US Department of the Interior employees’ accounts easily hacked.


The Insecure State of Passwords: A Serious Concern for Federal Employees



Special characters, regular changes, and avoiding suspicious links: these are the mantras repeated during workplace cybersafety training sessions. Yet despite the warnings and precautions, password safety continues to be a significant challenge, even among federal employees. A recent report from the US Department of the Interior sheds light on this issue, revealing alarming statistics and highlighting the need for immediate action.

The Department of the Interior’s Password Problem

According to the report by Kathleen Sedney, assistant inspector general for audits, inspections, and evaluations, the most commonly used password among Department of the Interior employees in the past year was shockingly simple – “Password-1234”. It is clear that a lax approach to password security prevails within the department, which raises concerns about cybersecurity practices more broadly across the federal government, as well as in business offices and private homes nationwide.

The report revealed that Sedney’s team successfully hacked into 21% of the department’s active employee accounts, including 288 accounts with elevated privileges and 362 belonging to senior-level officials. More worrisome was the discovery that 478 employee accounts all shared the notorious “Password-1234” password.

A Plea for Action

In response to these troubling findings, Mark Lee Greenblatt, inspector general for the Department of the Interior and chair of the Council of the Inspectors General on Integrity and Efficiency, penned an op-ed in the Washington Post, urging readers to take the report’s warnings to heart.

Greenblatt expressed his concern that if the Interior Department employees are susceptible to such password vulnerabilities, it is likely that similar problems exist across the federal government, as well as in businesses and homes nationwide. The need for immediate action is paramount to mitigate the risks associated with weak passwords.

The Complexity Myth

The report also revealed a startling fact – 99.99% of the 18,000 compromised accounts, including those utilizing “Password-1234”, complied with the Department’s password complexity requirements. This highlights a significant flaw in the current approach to password security, where excessive reliance on complexity does not guarantee protection against hacking attempts.

Drawing Lessons from Ransomware Attacks

The Department’s investigation was a response to the May 2021 Colonial Pipeline ransomware attack, which caused considerable disruption and a major gas shortage in the eastern United States. Disturbingly, the hackers behind the attack only needed one stolen password to infiltrate and compromise the pipeline. This incident serves as a stark reminder of the potential consequences of weak password security.

The Way Forward: Multi-Factor Authentication and Passphrases

Amidst the grim findings and vulnerabilities, there is hope. The report offers clear recommendations to enhance individual and organizational password security. One such recommendation is the adoption of multi-factor authentication, an additional layer of protection beyond passwords that significantly reduces the risk of unauthorized access.

Furthermore, the report suggests implementing passphrases as an alternative to passwords. Passphrases consist of strings of unrelated words that are over sixteen characters long, making them remarkably more secure and harder to crack. Passphrases provide a powerful combination of security and usability and should be embraced by employees both at work and in their personal lives.
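The gap between the complexity finding and the passphrase recommendation can be shown with a small policy check. This is an added example, not code from the report or the Department: the four-class composition rule with a 12-character minimum, the short blocklist, and the three-word minimum are assumptions chosen for illustration.

```python
import re

# Constructed sample blocklist (assumption): a real deployment would check
# candidates against a large corpus of breached and commonly used passwords.
COMMON_BASES = {"password", "welcome", "changeme", "letmein", "qwerty"}
LEET = str.maketrans("@$031", "asoei")  # common character substitutions


def meets_complexity(pw, min_len=12):
    """Assumed composition rule: minimum length plus four character classes."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(pw) >= min_len and all(re.search(c, pw) for c in classes)


def base_word(pw):
    """Strip decoration so 'Password-1234' and 'P@ssw0rd!' reduce to 'password'."""
    core = re.sub(r"[^a-z]+$", "", pw.lower())        # drop trailing digits/symbols
    return re.sub(r"[^a-z]", "", core.translate(LEET))  # undo substitutions


def evaluate(pw):
    """Return the reasons a candidate is rejected (empty list = accepted)."""
    reasons = []
    if base_word(pw) in COMMON_BASES:
        reasons.append("common base word")
    if len(pw) <= 16:  # the article describes passphrases as over sixteen characters
        reasons.append("not over 16 characters")
    # Whether the words are unrelated cannot be checked mechanically;
    # this only counts distinct words of three or more letters.
    words = {w.lower() for w in re.split(r"[^A-Za-z]+", pw) if len(w) >= 3}
    if len(words) < 3:  # assumed minimum word count
        reasons.append("fewer than 3 distinct words")
    return reasons


if __name__ == "__main__":
    # Constructed candidates; the first is the password named in the article.
    for candidate in ("Password-1234", "copper walnut orbit lantern"):
        print(f"{candidate!r}: complexity rule passes={meets_complexity(candidate)}, "
              f"rejected for={evaluate(candidate)}")
```

The first candidate satisfies the composition rule yet is rejected on every other check, while the passphrase fails the composition rule and passes the rest.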


The US Department of the Interior’s report brings to light the urgent need for improved password security practices among federal employees. The prevalence of weak passwords, such as “Password-1234,” poses a significant risk not only to governmental organizations but also to businesses and individuals nationwide. The vulnerabilities exposed by the report underscore the importance of implementing stronger measures, such as multi-factor authentication and passphrases, to mitigate the risks associated with cyberattacks. It is essential for all individuals, whether in the public or private sector, to recognize the severity of this issue and take immediate steps to safeguard their digital identities and sensitive information.