The U.S. Department of the Interior’s Office of Inspector General is to be applauded for the transparency it demonstrated in publishing, on 3rd January 2023, its report entitled ‘P@s$w0rds at the U.S. Department of the Interior: Easily Cracked Passwords, Lack of Multifactor Authentication, and Other Failures Put Critical DOI Systems at Risk’. The report and its accompanying remediation recommendations follow an inspection of the Department’s password practices and reveal employees using passwords that appear on breached-password lists freely available on the internet, systems still relying on single-factor authentication, and inactive accounts that were never disabled.
During the inspection 18,174 (21%) of the 85,944 active user passwords were cracked, with 16% of all active passwords falling within the first 90 minutes. The cracked set included 288 accounts with elevated privileges and 362 accounts belonging to senior U.S. Government employees. The Department’s password complexity requirements were found to be ‘outdated and ineffective’: 4.75% of passwords were based on the word ‘password’, and nothing prevented unrelated staff from choosing the same weak password, so 478 active accounts were found to be using ‘Password-1234’.
This report comes hot on the heels of a draft update to the ‘Digital Identity Guidelines’ (NIST SP 800-63) from the National Institute of Standards and Technology (NIST, part of the Department of Commerce), intended to help the U.S. combat fraud and cybercrime. NIST is widely regarded as having set the worldwide gold standard for password management, and the updated guidelines are intended to support the administration’s governmentwide efforts to ‘strengthen identity verification for government systems used by the American public while balancing privacy, equity and accessibility’. The update includes detail on the use of biometric information for identity proofing, authentication methods that are more resistant to phishing, and recommendations for sharing and exchanging identity information between different systems.
The eight-point improvement plan detailed within the Department of the Interior report advises that NIST standards (notably NIST SP 800-63 and NIST SP 800-53) be adhered to, and it is valuable reading for any organisation asking how well it is protected against password cracking, phishing, other forms of attack and data breach.
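The three findings above (passwords that are variants of the word ‘password’, passwords present on public breach lists, and one password shared across hundreds of accounts) are exactly the checks that NIST SP 800-63B section 5.1.1.2 expects a verifier to apply when it screens a new password against a blocklist. The following Python is an added example written for this page, not code from the OIG report, NIST or Authlogics: it runs those checks over a constructed set of cracked account passwords and reports the same kinds of figures the inspection counted. The leet-speak table, the breach list and the sample accounts are assumptions made for the example.

```python
"""Password-audit checks of the kind the DOI OIG inspection reported.

Added example, not code from the OIG report, NIST or Authlogics.
Given cleartext passwords (recovered by cracking, or submitted at
password-change time), it flags passwords that are variants of the
word "password", passwords present in a breached-password list, and
passwords shared by more than one account, as NIST SP 800-63B
section 5.1.1.2 blocklist screening requires.
"""
import hashlib
from collections import defaultdict

# Leet-speak substitutions undone before comparison, so that
# "P@s$w0rds" normalises to "passwords". The table is an assumption
# of this example, not a NIST-specified list.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "!": "i", "|": "l"})


def normalise(pw):
    """Lower-case, undo leet substitutions and drop non-letters."""
    return "".join(ch for ch in pw.lower().translate(LEET) if ch.isalpha())


def based_on(pw, word="password"):
    """True if the password is the given word plus trivial decoration."""
    return word in normalise(pw)


def sha1_hex(pw):
    """Breach corpora are usually distributed as SHA-1 digests."""
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


# Constructed breach list for the example; in practice this is loaded
# from a breach corpus (hundreds of millions of digests) rather than built
# from cleartext.
BREACHED = {sha1_hex(p) for p in ("Password-1234", "Summer2022!",
                                  "Welcome1", "letmein")}


def in_breach_list(pw, breached=BREACHED):
    return sha1_hex(pw) in breached


def nist_blocklist_check(pw):
    """Reasons a password would be rejected by an SP 800-63B-style verifier."""
    reasons = []
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if based_on(pw):
        reasons.append("variant of 'password'")
    if in_breach_list(pw):
        reasons.append("present in breach list")
    return reasons


def audit(accounts):
    """accounts: mapping of username -> cleartext password.

    Returns the figures an inspection like the OIG's would report:
    how many accounts use a 'password' variant, which are on the breach
    list, and which passwords are shared between accounts.
    """
    by_password = defaultdict(list)
    flagged = {}
    for user, pw in accounts.items():
        by_password[pw].append(user)
        reasons = nist_blocklist_check(pw)
        if reasons:
            flagged[user] = reasons
    password_based = sorted(u for u, pw in accounts.items() if based_on(pw))
    return {
        "total": len(accounts),
        "password_based": password_based,
        "password_based_pct": round(100.0 * len(password_based) / len(accounts), 2),
        "breached": sorted(u for u, pw in accounts.items() if in_breach_list(pw)),
        "shared": {pw: sorted(us) for pw, us in by_password.items() if len(us) > 1},
        "flagged": flagged,
    }


# Constructed sample accounts for the example (no real users).
SAMPLE = {
    "alice": "Password-1234",
    "bob": "Password-1234",
    "carol": "P@s$w0rd2023",
    "dave": "Summer2022!",
    "erin": "correct horse battery staple",
    "frank": "Tr0ub4dor&3",
}

if __name__ == "__main__":
    result = audit(SAMPLE)
    print(f"{len(result['password_based'])} of {result['total']} accounts "
          f"({result['password_based_pct']}%) use a variant of 'password'")
    for pw, users in result["shared"].items():
        print(f"{len(users)} accounts share {pw!r}: {', '.join(users)}")
    for user, reasons in result["flagged"].items():
        print(f"{user}: {'; '.join(reasons)}")
```

Holding the breach list as SHA-1 digests rather than cleartext matters in practice: it lets the check run against a public corpus without the auditing host ever storing the breached passwords themselves, and the same digest lookup works at password-change time, which is where SP 800-63B wants it applied.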
In publishing this report the U.S. Government is shining a light on the problems that face other public sector organisations, large enterprises and small businesses around the world in managing passwords and administering appropriate levels of multi-factor authentication.
In fact, you can begin your journey today by discovering the breach status of your organisation with a confidential Password Security Report from Authlogics (an Intercede Group Company). The report identifies users with weak and non-compliant passwords, the extent to which their passwords have been exposed through breaches of third-party websites and organisations, and accounts that share the same password. Furthermore, experts are available to help facilitate the necessary improvements, from passwords to PKI and all points in between.