Don’t feel bad about forgetting to change your password to something more complex—the U.S. Department of the Interior isn’t doing any better. A security audit published earlier this month has revealed some pretty startling password security flaws within the department, the most glaring of which is that over one-fifth of DOI passwords were easily cracked.
The report was published by the Office of the Inspector General for the U.S. Department of the Interior, and it describes the multitude of security flaws surrounding the DOI’s password management. Overall, the security auditors cracked 18,174 of the department’s 85,944 passwords—that’s 21%—and 13,924 of those were cracked in less than 90 minutes. The office also reported that 288 passwords belonging to accounts with elevated privileges and 362 passwords for senior government employees were among those cracked.
“We also learned that the Department’s password complexity requirements implicitly allowed unrelated staff to use the same inherently weak passwords and that the Department did not timely disable inactive accounts or enforce password age limits,” wrote Kathleen Sedney, the Assistant Inspector General for Audits, Inspections, and Evaluations, in the report. “It is likely that if a well-resourced attacker were to capture Department AD password hashes, the attacker would have achieved a success rate similar to ours in cracking the hashes.”
The audit says that half of the 10 most commonly reused passwords contained some variation of the word “password” and “1234,” like Password1234!, Password123$, or even just Password-1234. Other commonly reused passwords included Br0nc0$2012, Summ3rSun2020!, and ChangeItN0w!.
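The passwords above satisfy a typical composition rule while remaining trivially guessable, which is the point the audit makes about complexity requirements. The following Python is an added illustration, not code from the article or the audit: it scores the article’s sample passwords against a length-plus-character-class rule and then against a constructed blocklist (with leet-speak normalization, common-sequence and year checks), where the blocklist, substitution map and the strong comparison password are all assumptions made for the example.

```python
import re

# Passwords the audit lists as commonly reused (quoted in the article above).
AUDIT_SAMPLES = ["Password1234!", "Password123$", "Password-1234",
                 "Br0nc0$2012", "Summ3rSun2020!", "ChangeItN0w!"]

# Constructed, deliberately tiny blocklist; a real policy would load a large
# dictionary / breached-password list here instead.
BANNED_WORDS = {"password", "broncos", "summersun", "changeitnow", "welcome", "letmein"}
COMMON_SEQUENCES = ("1234", "123", "abcd", "qwerty")

# Reverse the substitutions people use to satisfy "must contain a digit/symbol" rules.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "$": "s", "@": "a", "!": "i"})

def meets_complexity(pw: str, min_len: int = 8) -> bool:
    """Length plus upper/lower/digit/symbol: the rule the audit found insufficient alone."""
    return len(pw) >= min_len and all(
        re.search(p, pw) for p in (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]"))

def normalize(pw: str) -> str:
    """Lowercase, undo leet substitutions, keep letters only: 'Br0nc0$2012' -> 'broncosoi'."""
    return re.sub(r"[^a-z]", "", pw.translate(LEET).lower())

def weak_reasons(pw: str) -> list[str]:
    """Why a password is weak despite passing complexity; empty list means no finding."""
    reasons = []
    core = normalize(pw)
    for word in sorted(BANNED_WORDS):
        if word in core:
            reasons.append(f"contains banned word '{word}'")
    for seq in COMMON_SEQUENCES:
        if seq in pw.lower():
            reasons.append(f"contains common sequence '{seq}'")
            break
    if re.search(r"(19|20)\d{2}", pw):
        reasons.append("contains a four-digit year")
    return reasons

def evaluate(passwords):
    """Map each password to (passes_complexity, list_of_weakness_reasons)."""
    return {pw: (meets_complexity(pw), weak_reasons(pw)) for pw in passwords}

if __name__ == "__main__":
    for pw, (ok, reasons) in evaluate(AUDIT_SAMPLES).items():
        verdict = "pass" if ok else "fail"
        print(f"{pw:16} complexity={verdict}  {'; '.join(reasons) or 'no findings'}")
```

Every one of the six audit samples passes the complexity rule, and every one is flagged by the blocklist or sequence checks; a constructed random password such as `Tq7!vRk2#pLm9zWx` passes both.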
The Department of the Interior has also failed to implement multi-factor authentication on 89% of systems with high-value assets, which are “assets that could have serious impacts to the Department’s ability to conduct business if compromised,” per the report. The Office of the Inspector General defines multi-factor authentication as requiring more than one kind of factor: something the user knows, like a PIN; something the user has, like an access card; or something the user is, like a fingerprint or retinal pattern.
“It is likely that if a well-resourced attacker were to capture Department AD password hashes, the attacker would have achieved a success rate similar to ours in cracking the hashes. The significance of our findings regarding the Department’s poor password management is magnified given our high success rate cracking password hashes, the large number of elevated privilege and senior Government employee passwords we cracked, and the fact that most of the Department’s [high-value assets] did not employ [multi-factor authentication],” Sedney wrote.
The audit’s methodology reveals that the Department of the Interior’s passwords were tested using a system that cost less than $15,000 to build, running open-access software and a custom wordlist. Sedney and the Office recommend that the Department of the Interior prioritize implementing and validating multi-factor authentication across its systems and revamp its password security standards for users who are setting a new password.