Why do we have a system that uses SSNs as passwords, rather than usernames? Wouldn't it make far more sense the other way around? That way, if your SSN is stolen, it would be equivalent to getting your email address leaked. Consequential, but not devastating. And then in that case you could update a password/PIN whenever you want to.