Easy passwords like “Password 1 2 3 4.” Multiple people with the same password. Inactive user accounts not closed. One-factor authentication. No password expiration. Sounds like the average agency cybersecurity posture of, say, 1989. But no, that’s the Interior Department right now. To get the disturbing details, the Federal Drive with Tom Temin talked with Interior Inspector General Mark Lee Greenblatt.
Interview transcript:
Tom Temin
In this day and age when one might have presumed the password situation was cleaned up by agencies, what prompted you to look at Interior Department password policies and practices?
Mark Lee Greenblatt
Well, we have a robust IT audit team that has developed a strong track record of probing the Department of the Interior’s infrastructure with respect to IT. And this particular review started with our efforts a couple of years ago to look at Wi-Fi networks. And the ease with which we were able to crack into passwords related to the Wi-Fi networks in the Department led us to think, hey, maybe there’s a bigger problem with passwords here. And so we developed this mechanism to explore the password complexity requirements inside the department.
Tom Temin
And just briefly, to the extent that you can describe the methodology, how did you crack passwords and find out that people were using, in a widespread manner, pretty weak passwords?
Mark Lee Greenblatt
Well, this is a fascinating question. And I love that our team was able to come up with this. But this is what is really happening out in the world with malicious actors. So they replicated what hackers are trying to do: for less than $15,000, they put together a system that was specifically designed to crack password hashes. So what happens is when you and I put in a password, the system that we use tracks that as a 30 or more digit number. It’s not the actual text that you and I put in. And our system was able to, they commonly used words, they use dictionaries of different languages, they use the U.S. government terminology. And put this all into this system, pop culture references as well. And then they were able to crack the hashes, using all of these different words and different combinations. And the algorithms that they use were pretty remarkable.
Tom Temin
Wow. And just give us a survey of the top line results. Because there are individual issues and then there are enterprise issues, from the way I look at it.
Mark Lee Greenblatt
That’s exactly right. So first of all, we cracked more than 18,000 passwords for user accounts in the department; there are about 70,000 department employees. And so we cracked 21% or so of the department employees’ passwords. There were 288 accounts that we cracked whose passwords were for elevated privileges, which means administrators, these are folks who can go behind the scenes into the systems, those are really sensitive passwords there. As well as 362 senior government employee accounts. So that’s some of the top line figures. But some of the other stuff that we were talking about before, in what you used in your intro, we found that one in 21 passwords used the word password. In fact, the number one password that we found was Password-1234. And there were nearly 500 accounts with that. And then in the top four, you also had Password123$, Password1234. I mean, hundreds and hundreds of accounts like that. We also had in the top 10, Password1234!, you get my drift here. So we’re seeing a lot of those same types of reliance on easy things. But that’s exactly what the malicious actors want. That’s one of the problems that we’re trying to identify with this report.
Tom Temin
We’re speaking with Mark Lee Greenblatt, Inspector General of the Interior Department. And did you look at what their policy is for passwords? They must have a better policy than, perhaps, the widespread practice.
Mark Lee Greenblatt
Well, that was something that was disconcerting, is that 99.99% of the passwords that we hacked were compliant with the policy. So that’s one of the big problems here that we found, was that the password complexity requirements are no longer adequate. And this is where we get to the bigger, more systemic issues that you were flagging earlier, Tom, that we need to make more robust policy requirements. For example, this reliance on passwords that are incredibly complicated, where you have these symbols and they’re impossible to remember. Those are outdated. And we need to modernize. And the new best practice out in the field right now is using passphrases. So this is four words, random words, say, that are combined. And there’s a much greater difficulty for a hacker to read your mind about four random words in your brain, as opposed to Password1234. And so that’s where the modern best practices are gravitating towards. And that’s what we’re trying to urge the department to move toward: passphrases, not passwords.
Tom Temin
And then there’s the issue of more than one-factor authentication to begin with.
Mark Lee Greenblatt
That’s exactly right. That was another big problem that we found with respect to the department’s policies here. We found that 89% of the high value assets, these are the sensitive data sets and sensitive computer systems, had not implemented what’s called multifactor authentication. And this is what you’re talking about, Tom. So there are two kinds, there’s single-factor authentication and multifactor authentication. And so we are trying to move the department, and the rest of the federal government, towards MFA, multifactor authentication. What that is, is using at least two factors to access a computer system. And there are basically three big buckets. One is something that the user knows, which is like a password or a PIN number. Something that the user has, like a PIV card or a token. And something that the user is, like a biometric measure, which is like fingerprints or retinal patterns. And so a multifactor authentication would use two or more of those buckets. Right now, using just passwords, we’re seeing now is just not sufficient to protect these systems.
Tom Temin
And there’s even newer ways for the backup types of questions and challenges, because people can all put in, where were you born, everyone can write in New York. But now a lot of agencies are using third-party data services that the individual, whether they know it or not, is enrolled in. And therefore if you were actually born in Podunk, the system knows that. So if you try to make your challenge question New York, it won’t work. So it’s kind of a living way of challenge questions.
Mark Lee Greenblatt
Certainly, that would add value, if we can make these systems more complex and more robust. Because malicious actors are certainly dedicating more resources than we did. We put in less than $15,000. There are other folks using much more sophisticated means, just as you’re describing.
Tom Temin
I imagine this might have been a triggering type of report, to use a modern parlance, for the Interior Department. Because there’s a history there. I mean, within my memory of following the Interior Department, they have been under court-ordered data system shutdowns and internet disconnections, at one time, because of security practices. So what was the reaction?
Mark Lee Greenblatt
Well, we have a good, constructive, appropriate relationship with the department. They have taken this very seriously, along with our other reports. I am heartened; I had a specific conversation with the CIO, the Chief Information Officer here. Very healthy, very constructive conversation with him and very senior leaders here in the department. I think they are taking this very seriously. And I’m gratified by that. Ultimately, we are trying to help the department be more robust. And I think this response is going to, hopefully, effectuate that and make the computer systems more robust, more resilient against hacking attacks.
Tom Temin
So really, then, it is at this point up to the CIO staff and the tech staff to establish a new password policy. And is that something, do you feel, that they can promulgate quickly? And then within a couple of weeks, everybody has to have new passwords, or you can’t get your work done?
Mark Lee Greenblatt
Yeah, well, that’s a question for them, in terms of timing. I expect that they will be moving quickly. The bigger issue, frankly, I think, is probably not so much the password, but implementing the multifactor authentication. That could take time, because we have some systems here that are older. And that can’t do that sort of thing very easily. Again, this is a question for the CIO and senior leadership. But I think their hearts and minds are in the right place, trying to solve this system. But I don’t want to speak for them, in terms of their planning and how they’re going to attack it. But my sense is, from my conversations with them, that they are moving, hopefully, moving in the right direction.
Tom Temin
I think that clicking sound I hear is a technology modernization fund application. One way to get there a little bit quicker. And by the way, do you have the sense that this could be something governmentwide?
Mark Lee Greenblatt
Absolutely. The Department of the Interior employees, I think, are very similar to other federal government employees, in the sense of how they’re using the passwords in their daily lives. I think they’re no different from the rest of the federal government. And in fact, I would argue this is very similar to the rest of our society. And so I think this is tapping into a larger issue, not only in the federal government, but in our society. We have to change the way we view passwords and shift away from these crazy concoctions that we have, with the word password and the special characters, which are absolutely impossible to remember. And shift into passphrases. That really is the societal shift that we need. And that includes the federal government as well, to answer your question. But I think it’s actually much bigger than just the government itself.
Copyright © 2024 Federal News Network. All rights reserved.
Tom Temin is host of the Federal Drive and has been providing insight on federal technology and management issues for more than 30 years.