More than a fifth of the passwords protecting network accounts at the US Department of the Interior—including Password1234, Password1234!, and ChangeItN0w!—were weak enough to be cracked using standard methods, a recently published security audit of the agency found.
The audit was performed by the department’s Inspector General, which obtained cryptographic hashes for 85,944 employee active directory (AD) accounts. Auditors then used a list of more than 1.5 billion words that included:
- Dictionaries from multiple languages
- US government terminology
- Pop culture references
- Publicly available password lists harvested from past data breaches across both public and private sectors
- Common keyboard patterns (eg, “qwerty”).
The results weren’t encouraging. In all, the auditors cracked 18,174—or 21 percent—of the 85,944 cryptographic hashes they tested; 288 of the affected accounts had elevated privileges, and 362 of them belonged to senior government employees. In the first 90 minutes of testing, auditors cracked the hashes for 16 percent of the department’s user accounts.
The audit uncovered another security weakness—the failure to consistently implement multi-factor authentication (MFA). The failure extended to 25—or 89 percent—of 28 high-value assets (HVAs), which, when breached, have the potential to severely impact agency operations.
“It is likely that if a well-resourced attacker were to capture Department AD password hashes, the attacker would have achieved a success rate similar to ours in cracking the hashes,” the final inspection report stated. “The significance of our findings regarding the Department’s poor password management is magnified given our high success rate cracking password hashes, the large number of elevated privilege and senior government employee passwords we cracked, and the fact that most of the Department’s HVAs did not employ MFA .”
The most commonly used passwords, followed by the number of users, were:
- Password-1234 | 478
- Br0nc0$2012 | 389
- Password123$ | 318
- Password1234 | 274
- Sum3rSun2020! | 191
- 0rlando_0000 | 160
- Password1234! | 150
- ChangeIt123 | 140
- 1234password$ | 138
- ChangeItN0w! | 130
TechCrunch reported the results of the audit earlier. The publication said auditors spent less than $15,000 building a password-cracking rig. Quoting a department representative, it continued:
The setup we use consists of two rigs with 8 GPUs each (16 total), and a management console. The rigs themselves run multiple open source containers where we can bring up 2, 4, or 8 GPU and assign them tasks from the open source work distribution console. Using GPU 2 and 3 generations behind currently available products, we achieved pre-fieldwork NTLM combined benchmarks of 240GHs testing NTLM via 12 character masks, and 25.6GHs via 10GB dictionary and a 3MB rules file. Actual speeds varied across multiple test configurations during the engagement.
The vast majority—99.99 percent—of passwords cracked by the auditors complied with the department’s password complexity requirements, which mandate a minimum of 12 characters, and contain at least three of four character types consisting of uppercase, lowercase, digits, and special characters. The audit uncovered what Ars has been saying for almost a decade now—such guidelines are usually meaningless.
That’s because the guides assume attackers will use brute force methods, in which every possible combination is methodically tried in alphanumeric order. It’s far more common for attackers to use lists of previously cracked passwords, which are available on the Internet. Attackers then plug the lists into rigs that contain dozens of super-fast GPUs that try each word in the order of popularity of each string.
“Even though a password [such as Password-1234] meets requirements because it includes uppercase, lowercase, digits, and a special character, it is extremely easy to crack,” the final report noted. “The second most frequently used password was Br0nc0$2012. Although this may appear to be a ‘stronger’ password, it is, in practice, very weak because it is based on a single dictionary word with common character replacements.”
The report noted that NIST SP 800–63 Digital Identity Guidelines recommend long passphrases made up of multiple unrelated words because they’re more difficult for a computer to crack. Ars has long recommended using a password manager to create random passphrases and store them.
Sadly, even the department’s inspector general can’t be relied on for completely reliable password advice. The auditors faulted the department for failing to change passwords every 60 days as required. Plenty of government and corporate policies continue to mandate such changes, even though most password security experts have concluded that they just encourage weak password choices. The better advice is to use a strong, randomly generated password that’s unique for every account and change it only when there’s reason to believe it might have been compromised.