Even some of the biggest US federal agencies are terrible at passwords

password manager security
(Image credit: Passwork)

An audit of the user accounts at the US Department of the Interior found that over 20% of passwords could be cracked due to a lack of security. 

The password hashes for nearly 86,000 active directory (AD) accounts were obtained, and over 18,000 of them were cracked using fairly standard hacking methods. Most were cracked within the first 90 minutes. 

What's more, over 300 of the cracked accounts belonged to senior employees, and just under 300 had elevated privileges.

Easy guesses

To crack the hashes, the auditors used two rigs costing less than $15,000, comprised of 16 GPUs in total - some a few generations old - and worked through a list of over a billion words that would likely be used in the accounts' passwords. 

Such words included easy keyboard inputs such as "qwerty", terminology related to the US government and references to popular culture. Passwords obtained from publicly available lists of private and public organization data leaks were also used. 

The most popular password was "Password-1234", which was used by nearly 500 accounts, and its variations, such as "Password1234", "Password123$" "Password1234!", were also used by hundreds of other accounts. 

Another concern revealed by the audit was the lack of multi-factor authentication (MFA) to bolster account security. Nearly 90% of high-value assets (HVAs) - which are vital to agency operations - failed to implement the feature.

In the report following the audit, it was noted that should a threat actor gain access to the department's password hashes, they would have a similar success rate of that achieved by the auditors.

Alongside their success rate, other areas of concern highlighted in the report were "the large number of elevated privilege and senior government employee passwords we cracked, and the fact that most of the Department’s HVAs did not employ MFA.”

Another concern is that virtually all of the passwords complied with the department's requirements for strong passwords - a minimum of 12 characters with a mix of cases, digits and special characters. 

As the audit shows, however, following these requirements do not necessarily result is passwords that are hard to crack. Hackers usually work from lists of passwords that people commonly use, so they don't have to brute force every single word to try and break them. 

The report itself gave the example of the second most common password found in the audit, "Br0nc0$2012": 

"Although this may appear to be a ‘stronger’ password, it is, in practice, very weak because it is based on a single dictionary word with common character replacements.”

The General Inspector also stated passwords were not changed every 60 days, as is mandatory for employees to do. However, such advice is not recommended by security experts today, as it only encourages users to generate weaker passwords in order to remember them more easily.

The NIST SP 800–63 Digital Identity Guidelines recommend using a string of random words in passwords instead, as these are much harder to crack with computers. 

What's more, with the advent of password managers and their integrated password generators (there are also standalone versions), it is now easier than ever to create very strong and random passwords that take the trouble out of remembering them.

Lewis Maddison
Reviews Writer

Lewis Maddison is a Reviews Writer for TechRadar. He previously worked as a Staff Writer for our business section, TechRadar Pro, where he had experience with productivity-enhancing hardware, ranging from keyboards to standing desks. His area of expertise lies in computer peripherals and audio hardware, having spent over a decade exploring the murky depths of both PC building and music production. He also revels in picking up on the finest details and niggles that ultimately make a big difference to the user experience.