Last 4 digits of SSN as encryption password for tax returns or financial documents? Completely unsafe.

Does your accountant, financial advisor, or bank encrypt your tax return or other financial document with the “last four digits of your SSN”? Many professionals do so with great intentions of protecting their client’s information. So far in the first few months 2016 we’ve seen every accountant and several bank send we’ve dealt with send information encrypted with the last four of the social security number – or request that you send it to them with it encrypted with the last four of your SSN. However, it is not providing any security if

someone has the document.

Accountants and other professionals are doing this so that if someone intercepts emailed documents between their computer and your computer the documents are password protected. The problem is that this provides essentially no protection. There are only 10000 combinations between 0000 and 9999 and there is nothing stopping someone from trying all 10000 and trying them quickly. For example, a low end computer from 2014 or 2015 can run through all 10000 possible combinations in just a few seconds.

In short, using a 4 digit password doesn’t do anything to protect the data and is essentially just security theater once your document has been obtained.

The real question is whether or not someone can obtain a copy of the document. If both your email providers (e.g. gmail.com, yahoo.com, live.com etc.) are using an encrypted connection (a SSL/TLS layer) then it is more difficult for someone to intercept the documents and a 4 digit password will do little to more to protect them.

If a professional wishes to use a password, a password should be exchanged by phone prior to sending them over the phone, by mail, or some other method.