Regex for US Social Security Number
This regex matches US Social Security Numbers in the standard XXX-XX-XXXX format with dashes. It uses negative lookaheads to exclude invalid SSNs: area numbers 000, 666, and 900-999 are never assigned, and group number 00 and serial number 0000 are also invalid. This pattern follows the SSA's actual assignment rules for realistic validation.
^(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}$
What is the regex pattern for US Social Security Number?
The regex pattern for US Social Security Number is ^(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}$. This pattern is commonly used for identity verification forms and data masking in logs.
Test Examples
123-45-6789 (matches)
001-01-0001 (matches)
000-12-3456 (does not match)
Common Uses
- ✓ Identity verification forms
- ✓ Data masking in logs
- ✓ PII detection in text
- ✓ Compliance scanning
Variations
Without dashes
^(?!000|666|9\d{2})\d{3}(?!00)\d{2}(?!0000)\d{4}$
Matches 9 consecutive digits
With optional dashes
^(?!000|666|9\d{2})\d{3}-?(?!00)\d{2}-?(?!0000)\d{4}$
Dashes are optional
Any format (simple)
^\d{3}-?\d{2}-?\d{4}$
No invalid range checks, format only
Frequently Asked Questions
Why are 000, 666, and 900-999 excluded?
The Social Security Administration has never issued SSNs with area number 000 or 666. Numbers in the 900-999 range were previously reserved for IRS Individual Taxpayer Identification Numbers and are not valid SSNs.
Should I use regex to validate SSNs?
Regex can check the format, but cannot verify an SSN is actually assigned to a person. For identity verification, use an authorized verification service through the SSA or a compliant third-party provider.
How should I handle SSNs in my application?
Treat SSNs as highly sensitive PII. Encrypt at rest, mask in UI (show only last 4 digits), transmit only over HTTPS, limit access, and follow applicable regulations like the Privacy Act.
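The patterns above are anchored with ^ and $, so they only validate a whole field; masking in logs and PII detection in text need an unanchored form. The following is an added example, not part of the original page: it adapts the optional-dash variation with boundary lookarounds and masks all but the last 4 digits. The names SSN_IN_TEXT, mask_ssns and SAMPLE_LOG, the sample lines, and the consistent-separator rule are assumptions of this example.

```python
import re

# Page's pattern adapted for scanning free text: the ^/$ anchors become
# digit/dash boundary lookarounds. Assumption of this example: separators
# must be consistent (\1), so "123-456789" is not treated as an SSN.
SSN_IN_TEXT = re.compile(
    r"(?<![\d-])"               # not inside a longer number
    r"(?!000|666|9\d{2})\d{3}"  # area: never 000, 666, 900-999
    r"(-?)"                     # optional dash, captured as group 1
    r"(?!00)\d{2}"              # group: never 00
    r"\1"                       # same separator as before
    r"(?!0000)(\d{4})"          # serial: never 0000; kept for display
    r"(?![\d-])"                # not followed by more digits
)


def mask_ssns(text):
    """Return (masked_text, hits), leaving only the last four digits."""
    def _mask(m):
        sep = m.group(1)
        return f"XXX{sep}XX{sep}{m.group(2)}"
    return SSN_IN_TEXT.subn(_mask, text)


# Constructed sample log lines (not real data).
SAMPLE_LOG = [
    "2024-05-01 12:00:01 INFO signup ssn=123-45-6789 user=alice",
    "2024-05-01 12:00:02 INFO lookup ssn=001010001",
    "2024-05-01 12:00:03 WARN rejected ssn=000-12-3456",  # invalid area
    "2024-05-01 12:00:04 INFO card=4111111111111111",     # 16 digits
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        masked, hits = mask_ssns(line)
        print(hits, masked)
```

Values that fail the range checks, such as 000-12-3456, are left unmasked by this pattern, and undashed 9-digit matches can be ordinary identifiers rather than SSNs, so review hit counts before relying on it for compliance scanning.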