Forgot your Equifax password? You’ll need to reveal your whole social security number

We live in the 21st century, a magical age where computers are teeny tiny and cars can fly and and any information can be stored remotely in a beautiful place called “the cloud”–or in our DNA. You would think that good operational security practices would go hand in hand with this new digital era, but alas, no, that is not the case.

Look no further than Equifax, which was the victim of a huge security breach that may have impacted the personal data of hundreds of millions of Americans. Not only is this hack proof that the company’s security protocol is not up to snuff, but it’s everyday login practices highlight just how out of touch the company is.

If a customer forgets their password, the only way to reset it is to enter their full social security number and birthday. That is, the company that owned up to a massive breach–which may have given hackers access to almost half of the U.S.’s social security numbers–asks users to fill in private and unchangeable information as its first line of defense.

Equifax asks for both SSN and birthdate to reset a forgotten password.

Equifax isn’t the only company doing this. TransUnion, for instance, also asks users to enter their social security number–not once but twice–if they forget their screen name. 

TransUnion asks users for SSN if they forget their username.

While companies like Equifax and TransUnion likely already have your social security number, having to type out your whole number, especially when you’re still reeling from news that your personal data has been breached, can be hard to stomach. It’s also bad security hygiene to ask users to enter information that cannot be changed as a way of verification. Safer than a social security number would be more personal security questions, and ones that can be changed periodically and that don’t have an objectively “right” answer that someone else might already have–thanks to a breach just like this one.

Meanwhile, those seeking to find out if they were impacted by the hack at the post-breach website Equifax set up were also asked to submit part of their social security number and last name. The company did not respond to a request for comment.

Perhaps this saga could also begin a wake-up call not just for Equifax but for all the companies that have reams of people’s personal data. It’s time to rethink best practices for protecting people’s identities. And, at the very least, don’t ask us to risk more of our privacy in exchange for your help.