Facepalm: Studies show that most people still reuse weak passwords across multiple accounts despite years of warnings from cybersecurity experts against the practice. Recent leaks reveal that poor password discipline even occurs at the upper levels of the United States government.

Leaked passwords from past security breaches reveal that Tulsi Gabbard, who recently became the US Director of National Intelligence, reused a weak password on multiple accounts for email and other services. All of the breaches occurred several years ago, and a spokesperson claimed Gabbard changed the passwords multiple times since then, but the revelations might add to recent scrutiny of government cybersecurity discipline.

The accounts included Gmail, Dropbox, LinkedIn, MyFitnessPal, and other services. Although what information was shared using the accounts remains unclear, they were in use while Gabbard served on multiple congressional committees that granted her access to sensitive information.

Worryingly, Wired discovered the passwords because they appeared in multiple troves of leaked passwords that emerged between 2012 and 2019. The breaches that exposed the recycled passwords likely occurred even earlier.

Such situations are precisely why cybersecurity experts strongly discourage using the same password across multiple accounts. When attackers learn one password, they usually check it against every known account the target owns, potentially turning one breach into several.

Fortunately, Gabbard's password wasn't "1234," "password," or "admin," which remain troublingly common. A recent study of over 19 billion passwords revealed that default words still make up a large percentage, likely because users struggle to remember multiple unique passwords.

Instead, experts recommend using password managers, which automatically generate strong passwords with random strings of characters and lock them behind unique master passwords. Two-factor authentication brings additional security, and passkeys are an increasingly popular method to sidestep passwords entirely.

Passkeys use PINs and biometrics to turn physical devices into digital security keys that are easier to use than passwords. They also protect against phishing because they don't work on malicious cloned websites. Although passkeys aren't gaining traction as quickly as initially expected, Microsoft recently began directing users to employ them.

Gabbard, who now oversees the CIA, NSA, and other intelligence services, took part in a controversial Signal chat in which Pentagon chief Pete Hegseth, Vice President J.D. Vance, and other senior officials discussed classified military plans. The communications leaked because Atlantic editor Jeff Goldberg was accidentally invited into the chat. Later reports revealed that Hegseth also shared sensitive military information in at least one more Signal chat with his wife, brother, and personal lawyer.