
One-Fifth of Passwords Used by Federal Agencies Cracked During Security Audit


More than a fifth of the passwords protecting network accounts at the US Department of the Interior – including Password1234, Password1234! and ChangeItN0w! – were weak enough to be cracked using standard methods, according to a recently released security audit by the agency.

The audit was conducted by the department’s inspector general, who obtained cryptographic hashes for 85,944 employee Active Directory (AD) accounts. The examiners then used a list of more than 1.5 billion words, including:

  • Dictionaries from several languages
  • US Government Terminology
  • Pop culture references
  • Publicly available password lists collected from past data breaches in the public and private sectors
  • Common keyboard patterns (e.g. “qwerty”).

The results were not encouraging. Overall, the examiners cracked 18,174, or 21 percent, of the 85,944 cryptographic hashes they tested. Of the affected accounts, 288 had elevated privileges and 362 belonged to senior government officials. In the first 90 minutes of the test, auditors cracked the hashes for 16 percent of the department’s user accounts.

The audit uncovered another security flaw: the failure to consistently implement multi-factor authentication (MFA). The lapse extended to 25, or 89 percent, of 28 high-value assets (HVAs), which, if breached, have the potential to seriously affect the agency’s operations.

“It is likely that if a well-equipped attacker were to capture department AD password hashes, the attacker would have had a similar success rate as ours in cracking the hashes,” the final inspection report reads. “The significance of our findings regarding the Department’s poor password management is underscored given our high success rate in cracking password hashes, the large number of elevated passwords and high-level government officials we cracked, and the fact that most of the Department’s HVAs have not used MFA, even more so.”

The most commonly used passwords, followed by the number of users, were:

  • Password-1234 | 478
  • Br0nc0$2012 | 389
  • Password123$ | 318
  • Password1234 | 274
  • Somm3rSo2020! | 191
  • 0rlando_0000 | 160
  • Password1234! | 150
  • ChangeIt123 | 140
  • 1234Password$ | 138
  • ChangeItN0w! | 130

TechCrunch earlier reported the results of the audit. According to the publication, reviewers spent less than $15,000 building a password-cracking rig. Citing a department representative, it said:

“The setup we used consists of two rigs, each with 8 GPUs (16 total) and a management console. The rigs themselves run several open source containers where we can invoke 2, 4 or 8 GPUs and assign them tasks from the open source work distribution console. Using 2nd and 3rd generation GPUs behind currently available products, we achieved pre-fieldwork combined NTLM benchmarks of 240 GHs testing NTLM over 12 character masks and 25.6 GHs over 10 GB dictionary and a 3 MB rules file. Actual speeds varied across multiple test configurations during engagement.”

The vast majority (99.99 percent) of the passwords cracked by the examiners met the department’s password complexity requirements, which mandate at least 12 characters and at least three of four character types: uppercase letters, lowercase letters, digits, and special characters. The audit uncovered what Ars has been saying for nearly a decade: such policies are usually meaningless.

That’s because the guides assume attackers will use brute force methods, methodically trying every possible combination in alphanumeric order. Far more commonly, attackers use lists of previously cracked passwords available on the internet. Attackers then plug the lists into rigs containing dozens of super-fast GPUs that try each word in order of each string’s popularity.

“Although a password [such as Password-1234] meets the requirements, because it contains upper and lower case letters, digits and a special character, it is extremely easy to crack,” says the final report. “The second most used password was Br0nc0$2012. Although this may seem like a ‘stronger’ password, in practice it is very weak as it is based on a single dictionary word with common character substitutions.”

The report noted that the NIST SP 800-63 Digital Identity Guidelines recommend long passphrases made up of multiple unrelated words, because they are more difficult for a computer to crack. Ars has long recommended using a password manager to create and store random passphrases.
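The gap the report describes, as an added example that is not from the audit or the article: the department's complexity rule checked next to a blocklist screen that strips dictionary words (with common substitutions) and looks at what is left. The word list, the substitution table and the passphrase in the sample are constructed for illustration.

```python
import re

# Common character substitutions a cracking rule set would also try.
SUBS = {"a": "a@4", "e": "e3", "i": "i1!", "o": "o0", "s": "s$5", "t": "t7"}

# Constructed stand-in for a real dictionary / breached-password list.
BASE_WORDS = ["password", "orlando", "bronco", "change", "now", "it"]

def meets_complexity(pw):
    """Policy from the article: >= 12 chars and 3 of 4 character classes."""
    classes = [
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return len(pw) >= 12 and sum(classes) >= 3

def word_pattern(word):
    """Regex matching `word` with any of the substitutions in SUBS."""
    return re.compile(
        "".join("[" + re.escape(SUBS.get(ch, ch)) + "]" for ch in word),
        re.IGNORECASE,
    )

# Longest words first so "change" is removed before the shorter "it".
PATTERNS = [word_pattern(w) for w in sorted(BASE_WORDS, key=len, reverse=True)]

def is_dictionary_based(pw):
    """True if pw is only listed words (with substitutions) plus digits/symbols."""
    rest, hits = pw, 0
    for pat in PATTERNS:
        rest, n = pat.subn("", rest)
        hits += n
    return hits > 0 and not any(c.isalpha() for c in rest)

def audit(passwords):
    """Map each password to (passes policy, caught by blocklist screen)."""
    return {pw: (meets_complexity(pw), is_dictionary_based(pw)) for pw in passwords}

if __name__ == "__main__":
    sample = ["Password-1234", "0rlando_0000", "ChangeItN0w!", "1234Password$",
              "velvet-anchor-thimble-quarry"]  # last entry is constructed
    for pw, (policy_ok, flagged) in audit(sample).items():
        print(f"{pw:30} policy={policy_ok!s:5} blocklist_flag={flagged}")
```

The passwords from the article's list pass the complexity rule and are caught by the screen, while the constructed four-word passphrase is rejected by the complexity rule for having only two character types.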

Unfortunately, you can’t even count on the department’s inspector general for rock-solid password advice. The auditors criticized the department for not changing passwords every 60 days as required. Many government and corporate policies continue to mandate such changes, although most password security experts have concluded that they only encourage weak password choices. The better advice is to use a strong, randomly generated password that is unique to each account and only change it if there is reason to believe it has been compromised.