301.519.9237 exdirector@nesaus.org
According to an internal audit, 16% of passwords used by Dept of the Interior staff could be cracked in less than 90 minutes. Photo credit: Adobe Stock

1.24.23 – SSI – By Steven Hope 

Inspection by US Dept. of Interior reveals 21% of 85,944 passwords used by employees could be cracked. ‘Password1234’ used by 479 accounts.

The U.S. Department of the Interior is to be applauded for the transparency it has demonstrated for publishing its report on January 3,2023, entitled “P@s$w0rds at the U.S. Department of the Interior: Easily Cracked Passwords, Lack of Multifactor Authentication, and Other Failures Put Critical DOI Systems at Risk.”

The report and accompanying remediation recommendations, follows an inspection and reveals problems with department employees using passwords found on breached password lists available on the internet, the use of single-factor authentication, and inactive accounts not being disabled.

During the inspection 18,174 (21%) of 85,944 active user passwords were able to be cracked, with 16% in the first 90 minutes. This included 288 accounts with elevated privileges and 362 accounts of senior U.S. Government employees. Furthermore, password complexity requirements were found to be ‘outdated and ineffective’, with 4.75% of passwords being based on the word ‘password’. With no rules preventing unrelated staff using the same weak password, it was discovered that 478 active accounts used ‘Password-1234’.

This report comes hot on the heels of new updated guidelines from the National Institute of Standards and Technology (NIST – Part of the Department of Commerce) which has drafted updated guidelines to help the U.S. combat fraud and cybercrime. NIST is widely regarded as having set out the worldwide gold standard for password management and its new “Digital Identity Guidelines” are intended to support the administration’s governmentwide efforts to ‘strengthen identity verification for government systems used by the American public while balancing privacy, equity and accessibility’. The update includes detail on the use of biometric information for identity proofing, as well as authentication methods that are more resistant to phishing attacks, and recommendations for sharing and exchanging identity information between different systems.

Steven Hope

The eight-point improvement plan detailed within the Department of the Interior report, advises that NIST regulations (notably NIST SP 800–63 and NIST SP 800–53) be adhered to, and would be valuable reading for any organization questioning how well they are protected from phishing, other forms of attack and data breach.

In publishing this report the U.S. Government is shining a light on the problems that face other public sector organizations, large enterprises and small businesses around the world in managing passwords and administering appropriate levels of multi-factor authentication.

In fact, you can begin your journey today,  by discovering  the breach status of your organization, with a confidential Password Security Report from Authlogics (an Intercede Group Company). This report will identify users with weak and non-compliant passwords; the extent to which compromised passwords are being shared with third-party websites and organizations, and accounts sharing the same password. Furthermore, experts are available to help facilitate the necessary improvements from passwords to PKI and all points in between.

Steven Hope is Product Director, MFA at Intercede.