Hey, security experts: should I be worried about…


I wouldn't be worried about it. I'm not sure what kind of system they are using (internal only versus both internal/external), but it is only the last 4 digits of your SSN. You still need the other digits. Back when I was in college they used to have our entire SSN as our student ID. The first thing we were asked for was our student ID (they changed it the year before I graduated).

Be more worried about the website/program/CPA you are using to file your taxes :)


If the site doesn't list everyone's username, then it essentially means nothing. The fact that you have to type it into the box makes it almost like a password. Unless someone's standing over your shoulder, that is. Probably doesn't hide what you're typing.


If it's only the last 4, I wouldn't be too worried.

Like the comment above, when I was in college, our ID numbers were our Soc numbers. So many people saw them. In hindsight, it's crazy, but it was common then, and that was not that many years ago!


I wouldn't worry about it. It wasn't too many years ago when our SSN was our DL number and was printed on our personal checks.


Like the others wrote, not really that big of an issue. I know that one of the largest banks uses a combo of birthday+last 4 SSN as an ID.


The only thing I would be worried about is someone else in your company seeing your W-2. If they know your name, there are only 1,000 possibilities for the last four digits of your SSN. So, for someone who knows what the username "rule" is and your name, it would only be a matter of time before they found your username (assuming they really wanted to get it).


The fact that it is your username is the reason it isn't a big deal. You have no reason to give that out to anyone. The people who deal with your W-2 already have your full SS#. Just don't write it down or have your browser remember it.

Those of you saying that it only being the last 4 means you are OK are fooling yourselves. Someone who knows what they are doing can probably figure out the first 3, since they are based on where you lived when you got the number, which is usually where you were born. And since all zeroes is not valid in any of the three parts, that leaves only 99 combinations.


@benyust2: The entire SSN would be on the body of the W-2 itself. That's true for any W-2. This is just the login name. Now if someone were to hack the login page and get a dump of all usernames, then that might be bad. But if there's no password then the usernames could still be encrypted.

I'm not sure if it's a username as a password or if there's also a password. They didn't say.


@omnichad: The last 4 digits are part of the username, and then there's a separate password. The password WAS my last 4 digits for the first login, but then the site immediately made me change my password to something else. The username is not changeable, I was told by admin (which is why I'm asking this question).


@rayray8822: It's been well covered, but you're just fine. I hope you set a good strong password when it made you change it.

j5

@omnichad: A lot of the payroll companies don't show the entire number on the W-2 itself. It is definitely on the one sent to the SSA, but often the number is masked on the W-2. But I was more talking about the general issue of coworkers seeing how much money he made. Or, it is also possible that someone could file a tax return using the info on the W-2 (if the entire SSN is there) and get his refund. I don't think this was what the OP was concerned about though - I think it was the SSN getting into the wrong hands.


I'd make sure the site is SSL encrypted when you enter in your username (i.e. it begins with "https://"). If the form is submitted on an SSL encrypted channel, the username and password can't be snooped.


@benyust2: Actually, the more I think about that, the less sense it makes. I think I must have received a client's duplicate W-2 or something because, at least for paper-filed tax returns, the IRS should be matching SSNs. But I can say for sure that I have seen W-2s with the SSN masked (I just can't think of how that would be acceptable now).


@j5: Oh yeah ... I let Lastpass generate a random password for me. :)


My company has paychecks and W-2s online and they automatically force everyone to use the online system. I had to go out of my way to request paper copies. Not sure how many people did that, but I didn't want it online. I have an accountant do my taxes, so it would need to be on paper eventually.

Regarding the paychecks, they say that they keep them online for historical purposes, but they don't tell you they only keep a year of them. Also, I only discovered this after I asked, but if you leave the company for any reason (quit, fired), you cannot access the site and do not get a history of your paychecks.

When I get the paper copy, I then have all of them for my entire tenure with the company.


@rayray8822: I've wondered about that too, so you're not alone in the wondering (although everyone seems to say it's ok). I haven't had to use it as a username before though. Thanks for asking!