Government Passwords Are Incredibly Easy to Hack

Shutterstock via Jirsak

AA Font size + Print

Some of the federal government's most sensitive data are protected by passwords that wouldn't pass muster for even the most basic civilian email account, according to a report. By Alex Brown

Some of the federal government’s most sensitive data are protected by passwords that wouldn’t pass muster for even the most basic civilian email account, according to a new congressional report.

Passwords like “password,” “qwerty,” and users’ names have left Homeland Security Department data vulnerable, says a report released Tuesday by the Republican staff of the Senate Homeland Security and Governmental Affairs Committee.

And the password fiasco, the report says, is only the tip of the iceberg—plenty of other agencies have lost sensitive data as well.

The Nuclear Regulatory Commission left nuclear-plant security details on a shared drive with no protection. Hackers swiped Information on the nation’s dams—including their weaknesses and catastrophic potential if breached—from an Army Corps of Engineers database.

All that’s too much for Sen. Tom Coburn of Oklahoma, the panel’s top Republican. “Weaknesses in the federal government’s own cybersecurity have put at risk the electrical grid, our financial markets, our emergency-response systems, and our citizens’ personal information,” he said.

So far, the security failings have been more comedic than catastrophic (in one instance, hackers used the Emergency Broadcast System to warn TV viewers of a zombie outbreak). But the report warned we may not be so lucky in the future—and the problem appears to be widespread:

In addition, hackers have penetrated, taken control of, caused damage to, and/or stolen sensitive personal and official information from computer systems at the Departments of Homeland Security, Justice, Defense, State, Labor, Energy, and Commerce; NASA; the Environmental Protection Agency; the Office of Personnel Management; the Federal Reserve; the Commodity Futures Trading Commission; the Food and Drug Administration; the U.S. Copyright Office; and the National Weather Service.

These are just hacks whose details became known to the public,” the report added.

At the Nuclear Regulatory Commission—responsible for safeguarding the nation’s nuclear plants—faith in IT is so bad that employees have started buying their own computers and setting up separate networks, which creates a whole new series of security concerns.

Things aren’t much better at the Department of Homeland Security. “To take just one example, weaknesses found in the office of the Chief Information Officer for ICE included 10 passwords written down, 15 FOUO (For Official Use Only) documents left out, three keys, six unlocked laptops—even two credit cards left out,” the report stated.

NRC spokesman Eliot Brenner said many of that agency’s safety issues have already been addressed. All 44 security recommendations in reports cited by the committee have been closed or resolved pending final implementation, he said. “The NRC takes information security very seriously and works continuously toward improvements,” Brenner said.

Close [ x ] More from DefenseOne

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Software-Defined Networking

    So many demands are being placed on federal information technology networks, which must handle vast amounts of data, accommodate voice and video, and cope with a multitude of highly connected devices while keeping government information secure from cyber threats. This issue brief discusses the state of SDN in the federal government and the path forward.

  • Military Readiness: Ensuring Readiness with Analytic Insight

    To determine military readiness, decision makers in defense organizations must develop an understanding of complex inter-relationships among readiness variables. For example, how will an anticipated change in a readiness input really impact readiness at the unit level and, equally important, how will it impact readiness outside of the unit? Learn how to form a more sophisticated and accurate understanding of readiness and make decisions in a timely and cost-effective manner.

  • Cyber Risk Report: Cybercrime Trends from 2016

    In our first half 2016 cyber trends report, SurfWatch Labs threat intelligence analysts noted one key theme – the interconnected nature of cybercrime – and the second half of the year saw organizations continuing to struggle with that reality. The number of potential cyber threats, the pool of already compromised information, and the ease of finding increasingly sophisticated cybercriminal tools continued to snowball throughout the year.

  • A New Security Architecture for Federal Networks

    Federal government networks are under constant attack, and the number of those attacks is increasing. This issue brief discusses today's threats and a new model for the future.

  • Information Operations: Retaking the High Ground

    Today's threats are fluent in rapidly evolving areas of the Internet, especially social media. Learn how military organizations can secure an advantage in this developing arena.


When you download a report, your information may be shared with the underwriters of that document.