Government watchdog cracks thousands of passwords at US federal agency in minutes

You shouldn’t use an easily guessable password such as “Password1234” – even more so if you’re an employee at an important US federal agency. But that’s exactly what quite a few people at the Department of the Interior (DOI) did, a watchdog says in a scathing report.

The DOI's Office of Inspector General audited the department's password management practices and has now published a damning report: its testers cracked the passwords of more than 18,000 of the department's Active Directory accounts, a whopping 21% of the entire user base.

The report goes on to scold the DOI, saying that its reliance on passwords as the sole protection for important systems and employees' user accounts contradicts long-standing government guidance mandating multi-factor authentication.

“Specifically, Department employees used passwords found on breached password lists available on the internet, the Department used single-factor authentication, and inactive accounts were not disabled,” the watchdog said.

“The Department did not fully implement MFA (Multi-factor authentication) requirements that have been in place for more than 15 years. In addition, when we asked the Department to provide a detailed status of MFA across the agency, it told us that information did not exist.”

Too easy to crack

MFA is no silver bullet either, but the numbers are striking, and frightening. Over the course of the inspection, 18,174 of 85,944 active user passwords (21 percent) were cracked, including those of 288 accounts with elevated privileges and 362 accounts belonging to senior US government employees.

The Inspector General also said that the password complexity requirements at the DOI were so outdated and ineffective that employees were able to select easy-to-crack passwords such as “Changeme$12345” and “Polar_bear65”.

Some users were probably irritated by regular prompts to change their passwords and, out of spite, picked combinations like “ChangeIt123” or “ChangeItN0w!”.

Easy-to-crack password combinations at the DOI. Image by Cybernews.

In fact, 4.75 percent of all active user account passwords were based on the word “password.” The most commonly reused password, “Password-1234”, was used on 478 unique active accounts, and it actually met the DOI's complexity requirements.
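The finding above is the classic failure of complexity-only policies: a rule that counts character classes cannot tell “Password-1234” from a random string. The following is an added illustration, not code from the report or the DOI. It models a legacy policy (assumed for illustration: 12 characters and three of four character classes), then adds the two checks the report says were missing: a lookup against a breached-password corpus (here a small constructed set of SHA-1 digests standing in for a real list) and a root-word check that catches “password” and “changeme” variants after undoing common leetspeak substitutions.

```python
import hashlib
import re

# Assumed legacy complexity rule for illustration (not the DOI's actual policy text):
# at least 12 characters and at least three of the four character classes.
MIN_LENGTH = 12
CLASS_PATTERNS = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]


def meets_legacy_complexity(pw: str) -> bool:
    """Complexity-only check. 'Password-1234' passes this with all four classes."""
    classes = sum(1 for pattern in CLASS_PATTERNS if re.search(pattern, pw))
    return len(pw) >= MIN_LENGTH and classes >= 3


# Constructed stand-in for a breached-password corpus. Real corpora are usually
# distributed as SHA-1 digests, so the lookup compares digests rather than plaintext.
CONSTRUCTED_BREACHED = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ["Password-1234", "Password1234", "Changeme$12345", "123456", "Polar_bear65"]
}


def in_breached_corpus(pw: str) -> bool:
    """True if the candidate's SHA-1 digest appears in the (constructed) breach set."""
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper() in CONSTRUCTED_BREACHED


# Common leetspeak substitutions, undone before looking for banned root words.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
BANNED_ROOTS = ("password", "changeme", "changeit")


def root_word(pw: str) -> str:
    """Lower-case, undo leet substitutions, then drop anything that is not a letter."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET))


def based_on_banned_root(pw: str) -> bool:
    """Catches 'Password-1234', 'ChangeItN0w!' and similar dictionary-plus-decoration picks."""
    normalised = root_word(pw)
    return any(root in normalised for root in BANNED_ROOTS)


def evaluate(pw: str) -> dict:
    """Per-check breakdown, useful for explaining a rejection to the user."""
    return {
        "legacy_ok": meets_legacy_complexity(pw),
        "breached": in_breached_corpus(pw),
        "banned_root": based_on_banned_root(pw),
    }


def accept(pw: str) -> bool:
    """Hardened policy: complexity alone is not enough; breached or root-word hits are rejected."""
    result = evaluate(pw)
    return result["legacy_ok"] and not result["breached"] and not result["banned_root"]


if __name__ == "__main__":
    for candidate in ["Password-1234", "ChangeItN0w!", "Polar_bear65", "correct-Horse-battery7"]:
        print(f"{candidate!r}: {evaluate(candidate)} -> accept={accept(candidate)}")
```

Run as-is it shows “Password-1234” sailing through the legacy check and being rejected by both added checks, while “Polar_bear65” passes complexity and the root-word test but is still refused because it sits in the breach set. In production the breach lookup would be against a full corpus (or a k-anonymity range query against a hosted one) rather than a five-entry set, and the root-word list would be much longer.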

What’s more, the report says the testers cracked the passwords of 16% of DOI user accounts within the first 90 minutes of testing, and that the password-cracking rig cost less than $15,000 to build, hardly a financial burden for a large threat actor or a hostile nation-state.

In its response, included in the report, the DOI said it concurred with most of the Inspector General's findings and that it was "committed" to implementing the Biden administration's executive order directing federal agencies to improve their cybersecurity defenses.

Choose a strong password

Late last year, the Cybernews Research team completed an examination of 56 million passwords breached and leaked over the course of the year and concluded that a shockingly high number of people are still using easily guessable passwords. “123456”, for example, has long been the most popular one.

“It is important for customers not to rely solely on developers to protect their credentials and personal data by adopting new internet safety habits, starting with strong password generation and cybersecurity awareness,” said Martynas Vareikis, Cybernews security researcher.

“Due to many services being interconnected, even one leaked password could lead to many accesses, potential damages, and time-consuming recoveries."
