The Worst Password Ever Created
Daniel Solove
Professor, GW Law School + CEO, TeachPrivacy + Organizer, Privacy+Security Forum
People create some very bad passwords. In the list of the most popular passwords of 2014, all of them are terrible. Just look at the top 10:
- 123456
- password
- 12345
- 12345678
- Qwerty
- 123456789
- 1234
- baseball
- dragon
- football
But these don't hold a candle to the very worst password. What is the worst password ever created?
The answer is:
The Social Security number
This is the worst password ever created, and it was made by the U.S. government and various organizations and businesses that use it.
The Social Security number (SSN) is a password because it continues to be used to authenticate identity. If you know your SSN, the assumption goes, then you must be you.
This use makes the SSN a password. As a password, the SSN is just a nine-digit number, no better than the 6th most popular password: 123456789. Here it is as an SSN: 123-45-6789. Just having numbers in one's password is not adequate; good passwords also need upper and lower case letters as well as special characters -- or else they can be readily cracked.
Armed with your SSN, identity thieves can gain access to various accounts you have, open up new accounts in your name, and engage in fraudulent transactions and attribute them to you. All of this is possible because they have in essence obtained your password -- the SSN.
Anyone can find out your SSN. It is often on various public documents; it is in countless record systems; and it has been involved in countless data breaches. It's perfectly legal for someone to sell your SSN -- and companies do. Anyone can buy your SSN online.
But what makes an SSN a worse password than, say, the password "123"? Why is the SSN the worst password ever?
There are two reasons:
1. The SSN is something that identity thieves know is used as a password, and they can readily find people's SSNs. At least with the password 123, others don't know that it is your password.
2. The SSN is hard to change. With other passwords, if they are compromised, you can quickly change them. Not so with an SSN, which is a tremendously time-consuming hassle to change. As Jon Neiditz aptly notes, whenever there's a data breach involving your SSN, you now have a potentially life-long increased risk because SSNs are so difficult to change.
Why is the SSN still being used as a password? It shouldn't be. The SSN was created in 1936 as part of the Social Security System. It wasn't designed to be a password. It was designed to be used in conjunction with a person's name to make sure that information about people with the same name wouldn't get mixed up.
Over time, businesses and government agencies began to use the SSN to authenticate identity.
The irony is that SSNs were designed to be part of a user name, and now they're being used as a password!
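The two designs the article contrasts, as an added example that is not the author's code: the SSN used as the password, and the SSN used only as the user name with a separate, rotatable secret doing the authentication. The class and function names, the PBKDF2 parameters and the sample values are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

# Constructed sample value, not a real identity; 123-45-6789 is the article's own illustration.
# A nine-digit all-numeric secret has at most log2(10**9), about 29.9 bits, of guessing entropy.
SAMPLE_SSN = "123-45-6789"
ITERATIONS = 200_000  # assumed PBKDF2 work factor for this illustration


class SsnAsPassword:
    """The practice the article criticizes: knowing the SSN *is* the authentication."""
    def __init__(self, ssn: str) -> None:
        self.ssn = ssn

    def authenticate(self, claimed_ssn: str) -> bool:
        return hmac.compare_digest(self.ssn, claimed_ssn)

    def rotate(self) -> None:
        raise NotImplementedError("the SSN is an identifier; it is not reissued on demand, so a leak is permanent")


class SsnAsUsername:
    """Hardened design: the SSN only selects the record; a separate, rotatable secret authenticates."""
    def __init__(self, ssn: str, password: str) -> None:
        self.ssn = ssn
        self.rotate(password)

    def rotate(self, new_password: str) -> None:
        # Fresh salt on every rotation; a hash stolen before the change is worthless afterwards.
        self.salt = os.urandom(16)
        self.digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), self.salt, ITERATIONS)

    def authenticate(self, claimed_ssn: str, password: str) -> bool:
        if not hmac.compare_digest(self.ssn, claimed_ssn):
            return False  # wrong record selected; no secret was even checked
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, ITERATIONS)
        return hmac.compare_digest(self.digest, candidate)


def breach_recovery_demo():
    """Simulate the SSN leaking: only the hardened account can shut the intruder out again."""
    weak = SsnAsPassword(SAMPLE_SSN)
    strong = SsnAsUsername(SAMPLE_SSN, "correct horse battery staple")
    intruder_weak = weak.authenticate(SAMPLE_SSN)          # True: the leaked SSN alone is enough
    intruder_strong = strong.authenticate(SAMPLE_SSN, "")  # False: the SSN alone is not
    strong.rotate("a new secret chosen after the breach")   # the remedy an SSN never offers
    owner_after = strong.authenticate(SAMPLE_SSN, "a new secret chosen after the breach")
    return intruder_weak, intruder_strong, owner_after
```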
There are ample tools in the law to stop the use of SSNs as passwords. I wrote a while ago about how the FTC already has the legal authority to halt the use of SSNs as passwords. And certainly the government can simply pass a law banning such a use. There were proposals to do this more than 40 years ago.
Quite simply: The SSN should never be used as a password to authenticate identity. Never. Such a use is the paragon of inadequate data security.
So thanks to the government, which has given all of us the worst password ever. We can't change it. And the government won't protect us by limiting its use.
* * * *
Daniel J. Solove is the John Marshall Harlan Research Professor of Law at George Washington University Law School, the founder of TeachPrivacy, a privacy/data security training company, and a Senior Policy Advisor at Hogan Lovells. Along with Paul Schwartz, Solove is a Reporter on the American Law Institute’s Restatement Third, Information Privacy Principles. He is the author of 9 books including Understanding Privacy and more than 50 articles. Follow Professor Solove on Twitter @DanielSolove.
The views here are the personal views of Professor Solove and not those of any organization with which he is affiliated.
Group Quality Assurance Manager at Woodstream Corporation (10 years ago):
Almost 20 years ago, I was arguing with my health insurance provider because they used my social security # as my ID. The SSN is ONLY supposed to be used by the Social Security Administration, I told them. Issue me a different ID. They hemmed, hawed, finally assented, and then I entered into a hell of having to explain myself every time I used my insurance. Eventually, some CSR told me that they were STILL using my SSN in their system; they just applied a secondary ID to shut me up, and the unusual nature of my situation just caused unnecessary complications. Argh! Since then, I've given up, but in the past few years, I've felt vindicated on the one hand ... and even more powerless than before to change the system on the other. Not even the IRS "should" be using SSNs, but I don't think anyone believes that's a battle to pick. What's the alternative? The government has already suggested a "Universal ID" a few times over the past decade or so, and privacy advocates have claimed the impending apocalypse should it be enacted. I don't know enough to determine if they're right or succumbing to conspiracy theories (or the book of Revelations).
Program Coordinator at University of Washington Dept of Pharmacy (10 years ago):
I think my favorite is "Password"
Project accountant at The Church of Jesus Christ of Latter-day Saints (10 years ago):
Amazing piece
Operations Manager | Legal Consultant | Process Optimization Expert | EMBA (10 years ago):
Interesting and realistic piece.