SSNs make terrible passwords, because they're low-entropy, you can't change them, and you share them with a wide variety of corporations and private citizens whenever you get a job, open a bank account, or apply to rent a house.

What restrains those corporations and private citizens from making the SSN information they receive public? Can I start SSNsAreBadPasswords.com where I post people's names and SSNs that I know (or maybe that other people submit to me and I verify through normal SSN verification channels)? Or would the people whose SSNs I published have something to sue me over?

I'm thinking I might get sued for posting someone's SSN, which some third party then took as sufficient proof that some fourth, fraudulent party was actually the person whose SSN I posted, leading to a credit card being issued and a need to find someone to pay the fraudulent charges. But since many people already knew the SSN I had published (including anyone the person had ever tried to rent an apartment from), could I convincingly argue that the third party accepting knowledge of the SSN as proof of identity was the real cause of the fraud? (Secondary to the responsibility of the actual fraudster of course.) Or would I be likely to be found liable for the fraud, because I publicised information that other people (incorrectly) treat as proof of identity?