Password hygiene might be going downhill for people with .gov email addresses, according to a new identity exposure report released by cyber crime analytics company SpyCloud.
SpyCloud uses recaptured data from the dark web to analyse and identify the latest trends in cyber crime and its impact on society. Researchers found 723 breaches containing .gov emails in 2023, an increase from 695 in 2022 and 611 in 2021.
"This is not a shock to me," said Trevor Hilligoss, vice president of SpyCloud Labs, SpyCloud's research team responsible for recapturing data and analysing patterns from the criminal underground. "We do have a lot of challenges in the government involving cyber hygiene at large. I think one of the things that the report really calls out is that it's not getting better."
Researchers suggest the persistent problem may be at least in part due to password reuse – the practice of using the same password for multiple accounts. Password reuse rates for .gov users increased in the last year, from 61% in 2022 to 67% in 2023.
"In those instances, while we might not have a breach of a government system, if there is password reuse going on, that password from a compromised source could potentially be used against a government source, even if that government asset was not necessarily itself the victim of a breach," said Hilligoss.
Additionally, the report showed that many government agencies continue to struggle with poor password practices overall: the most common passwords associated with .gov emails were "password", "pass1" and "123456".
The increase in .gov passwords exposed on the dark web may also be due to the growing number of state and local government agencies adopting .gov domains.
While SpyCloud's report doesn't specifically analyse the use of pop culture references in .gov passwords, researchers say people in general are still using pop culture references to inspire their passwords, a choice that could jeopardise their account security.
"You could craft a password using only pop culture references that use four distinct words and special characters and spaces and from a cryptographic perspective, that's uncrackable. But it's not unguessable," Hilligoss said. "Criminals are not dumb. They're human beings just like everybody else. They're thinking people, so they know what the password trends are. This is not news to them."
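The two findings above, a password reuse rate measured across recaptured breach data and a short list of the most common exposed passwords, can be reproduced as a small defensive analysis. The following is an added example, not code from the report or from SpyCloud: it runs over a constructed set of breach records (invented sources, addresses and passwords), computes the share of .gov users exposed in more than one breach who used the same password in both, lists the most frequent passwords, and screens candidate passwords against the report's common-password list, including the "Password123!"-style variants that are cryptographically strong on paper but, as Hilligoss notes, still guessable. The record format, the denylist normalisation and all sample values are assumptions made for this example.

```python
from collections import Counter, defaultdict

# Constructed sample of "recaptured" breach records as (source, email, password).
# Invented for this example; none of this is SpyCloud data.
BREACH_RECORDS = [
    ("forum-dump-A",  "alice@example.gov", "password"),
    ("retail-dump-B", "alice@example.gov", "password"),     # same password in two breaches: reuse
    ("forum-dump-A",  "bob@example.gov",   "Summer2023!"),
    ("retail-dump-B", "bob@example.gov",   "Winter2024!"),  # two breaches, distinct passwords: no reuse
    ("forum-dump-A",  "carol@example.gov", "123456"),
    ("social-dump-C", "erin@example.gov",  "pass1"),        # one record only; reuse cannot be assessed
    ("forum-dump-A",  "dave@example.com",  "pass1"),        # not a .gov address; excluded from the metric
]

# Denylist of the most common exposed passwords named in the report.
COMMON_PASSWORDS = {"password", "pass1", "123456"}


def is_gov(email: str) -> bool:
    """True for addresses whose domain is under .gov."""
    domain = email.lower().rsplit("@", 1)[-1]
    return domain.endswith(".gov")


def records_by_gov_user(records):
    """Group breach records by .gov email: email -> list of (source, password)."""
    by_user = defaultdict(list)
    for source, email, password in records:
        if is_gov(email):
            by_user[email.lower()].append((source, password))
    return by_user


def reuse_rate(records) -> float:
    """Percentage of .gov users, among those exposed in at least two distinct
    breaches, who used the same password in more than one of them."""
    assessable = reused = 0
    for entries in records_by_gov_user(records).values():
        sources = {src for src, _ in entries}
        if len(sources) < 2:
            continue  # a single exposure says nothing about reuse
        assessable += 1
        seen = defaultdict(set)  # password -> set of breach sources it appeared in
        for src, pw in entries:
            seen[pw].add(src)
        if any(len(srcs) > 1 for srcs in seen.values()):
            reused += 1
    return round(100.0 * reused / assessable, 1) if assessable else 0.0


def top_passwords(records, n=3):
    """Most frequent passwords across .gov records, counted once per (user, source)."""
    counts = Counter()
    for entries in records_by_gov_user(records).values():
        for _, pw in set(entries):
            counts[pw] += 1
    return counts.most_common(n)


def weak_password_reason(candidate: str):
    """Return why a candidate password would be rejected, or None if it passes.
    Checks the denylist exactly, then again after stripping the trailing digits
    and symbols users commonly bolt on to satisfy complexity rules."""
    normalized = candidate.lower()
    if normalized in COMMON_PASSWORDS:
        return "commonly exposed password"
    stripped = normalized.rstrip("0123456789!@#$%^&*._-")
    if stripped in COMMON_PASSWORDS:
        return "trivial variant of a commonly exposed password"
    return None


if __name__ == "__main__":
    print(f".gov password reuse rate: {reuse_rate(BREACH_RECORDS)}%")
    print("most common .gov passwords:", top_passwords(BREACH_RECORDS))
    for pw in ("Password123!", "correct horse battery staple"):
        print(f"{pw!r} -> {weak_password_reason(pw) or 'ok'}")
```

The reuse metric only counts users who appear in at least two different breach sources, since a single exposure cannot show whether a password was reused; in production the denylist would be replaced by a far larger corpus of exposed passwords, and candidates would be compared by hash rather than held in plaintext.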
As conversations continue within tech communities about whether the password should die, SpyCloud researchers suggest that at minimum, users consider using password managers to protect their accounts from cyberattacks. – Government Technology/Tribune News Service