You guys thought this thread was dead, eh? It's baaaack!
Professionally I am a network administrator. Outside of work I moderate a few forums. Password security is a HUGE issue for me. Every day I am disappointed in the failures of my peers to keep their databases secure and to use safe practices. Every day I am disappointed in my users when I find out how awful their passwords are (because, even though I insist that they never tell me, they tell me anyway -- I DON'T WANT TO KNOW! Or, like today, someone had to speak it to be able to type it).
Keeping that in mind, your TLDR of this post is that tcomotcom is 100% right, you folks are misplacing your concern. Go ahead and give VM your PIN. I'll even go as far as to say you might as well email it; it's already far less secure than plaintext SMTP email in your account whose password is "password" anyway.
Your VM account PIN is not the same as a password for other types of accounts.
Let's face it folks, we're not with VM because they're a class act...we're with VM because we're short-budgeted.
I don't trust VM at all, and I wouldn't even if they had a decent security system instead of a single 6-digit numeric PIN that could be bruteforced in a scant few minutes.
With a postpaid carrier that'd be true, but Virgin Mobile doesn't require any of that and I'm sure not putting all that info in their system. If I do, I sure don't want a CSR to be able to see it.
Please do not misplace trust like that. It happens all the time, and even when encrypted there are failures often enough. VM is a most likely candidate, BTW.
No way, no how, will VM get my SSN. Yikes.
Anyone who didn't read this post, please click the link to go back and read it.
Off the top of my head, I can think of two: Before I had VM I had Sprint and they had a PIN that they needed to verify before they would talk to me (it was different from my web account access password but that's a null issue as tcomotcom explained), and Cox cable too.
...nor should there be enough data in your VM account to do any damage to you other than what can be done to your VM account.
That said, it shouldn't be downplayed too much.
Someone with access to your account can hijack your phone number. Your caller ID is used as security at plenty of other accounts who don't ask for a PIN, so then they can gain access to those accounts, as well as use all manner of social engineering tactics to gain access to other parts of your personal life by posing as you.
If a disgruntled network administrator wants to compromise your VM account he doesn't need you to send your PIN in email to do it. Any way that you access your VM account from work, he can compromise. If you are doing this stuff from work then you are trusting your IT staff. Information Technology department might as well be Information Gods department; given sufficient motivation and skills, they can do anything. (They can also be blamed for anything, which really stinks, and which is why I avoid knowing others' passwords.) Go home to do your personal stuff; your ISP has less ability to abuse your trust than your IT department and is prevented from doing so by law, while your IT department is legally allowed and you probably signed for it too (the company owns the equipment and services and has the right to control them however they see fit).
Edit: To clarify - IT folks have the right to monitor/record, but certainly not the right to abuse the information. Besides legal ramifications for misuse of such data, they also have a career to worry about. Still it's best to do personal stuff from home, and avoid pissing off an IT guy whose morals you question.