Have you ever been challenged by a commercial web site for creating a password its algorithms deemed too weak? Of course, it’s happened to everyone. A cybersecurity grail for some time now has been elimination of passwords altogether. But, they persist.
Ergo, organizations enforce tough password rules.
Except at the Interior Department. An investigation by its Office of Inspector General found password policies and practices that would do justice to AOL circa 1989 when grandpa first got email to send church newsletter bloopers. The IG found scads of easy passwords like “password-1234.” Multiple people with the same password. No password expiration. Inactive user accounts not closed. One-factor authentication.
The skies above the nation seem alive with weird, vaguely menacing “objects” on which the Air Force can try out its hardware. They’d shoot down Herbie the Love Bug at this point. The situation makes passwords seem like a prosaic concern. In reality, an instance of department-wide cyber weakness is most definitely a non-trivial threat. And I’d bet money Interior is not the only department rife with crummy passwords.
In an interview, IG Mark Lee Greenblatt said his staff was able to crack 18,000 passwords of Interior’s 86,000 user accounts. Nearly 300 of the cracked passwords were associated with elevated privileges accounts. Nearly 400 belonged to senior executives. It’s a situation that’s both hilarious and totally unfunny. Sort of like solemn Washington figures talking about “Chinese balloons.”
The IG staff ran its test with cooperation from the department’s technical people. The latter provided hashed versions of every account password. The IG used a cracking technique called evil twin to obtain clear text versions of the passwords from the hashes. This is important because typing in the hash won’t let someone log on. But there are ways outsiders can get hashes, and discover a password itself. Or 18,000 passwords. The simpler the passwords, the faster the hashes crack.
Here’s how the IG did the analysis, in its words: “We built a system designed specifically to
crack password hashes using open-source software and a custom wordlist made up of
dictionaries from multiple languages, U.S. Government terminology, pop culture references, and publicly available password lists harvested from past data breaches across public and private sectors.” Basically, a refinement of the brute force method, which, if everyone had solid passwords, would take as long as the combined ages of Donald Trump and Joe Biden. This refinement of the brute force approach quickly floats bad passwords to the surface.
Interior found 15,000 passwords within an hour of launching its program.
The total cost was $15,000. And, man oh man, did Interior have bad passwords. The IG reported that 99.99 percent of Interior’s passwords met its complexity standard from 2016, namely, “a minimum length of 12 characters and contain at least 3 of 4 character types consisting of uppercase, lowercase, digits, and special characters.” But if people use common phrases with that rule, they still end up with weak passwords.
Password-1234 was Interior’s most popular password — and it meets the standard. Second most popular: Br0nc0$2012. Looks strong, but it’s a pushover for an open source guessing program. Don’t think you can get away with 1qaz2wsx#EDC either. It looks random but in reality it’s made up of a set of three, adjacent, diagonal columns of keys on a QWERTY keyboard. The open source cracker is a step ahead of you on that one, too.
I chuckled at the IG report title, P@s$w0rds at the U.S. Department of the Interior. Nearly 5% of Interior passwords were in fact made from the word “password.”
Even weak passwords can do if the agency also imposes multi-factor authentication. But, the IG found, Interior “allowed single-factor authentication (username and password) on
an indeterminate number of its applications.” The department’s CIO office, the IG found, lets bureaus self-report to the Office of Management and Budget on their multi-factor authentication, so no one knows how common it actually is.
The Interior Business Center, which handles financial services for many other agencies throughout the government, had the highest percentage of cracked passwords, at 63%. Yikes!
The Bureau of Indian Affairs had the highest percentage of senior employees cracked, at 42%. That’s surprising for an agency that once was ordered off the internet by a federal judge because of cybersecurity weakness.
I don’t know how Darren Ash, the CIO at Interior and to whom the IG report was addressed, reacted personally. The report made eight recommendations to strengthen password strength requirements and boost oversight. The department concurred with them all. Ash has only been on the job for three months. I think we can safely presume this will be a priority.
In the meantime, if, wherever you work, you use a weak password, nothing’s stopping you from making a new one. Balloon!overAlaskA23 won’t do.