Even some of the largest federal agencies in the US are terrible with passwords

An audit of user accounts at the US Department of the Interior found that more than twenty percent of its passwords could be cracked because of weak password practices.

The auditors obtained the password hashes of nearly eighty-six thousand Active Directory (AD) accounts and cracked over eighteen thousand of them using fairly standard cracking methods. Most were cracked within the first ninety minutes.

Additionally, nearly three hundred of the cracked accounts belonged to senior employees, and just under three hundred had elevated privileges.

Easy guesses

To crack the hashes, the auditors used two rigs costing less than €15,000 in total, with 16 GPUs between them (some a few generations old), and worked from a list of more than a billion words likely to appear in the accounts' passwords.

These words included simple keyboard patterns like "qwerty," US government-related terminology, and references to popular culture. Passwords taken from publicly available lists of data breaches at public and private organizations were also used.

Among the most popular passwords was "Password-1234", used by almost 500 accounts; minor variations such as "Password1234", "Password123$" and "Password1234!" were used by hundreds of other accounts.

Another concern revealed by the audit was the lack of multi-factor authentication (MFA) to enhance account security. Nearly 90% of High Value Assets (HVAs), which are vital to agency operations, have not implemented this feature.

The post-audit report stated that if a threat actor were to obtain the department's password hashes, they could expect a success rate similar to the one the auditors achieved.

Beyond the success rate itself, other areas of concern highlighted in the report were "the large number of high-level officials' and high-privilege passwords we hacked, and the fact that most Department HVAs don't use MFA."

Another concern is that virtually all of the cracked passwords met the department's requirements for strong passwords: a minimum of 12 characters with a mix of upper- and lower-case letters, numbers, and special characters.

However, as the audit shows, meeting these requirements does not necessarily produce passwords that are hard to crack. Attackers usually work from lists of passwords people commonly use, applying simple mutation rules, rather than brute-forcing every possible combination.

The report itself gave the example of the second most common password found in the audit, "Br0nc0$2012":

"While this may seem like a 'more secure' password, in practice it is very weak because it is based on a single word from the dictionary with common character replacements."
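
The report's distinction between a policy-compliant password and a crackable one can be made mechanical. The following is an added illustration, not code from the article or the audit: it checks the department's composition rule alongside a screening test that flags passwords built from a single dictionary word with common character substitutions plus trailing digits or symbols. The small wordlist is a constructed stand-in for the auditors' billion-word list, and the substitution table is a simplified one (it maps 1 to l only).

```python
import re
from typing import Optional

# Constructed mini wordlist standing in for a real cracking dictionary.
WORDLIST = {"password", "bronco", "qwerty", "interior", "welcome",
            "correct", "horse", "battery"}

# Substitutions that rule-based cracking undoes in its first pass (simplified).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def meets_policy(pw: str) -> bool:
    """The department's composition rule: 12+ chars, upper, lower, digit, special."""
    return (len(pw) >= 12
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def decorated_word(pw: str) -> Optional[str]:
    """Return the dictionary word the password is built from, if every letter in
    the password belongs to one leet-decoded dictionary word and everything
    outside it is digits or symbols (the 'Br0nc0$2012' shape). Otherwise None."""
    n = len(pw)
    # Longest candidates first so 'password' wins over a shorter embedded word.
    for length in range(n, 3, -1):
        for start in range(0, n - length + 1):
            core = pw[start:start + length]
            rest = pw[:start] + pw[start + length:]
            if re.search(r"[A-Za-z]", rest):
                continue  # letters outside the core: not a single-word password
            word = core.translate(LEET).lower()
            if word in WORDLIST:
                return word
    return None


def assess(pw: str) -> dict:
    """Policy compliance and crackability are separate questions; report both."""
    word = decorated_word(pw)
    return {"meets_policy": meets_policy(pw), "base_word": word, "weak": word is not None}


if __name__ == "__main__":
    for candidate in ("Password-1234", "Br0nc0$2012", "Correct-Horse-Battery7"):
        print(candidate, assess(candidate))
```

A multi-word passphrase such as "Correct-Horse-Battery7" passes both checks, while the decorated single words fail the screening test regardless of how many character classes they contain.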

The Inspector General also noted that passwords were not being changed every 60 days, as the department's policy requires of its employees. Security experts no longer recommend forced periodic rotation, however, because it encourages users to pick weaker passwords that are easier to remember.

NIST SP 800-63 Digital Identity Guidelines recommends building passwords from a string of random words, which are far harder for computers to crack.

Moreover, with the advent of password managers and their built-in password generators (standalone generators exist too), it is now easier than ever to create very strong random passwords without having to remember them yourself.