
A fifth of passwords used by federal agency cracked in security audit

Biz & IT
Jan 2023




More than a fifth of the passwords protecting network accounts at the US Department of the Interior--including Password1234, Password1234!, and ChangeItN0w!--were weak enough to be cracked using standard methods, a recently published security audit of the agency found.
The audit was performed by the department's inspector general, which obtained the password hashes for 85,944 employee Active Directory (AD) accounts. Auditors then used a list of more than 1.5 billion words that included:
Dictionaries from multiple languages
US government terminology
Pop culture references
Publicly available password lists harvested from past data breaches across both public and private sectors
Common keyboard patterns (e.g., "qwerty")
The results weren't encouraging. In all, the auditors cracked 18,174--or 21 percent--of the 85,944 cryptographic hashes they tested; 288 of the affected accounts had elevated privileges, and 362 of them belonged to senior government employees. In the first 90 minutes of testing, auditors cracked the hashes for 16 percent of the department's user accounts.
The audit uncovered another security weakness--the failure to consistently implement multi-factor authentication (MFA). The failure extended to 25--or 89 percent--of 28 high-value assets (HVAs), which, when breached, have the potential to severely impact agency operations.
"It is likely that if a well-resourced attacker were to capture Department AD password hashes, the attacker would have achieved a success rate similar to ours in cracking the hashes," the final inspection report stated. "The significance of our findings regarding the Department's poor password management is magnified given our high success rate cracking password hashes, the large number of elevated privilege and senior government employee passwords we cracked, and the fact that most of the Department's HVAs did not employ MFA."
The most commonly used passwords, followed by the number of users, were:
Password | Users
Password-1234 | 478
Br0nc0$2012 | 389
Password123$ | 318
Password1234 | 274
Summ3rSun2020! | 191
0rlando_0000 | 160
Password1234! | 150
ChangeIt123 | 140
1234password$ | 138
ChangeItN0w! | 130
TechCrunch reported the results of the audit earlier. The publication said auditors spent less than $15,000 building a password-cracking rig. Quoting a department representative, it continued:
The setup we use consists of two rigs with 8 GPUs each (16 total), and a management console. The rigs themselves run multiple open source containers where we can bring up 2, 4, or 8 GPUs and assign them tasks from the open source work distribution console. Using GPUs 2 and 3 generations behind currently available products, we achieved pre-fieldwork NTLM combined benchmarks of 240 GH/s testing NTLM via 12 character masks, and 25.6 GH/s via a 10GB dictionary and a 3MB rules file. Actual speeds varied across multiple test configurations during the engagement.
The vast majority--99.99 percent--of passwords cracked by the auditors complied with the department's password complexity requirements, which mandate a minimum of 12 characters and at least three of four character types (uppercase, lowercase, digits, and special characters). The audit bears out what Ars has been saying for almost a decade: composition rules like these do little on their own, because a dictionary word with a capital letter, a couple of leet substitutions, and a year or a symbol tacked on the end satisfies them and still falls to a rule-based attack in seconds.
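To make the methodology concrete, here is an added example (not code from the report, the auditors, or Ars) that mimics the audit in miniature. It computes NTLM hashes (unsalted MD4 over the UTF-16LE password, the format Active Directory stores), runs a small hashcat-style mangling pass (case changes, single leet substitutions, digit prefixes, year/digit/symbol suffixes) over a six-entry wordlist, and checks each recovered password against the department's complexity rule as the article states it. The target hashes are derived inline from the article's top-10 list, standing in for a dumped NTDS.dit; the wordlist, rule set, policy check and MD4 helper are this example's own assumptions.

```python
import struct
from itertools import product

MASK = 0xFFFFFFFF


def _md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib often lacks md4 on OpenSSL 3 builds."""
    rot = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    bitlen = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bitlen)
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = h
        for i in range(16):  # round 1: F, message words in order
            a = rot((a + F(b, c, d) + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: G, words 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a = rot((a + G(b, c, d) + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):
            a = rot((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def ntlm(password: str) -> str:
    """NT hash as stored in AD: MD4 of the UTF-16LE password, no salt, no iteration."""
    return _md4(password.encode("utf-16-le")).hex()


def doi_policy_compliant(pw: str) -> bool:
    """The department's rule as the article summarizes it: 12+ chars, 3 of 4 classes."""
    classes = [any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return len(pw) >= 12 and sum(classes) >= 3


# Toy rule set (this example's own, a tiny subset of what a real rules file does).
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
DIGITS = ["123", "1234", "0000"] + [str(y) for y in range(2012, 2022)]
SUFFIXES = {""} | {"!", "$"} | {sep + d + sym for sep in ("", "-", "_", "$")
                                  for d in DIGITS for sym in ("", "!", "$")}
PREFIXES = ("", "1234")


def mangle(phrase: str):
    """Yield hashcat-style mangles of one wordlist entry: case, leet, prefix/suffix."""
    words = phrase.split()
    joined = "".join(words)
    bases = {joined.lower(), joined.upper(), "".join(w.capitalize() for w in words)}
    leet = set()
    for b in bases:
        leet.add(b)
        leet.update(b.replace(ch, sub) for ch, sub in LEET.items())
    for b, pre, suf in product(leet, PREFIXES, SUFFIXES):
        yield pre + b + suf


def crack(hashes: set, wordlist) -> dict:
    """Dictionary + rules attack: hash every candidate and look it up in the target set."""
    found = {}
    for phrase in wordlist:
        for cand in mangle(phrase):
            h = ntlm(cand)
            if h in hashes and h not in found:
                found[h] = cand
    return found


# Constructed inputs: the article's top-10 list as "dumped" hashes, and a six-word list.
TOP10 = ["Password-1234", "Br0nc0$2012", "Password123$", "Password1234", "Summ3rSun2020!",
         "0rlando_0000", "Password1234!", "ChangeIt123", "1234password$", "ChangeItN0w!"]
WORDLIST = ["password", "bronco", "summer sun", "change it", "change it now", "orlando"]


def audit(plaintexts=TOP10, wordlist=WORDLIST) -> dict:
    """Crack the hashes, then map each recovered password to its policy compliance."""
    targets = {ntlm(p) for p in plaintexts}
    cracked = crack(targets, wordlist)
    return {pw: doi_policy_compliant(pw) for pw in cracked.values()}


if __name__ == "__main__":
    for pw, ok in audit().items():
        print(f"{pw:16} policy-compliant={ok}")
```

Nine of the ten hashes fall to this handful of rules in a second or two of pure Python; 0rlando_0000 survives only because the toy leet rule swaps every o rather than just the first, which a position-aware rule set would cover. Note also that two of the recovered passwords, Br0nc0$2012 and ChangeIt123, are 11 characters long and so fail the 12-character minimum as the article states it; the article's summary of the policy and the report's 99.99 percent figure therefore do not line up exactly for those entries, and the check above follows the article's wording.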

"Even though a password [such as Password-1234] meets requirements because it includes uppercase, lowercase, digits, and a special character, it is extremely easy to crack," the final report noted. "The second most frequently used password was Br0nc0$2012. Although this may appear to be a 'stronger' password, it is, in practice, very weak because it is based on a single dictionary word with common character replacements."
The report noted that NIST SP 800-63 Digital Identity Guidelines recommend long passphrases made up of multiple unrelated words because they're more difficult for a computer to crack. Ars has long recommended using a password manager to create random passphrases and store them.
