U.S. News


Government Employees Are Bad At Passwords, Commission Says

A Homeland Security committee report says IRS, DHS and Nuclear Regulatory Commission employees are worse at password security than the general public.
Posted at 8:28 PM, Feb 04, 2014

So it turns out some government agencies we trust with our most sensitive data have worse password habits than most of the general public. Which agencies, you ask? Oh, just the Department of Homeland Security, the IRS and the Nuclear Regulatory Commission. 

A study by the Homeland Security and Governmental Affairs Minority Committee suggests many agencies have incredibly poor cybersecurity — and a lot of that is because employees don't seem to understand password security.

The study found that employees are writing down passwords on sheets of paper or, in some cases, on the desk furniture itself, not password-protecting laptops and even using some of the most obvious password combinations known to man. 

The report says some of the "easily-guessed" passwords used by U.S. officials could be anything from the person's name or username, the agency's name, common keyword patterns like "qwerty" and, of course, the actual word "password."

​Yikes. According to a press release from Sen. Tom Coburn, a committee member, the federal government has spent $65 billion on securing its data and networks since 2006, but, he says, the most basic security measures are ignored.

The report found other seemingly obvious reasons for poor security, like lagging virus-protection updates, not encrypting data and even not trusting IT departments enough to let them work on and update computers. 

The Washington Post reports Coburn and other experts say many agencies are not hiring decent IT departments, and the ones that they do hire are not paid enough or given enough authority to make a difference. 


But even if efforts are made to enhance security and IT at these agencies, it still comes down to the individual employees. 

As a writer for Mashable puts it, "​Teaching cybersecurity best practices could help but, at the end of the day, the biggest weakness in the system is always the human who picks a bad password."