Security Concerns Mount as DNI Tulsi Gabbard's Password Practices Come to Light
In an era where cybersecurity threats loom larger than ever, revelations about password practices of top government officials raise serious concerns about national security. A recent Wired investigation has uncovered that Tulsi Gabbard, the current Director of National Intelligence (DNI), repeatedly used the same weak password across multiple personal online accounts for years, potentially exposing herself to security vulnerabilities.
Repeated Password Usage
According to Wired's investigation, Gabbard used an "easily cracked" password across multiple email addresses and online accounts during her time in Congress from 2013 to 2021. Records show this password was used for several personal accounts, including her Gmail, Dropbox, LinkedIn, and an account tied to her personal website.
The investigation utilized databases of material leaked online from open-source intelligence firms District4Labs and Constella Intelligence. While there's no indication Gabbard used this password for government accounts, cybersecurity experts emphasize that password reuse across accounts represents a significant vulnerability that could be exploited by malicious actors.
The Personal Connection
The word "shraddha" was part of the password for all the affected accounts and seems to have personal significance for Gabbard. This significance may stem from her reported initiation into the Science of Identity Foundation, a group tied to her reported birth into the Hare Krishna movement and accused by former members of being a cult. The Wall Street Journal reported that former adherents believe Gabbard may have been given the name "Shraddha Dasi" when she allegedly joined the group.
Not Her First Security Incident
This revelation follows another security incident in March when Gabbard was part of a Signal group chat leak. The Atlantic's editor-in-chief, Jeffrey Goldberg, was inadvertently added to a text conversation among top Trump administration officials, including Gabbard and Defense Secretary Pete Hegseth, that discussed military operations in Yemen.
The Signal incident created significant controversy when Goldberg reported that he was sent sensitive information about impending military strikes against the Iran-backed Houthis in Yemen. Brian Hughes, a spokesman for the White House National Security Council, said the message thread revealed in Goldberg's report "appears to be authentic," and that administration officials were "reviewing how an inadvertent number was added to the chain."
According to Goldberg's article, he received his invitation from Waltz, the national security adviser, on Signal on March 11, and two days later found himself part of a private chat entitled "Houthi PC small group." There, some of the most senior officials in the US government appeared to be discussing an imminent attack on Houthi strongholds in Yemen.
When questioned by lawmakers, Director of National Intelligence Tulsi Gabbard told them that a journalist being "inadvertently added" to a Signal chat about military plans in Yemen was a mistake but continued to say the chat did not contain classified information. However, Senator Jon Ossoff, a Georgia Democrat, described the situation as "an embarrassment" and "utterly unprofessional," noting there had been "no apology" and "no recognition of the gravity of this error."
These consecutive security missteps have raised serious questions about the cybersecurity practices of America's top intelligence official, whose role involves overseeing agencies handling the nation's most sensitive information.
The Response
Olivia Coleman, a spokesperson for Gabbard, downplayed the significance of the password revelation, telling media outlets: "This is a non-story. As I told WIRED last week, these data breaches happened nearly a decade ago, and the passwords have changed countless times since."
Cybersecurity Best Practices
The incidents highlight critical gaps in following established security guidelines. The Cybersecurity and Infrastructure Security Agency (CISA) and other cybersecurity experts consistently emphasize several best practices that could have prevented such vulnerabilities:
Strong, Unique Passwords
At one time, the recommendation was to use complex passwords with random characters and numbers, but those can be hard to remember. Modern guidance suggests using passphrases: a series of random words that is easier to remember but still hard for attackers to crack. CISA recommends passwords be at least 12-14 characters long.
Experts recommend using a password that is as complex as possible, made up of lowercase and uppercase letters, as well as numbers and special characters. More importantly, each password should be unique to each account.
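To make the uniqueness point concrete, the following added example (not part of the original reporting) audits a credential list for the failure modes described in this article: short passwords, exact reuse, and a single word recurring across accounts. The account names, passwords, the 5-letter word threshold, and the helper names `tokens` and `audit` are all constructed for illustration.

```python
import re
from collections import defaultdict

MIN_LENGTH = 12  # lower bound of the 12-14 character guidance cited above

# Constructed sample export of (account, password) pairs; not real credentials.
SAMPLE_VAULT = [
    ("mail", "Lantern42"),
    ("file-sync", "lantern42!"),
    ("social", "Lantern42"),
    ("personal-site", "Lantern-2016-site"),
    ("bank", "copper-violin-marsh-taxi"),
]

def tokens(password, min_len=5):
    """Lower-cased alphabetic runs of at least min_len letters (assumed threshold)."""
    return {t for t in re.findall(r"[a-z]+", password.lower()) if len(t) >= min_len}

def audit(vault, min_length=MIN_LENGTH):
    """Report short passwords, exact reuse, and words shared across accounts."""
    by_password = defaultdict(list)
    by_token = defaultdict(set)
    short = []
    for account, password in vault:
        by_password[password].append(account)
        if len(password) < min_length:
            short.append(account)
        for tok in tokens(password):
            by_token[tok].add(account)
    # Exact reuse: one breach exposes every account in the group.
    reused = sorted(sorted(a) for a in by_password.values() if len(a) > 1)
    # Shared base word: variants such as added digits or symbols stay guessable
    # once any one of them has leaked.
    shared = {t: sorted(a) for t, a in by_token.items() if len(a) > 1}
    return {"short": sorted(short), "reused": reused, "shared_words": shared}

if __name__ == "__main__":
    report = audit(SAMPLE_VAULT)
    for finding, detail in report.items():
        print(f"{finding}: {detail}")
```

Note that the `personal-site` entry passes the length check yet is still flagged, because it is built on the same word as three other accounts.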
Password Managers
Password managers can be a great resource, with many products offering free versions. With a password manager, you just need to remember one master password. They can help generate strong, long, random passwords automatically and store other sensitive information.
For greater security, cybersecurity experts recommend using a password manager for lower sensitivity accounts but not for sensitive accounts such as those with administrative privileges or banking credentials. They also recommend using a strong password and multi-factor authentication to secure the password manager itself.
Multi-Factor Authentication
Two-factor authentication has become a standard for managing access to organizational resources. In addition to traditional credentials like username and password, users confirm their identity with a one-time code sent to their mobile device or using a personalized USB token.
This practice ensures that even if a password is compromised, unauthorized access would still require the second authentication factor, significantly reducing the risk of account breaches.
Regular Password Updates
Password rotation is the process of periodically updating passwords to maintain their security. Regularly changing passwords ensures that even if a password is compromised, it will have a limited lifespan. Most security experts recommend changing passwords at least every three to six months.
Secure Communications for Government Business
The Signal group chat incident highlighted another crucial aspect of government security: using appropriate, secured channels for sensitive communications. Larry Pfeiffer, a former senior CIA and NSA official, noted that top administration officials like those involved in the group chat have U.S. government-approved communications with them 24 hours a day, even when traveling.
Government officials should use officially sanctioned, encrypted communication channels rather than consumer applications, especially when discussing sensitive national security matters.
Broader National Security Implications
As the chief of America's intelligence community, Gabbard's personal security practices inevitably face heightened scrutiny. The DNI position oversees 18 intelligence agencies, including the CIA and NSA, and has access to some of the nation's most classified information.
While there's no evidence of any government systems being compromised due to Gabbard's password practices, the incidents serve as a reminder that cybersecurity vulnerabilities often begin with basic security hygiene. As nation-state cyber threats continue to evolve, the personal security practices of government officials remain a critical component of national security.
The combination of weak password practices and improper use of messaging platforms raises legitimate concerns about information security at the highest levels of government. Security experts emphasize that good cybersecurity starts with individual practices, especially for those with access to sensitive information.
As cyber threats become more sophisticated and effective, proper security practices provide a critical defense against unauthorized access to systems, applications, and data. Security management helps organizations address and defend against careless behavior that leads to data breaches, such as sharing sensitive information through insecure channels.
Cybersecurity experts note that following cybersecurity best practices is important for individuals as well as organizations of all sizes. Using strong passwords, updating software, and thinking before clicking are fundamental steps in maintaining cybersecurity.
Looking Forward
These incidents highlight the need for comprehensive security training and adherence to best practices, even for officials at the highest levels of government. While Gabbard's spokesperson dismissed the password concerns as historical issues, security experts warn that password reuse can have long-term security implications, as credentials from old breaches are often used in newer attacks.
For government agencies tasked with safeguarding the nation's most sensitive information, these incidents serve as reminders of the importance of implementing robust security policies and ensuring that all personnel, regardless of rank, follow established security protocols.
As cyber threats continue to evolve in sophistication and frequency, the security practices of those with access to the nation's secrets must be held to the highest standards. Password security may seem like a basic concern, but it remains one of the most critical front-line defenses against increasingly sophisticated cyber threats targeting the United States and its officials.
This article represents reporting based on publicly available information as of May 7, 2025.