An audit of the user accounts at the US Department of the Interior found that over 20% of passwords could be cracked due to a lack of security.
The password hashes for nearly 86,000 active directory (AD) accounts were obtained, and over 18,000 of them were cracked using fairly standard hacking methods. Most were cracked within the first 90 minutes.
What’s more, nearly over 300 of the cracked accounts belonged to senior employees, and just under 300 had elevated privileges.
Easy guesses
To crack the hashes, the auditors used two rigs costing less than $15,000, comprised of 16 GPUs in total – some a few generations old – and worked through a list of over a billion words that would likely be used in the accounts’ passwords.
Such words included easy keyboard inputs such as “qwerty”, terminology related to the US government and references to popular culture. Passwords obtained from publicly available lists of private and public organization data leaks were also used.
Among the most popular passwords was “Password-1234”, which was used by nearly 500 accounts, and subtle variations, such as “Password1234”, “Password123$” “Password1234!”, were also used by hundreds of other accounts.
Another concern revealed by the audit was the lack of multi-factor authentication (MFA) to bolster account security. Nearly 90% of high-value assets (HVAs) – which are are vital to agency operations – failed to implement the feature.
In the report following the audit, it was stated that should a threat actor gain access to the departments password hashes, they would have a similar success rate of that achieved by the auditors.
Alongside their success rate, other areas of concern highlighted in the report were “the large number of elevated privilege and senior government employee passwords we cracked, and the fact that most of the Department’s HVAs did not employ MFA.”
Another concern is that virtually all of the passwords complied with the departments requirements for strong passwords – a minimum of 12 characters with a mix of cases, digits and special characters.
As the audit shows, however, following these requirements doesn’t necessarily result is passwords that are hard to crack. Hackers usually work from lists of passwords that people commonly use, so they don’t have to brute force every single word to try and break them.
The report itself gave the example of the second most common password they found in the audit, “Br0nc0$2012”:
“Although this may appear to be a ‘stronger’ password, it is, in practice, very weak because it is based on a single dictionary word with common character replacements.”
The General Inspector also stated passwords were not changed every 60 days, as stipulated for their employees. However, such advice is not recommended by security experts today, as it only encourages users to generate weaker passwords in order to remember them more easily.
The NIST SP 800–63 Digital Identity Guidelines (opens in new tab) recommend using a string of random words in your passwords instead, as these are much harder to be cracked by computers.
What’s more, with the advent of password managers and their integrated password generators (there are also standalone versions), it is now easier than ever to create very strong and random passwords that take the trouble out of remembering them yourself.