The Department of the Interior “hacked” itself to test how easy it would be to crack employee passwords.
It was easier than it should have been, according to a Jan. 3 report from its Office of Inspector General. In 90 minutes, and with a cracking rig that cost less than $15,000, the OIG recovered clear-text passwords for 16% of user accounts.
Using open-source cracking software and a custom wordlist built from dictionaries in multiple languages, U.S. government terminology, pop-culture references and publicly available password lists from past breaches, the OIG had cracked 21% of active user passwords by the end of the test, including 288 accounts with elevated privileges and 362 accounts belonging to senior employees.
According to the report, the most-reused password at the department was “Password-1234”.
The OIG inspected the department’s password management and enforcement controls to determine whether they were strong enough to withstand a malicious attack. In earlier work it had been able to crack 20% to 40% of captured passwords, which prompted this follow-up test.
It found serious deficiencies in best practices for password security, on top of other weaknesses that contradict current cybersecurity guidance handed down by the White House.
Password security is the most elemental building block of cybersecurity, yet a single weak password has been reported to bring down entire systems. The Interior’s OIG noted that the ransomware attack on Colonial Pipeline — which “effectively [shut] down half of the country’s fuel supply chain,” Forbes reported — came down to one stolen password.
“We found that the Department’s computer system authentication mechanisms and account management practices exhibited weaknesses similar to those that were reportedly exploited in the Colonial Pipeline attack,” the OIG report said. “Specifically, Department employees used passwords found on breached password lists available on the internet, the Department used single-factor authentication, and inactive accounts were not disabled.”
The report said there was a high probability that the agency’s mission operations could be “significantly affected” if it was similarly attacked, though such a breach would likely not be as devastating.
The department declined to provide further comment to Federal Times.
The investigation revealed part of the risk came from outdated and ineffective password complexity requirements.
Easily guessable passwords like “Changeme$12345”, “Polar_bear65” and “Nationalparks2014!” feebly guarded user accounts. In another example, 48 employees across several Interior offices had chosen “Winter2021!!” as their password.
Nearly 5% of all active user account passwords were based on the word “password”, according to the report.
The department required passwords to be changed every 60 days, a common control, but users appear to have coped with the requirement by choosing weak passwords that were easy to remember. Current NIST guidance (SP 800-63B) discourages forced periodic rotation for exactly this reason, recommending instead that passwords be changed when there is evidence of compromise.
Had stronger controls been in place, the staged attack would have been much harder, the report found. For example, a “brute force” attack against a password hash — the one-way transformed form in which Microsoft Active Directory stores passwords — that meets the department’s minimum requirements would take at least 136 years with a commercial off-the-shelf “hash-cracking system,” the report said.
“Any password that exceeds these password complexity rules could take a millennium or more to crack,” it added.
The department’s current requirements nominally demanded complex passwords with a mix of character types and a minimum length, but in practice users relied on single dictionary words, predictable patterns, or slight modifications of existing passwords, all of which a wordlist plus mangling rules finds long before an exhaustive search would.
Another issue was the department’s failure to disable accounts that had been inactive for more than 45 days, as its own policy required. It instead “left implementation and enforcement of this policy to the bureaus and offices,” the report read. The test cracked 23% of these inactive accounts, each of them a working credential that no one was watching.
Inconsistent use of multifactor authentication was another weak spot for the department, the report said. Despite 18 years of requirements, the department did not have multifactor authentication on 89% of its high-value assets.
An executive order issued in May 2021 mandated the widespread implementation of multifactor authentication by November of that year. Since then, the extra security step has become mandatory on all federal systems where possible; exceptions can be made through the Cybersecurity and Infrastructure Security Agency.
The department said in its response to the report that “a vast majority of all authentications occurring on DOI systems are multi-factor based.”
Among other proposed solutions, the department said in the report it has written new password complexity and length policies, which it aims to implement in May.
Still, cyberattacks will remain a threat even with the help of new technologies if there isn’t a workforce to use them, according to the interagency Federal Cyber Workforce Management and Coordinating Working Group. For years the government at large has struggled to compete for tech talent needed to modernize and secure its systems.
As one way of beefing up cybersecurity talent, the Interior and Defense departments are collaborating with the group to create cyber career interest quizzes that match possible candidates to federal job openings.
Molly Weisner is a staff reporter for Federal Times where she covers labor, policy and contracting pertaining to the government workforce. She made previous stops at USA Today and McClatchy as a digital producer, and worked at The New York Times as a copy editor. Molly majored in journalism at the University of North Carolina at Chapel Hill.