The DotGov registrar has added a security feature to prevent the use of passwords that have been identified in various publicly known data breaches. All DotGov users will need to update their password – even if your password has not been re-used or breached – in order for your account to be protected.
Why is this change happening?
The secrecy of your password is crucial to account security, and password reuse is the most common threat to password secrecy. An attacker who breaches one system’s password can often pivot to another system using those credentials.
By ensuring that passwords found in data taken from past public breaches cannot be used, we minimize the threat of password reuse.
To do this, we have to ask all DotGov users to reset their passwords, because the only practical way for us to implement this check is to do it at the moment a user selects a password. After a user sets their password, it is stored in such a way that it cannot efficiently be checked against lists of known-breached passwords.
To be clear, this action is not being taken because of a breach on any DotGov-related system. The General Services Administration is proactively working to improve the security of the .gov zone for its users and administrators.
What should DotGov users do now?
We strongly recommend that you use a password manager to generate and store a long, complex, unique password used only for the DotGov service.
Change your password at https://domains.dotgov.gov. If it’s in a publicly known data breach, you will be asked to select a different one. If you get this alert and it’s a password you use anywhere else, we urge you to change your password in those applications, too.