The audit’s wordy title was not kind:
P@s$w0rds at the U.S. Department of the Interior: Easily Cracked Passwords, Lack of Multifactor Authentication, and Other Failures Put Critical DOI Systems at Risk
The audit, which used a list of “more than 1.5 billion words” and only cost around $15,000 to achieve with a dedicated cracking rig, tested the words against cryptographic hashes for the department’s active directory accounts. The words were a combination of public password lists, pop culture and government terminology, and various dictionaries written in several languages.
How well did the 86,000 or so hashes hold up? The answer is, sadly, not hugely encouraging.
A poor show of security practices
According to the results:
- 21 percent of the 85,944 hashes tested were cracked
- Close to 300 accounts had elevated privileges as opposed to simply being “regular” accounts
- 362 accounts belonged to senior employees.
Perhaps more worryingly, multi-factor authentication (MFA) is not being used as widely as it could be. This may not be a surprise to regular readers. We’ve often talked about low MFA adoption rates, and this is despite large organisations like Google doing everything possible to drive people toward such setups.
25 out of 29 so-called high value assets were not protected by MFA. According to the audit, these accounts had the potential to “severely impact agency operations”.
4.75 percent of all active user accounts were based on the word “password”, and the department’s complexity requirements meant that variations of “password” combined with “1234” fulfilled the criteria despite being easy to crack.
The report makes several recommendations for better security practices, but Ars Technica notes that at least one of these is itself perhaps not the best of advice. The audit takes the Department of the Interior to task for not sticking to password changes every 60 days. Some folks insist that this practice just leads to weak password alterations. (If your staff think password1 is a decent password they’ll just change it to password2 after 60 days.)
Tackling your password problems
If you’re worried about your organisation’s password routine, there are steps you can take to hopefully makes a lot more secure.
- Multi-factor authentication (MFA). MFA renders password cracking almost useless, no matter how weak your password. The best form of MFA is a FIDO2 device, like a hardware key, although almost any form of MFA is better than none.
- Strong passwords. Most humans are terrible at coming up with just one strong password, and most of us need about 100 of them. Password managers solve this problem by creating and remembering strong passwords. The key part here is to ensure that the master password is also strong, and that the password manager access itself is also gated behind an additional layer of login security.
- Password requirements. If your complexity requirements sound good on paper, but allow for passwords like “p@ssw0rd123”, then you need to set about revising them. Research suggests that forcing users to make a password that passes a formula doesn’t help much. It’s better to simply block common passwords and have users focus on choosing long passwords rather than shorter, more complex ones.
- Rate limit login attempts. For as long as the login requires an online component of some kind, you can make life very difficult for attackers by only allowing 3 or 4 logins before shutting them down for a period of time.
Stay safe out there!
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.