
PDPC & Cyber Security Agency issue advisory against using NRIC numbers for authentication

Singapore agencies issue advisory against use of NRIC numbers or personal data for authentication

The Personal Data Protection Commission (PDPC) and Cyber Security Agency of Singapore (CSA) issued a joint advisory today against using NRIC numbers for authentication.

They aimed the advisory at private sector organisations doing so or intending to do so.

“Organisations that are using full or partial NRIC numbers to authenticate persons should stop this practice as soon as possible,” they said.

Personal data such as NRIC numbers should not be used in passwords

Authentication means making sure someone is really who they say they are before allowing them to access services or information meant just for them.

One way of authenticating a person is through passwords.

The joint advisory highlighted that NRIC numbers should not be used in passwords.

This is because NRIC numbers are issued to uniquely identify a person. As such, they must be assumed to have been disclosed to at least a few others.

By contrast, users should never share passwords with anyone else.

PDPC and CSA also said that passwords should not contain information that can be guessed. This includes easily obtained personal data, such as names, NRIC numbers, or birth dates.

The government agencies thus advised organisations not to set NRIC numbers as default passwords.


They also urged against using full or partial NRIC numbers together with other personal data to create passwords for authentication.
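As an added illustration (not part of the advisory or this article), an organisation could enforce this guidance at password-set time with a check like the one below. The function name, the four-character threshold for a "partial" NRIC number, and the sample user record are assumptions made for the example.

```python
import re
from datetime import date


def _norm(s):
    """Lower-case and drop separators so 'S123-4567D' and 's1234567d' compare equal."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def personal_data_findings(password, nric, name, birth_date, min_partial=4):
    """Return which kinds of personal data the password is built from.

    min_partial is an assumed threshold: any run of that many consecutive
    NRIC characters (e.g. the last four) counts as a partial NRIC number.
    """
    pw = _norm(password)
    findings = []

    # Full or partial NRIC number anywhere in the password.
    n = _norm(nric)
    if any(n[i:i + min_partial] in pw for i in range(len(n) - min_partial + 1)):
        findings.append("nric")

    # Any name part of three or more characters.
    parts = (_norm(p) for p in name.split())
    if any(part in pw for part in parts if len(part) >= 3):
        findings.append("name")

    # Birth date written in common numeric orders.
    dd, mm = f"{birth_date.day:02d}", f"{birth_date.month:02d}"
    yyyy, yy = f"{birth_date.year}", f"{birth_date.year % 100:02d}"
    forms = {dd + mm + yyyy, dd + mm + yy, yyyy + mm + dd, yy + mm + dd, mm + dd + yyyy}
    if any(f in pw for f in forms):
        findings.append("birth_date")

    return findings


if __name__ == "__main__":
    # Constructed sample record, not a real person.
    user = dict(nric="S1234567D", name="Tan Ah Kow", birth_date=date(1990, 5, 17))
    for candidate in ("S1234567D", "Tan567D!", "Kow17-05-1990", "LearntoRIDEabikeat5"):
        print(candidate, personal_data_findings(candidate, **user))
```

A non-empty result means the password should be rejected, including when it is being issued as a default password.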

Organisations urged to use tokens or biometric authentication instead

Instead, PDPC and CSA recommended the following examples of better authentication:

  • Something only the person knows, such as a strong password.
  • Something only the person owns, such as a security token or smart card.
  • Something only the person has, such as their fingerprints, face, or irises (i.e., biometrics).

The advisory showed a preference for the latter two options for stronger phishing resistance.


For passwords, the agencies suggested using a long series of random words, which is easier to remember, such as “LearntoRIDEabikeat5”.

“Do set up two-factor authentication for an additional layer of security,” they stated.

The Ministry of Digital Development and Information (MDDI) had also previously discouraged using NRIC numbers for authentication.

They classified NRIC numbers as being used for identification, not authentication.

Even so, most people felt uncomfortable with the government’s intention to unmask the numbers.


Ethan Oh
