The Interior Department’s Office of Inspector General (OIG) has issued a scathing new report detailing the use of ineffective password protection strategies at the agency, and how the OIG was able to crack 16 percent of the passwords it examined after just 90 minutes of trying.
“We found that the Department’s management practices and password complexity requirements were not sufficient to prevent potential unauthorized access to its systems and data,” the OIG said in a blunt assessment.
And the agency watchdog provided plenty of data to back up that conclusion.
“Over the course of our inspection, we cracked 18,174 of 85,944 – or 21 percent of active user passwords, including 288 accounts with elevated privileges and 362 accounts of senior U.S. Government employees,” the OIG said.
“We found that the Department’s computer system authentication mechanisms and account management practices exhibited weaknesses similar to those that were reportedly exploited in the Colonial Pipeline attack” in 2021, the OIG said. The watchdog said it’s not claiming that the agency faced the same types of risk as did the hacked pipeline firm, although it did say that a “breach to the Department’s computer network could have a significant adverse effect on its operations.”
“Should the Department experience a similar attack, there is a high probability that bureau mission operations could be significantly affected,” the OIG said, adding, “we did not attempt to compromise the Department’s network by exploiting the vulnerabilities we found because such testing was out of scope.”
“Specifically, Department employees used passwords found on breached password lists available on the internet, the Department used single-factor authentication, and inactive accounts were not disabled,” the OIG said.
Other OIG findings were equally unsparing:
- “The Department did not consistently implement multifactor authentication, including for 89 percent of its High Value Assets (assets that could have serious impacts to the Department’s ability to conduct business if compromised), which left these systems vulnerable to password compromising attacks”;
- “The Department’s password complexity requirements were outdated and ineffective, allowing users to select easy-to-crack passwords (e.g., Changeme$12345, Polar_bear65, Nationalparks2014!). We found, for example, that 4.75 percent of all active user account passwords were based on the word ‘password.’”;
- “In the first 90 minutes of testing, we cracked the passwords for 16 percent of the Department’s user accounts”;
- “The Department’s password complexity requirements implicitly allowed unrelated staff to use the same inherently weak passwords – meaning there was not a rule in place to prevent this practice”;
- “For example, the most commonly reused password (Password-1234) was used on 478 unique active accounts. In fact, 5 of the 10 most reused passwords at the Department included a variation of ‘password’ combined with ‘1234’; this combination currently meets the Department’s requirements even though it is not difficult to crack”; and
- “The Department did not timely disable inactive (unused) accounts or enforce password age limits, which left more than 6,000 additional active accounts vulnerable to attack.”
The OIG said it undertook the inspection of password complexity requirements after finding during past projects that it was able to crack between 20 and 40 percent of the passwords it examined.
“For this project, we decided to perform a formal test of passwords throughout the Department,” the OIG said. “We did so after defining ‘rules of engagement’ with the Department to ensure that it was able to protect its IT systems and that any vulnerabilities could be addressed promptly.”
The report makes eight recommendations to the agency, and the Interior Department concurred with all of them:
- Prioritize implementing PIV or other Department-approved MFA methods that cannot be bypassed to allow single-factor authentication for all applications;
- Develop and implement a process to track and validate the MFA status for all Department information systems;
- Revise password complexity and account management policies to reflect the updated risk-based approach set forth in the NIST SP 800-63 document suite;
- Implement controls to monitor, limit, or prevent commonly used, expected, or compromised passphrases and passwords in accordance with NIST SP 800-63;
- Prioritize the inventory, monitoring, and enforcement of existing controls as well as the controls we recommended in this report for accounts belonging to senior government employees or accounts with elevated privileges;
- Revise account management policy to prohibit related accounts from using the same passphrases and passwords;
- Implement guidance requiring temporary passphrases and passwords to be unique and complex, rather than using a common variation or reusing the same passphrase or password; and
- Establish procedures and accountability mechanisms to ensure compliance with policies regarding account management monitoring and timely disabling of inactive accounts.
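To make concrete why passwords such as Password-1234 or Changeme$12345 satisfied the Department's complexity rule yet fell in minutes, and what the NIST SP 800-63 style control in the fourth recommendation changes, here is an added illustration in Python. It is not code from the OIG report or the Department: the legacy thresholds (12 characters, three of four classes), the tiny breach corpus and word list, the leet-substitution table and the final passphrase are all constructed assumptions; a real deployment would screen against a full breached-password corpus and wordlist. The four weak samples are the ones the report itself quotes.

```python
import re

# Constructed stand-in for a breached-password corpus (assumption). A real
# deployment would check against a full list such as Pwned Passwords.
BREACHED = {"password", "password1", "password-1234", "changeme", "123456",
            "qwerty", "letmein", "p@ssw0rd"}

# Constructed mini dictionary for the "dictionary words" check that
# NIST SP 800-63B section 5.1.1.2 calls for; a real one is the full
# wordlist an attacker's cracking rig would use.
WORDS = {"password", "pass", "word", "change", "me", "polar", "bear",
         "national", "park", "parks", "welcome", "summer", "interior"}

# Common substitutions a cracker's rule set undoes (constructed table).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "@": "a", "$": "s", "!": "i"})


def legacy_complexity_ok(pw: str) -> bool:
    """A length-plus-character-class rule of the kind the report criticises.
    Assumed thresholds: at least 12 characters and three of four classes."""
    classes = (re.search(r"[a-z]", pw), re.search(r"[A-Z]", pw),
               re.search(r"[0-9]", pw), re.search(r"[^A-Za-z0-9]", pw))
    return len(pw) >= 12 and sum(1 for c in classes if c) >= 3


def stem(pw: str) -> str:
    """Reduce a password to the word it is built on: lower-case, drop the
    trailing digits/symbols, undo leet substitutions, keep letters only.
    'Password-1234', 'P@ssw0rd!' and 'password1' all become 'password'."""
    core = re.sub(r"[\W_\d]+$", "", pw.lower())
    return re.sub(r"[^a-z]", "", core.translate(LEET))


def splits_into_words(s: str) -> bool:
    """True if s is a concatenation of dictionary words (simple DP), so
    'polarbear' and 'nationalparks' count as dictionary-based."""
    ok = [True] + [False] * len(s)
    for i in range(1, len(s) + 1):
        ok[i] = any(ok[j] and s[j:i] in WORDS for j in range(i))
    return len(s) > 0 and ok[-1]


def has_run(pw: str, n: int = 4) -> bool:
    """Sequential (1234, abcd, dcba) or repeated (aaaa) runs of length n."""
    s = pw.lower()
    for i in range(len(s) - n + 1):
        steps = {ord(b) - ord(a) for a, b in zip(s[i:i + n], s[i + 1:i + n])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def screen(pw: str, username: str = "") -> list:
    """Reasons a password fails 800-63B-style screening; empty if it passes.
    Length floor, breach corpus, dictionary stem, username and runs."""
    reasons = []
    low = pw.lower()
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if low in BREACHED:
        reasons.append("in breach corpus")
    s = stem(pw)
    if s in BREACHED or splits_into_words(s):
        reasons.append(f"built on dictionary word(s): {s}")
    if username and username.lower() in low:
        reasons.append("contains username")
    if has_run(pw):
        reasons.append("sequential or repeated run")
    return reasons


# The three examples the OIG report quotes, its most-reused password, and
# one constructed passphrase that should pass both checks.
SAMPLES = ["Changeme$12345", "Polar_bear65", "Nationalparks2014!",
           "Password-1234", "Tr4in-Lamp-Yoghurt-82"]


def compare(passwords=SAMPLES) -> dict:
    """Map each password to (passes legacy rule, list of screening reasons)."""
    return {pw: (legacy_complexity_ok(pw), screen(pw)) for pw in passwords}


if __name__ == "__main__":
    for pw, (legacy, reasons) in compare().items():
        verdict = "rejected" if reasons else "accepted"
        print(f"{pw:24} legacy={'pass' if legacy else 'fail'}  nist={verdict} {reasons}")
```

All four of the report's passwords pass the legacy rule, which is the point the OIG makes: character-class rules measure shape, not guessability. The screening check rejects them for the reasons a cracker exploits (a known breached string, a dictionary stem with a digit suffix, a 1234 run) and accepts only the passphrase built from unrelated words. Screening of this kind limits online guessing and the most common reused choices; it does not replace the MFA the first recommendation calls for, since an offline attack on a leaked hash store still runs the same wordlists and rules against every account.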