You shouldn’t use an easily guessable password such as “Password1234” – even more so if you’re an employee at an important US federal agency. But that’s exactly what quite a few people at the Department of the Interior (DOI) did, a watchdog says in a scathing report.
The Inspector General at the DOI carried out a security audit of the password management policies used at the agency and has now published a damning report saying that its auditors were able to crack more than 18,000 of the department’s Active Directory accounts – a whopping 21% of the entire user base.
The report then scolds the DOI, saying that the department’s reliance on passwords alone to protect important systems and employees’ user accounts contradicts the government’s long-standing cybersecurity guidance, which mandates stronger two-factor authentication.
“Specifically, Department employees used passwords found on breached password lists available on the internet, the Department used single-factor authentication, and inactive accounts were not disabled,” the watchdog said.
“The Department did not fully implement MFA (Multi-factor authentication) requirements that have been in place for more than 15 years. In addition, when we asked the Department to provide a detailed status of MFA across the agency, it told us that information did not exist.”
Too easy to crack
Even though MFA is no cure-all either, the numbers are impressive – and frightening. Over the course of the inspection, 18,174 of 85,944 active user passwords – 21 percent, including 288 accounts with elevated privileges and 362 accounts belonging to senior U.S. Government employees – were cracked.
The Inspector General also said that the password complexity requirements at the DOI were so outdated and ineffective that employees were able to select easy-to-crack passwords, such as “Changeme$12345” and “Polar_bear65”.
Some users were probably irritated by the regular prompts to change their passwords and, out of spite, selected combinations like “ChangeIt123” or “ChangeItN0w!”.
In fact, 4.75 percent of all active user account passwords were based on the word “password.” The most commonly reused password, “Password-1234”, was used on 478 unique active accounts – and, by the way, this combination actually met the DOI’s requirements.
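The gap the report describes, a composition rule that happily accepts “Password-1234” while a breached-word screen rejects it, as an added illustration that is not from the report or from Cybernews; the 12-character/three-class rule and the short banned-word list are assumptions, not the DOI’s actual policy:

```python
import re

# Constructed sample of a banned/breached base-word list (assumption); a real
# deployment would load a large list such as the breached-password corpora
# the report refers to.
BANNED_BASE_WORDS = {"password", "changeme", "changeit", "polarbear", "welcome"}

# Common character substitutions undone during normalization.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def meets_composition_rule(pw: str, min_len: int = 12) -> bool:
    """Hypothetical legacy complexity rule (assumed, not the DOI's actual policy):
    at least 12 characters and three of the four character classes."""
    classes = (re.search(r"[a-z]", pw), re.search(r"[A-Z]", pw),
               re.search(r"\d", pw), re.search(r"[^A-Za-z0-9]", pw))
    return len(pw) >= min_len and sum(1 for c in classes if c) >= 3


def base_word(pw: str) -> str:
    """Reduce a password to the dictionary word it is built on: drop leading and
    trailing digits/symbols, lowercase, undo leetspeak, remove separators."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)
    core = core.lower().translate(LEET_MAP)
    return re.sub(r"[^a-z]", "", core)


def is_banned(pw: str) -> bool:
    """True when the password's base word is, or starts with, a banned word."""
    base = base_word(pw)
    return any(base == w or base.startswith(w) for w in BANNED_BASE_WORDS)


def evaluate(pw: str) -> dict:
    """Return both verdicts so the gap between the two checks is visible."""
    return {"password": pw,
            "passes_composition_rule": meets_composition_rule(pw),
            "rejected_by_banned_list": is_banned(pw)}


if __name__ == "__main__":
    # Constructed sample built from the examples quoted in the report plus
    # one random passphrase for contrast.
    for pw in ["Password-1234", "Changeme$12345", "Polar_bear65",
               "ChangeItN0w!", "P@ssw0rd!2023", "glacier-otter-lantern-47"]:
        print(evaluate(pw))
```

Every password quoted from the report satisfies the composition rule yet is caught by the banned-word screen, which is why the report faults complexity rules that are not paired with breached-list checks.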
What’s more, the report says the auditors were able to crack the passwords for 16% of the DOI user accounts within the first 90 minutes of testing, and that building the password-cracking rig cost less than $15,000 – hardly a heavy financial burden for a large threat actor or a hostile nation-state.
In its response, included in the report, the DOI said it concurred with most of the Inspector General’s findings and that it was “committed” to implementing the Biden administration’s executive order directing federal agencies to improve their cybersecurity defenses.
Choose a strong password
Late last year, the Cybernews research team completed an examination of 56 million passwords breached and leaked over the course of the year and concluded that a shockingly high number of people are still using easily guessable passwords. “123456”, for example, has long been the most popular one.
“It is important for customers not to rely solely on developers to protect their credentials and personal data by adopting new internet safety habits, starting with strong password generation and cybersecurity awareness,” said Martynas Vareikis, Cybernews security researcher.
“Due to many services being interconnected, even one leaked password could lead to many accesses, potential damages, and time-consuming recoveries.”