The US Department of the Interior (DOI) checked almost 86,000 US government passwords in an internal security audit. Over 18,000 were cracked, almost 14,000 of them within the first 90 minutes. Among the cracked passwords were those of 362 accounts belonging to senior officials.
It is a recurring media story that private users choose passwords that are far too simple, such as 12345 or Password123. What experts still find hard to believe is that the same passwords turn up inside the US government, and there is now evidence for it: the internal security audit of the US Department of the Interior (DOI) documents exactly that.
21 percent of almost 86,000 passwords easily cracked
In its inspection, the Department's Office of Inspector General (OIG) ran the password hashes of all 85,944 active accounts through a hash-cracking system that tries out millions of common password combinations. "Password-1234", for example, turned out to be in use on 478 accounts. The Department also failed to disable inactive (unused) accounts in a timely manner and did not enforce a maximum password age, leaving more than 6,000 additional active accounts exposed to attack.
The inspection further found that the Department's administrative practices and password complexity requirements were not sufficient to prevent unauthorized access to its systems and data. In the course of the inspection, 18,174 of the 85,944 active user passwords (21 percent) were cracked, including those of 288 accounts with elevated privileges and 362 accounts held by senior government officials. Almost 14,000 of the 18,174 passwords fell within the first 90 minutes.
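To show why a wordlist-plus-rules attack clears 14,000 accounts in 90 minutes, here is an added example (not code from the OIG report or from the Department). It is a small dictionary attack against a constructed dump of unsalted password hashes. Assumptions: the sample accounts, wordlist and mangling rules are invented for illustration, and SHA-1 stands in for the NTLM hash that Windows domain accounts actually use, since the attack logic is the same for any fast, unsalted hash.

```python
import hashlib
from collections import Counter


def pw_hash(password: str) -> str:
    """Unsalted, fast hash standing in for NTLM (assumption: NTLM is MD4 over
    UTF-16LE and is not always available in hashlib, so SHA-1 is used here).
    What matters for the attack is that there is no per-user salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed sample "dump": user -> hash. Plaintexts appear only so the
# example can build the dump offline; a real attacker starts from the hashes.
SAMPLE_PASSWORDS = {
    "alice": "Password-1234",
    "bob": "Password-1234",          # same password as alice
    "carol": "Summer2022!",
    "dave": "P@$$w0rd1",
    "erin": "xK9#vQ2!mL7&zR4@",      # random; should survive
    "admin-svc": "Welcome123",
}
HASH_DUMP = {user: pw_hash(pw) for user, pw in SAMPLE_PASSWORDS.items()}

# Tiny wordlist and mangling rules in the style of hashcat/JtR rule files
# (assumption: real runs use million-entry lists and far larger rule sets).
BASE_WORDS = ["password", "welcome", "summer", "interior", "sunshine"]
SUFFIXES = ["", "1", "123", "1234", "-1234", "!", "2022", "2022!", "#1"]
LEET = str.maketrans({"a": "@", "s": "$", "o": "0", "e": "3", "i": "1"})


def mangle(word: str):
    """Yield candidate passwords derived from one base word."""
    forms = {word, word.capitalize(), word.upper()}
    forms |= {f.translate(LEET) for f in list(forms)}   # leetspeak variants
    for form in sorted(forms):
        for suffix in SUFFIXES:
            yield form + suffix


def crack(hash_by_user: dict, words=BASE_WORDS):
    """Dictionary + rules attack. Returns (user -> recovered password, attempts).

    Because the hashes are unsalted, each candidate is hashed once and looked
    up against *every* account at the same time: cracking 85,944 accounts
    costs the same number of hash operations as cracking one.
    """
    users_by_hash = {}
    for user, h in hash_by_user.items():
        users_by_hash.setdefault(h, []).append(user)

    cracked, tried, attempts = {}, set(), 0
    for word in words:
        for candidate in mangle(word):
            if candidate in tried:
                continue
            tried.add(candidate)
            attempts += 1
            for user in users_by_hash.get(pw_hash(candidate), []):
                cracked[user] = candidate
    return cracked, attempts


def reuse_report(cracked: dict) -> Counter:
    """How many accounts share each recovered password (cf. 478 x Password-1234)."""
    return Counter(cracked.values())


def summarize(hash_by_user: dict, cracked: dict) -> dict:
    total = len(hash_by_user)
    return {
        "total": total,
        "cracked": len(cracked),
        "percent": round(100.0 * len(cracked) / total, 1),
    }


if __name__ == "__main__":
    found, n = crack(HASH_DUMP)
    print(f"{n} candidates hashed, {len(found)}/{len(HASH_DUMP)} accounts cracked")
    for user, pw in sorted(found.items()):
        print(f"  {user:10s} {pw}")
    for pw, count in reuse_report(found).most_common():
        if count > 1:
            print(f"  shared by {count} accounts: {pw}")
```

A few hundred candidates recover five of the six constructed accounts, and the one random 16-character password is the only survivor. The inversion of the dump into a hash-to-users map is the point to notice: with unsalted hashes, the attacker's cost grows with the size of the wordlist, not with the number of accounts, which is why reuse such as 478 accounts on one password is found for free.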
Missing or unenforced multi-factor authentication
Multi-factor authentication (MFA) has in fact been required of federal agencies for nearly 20 years. The audit nevertheless found that the requirement had not been implemented. Particularly awkward: MFA was not consistently enforced on 89 percent (25 of 28) of the Department's high value assets (HVAs), i.e. the systems holding its most sensitive data. A breach of an HVA can significantly disrupt an agency's operations and result in the loss of sensitive data.
Security disabled for mobile use
For interactive logon, federal departments typically use a smart card plus PIN; in Active Directory this is enforced per account by the "Smart Card Required for Interactive Logon" (SCRIL) setting. Smart cards, however, cannot be used on mobile devices such as phones and tablets without additional reader hardware. According to the Department, it therefore does not enforce SCRIL for mobile use. The consequence: 94 percent of accounts (80,740 of 85,944) can be accessed with a password alone, without a second factor.
The OIG closes its report with recommendations to the Department, including:
- Prioritize implementation of PIV (Personal Identity Verification) cards or other Department-approved MFA methods that cannot be bypassed to allow single-factor authentication, for all applications.
- Develop and implement a process for tracking and validating the MFA status of all of the Department's information systems.
Editor/sel
More at DOIOIG.gov