1. Forum
  2. tqwNet
  3. TQW_GENTECH

  • Even some of the biggest US federal agencies are terrible at pass

    From TechnologyDaily@1337:1/100 to All on Wed Jan 11 13:00:03 2023
    Even some of the biggest US federal agencies are terrible at passwords

    Date:
    Wed, 11 Jan 2023 12:44:24 +0000

    Description:
    Audit at the US Department of the Interior reveals easily cracked passwords and lack of MFA implementation.

    FULL STORY ======================================================================

    An audit of the user accounts at the US Department of the Interior found that over 20% of passwords could be cracked due to a lack of security.

    The password hashes for nearly 86,000 active directory (AD) accounts were obtained, and over 18,000 of them were cracked using fairly standard hacking methods. Most were cracked within the first 90 minutes.

    What's more, nearly over 300 of the cracked accounts belonged to senior employees, and just under 300 had elevated privileges. Easy guesses

    To crack the hashes, the auditors used two rigs costing less than $15,000, comprised of 16 GPUs in total - some a few generations old - and worked through a list of over a billion words that would likely be used in the accounts' passwords.

    Such words included easy keyboard inputs such as "qwerty", terminology
    related to the US government and references to popular culture. Passwords obtained from publicly available lists of private and public organization
    data leaks were also used.

    Among the most popular passwords was "Password-1234", which was used by
    nearly 500 accounts, and subtle variations, such as "Password1234", "Password123$" "Password1234!", were also used by hundreds of other accounts.

    Another concern revealed by the audit was the lack of multi-factor authentication (MFA) to bolster account security. Nearly 90% of high-value assets (HVAs) - which are are vital to agency operations - failed to
    implement the feature.

    In the report following the audit, it was stated that should a threat actor gain access to the departments password hashes, they would have a similar success rate of that achieved by the auditors.

    Alongside their success rate, other areas of concern highlighted in the
    report were "the large number of elevated privilege and senior government employee passwords we cracked, and the fact that most of the Departments HVAs did not employ MFA.

    Another concern is that virtually all of the passwords complied with the departments requirements for strong passwords - a minimum of 12 characters with a mix of cases, digits and special characters. read more

    We need to start taking our passwords seriously, come on



    Apple, Google and Microsoft join forces to try and kill off passwords



    Exclusive: most people still reuse their passwords despite years of hacking

    As the audit shows, however, following these requirements doesn't necessarily result is passwords that are hard to crack. Hackers usually work from lists
    of passwords that people commonly use, so they don't have to brute force
    every single word to try and break them.

    The report itself gave the example of the second most common password they found in the audit, "Br0nc0$2012":

    "Although this may appear to be a stronger password, it is, in practice, very weak because it is based on a single dictionary word with common character replacements.

    The General Inspector also stated passwords were not changed every 60 days,
    as stipulated for their employees. However, such advice is not recommended by security experts today, as it only encourages users to generate weaker passwords in order to remember them more easily.

    The NIST SP 80063 Digital Identity Guidelines recommend using a string of random words in your passwords instead, as these are much harder to be
    cracked by computers.

    What's more, with the advent of password managers and their integrated password generators (there are also standalone versions), it is now easier than ever to create very strong and random passwords that take the trouble
    out of remembering them yourself. This is our guide to the best business password managers



    ======================================================================
    Link to news story: https://www.techradar.com/news/even-some-of-the-biggest-us-federal-agencies-ar e-terrible-at-passwords


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)