Over 20% of passwords at the United States Department of the Interior could be broken, according to the latest analysis of user accounts.
Over 18,000 of the nearly 86,000 active directories (AD) accounts’ password hashes were cracked using fairly common hacking techniques. Within the first 90 minutes, most were broken.
Additionally, fewer than 300 compromised accounts had escalated access, and over 300 belonged to senior staff.
Simple Hunches
The auditors combed through a list of more than a billion phrases that would be used in the accounts’ passwords to crack the hashes using two rigs that combined 16 GPUs and cost less than USD 15,000.
Easy keyboard shortcuts like “qwerty” terms relating to the United States government and allusions to popular culture were among these words. We also used passwords from publicly accessible lists of private and public organisation data dumps.
Nearly 500 accounts used the most common password, “Password-1234”, and hundreds more used variations of it, including “Password1234”, “Password123$”, and “Password1234!”
The audit also raised concerns about the lack of multi-factor authentication (MFA), which would have improved account security. Almost 90% of high-value assets (HVAC), which are essential to how the agency works, didn’t use the feature.
A threat actor would have a similar success rate as the auditors if they could obtain the department’s password hashes, according to the report that followed the audit.
Other issues raised in the paper, in addition to their success rate, were “the significant number of passwords belonging to top government employees with enhanced privileges that we cracked, as well as the lack of MFA in the majority of the Department’s HVAC.
Another issue is that almost all the passwords met the department’s standards for secure passwords, which call for a minimum of 12 characters and a combination of case-sensitive, numeric, and special characters.
However, as the audit shows, following these rules don’t always lead to passwords that are hard to guess. To avoid having to brute force every single word to try and crack a password, hackers typically work from databases of passwords that people frequently use.
The second-most popular password discovered during the audit, “Br0nc0$2012”, was given as an example in the report itself: “Because it is built on a single dictionary term and uses frequent character replacements, this password, despite appearing to be stronger,’ needs to be stronger.”
In addition, the General Inspector said that passwords were kept the same regularly, every 60 days, as required by law. However, today’s security professionals do not endorse this advice because it merely encourages users to create weaker passwords to remember them more quickly.
As random word strings are far more difficult for computers to decipher, the NIST SP 800-63 Digital Identity Guidelines (opens in new tab) advise using them as passwords instead.
Additionally, the development of password managers and their built-in password generators (there are also independent versions) has made it simpler than ever to generate solid and random passwords that eliminate the hassle of remembering them.