
Site Search
Sponsored Links
Calendar
<December 2005>
SunMonTueWedThuFriSat
27282930123
45678910
11121314151617
18192021222324
25262728293031
1234567
Monthly Archives
August, 2008 (1)
July, 2008 (1)
March, 2008 (2)
January, 2008 (3)
December, 2007 (3)
October, 2007 (1)
September, 2007 (1)
August, 2007 (5)
July, 2007 (5)
June, 2007 (3)
April, 2007 (5)
February, 2007 (2)
January, 2007 (2)
December, 2006 (9)
November, 2006 (15)
October, 2006 (19)
September, 2006 (3)
August, 2006 (5)
July, 2006 (4)
June, 2006 (6)
May, 2006 (12)
April, 2006 (20)
March, 2006 (11)
February, 2006 (14)
January, 2006 (14)
December, 2005 (23)
November, 2005 (23)
October, 2005 (42)
September, 2005 (4)
Categories
Alert (14) Community Server (2) Daily Quote (1) Did you know (7) Dumb Searches (1) Dumbass (15) General (133) Haiku (6) Holiday (5) Movie quote (8) Paladin (4) Paris (1) Parody (1) Photo (24) Political (2) Priceless (7) Programming (35) Pytheus (2) Rant (23) Screen capture (15) SQL (3) Technical (39) Video (4) Vista (8) Visual Studio 2005 (2) Wifey (33) XP (1)
Feeds
 RSS
 Atom
Good Reading
 Code Better
 Coding Horror
 Computer Zen
 Daily WTF
 Days Bush Has Left
 Dooce
 Fargg
 Me-Nikk
 Post Secret
 Rory Blythe
 TechCrunch
© Copyright 2005-2009 Xerratus
Page rendered: Tuesday, January 06, 2009 2:00:41 AM (Pacific Standard Time, UTC-08:00)