According to a recently published security audit of the US Department of the Interior, more than a fifth of the passwords designed to protect network accounts at the agency—including Password1234, Password1234!, and ChangeItN0w!—were vulnerable enough to be cracked using standard methods.
The audit was carried out by the department’s Inspector General, who obtained the cryptographic hashes for 85,944 employees’ Active Directory (AD) accounts. Auditors then used a list of over 1.5 billion words, which included:
- Multiple-language dictionaries
- The terminology used by the US government
- Pop culture references
- Password lists made public from previous data breaches in both the public and private sectors
- Common keyboard layouts (for example, “qwerty”).
The findings were not encouraging. Overall, the auditors cracked 18,174 (21%) of the 85,944 cryptographic hashes tested; 288 of the affected accounts had elevated privileges, and 362 belonged to senior government employees. Auditors cracked the hashes for 16% of the department’s user accounts in the first three hours of testing.
An audit found that the US Department of Health and Human Services failed to enforce multi-factor authentication (MFA) on more than 90% of its high-value assets. The failure affected 25 (89 percent) of the agency’s 28 high-value assets. These assets “have the ability to significantly impact agency operations” if they are breached.
The audit’s findings were previously reported by TechCrunch. According to the publication, auditors spent less than $15,000 to build a password-cracking rig. It went on to quote a department representative:
The vast majority (99.99 percent) of passwords cracked by auditors met the department’s password complexity requirements, which require a minimum of 12 characters and at least three of four character types (uppercase, lowercase, digits, and special characters). The audit confirmed what Ars has been saying for nearly a decade: such guidelines are typically meaningless.
This is because the guidelines assume attackers will use brute-force methods, which involve methodically trying every possible combination in alphanumeric order. It is far more common for attackers to use publicly available lists of previously cracked passwords.
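An added example (not code from the audit or from Ars) of the defensive point: a password filter that applies the complexity rule the audit describes and then also rejects passwords that are only a mangled dictionary word. The blocklist, the suffix pattern and the substitution table are constructed for illustration; a real deployment would load a large breached-password list.

```python
import re
import string

# Complexity rule as the audit describes it: at least 12 characters and at
# least three of the four character classes (upper, lower, digit, special).
def meets_complexity(pw: str, min_len: int = 12, min_classes: int = 3) -> bool:
    classes = (
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    return len(pw) >= min_len and sum(classes) >= min_classes

# Constructed stand-in for a breached-password / dictionary list. A real
# deployment would load something like the 1.5 billion words the auditors
# used; this toy set exists only so the example runs offline.
BLOCKLIST = {"password", "changeitnow", "broncos", "qwerty", "welcome"}

# Cosmetic substitutions that let a dictionary word satisfy the class rule
# (constructed table; real filters use a much longer one).
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "$": "s", "@": "a"})
_SUFFIX = re.compile(r"[0-9!?.#*_-]+$")   # trailing '1234', '2012', '!', '-'

def normalize(pw: str) -> str:
    """Reduce a password to the dictionary word it was built from."""
    base = _SUFFIX.sub("", pw.lower())    # drop appended digits/punctuation
    return base.translate(_LEET)          # undo digit-for-letter swaps

def check_password(pw: str) -> tuple[bool, str]:
    """Return (accepted, reason). Passing the complexity rule is not enough."""
    word = normalize(pw)
    if pw.lower() in BLOCKLIST or word in BLOCKLIST:
        return False, f"derived from blocklisted word '{word}'"
    if not meets_complexity(pw):
        return False, "fails complexity rule"
    return True, "ok"

if __name__ == "__main__":
    # Passwords named in the audit plus one randomly generated string.
    for candidate in ("Password1234!", "ChangeItN0w!", "Br0nc0$2012",
                      "Password-1234", "x7Gq$9vLp2Rt"):
        print(f"{candidate:15} complexity={meets_complexity(candidate)!s:5} "
              f"-> {check_password(candidate)}")
```

Every audit-named password above satisfies the 12-character, three-class rule or misses it only on length, yet each normalizes to a blocklisted word; only the random string is accepted.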
The most commonly used password was Password-1234; the audit also singled out Br0nc0$2012 as “very weak”. Ars has long advocated the use of a password manager to generate and store random passwords.