
One-fifth of passwords used by the federal agency were cracked during a security audit


More than a fifth of the passwords protecting network accounts at the US Department of the Interior, including Password1234, Password1234! and ChangeItN0w!, were weak enough to be cracked using standard methods, according to a recently published security audit by the agency.

The audit was conducted by the department’s inspector general, who obtained cryptographic hashes for 85,944 employee Active Directory (AD) accounts. Auditors then used a list of more than 1.5 billion words, including:

• Dictionaries from multiple languages
• US government terminology
• Pop culture references
• Publicly available password lists collected from previous data breaches in both the public and private sectors
• General keyboard patterns (e.g. “qwerty”).

The results were not encouraging. Overall, the auditors cracked 18,174 — or 21 percent — of the 85,944 cryptographic hashes they tested; 288 of the affected accounts had elevated privileges and 362 of them belonged to senior government employees. In the first 90 minutes of testing, auditors cracked the hashes for 16 percent of the department’s user accounts.

The audit revealed another vulnerability: failure to consistently implement multi-factor authentication (MFA). The lapse extended to 25 — or 89 percent — of 28 high-value assets (HVAs), which, when breached, have the potential to severely impact agency operations.

“It is likely that if a well-equipped attacker were to capture the department’s AD password hashes, the attacker would have achieved a similar success rate in cracking the hashes as we did,” the final inspection report said. “The significance of our findings regarding the department’s poor password management is magnified given our high success rate for cracking password hashes, the large number of elevated privileges and passwords of senior government employees we’ve cracked, and the fact that most of the department’s HVAs did not use MFA.”

The most commonly used passwords, followed by the number of users, were:

• Password-1234 | 478
• Br0nc0$2012 | 389
• Password123$ | 318
• Password1234 | 274
• Summ3rSun2020! | 191
• 0rlando_0000 | 160
• Password1234! | 150
• ChangeIt123 | 140
• 1234password$ | 138
• ChangeItN0w! | 130

TechCrunch previously reported the results of the audit. The publication said auditors spent less than $15,000 building a password-cracking rig. It quoted a department representative and continued:

The setup we use consists of two rigs with 8 GPUs each (16 in total) and a management console. The rigs themselves run multiple open source containers where we can call 2, 4 or 8 GPUs and assign tasks from the open source work distribution console. Using GPUs 2 and 3 generations behind currently available products, we achieved pre-fieldwork NTLM combined benchmarks of 240 GH/s testing NTLM through 12-character masks, and 25.6 GH/s through a 10 GB dictionary and 3 MB rules file. Actual speeds varied during multiple in-field test configurations.

The vast majority — 99.99 percent — of the passwords cracked by the auditors met the department’s password complexity requirements, which call for a minimum of 12 characters containing at least three of the four character types: uppercase letters, lowercase letters, numbers and special characters. The audit demonstrated what Ars has been saying for nearly a decade: such guidelines are usually pointless.

That’s because the guidelines assume that attackers will use brute-force methods, in which every possible combination is tried methodically in alphanumeric order. It is much more common for attackers to use lists of previously cracked passwords, which are available on the Internet. Attackers then plug those lists into rigs containing dozens of high-speed GPUs that try each entry in order of popularity.

“Even though a password [such as Password-1234] meets the requirements because it contains uppercase, lowercase, numbers and a special character, it is extremely easy to crack,” the final report said. “The second most used password was Br0nc0$2012. While this may seem like a ‘stronger’ password, in practice it is very weak as it is based on a single dictionary word with common character substitutions.”

The report noted that the NIST SP 800-63 Digital Identity Guidelines recommend long passphrases consisting of multiple unrelated words because they are more difficult for a computer to crack. Ars has long recommended using a password manager to create and store random passphrases.
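The gap between the department’s complexity rule and the dictionary-with-substitutions weakness the report describes is easy to see in code. The following is an added example, not code from the audit, the department or Ars: a password screening check that applies the 12-character, three-of-four-classes rule and then separately rejects candidates that appear on a known-common list or that collapse to a dictionary word once common character substitutions are undone. The substitution table, the banned-word list and the sample passphrase are constructed for this example; the ten known-common values are the ones the audit published.

```python
import re

# Password policy as the article paraphrases the department's rule:
# at least 12 characters and at least three of the four character classes.
MIN_LENGTH = 12
MIN_CLASSES = 3

# Substitutions to undo before comparing against a word list. This table is an
# assumption made for this example; the audit report does not publish its rules.
LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "$": "s", "@": "a", "!": "i",
})

# Constructed, deliberately tiny banned-word list. A real deployment would use
# a large multi-language dictionary plus a breached-password corpus, which is
# what the auditors' 1.5-billion-word list amounted to.
BANNED_WORDS = {"password", "changeit", "bronco", "summer", "orlando",
                "welcome", "letmein"}

# The ten most common passwords published in the audit (values from the article).
KNOWN_COMMON = {
    "Password-1234", "Br0nc0$2012", "Password123$", "Password1234",
    "Summ3rSun2020!", "0rlando_0000", "Password1234!", "ChangeIt123",
    "1234password$", "ChangeItN0w!",
}


def meets_complexity(pw: str) -> bool:
    """True if pw satisfies the length and three-of-four-classes rule."""
    classes = (
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),   # anything else counts as "special"
    )
    return len(pw) >= MIN_LENGTH and sum(classes) >= MIN_CLASSES


def letter_core(pw: str) -> str:
    """Lower-case, undo common substitutions, and keep only the letters.

    'Br0nc0$2012' -> 'broncosoi': the dictionary word survives as a substring
    even though the year suffix leaves a little noise behind.
    """
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET))


def dictionary_based(pw: str) -> bool:
    """True if the letter core contains a banned word."""
    core = letter_core(pw)
    return any(word in core for word in BANNED_WORDS)


def evaluate(pw: str) -> dict:
    """Apply the complexity rule and the two word-list checks side by side."""
    complexity_ok = meets_complexity(pw)
    common = pw in KNOWN_COMMON
    dictionary = dictionary_based(pw)
    return {
        "password": pw,
        "complexity_ok": complexity_ok,
        "known_common": common,
        "dictionary_based": dictionary,
        # Accept only when every check passes; complexity alone is not enough.
        "accepted": complexity_ok and not common and not dictionary,
    }


def summarize(passwords) -> dict:
    """Count how many candidates pass each check."""
    results = [evaluate(pw) for pw in passwords]
    return {
        "complexity_ok": sum(r["complexity_ok"] for r in results),
        "dictionary_based": sum(r["dictionary_based"] for r in results),
        "accepted": sum(r["accepted"] for r in results),
    }


if __name__ == "__main__":
    # Constructed sample passphrase in the NIST multi-word style.
    for pw in sorted(KNOWN_COMMON) + ["Ridge Kettle Marble Orbit 7"]:
        r = evaluate(pw)
        print(f"{pw:30} complexity={r['complexity_ok']!s:5} "
              f"dictionary={r['dictionary_based']!s:5} accepted={r['accepted']}")
    print(summarize(KNOWN_COMMON))
```

Run stand-alone, the script shows that eight of the ten most common passwords from the audit satisfy the complexity rule as written here, that every one of them collapses to a banned word, and that the constructed multi-word passphrase is the only candidate accepted. The design point is that the word-list checks, not the character-class count, are what separate the two groups.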

Unfortunately, not even the department’s inspector general can be trusted for completely reliable password advice. The auditors faulted the department for not changing passwords every 60 days as required. Numerous government and corporate policies continue to mandate such changes, even though most password security experts have concluded that they only encourage weak password choices. The better advice is to use a strong, randomly generated password that is unique to each account and to change it only if there is reason to believe it has been compromised.