21% of US Dept. of Interior Passwords Crackable

Inspection by US Dept. of Interior reveals 21% of 85,944 passwords used by employees could be cracked. ‘Password1234’ used by 479 accounts.

21% of US Dept. of Interior Passwords Crackable

According to an internal audit, 16% of passwords used by Dept of the Interior staff could be cracked in less than 90 minutes. Photo credit: Adobe Stock

The U.S. Department of the Interior is to be applauded for the transparency it has demonstrated for publishing its report on January 3,2023, entitled “P@s$w0rds at the U.S. Department of the Interior: Easily Cracked Passwords, Lack of Multifactor Authentication, and Other Failures Put Critical DOI Systems at Risk.”

The report and accompanying remediation recommendations, follows an inspection and reveals problems with department employees using passwords found on breached password lists available on the internet, the use of single-factor authentication, and inactive accounts not being disabled.

During the inspection 18,174 (21%) of 85,944 active user passwords were able to be cracked, with 16% in the first 90 minutes. This included 288 accounts with elevated privileges and 362 accounts of senior U.S. Government employees. Furthermore, password complexity requirements were found to be ‘outdated and ineffective’, with 4.75% of passwords being based on the word ‘password’. With no rules preventing unrelated staff using the same weak password, it was discovered that 478 active accounts used ‘Password-1234’.

This report comes hot on the heels of new updated guidelines from the National Institute of Standards and Technology (NIST – Part of the Department of Commerce) which has drafted updated guidelines to help the U.S. combat fraud and cybercrime. NIST is widely regarded as having set out the worldwide gold standard for password management and its new “Digital Identity Guidelines” are intended to support the administration’s governmentwide efforts to ‘strengthen identity verification for government systems used by the American public while balancing privacy, equity and accessibility’. The update includes detail on the use of biometric information for identity proofing, as well as authentication methods that are more resistant to phishing attacks, and recommendations for sharing and exchanging identity information between different systems.

The eight-point improvement plan detailed within the Department of the Interior report, advises that NIST regulations (notably NIST SP 800–63 and NIST SP 800–53) be adhered to, and would be valuable reading for any organization questioning how well they are protected from phishing, other forms of attack and data breach.Steven Hope

In publishing this report the U.S. Government is shining a light on the problems that face other public sector organizations, large enterprises and small businesses around the world in managing passwords and administering appropriate levels of multi-factor authentication.

In fact, you can begin your journey today,  by discovering  the breach status of your organization, with a confidential Password Security Report from Authlogics (an Intercede Group Company). This report will identify users with weak and non-compliant passwords; the extent to which compromised passwords are being shared with third-party websites and organizations, and accounts sharing the same password. Furthermore, experts are available to help facilitate the necessary improvements from passwords to PKI and all points in between.

Steven Hope is Product Director, MFA at Intercede.

 

If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our FREE digital newsletters!

About the Author

Contact:

Jason Knott is Chief Content Officer for Emerald Expositions Connected Brands. Jason has covered low-voltage electronics as an editor since 1990, serving as editor and publisher of Security Sales & Integration. He joined CE Pro in 2000 and serves as Editor-in-Chief of that brand. He served as chairman of the Security Industry Association’s Education Committee from 2000-2004 and sat on the board of that association from 1998-2002. He is also a former board member of the Alarm Industry Research and Educational Foundation. He has been a member of the CEDIA Business Working Group since 2010. Jason graduated from the University of Southern California. Have a suggestion or a topic you want to read more about? Email Jason at [email protected]

Security Is Our Business, Too

For professionals who recommend, buy and install all types of electronic security equipment, a free subscription to Commercial Integrator + Security Sales & Integration is like having a consultant on call. You’ll find an ideal balance of technology and business coverage, with installation tips and techniques for products and updates on how to add to your bottom line.

A FREE subscription to the top resource for security and integration industry will prove to be invaluable.

Subscribe Today!

Leave a Reply

Your email address will not be published. Required fields are marked *

Get Our Newsletters