The US Office of the Inspector General audited the Department of the Interior to judge the security of its accounts. The results were not encouraging, as auditors found that more than 20% of passwords could be cracked using standard cryptographic methods.
“Our objective was to determine whether the Department’s password management and enforcement controls were effective enough to prevent a malicious actor from gaining unauthorized access to Department computer systems by capturing and ‘cracking’ user passwords,” states the report.
“Over the course of our inspection, we cracked 18,174 of 85,944, or 21 percent, of active user passwords, including 288 accounts with elevated privileges and 362 accounts of senior US Government Employees,” the Office of the Inspector General explained.
Complex passwords that can’t be easily cracked are essential, but they are only one part of a system whose other controls need to work just as well. The audit found that the department relied on single-factor authentication and did not disable inactive accounts. Moreover, some employees used passwords that appeared on breached-password lists freely available on the internet.
The audit found that 89 percent of the department’s High-Value Assets, systems whose compromise would seriously disrupt how the Department functions, lacked multifactor authentication. Employees also used easy-to-crack passwords such as Changeme$12345, Polar_bear65 and Nationalparks2014!. Even worse, 4.75 percent of all active user account passwords were based on the word “password.”
In just 16 minutes of testing, the auditors cracked 16% of all passwords tested. This was possible only because users’ passwords met the department’s complexity requirement in letter but not in spirit.
“In fact, 5 of the 10 most reused passwords at the Department included a variation of ‘password’ combined with ‘1234’; this combination currently meets the Department’s requirements even though it is not difficult to crack,” the report explains.
Following the report, the US Department of the Interior agreed to implement MFA methods that cannot be bypassed to fall back to single-factor authentication for all applications, and to revise its password complexity and account management policies. The department must also monitor, limit or prevent commonly used, expected, or compromised passphrases and passwords in the future.
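The last finding is the one a defender can act on directly: a password that satisfies a length-and-character-class rule can still be a trivial variation of “password” or sit on a public breach list. The screening function below is an added example, not code from the Inspector General’s report or from the Department; the complexity thresholds (12 characters, three of four character classes) and the breached-password set are constructed assumptions standing in for a real policy and a real breach corpus. It shows how a registration or reset flow can reject exactly the kind of passwords the audit cracked while still accepting a long, unrelated passphrase.

```python
import re
from typing import List, Optional

# Constructed sample standing in for a real breached-password corpus (assumption).
# Entries are stored lowercase so the lookup is case-insensitive.
BREACHED_PASSWORDS = {"changeme$12345", "polar_bear65", "nationalparks2014!"}

# Base words whose variations dominated the reused passwords in the audit.
BANNED_BASE_WORDS = {"password", "changeme", "welcome", "letmein"}

# Common leetspeak substitutions, undone before comparing against banned words.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "@": "a", "$": "s", "!": "i"})

# Ascending or descending four-digit runs such as the "1234" the report calls out.
SEQUENTIAL_DIGITS = re.compile(
    r"(?:0123|1234|2345|3456|4567|5678|6789|9876|8765|7654|6543|5432|4321|3210)"
)


def base_word(password: str) -> str:
    """Strip leading/trailing digits and symbols, lowercase, undo leetspeak.

    'P@ssw0rd2023!' -> 'password', 'Changeme$12345' -> 'changeme'
    """
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return core.lower().translate(LEET_MAP)


def meets_complexity(password: str) -> bool:
    """Assumed policy: at least 12 characters and three of four character classes."""
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    return len(password) >= 12 and classes >= 3


def banned_word_in(password: str) -> Optional[str]:
    """Return the banned base word the password is built on, if any."""
    normalized = base_word(password)
    return next((w for w in sorted(BANNED_BASE_WORDS) if w in normalized), None)


def screen_password(password: str) -> List[str]:
    """Return the list of reasons a password should be rejected (empty = accept).

    A password that passes the complexity rule can still fail here, which is
    the gap the audit exposed: 'Password1234!' is compliant but trivial.
    """
    reasons: List[str] = []
    if not meets_complexity(password):
        reasons.append("fails complexity policy")
    if password.lower() in BREACHED_PASSWORDS:
        reasons.append("appears in breached-password list")
    word = banned_word_in(password)
    if word is not None:
        reasons.append(f"based on banned word '{word}'")
    if SEQUENTIAL_DIGITS.search(password):
        reasons.append("contains sequential digit run")
    return reasons


if __name__ == "__main__":
    # Constructed candidates: the three from the audit plus a compliant-but-weak
    # one and a long passphrase that should pass.
    for candidate in ["Changeme$12345", "Polar_bear65", "Password1234!",
                      "P@ssw0rd2023!", "correct-horse-battery-staple-42"]:
        verdict = screen_password(candidate)
        print(f"{candidate!r}: {'REJECT ' + '; '.join(verdict) if verdict else 'accept'}")
```

The order of checks matters operationally: the breach-list and banned-word tests are what catch “technically compliant” passwords, so they should run even when the complexity rule is satisfied rather than being short-circuited by it. In a real deployment the breached set would be a k-anonymity lookup against a service such as Have I Been Pwned or a locally hosted corpus rather than an in-memory set.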