SECURITY AUDIT EASILY CRACKS OVER 20% OF ALL FEDERAL AGENCY PASSWORDS
The US Department of the Interior has some serious egg on its face this week. Over 20% of all the password protecting network accounts there were so weak, a security audit cracked them using fairly standard methods. This news comes from a recently published account of the incredibly embarrassing audit this week. The Department of the Interior’s Inspector General ran the audit, and among some of the more common passwords the audit cracked included Password1234, Password 1234! And ChangeItNOw!. If you’ve even worked anywhere you needed to use a password, you know this is insanely worrisome news.
SECURITY AUDIT COVERED 85,944 FEDERAL EMPLOYEE ACCOUNTS, CRACKED 18,174 OF THEM
The security audit was performed on the active accounts of 85,944 department employees. The auditors used a list of more than 1.5 billion words that included Dictionaries from multiple languages, US government terminology, Pop culture references, Publicly available password lists harvested from past data breaches across both public and private sectors, and lastly Common keyboard patterns (e.g., “qwerty”). This list seems comprehensive, but the results proved just how standard the security audit was. It cracked 18,174 accounts, or 21% of the total in the audit.
16% OF THE ACCOUNTS WERE CRACKED IN THE FIRST 90 MINUTES OF SECURITY OF AUDIT
Even worse is he news that 288 of the affected accounts had “elevated privileges,” and 362 were from “senior government employees.” And 16% of the cracked accounts happened in the first 90 minutes of the security audit. And then there’s the fact that 90% of high value assets, if breached, had the potential to severely impact agency operations. And how much did the security audit spend on setting up its password-cracking operation? A total of $15,000. And yes, this means that the security audit was incredibly successful. It ran an operation that you or I could have run ourselves, even as amateurs.
Let’s hope the password guidelines at the United States Federal Government get updated immediately, hmmmm?