A fifth of the passwords used by federal agencies was compromised during a security audit

January 11, 2023 By Raulf Hernes

(Image Credit Google)

According to a recently published security audit of the US Department of the Interior, more than a fifth of the passwords designed to protect network accounts at the agency—including Password1234, Password1234!, and ChangeItN0w!—were vulnerable enough to be cracked using standard methods. The audit was carried out by the department's Inspector General, who gained cryptographic hashes for 85,944 employees' active directory (AD) accounts. Auditors then used a list of over 1.5 billion words, which included:

Multiple-language dictionaries
The terminology used by the US government
Pop culture references
Password lists made public from previous data breaches in both the public and private sectors
Common keyboard layouts (for example, "qwerty").

The findings were not encouraging. Overall, the auditors cracked 18,174 (or 21% of the 85,944 cryptographic hashes tested); 288 of the affected accounts had elevated privileges, and 362 belonged to senior government employees. Auditors cracked the hashes for 16% of the department's user accounts in the first three hours of testing. [caption id="attachment_68502" align="aligncenter" width="1200"] Secure Your Passwords

Image credit: canva[/caption] An audit found that the US Department of Health and Human Services failed to perform multi-factor authentication (MFA) for more than 90% of its high-value assets. The failure affected 25 (89 percent) of the agency's 28 high-value assets. These assets "have the ability to significantly impact agency operations" if they are breached. The audit's findings were previously reported by TechCrunch. According to the publication, auditors spent below $15,000 to build a password-cracking rig. It went on to quote a department representative: The vast majority (99.99 percent) of passwords cracked by auditors met the department's password complexity requirements, which require a minimum of 12 characters and at least three of four character types (uppercase, lowercase, digits, and special characters). The audit confirmed what Ars has been telling for nearly a decade: such guidelines are typically meaningless. [caption id="attachment_66960" align="aligncenter" width="1200"]

Image - canva[/caption] This is because the guides presume attackers will use brute force methods, which involve methodically trying every possible combination in alphanumeric order. It is far more common for attackers to use publicly available lists of previously cracked passwords. The most commonly used password was Password-1234, whereas Br0nc0$2012 was observed to be "very weak". Ars has long advocated for the use of a password manager to generate and store random passwords.

By Raulf Hernes

If you ask me raulf means ALL ABOUT TECH!!

A fifth of the passwords used by federal agencies was compromised during a security audit

Walmart's GenAI Search Engine: Challenging Google's Dominance in Retail Search

Introducing the MSI Claw Handheld: Your Ultimate Gaming Companion

Uber Increases In-App Ads, Prompting Mixed Reactions from Customers

Apple's iOS 18: A Leap into the AI Era

Google's Regular Pixel 8 Won't Get Gemini Nano AI

MacBook Air M3 Makes Amends for M2's Storage Blunder

Samsung Unveils the Galaxy M15 5G

Elon Musk's xAI to Open-Source Chatbot Grok

Contra: Operation Galuga - A Modern Run-and-Gun Classic

Musk Confirms X's TV App Arrives This Week

Tech Titan Elon Musk Unveils XMail, Challenging Gmail's Dominance

WhatsApp Stories Get a Makeover: Easier to Catch Up with Friends' Updates!

Cash App Heats Savings Game with 4.5% APY, But Watch the Catches!

Shazam Gets Mind-Reading Headphones?

Artisse AI raises $6.7 million for its 'more realistic' AI photography app.

How to search the web with ChatGPT?