Tweet
An audit of the user accounts at the US Department of the Interior found that over 20% of passwords could be cracked due to a lack of security.
The password hashes for nearly 86,000 active directory (AD) accounts were obtained, and over 18,000 of them were cracked using fairly standard hacking methods. Most were cracked within the first 90 minutes.
Whatâs more, over 300 of the cracked accounts belonged to senior employees, and just under 300 had elevated privileges.
[HEADING=1]Easy guesses[/HEADING]
To crack the hashes, the auditors used two rigs costing less than $15,000, comprised of 16 GPUs in total - some a few generations old - and worked through a list of over a billion words that would likely be used in the accountsâ passwords.
Such words included easy keyboard inputs such as âqwertyâ, terminology related to the US government and references to popular culture. Passwords obtained from publicly available lists of private and public organization data leaks were also used.
The most popular password was âPassword-1234â, which was used by nearly 500 accounts, and its variations, such as âPassword1234â, âPassword123$â âPassword1234!â, were also used by hundreds of other accounts.
Another concern revealed by the audit was the lack of multi-factor authentication (MFA) to bolster account security. Nearly 90% of high-value assets (HVAs) - which are vital to agency operations - failed to implement the feature.
In the report following the audit, it was noted that should a threat actor gain access to the departmentâs password hashes, they would have a similar success rate of that achieved by the auditors.
Alongside their success rate, other areas of concern highlighted in the report were "the large number of elevated privilege and senior government employee passwords we cracked, and the fact that most of the Departmentâs HVAs did not employ MFA.â
Another concern is that virtually all of the passwords complied with the departmentâs requirements for strong passwords - a minimum of 12 characters with a mix of cases, digits and special characters.
read more
> We need to start taking our passwords seriously, come on
As the audit shows, however, following these requirements do not necessarily result is passwords that are hard to crack. Hackers usually work from lists of passwords that people commonly use, so they donât have to brute force every single word to try and break them.
The report itself gave the example of the second most common password found in the audit, âBr0nc0$2012â:
"Although this may appear to be a âstrongerâ password, it is, in practice, very weak because it is based on a single dictionary word with common character replacements.â
The General Inspector also stated passwords were not changed every 60 days, as is mandatory for employees to do. However, such advice is not recommended by security experts today, as it only encourages users to generate weaker passwords in order to remember them more easily.
The NIST SP 800â63 Digital Identity Guidelines recommend using a string of random words in passwords instead, as these are much harder to crack with computers.
Whatâs more, with the advent of password managers and their integrated password generators (there are also standalone versions), it is now easier than ever to create very strong and random passwords that take the trouble out of remembering them.
[ul]
[li]Here is our guide to the best business password managers[/li][/ul]
Continue readingâŚ
The password hashes for nearly 86,000 active directory (AD) accounts were obtained, and over 18,000 of them were cracked using fairly standard hacking methods. Most were cracked within the first 90 minutes.
Whatâs more, over 300 of the cracked accounts belonged to senior employees, and just under 300 had elevated privileges.
[HEADING=1]Easy guesses[/HEADING]
To crack the hashes, the auditors used two rigs costing less than $15,000, comprised of 16 GPUs in total - some a few generations old - and worked through a list of over a billion words that would likely be used in the accountsâ passwords.
Such words included easy keyboard inputs such as âqwertyâ, terminology related to the US government and references to popular culture. Passwords obtained from publicly available lists of private and public organization data leaks were also used.
The most popular password was âPassword-1234â, which was used by nearly 500 accounts, and its variations, such as âPassword1234â, âPassword123$â âPassword1234!â, were also used by hundreds of other accounts.
Another concern revealed by the audit was the lack of multi-factor authentication (MFA) to bolster account security. Nearly 90% of high-value assets (HVAs) - which are vital to agency operations - failed to implement the feature.
In the report following the audit, it was noted that should a threat actor gain access to the departmentâs password hashes, they would have a similar success rate of that achieved by the auditors.
Alongside their success rate, other areas of concern highlighted in the report were "the large number of elevated privilege and senior government employee passwords we cracked, and the fact that most of the Departmentâs HVAs did not employ MFA.â
Another concern is that virtually all of the passwords complied with the departmentâs requirements for strong passwords - a minimum of 12 characters with a mix of cases, digits and special characters.
read more
> We need to start taking our passwords seriously, come on
Apple, Google and Microsoft join forces to try and kill off passwords
Exclusive: most people still reuse their passwords despite years of hacking
The report itself gave the example of the second most common password found in the audit, âBr0nc0$2012â:
"Although this may appear to be a âstrongerâ password, it is, in practice, very weak because it is based on a single dictionary word with common character replacements.â
The General Inspector also stated passwords were not changed every 60 days, as is mandatory for employees to do. However, such advice is not recommended by security experts today, as it only encourages users to generate weaker passwords in order to remember them more easily.
The NIST SP 800â63 Digital Identity Guidelines recommend using a string of random words in passwords instead, as these are much harder to crack with computers.
Whatâs more, with the advent of password managers and their integrated password generators (there are also standalone versions), it is now easier than ever to create very strong and random passwords that take the trouble out of remembering them.
[ul]
[li]Here is our guide to the best business password managers[/li][/ul]
Continue readingâŚ