Original: The list came via the Anonymous twitter handle OpsLastResort in protest of the NSA domestic spying revelations. The document claims to have the "current valid credentials" of more than 2,000 people. But, out of the kindness of their hearts, they "HAVE REMOVED SOME OF THE PASSWORDS AND SHUFFLED THE ORDER OF THE REMAINING ONES." Even without knowing who chose what password, it's certain that Hill people need a lesson in Internet security, assuming the list is genuine. Update: It seems the people at iConstituency are the ones that need a lesson. But, even if the list is fake, it's never too late to brush up on the rules. So, free of charge, here are some tips and tricks for you guys. You're welcome.
Lesson 1: Don't use "congress" in your password. Putting a series of numbers, an exclamation point, or other symbols after the word "congress" does not make it a smart choice. And, yet, 20 people on this list used some iteration of "congress" to protect their government emails. Considering every single person on the list works for Congress and has a house.gov or senate.gov email address, "congress" is the first word any reasonably smart hacker would try, with the usual digits and symbols tacked on.
Lesson 2: "Republican" or "democrat" is dumb, too. For the same reason as above, the two people on the list who chose their party as their password need to change that. Especially the guy who picked "TX32republican!" Do you happen to work for Pete Sessions, the Republican congressman for Texas's 32nd district? See how easy that was.
Lesson 3: States with numbers are also incredibly obvious. Quite a few people on the list decided to use the state they worked for plus the congressional district number. That's only slightly less obvious than "congress" and makes matching the username to the password even easier, since "California20th" points to one particular House member and every one of his or her staffers.
Lesson 4: Never, ever use any part of your name. Hey Justine Sessions, is your password #JustineSessions83? On that note, were you born in 1983?
Lesson 5: The 36 people who used "password" as their password probably shouldn't be working for Congress. You guys! Password is the number one most popular, most hackable password on all the Internet. The cardinal rule of password picking is to choose anything but "password" and 12345 — putting numbers after the word doesn't make it much harder to guess, either.
Lesson 6: Any real words are a bad idea. To the three people who chose "Starbucks," that's incredibly easy to hack. Hackers use custom-compiled dictionaries of popular words to guess passwords, and their tools automatically try each word with capital letters, numbers and symbols added on. If three whole people picked the coffee chain, then it's probably on a hacker list somewhere. Any dictionary word, however decorated, is a bad idea.
Lesson 7: All your passwords are way too short. To be safe, pick something with 11 or more characters; at that point brute-force guessing gets much, much harder. The caveat is that length only helps if the extra characters aren't predictable: "congress2013!" is 13 characters long and still falls to the first pass of a dictionary attack, while a string of several unrelated words does not.
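To make the seven lessons concrete, here is an added example (not code from the article or from the leaked list) that encodes them as the kind of checks an attacker's wordlist-plus-mangling rules would trip on: strip trailing digits and symbols, undo leetspeak, look for dictionary words, state-plus-district patterns, and pieces of the account holder's own name, and flag anything under 11 characters. The wordlist, state list and the accounts in the sample are constructed for the illustration; a real audit would load a large public wordlist plus words scraped from the target organisation.

```python
"""Pattern-based audit of the password habits described in the article.

Added example, not the article's code: each check corresponds to one of
the seven lessons. WORDLIST, STATES and SAMPLE_ACCOUNTS are constructed.
"""
import re

# Constructed mini wordlist. A real audit would load something like
# rockyou.txt plus terms scraped from the target's public profile.
WORDLIST = {
    "password", "congress", "republican", "democrat", "starbucks",
    "senate", "capitol", "welcome", "letmein", "qwerty",
}

# Constructed subset of state names and postal abbreviations.
STATES = {"california", "ca", "texas", "tx", "newyork", "ny", "florida", "fl"}

# Leetspeak substitutions that a mangling rule would undo ("p@ssw0rd" -> "password").
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 11  # the article's threshold (length helps only if the text is unpredictable)

# <letters><1-2 digits>[ordinal suffix][letters], e.g. "california20th", "tx32republican"
STATE_DISTRICT = re.compile(r"^([a-z]+?)(\d{1,2})(?:st|nd|rd|th)?([a-z]*)$")


def strip_decoration(password: str) -> str:
    """Remove leading/trailing digits and symbols: 'congress2013!' -> 'congress'."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)


def name_tokens(username: str) -> list[str]:
    """'jane.doe@mail.house.gov' -> ['jane', 'doe'] (tokens of 3+ letters)."""
    local = username.split("@", 1)[0].lower()
    return [t for t in re.split(r"[^a-z]+", local) if len(t) >= 3]


def audit(username: str, password: str) -> list[str]:
    """Return the weak-pattern findings for one account, in a fixed order.

    An empty list means none of the article's patterns matched, not that
    the password is strong.
    """
    findings = []
    lowered = password.lower()
    core = strip_decoration(password).lower()
    deleeted = lowered.translate(LEET)

    # Lesson 7: raw length.
    if len(password) < MIN_LENGTH:
        findings.append(f"too short ({len(password)} < {MIN_LENGTH} characters)")

    # Lessons 1, 2, 5, 6: a wordlist entry survives decoration and leetspeak.
    for word in sorted(WORDLIST):
        if word in lowered or word in deleeted:
            findings.append(f"contains dictionary word '{word}' (decoration does not help)")

    # Lesson 3: state or abbreviation followed by a district number.
    m = STATE_DISTRICT.match(core)
    if m and m.group(1) in STATES:
        findings.append(f"state '{m.group(1)}' + district {m.group(2)} identifies the office")

    # Lesson 4: any piece of the user's own name.
    for token in name_tokens(username):
        if token in lowered:
            findings.append(f"contains account holder's name fragment '{token}'")

    return findings


# Constructed accounts; the password shapes mirror the ones the article quotes.
SAMPLE_ACCOUNTS = [
    ("staffer1@mail.house.gov", "congress2013!"),
    ("staffer2@mail.house.gov", "TX32republican!"),
    ("staffer3@mail.house.gov", "California20th"),
    ("jane.doe@mail.house.gov", "#JaneDoe83"),
    ("staffer5@mail.house.gov", "P@ssw0rd1"),
    ("staffer6@mail.house.gov", "Starbucks"),
    ("staffer7@mail.house.gov", "brisk-otter-marble-fjord-92"),  # passes every check
]


def audit_all(accounts=SAMPLE_ACCOUNTS) -> dict[str, list[str]]:
    """Audit every (username, password) pair and return findings keyed by username."""
    return {user: audit(user, pw) for user, pw in accounts}


if __name__ == "__main__":
    for user, problems in audit_all().items():
        status = "OK " if not problems else "BAD"
        print(f"{status} {user}")
        for p in problems:
            print(f"      - {p}")
```

The interesting output is the last account: a long string of unrelated words produces no findings, while every decorated word, state-and-district combination and name fragment in the list is caught by checks that take a few lines each, which is exactly why the same patterns fall so quickly to real cracking tools.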
Or just keep your terrible passwords; it's not like government email accounts contain any important information or anything.
This article is from the archive of our partner The Wire.