Congress Needs a Lesson in Passwords (Updated)

Anonymous claims to have hacked the user-names and passwords of a whole bunch of Congress persons and their staffers, which reveals that members of our esteemed government have terrible password habits.


Anonymous claims to have hacked the emails and passwords of some Congress persons and a bunch of their staffers, revealing that the members of our esteemed government have terrible password habits.

Update 2:42 p.m.: The passwords on the list do not match Congress password credentials, a system administrator in the Senate told The Atlantic Wire. Here's the official e-mail the IT department sent out to Hill staffers confirming that the credentials aren't accurate:

Congress actually fosters decent password practices, requiring a special character, an uppercase letter, a lowercase letter, and a number in a password of between 6 and 10 characters. (That's still not ideal, as explained in lesson 7 below.)

The list, however, may have come from iConstituent, a third-party vendor Congress uses to send form letters to constituents. Earlier this week, the company sent the following email to certain clients on the Hill:

The system administrator we spoke with said the Anonymous list didn't include his current iConstituent password, but may have included the default one the company sent him. Former Hill staffer Justine Sessions, whose name does appear on the list, adds: "I did not create that password. It was created for me without my knowledge by a third party email vendor that many Hill offices use to send out emails to constituents (iConstituent)," she told The Atlantic Wire. "I don’t think I ever used it while I worked for Senator Dodd more than 5 years ago." Like her, many of the people on the list no longer work on the Hill.

Original: The list came via the Anonymous Twitter handle OpsLastResort in protest of the NSA domestic spying revelations. The document claims to have the "current valid credentials" of more than 2,000 people. But, out of the kindness of their hearts, they "HAVE REMOVED SOME OF THE PASSWORDS AND SHUFFLED THE ORDER OF THE REMAINING ONES." Even without knowing who chose what password, it's certain that Hill people need a lesson in Internet security, assuming the list is genuine. Update: It seems the people at iConstituent are the ones that need a lesson. But, even if the list is fake, it's never too late to brush up on the rules. So, free of charge, here are some tips and tricks for you guys. You're welcome.

Lesson 1: Don't use "congress" in your password. Putting a series of numbers, an exclamation point, or other symbols after the word "congress" does not make it a smart choice. And, yet, 20 people on this list used some iteration of "congress" to protect their government emails. Considering every single person on the list works for Congress and has a house.gov or senate.gov email address, the word "congress" is the most obvious choice any reasonably smart hacker would think to try.

Lesson 2: "Republican" or "democrat" is dumb, too. For the same reason as above, the two people on the list who chose their party as their password need to change that. Especially the guy who picked "TX32republican!" Do you happen to work for Pete Sessions, the Republican congressman for Texas's 32nd district? See how easy that was.

Lesson 3: States with numbers are also incredibly obvious. Quite a few people on the list decided to use the state they worked for plus the congressional district number. That's only slightly less obvious than "congress" and makes matching the username to the password even easier, since "California20th" can match up with a very particular House member and all of his or her staffers.

Lesson 4: Never, ever use any part of your name. Hey Justine Sessions, is your password #JustineSessions83? On that note, were you born in 1983?

Lesson 5: The 36 people who used "password" as their password probably shouldn't be working for Congress. You guys! Password is the number one most popular, most hackable password on all the Internet. The cardinal rule of password picking is to choose anything but "password" and 12345 — putting numbers after the word doesn't make it much harder to guess, either.

Lesson 6: Any real words are a bad idea. To the three people who chose "Starbucks," that's incredibly easy to hack. Hackers often use custom-compiled dictionaries of popular words to guess passwords. If three whole people picked the coffee chain, then it's probably on a hacker list somewhere. To be safe, any real words are bad ideas.

Lesson 7: All your passwords are way too short. To be safe, pick something with 11 or more characters; at that point it gets much, much harder to hack.

Or just keep your terrible passwords; it's not like government email accounts contain any important information or anything.
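The seven lessons above, set beside the 6-to-10-character composition rule, as a password screen in Python. This is an added example, not part of the original article; the function names, the tiny word lists and the last sample password are constructed for illustration.

```python
import re

# Constructed sample lists: a real deployment would load a breached-password
# corpus and a full dictionary instead of these few entries.
COMMON = ("password", "12345")                   # Lesson 5
PARTY = ("republican", "democrat")               # Lesson 2
DICTIONARY = {"starbucks", "coffee", "summer"}   # Lesson 6
MIN_LENGTH = 11                                  # Lesson 7

def composition_ok(pw):
    """Composition rule the article describes: 6-10 chars, all four classes."""
    classes = (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")
    return 6 <= len(pw) <= 10 and all(re.search(c, pw) for c in classes)

def screen(pw, full_name="", state="", state_abbr="", district=None):
    """Return the numbers of the lessons that a candidate password breaks."""
    low = pw.lower()
    words = re.findall(r"[a-z]+", low)   # 'tx32republican!' -> ['tx', 'republican']
    numbers = re.findall(r"\d+", low)
    broken = []
    if "congress" in low:
        broken.append(1)
    if any(p in low for p in PARTY):
        broken.append(2)
    # The abbreviation must be a whole letter run, so 'tx' does not hit 'textbook'.
    has_state = (state and state.lower() in low) or \
                (state_abbr and state_abbr.lower() in words)
    if has_state and district is not None and str(district) in numbers:
        broken.append(3)
    if any(len(part) >= 3 and part in low for part in full_name.lower().split()):
        broken.append(4)
    if any(c in low for c in COMMON):
        broken.append(5)
    if any(w in DICTIONARY for w in words):
        broken.append(6)
    if len(pw) < MIN_LENGTH:
        broken.append(7)
    return broken

if __name__ == "__main__":
    # "Congress1!" satisfies the composition rule yet breaks lessons 1 and 7.
    print(composition_ok("Congress1!"), screen("Congress1!"))
    print(screen("TX32republican!", state="Texas", state_abbr="TX", district=32))
    print(screen("#JustineSessions83", full_name="Justine Sessions"))
    print(screen("vK7#qzR2mW9!xT"))  # constructed random password: no findings
```

A password that passes the composition rule can still break several lessons, which is why the screen takes the account holder's name, state and district as inputs.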

This article is from the archive of our partner The Wire.