A security education tool that enumerates all 40,000,000 valid Singapore NRIC and FIN numbers to make one point: an NRIC number alone must never be used for authentication or authorisation.
NRIC numbers follow a publicly known format with a deterministic check digit. The full space of valid NRICs is finite and enumerable — as demonstrated by this page. Knowing someone's NRIC tells you nothing that couldn't be guessed. It is an identifier, not a secret.
Format: [Prefix][7 digits][Check letter]
| Prefix | Series |
|---|---|
| S | Citizen, born before 2000 |
| T | Citizen, born 2000 onwards |
| F | Foreigner, older series |
| G | Foreigner, newer series |
The check letter is derived from a weighted checksum of the 7 digits (weights: 2 7 6 5 4 3 2), with a +4 offset applied for T and G prefixes, mapped to one of 11 letters via a lookup table.
4 prefixes × 10,000,000 digit combinations × 1 deterministic check letter = 40,000,000 valid NRICs.