People create some very bad passwords. In the list of the most popular passwords of 2014, all of them are terrible. Just look at the top 10:
But these don’t hold a candle to the very worst password. What is the worst password ever created?
The answer is:
The Social Security number
This is the worst password ever created, and it was made by the U.S. government and various organizations and businesses that use it.
The Social Security number (SSN) is a password because it continues to be used to authenticate identity. If you know your SSN, the assumption goes, then you must be you.
This use of the SSN is a password. As a password, the SSN is just a nine-digit number, no better than the 6th most popular password: 123456789. Here it is as an SSN: 123-45-6789. Just having numbers in one’s password is not adequate, as good passwords also need upper and lower case letters as well as special characters — or else they can be readily cracked.
Armed with your SSN, identity thieves can gain access to various accounts you have, open up new accounts in your name, and engage in fraudulent transactions and attribute them to you. All of this is possible because they have in essence obtained your password — the SSN.
Anyone can find out your SSN. It is often on various public documents; it is in countless record systems; and it has been involved in countless data breaches. It’s perfectly legal for someone to sell your SSN — and companies do. Anyone can buy your SSN online.
But what makes an SSN a worse password than, say, the password “123”? Why is the SSN the worst password ever?
There are two reasons:
1. The SSN is something that identity thieves know is used as a password, and they can readily find people’s SSNs. At least with the password 123, others don’t know that it is your password.
2. The SSN is hard to change. With other passwords, if they are compromised, you can quickly change them. Not so with an SSN, which is a tremendously time-consuming hassle to change. As Jon Neiditz aptly notes, whenever there’s a data breach involving your SSN, you now have a potentially life-long increased risk because SSNs are so difficult to change.
Why is the SSN still being used as a password? It shouldn’t be. The SSN was created in 1936 as part of the Social Security System. It wasn’t designed to be a password. It was designed to be used in conjunction with a person’s name to make sure that information about people with the same name wouldn’t get mixed up.
Over time, businesses and government agencies began to use the SSN to authenticate identity.
The irony is that SSNs were designed to be part of a user name, and now they’re being used as a password!
There are ample tools in the law to stop the use of SSNs as passwords. I wrote a while ago about how the FTC already has the legal authority to halt the use of SSNs as passwords. And certainly the government can simply pass a law banning such a use. There were proposals to do this more than 40 years ago.
Quite simply: The SSN should never be used as a password to authenticate identity. Never. Such a use is the paragon of inadequate data security.
So thanks to the government, which has given all of us the worst password ever. We can’t change it. And the government won’t protect us by limiting its use.
* * * *
Daniel J. Solove is the John Marshall Harlan Research Professor of Law at George Washington University Law School, the founder of TeachPrivacy, a privacy/data security training company, and a Senior Policy Advisor at Hogan Lovells. Along with Paul Schwartz, Solove is a Reporter on the American Law Institute’s Restatement Third, Information Privacy Principles. He is the author of 9 books including Understanding Privacy and more than 50 articles. Follow Professor Solove on Twitter @DanielSolove.