More than one-fifth of the passwords protecting U.S. Department of the Interior network accounts (examples include Password1234, Password1234!, and ChangeItN0w!) are weak enough to be cracked using standard methods, according to a security audit the Department recently published.
The audit was performed by the Department’s Inspector General, who obtained cryptographic hashes for 85,944 employee Active Directory (AD) accounts. The auditors then ran the hashes against a list of more than 1.5 billion words, including:
- Dictionaries in multiple languages
- U.S. government terminology
- Pop culture references
- Publicly available password lists gleaned from past data breaches in both the public and private sectors
- Common keyboard patterns, such as “qwerty”
The results were not encouraging. Overall, the auditors cracked 18,174 (21%) of the 85,944 cryptographic hashes they tested. Of the affected accounts, 288 had elevated privileges and 362 belonged to government officials. In the first 90 minutes of testing, the auditors cracked the hashes for 16% of the department’s user accounts.
The audit revealed another security weakness: the Department does not consistently enforce multi-factor authentication (MFA). The gaps spanned 25 (89%) of the 28 high-value assets (HVAs), systems that, if compromised, could severely impact agency operations.
“If an attacker with sufficient resources had obtained the Department’s AD password hashes, they could have achieved similar success rates to ours in cracking the hashes,” the final inspection report states. “The significance of the Department of Defense’s findings on poor password management is the high success rate of cracking password hashes, the large number of elevated-privilege and senior civil servant passwords cracked, and the fact that most of its HVAs in the State Department have MFA. It’s even bigger when you consider the fact that we’re not hiring.”
The most commonly used passwords, with the number of accounts using each, were:

| Password | Accounts |
|---|---|
| Password-1234 | 478 |
| Br0nc0$2012 | 389 |
| Password123$ | 318 |
| Password1234 | 274 |
| Summ3rSun2020! | 191 |
| 0rlando_0000 | 160 |
| Password1234! | 150 |
| ChangeIt123 | 140 |
| 1234 password $ | 138 |
| ChangeItN0w! | 130 |
TechCrunch previously reported the results of the audit. According to the publication, the auditors spent less than $15,000 to build the password-cracking rig. Quoting a representative from the department, it continued:
Our setup consists of 2 rigs with 8 GPUs each (16 total) and a management console. The rigs themselves run multiple open source containers in which you can launch 2, 4 or 8 GPUs and assign tasks from the open source work distribution console. Before the engagement, using GPUs 2 and 3 generations behind currently available products, the setup achieved a combined NTLM benchmark of 240 GH testing NTLM via a 12-character mask and 25.6 GH via a 10 GB dictionary and 3 MB rules file. Actual speed varied across multiple test configurations during the engagement.
Nearly all (99.99%) of the passwords the auditors cracked complied with the department’s password complexity requirements, which mandated a minimum of 12 characters containing at least three of four character types: uppercase letters, lowercase letters, digits and special characters. The audit demonstrates what Ars has been saying for almost a decade: such guidelines are usually meaningless.
That is because such guidelines assume the attacker will use brute force, systematically trying every possible combination in alphanumeric order. It is far more common for attackers to use lists of previously cracked passwords available on the Internet, feeding the list into a rig of dozens of fast GPUs that try each candidate, in order of popularity, against every hash.
“Even though a password [such as Password-1234] contains uppercase letters, lowercase letters, numbers and special characters, and so meets our requirements, it is very easy to crack,” the final report notes. “The second most frequently used password was Br0nc0$2012. While this may look like a ‘stronger’ password, it is actually a single dictionary word containing common character substitutions. It’s very fragile because it’s based on”
The report points out that NIST’s SP 800-63 Digital Identity Guidelines recommend long passphrases made up of multiple unrelated words. Ars has long recommended using a password manager to create and store random passphrases.
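To make that point concrete, here is an added example (not from the audit, the Department or Ars) of a defender-side check in Python: the departmental complexity rule described in the audit beside a NIST SP 800-63B-style check that rejects breached values and passwords built from dictionary words dressed up with substitutions and digits. The word list, the breached list and the three-word threshold are constructed assumptions for illustration.

```python
import re
from typing import Optional

# Constructed stand-ins for the lists the auditors used: a breach-derived
# password list (seeded from the article's top-10 table) and a word list.
BREACHED = {"password1234", "password1234!", "changeitn0w!"}
WORDS = {"password", "broncos", "orlando", "summer", "sun", "change", "it", "now"}
# Single-character substitutions a cracking rules file routinely undoes.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "$": "s", "@": "a"})

def meets_doi_complexity(pw: str) -> bool:
    """The departmental rule from the audit: 12+ chars, 3 of 4 character classes."""
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(pw) >= 12 and sum(bool(re.search(c, pw)) for c in classes) >= 3

def letter_core(pw: str) -> str:
    """Drop a leading punctuation run and a trailing digits-then-punctuation run
    (years, '!', '$'), undo leet substitutions, then keep only the letters."""
    core = re.sub(r"^[^A-Za-z0-9]+|[0-9]*[^A-Za-z0-9]*$", "", pw.lower())
    return re.sub(r"[^a-z]", "", core.translate(LEET))

def min_words(s: str) -> Optional[int]:
    """Fewest dictionary words that exactly tile s, or None if it cannot be tiled."""
    best: list = [0] + [None] * len(s)
    for i in range(1, len(s) + 1):
        for j in range(i):
            if best[j] is not None and s[j:i] in WORDS:
                if best[i] is None or best[j] + 1 < best[i]:
                    best[i] = best[j] + 1
    return best[-1]

def weakness(pw: str) -> Optional[str]:
    """Why a password should be rejected even though it passes the complexity rule:
    a known breached value, or (assumed threshold) at most three dictionary words
    dressed up with substitutions and digits."""
    if pw.lower() in BREACHED:
        return "appears in breach-derived password list"
    n = min_words(letter_core(pw))
    if n is not None and n <= 3:
        return f"built from {n} dictionary word(s) plus substitutions/digits"
    return None

if __name__ == "__main__":
    for pw in ("Password-1234", "Br0nc0$2012", "Summ3rSun2020!", "xK9#vQ2mLp7!wE"):
        print(f"{pw:16} complexity={meets_doi_complexity(pw)!s:5} weak={weakness(pw)}")
```

Both Password-1234 and Summ3rSun2020! satisfy the complexity rule yet are rejected by the second check, while a random 14-character string passes both.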
Sadly, even the Department’s Inspector General can’t be counted on for completely reliable password advice. The auditors faulted the department for not changing passwords every 60 days as required. Most password security experts have concluded that mandatory periodic changes only encourage weak password choices, yet many government and corporate policies continue to require them. Better advice is to use a unique, randomly generated, strong password for every account and to change it only when you have reason to believe it may have been compromised.