Case Study – P@s$w0rds at the U.S. Department of the Interior

Your password has expired. To change your password, press CTRL + ALT + DELETE and then click “change a password” 

New Password: Password1234! 

Confirm New Password: Password1234! 

New Password: Password789!! 

Confirm New Password: Password789!! 

New Password: ThisIsStupid!@# 

Confirm New Password: ThisIsStupid!@# 

At this point, your head is about to explode. Do passwords really matter that much?  

YES. Password strength and management matter. A lot. 

In both the private and public sectors, password-based security breaches are wreaking havoc on organizations’ finances, reputation, and service delivery. In 2021, Colonial Pipeline experienced a ransomware attack that shut down a significant portion of the nation’s fuel supply. The event began with a single stolen password. 

The truth is that weak passwords are one of the primary ways cybercriminals gain access to networks and databases. In a rather embarrassing press release, the Office of the Inspector General (OIG) reported that after investigating the Department of the Interior, the OIG “cracked 18,174 of 85,944 – or 21 percent of active user passwords.” The OIG detailed that of the accounts “hacked,” 288 had elevated privileges and 362 were tied to senior-level government employees. 

How did this happen? 

The OIG cited inconsistent implementation of multifactor authentication and ineffective password complexity requirements as two of the primary vulnerabilities in the Department of the Interior’s security.  

But what constitutes a “weak password”? 

The most commonly used password at the DOI, “Password-1234”, was tied to 478 active accounts. There were so many weak passwords that the Office of the Inspector General was able to crack 16% of the Department’s account passwords in the first 90 minutes of testing. It is important to note that the OIG did not utilize sophisticated “hacking” strategies; they built a password-cracking system using open-source software and a custom word list. The total cost: $15,000. While that may sound like a significant sum, there are plenty of cybercriminal groups making three to ten times that amount on every ransomware attack. 

Is a password the only thing standing between my data and cybercriminals? 

Depending on the configuration of your security settings, the answer may be yes! An essential component of any security posture is deploying multiple layers of security. Even a “strong” password can be compromised, so it’s important to have additional layers in place. The most widely used, and most affordable, option is multifactor authentication (MFA). MFA requires individuals to “prove” their identity through several channels. It serves as a second layer of protection because even if someone obtained your password, MFA would still require additional forms of identification that the cybercriminal is unlikely to possess. 

But wait, there’s more… 

In addition to weak passwords and single-factor authentication, the Department of the Interior failed to disable inactive (unused) accounts. Retaining inactive accounts is a common oversight made by many organizations, yet it’s one of the most likely to be exploited. An employee leaves after accepting a job at a different company, and in the chaos of interviewing for a replacement and redistributing the workload to existing employees, no one disables this employee’s access. 

There are multiple dangers in this scenario, but the two most common are these. The first is the former employee logging back into the network to find client information, internal documents, and other information that would help them in their new role. The second is that the account goes unchecked and unmaintained for months (possibly years). 

If you cannot answer YES to all the following questions, your network and your data may not be secure. 

  • Have I been prompted to reset my password in the last six months? 
  • Must my password differ from my previous four passwords and contain at least 12 characters with at least one capital letter, lower case letter, number and symbol? 
  • Have I received training on cybersecurity best practices in the last year? 
  • Does our organization have a process to deactivate accounts promptly when an employee leaves? 
  • Is the responsibility of deactivating accounts assigned to a specific individual or team? 
  • Do I have to verify my identity through multiple channels when connecting to our network? 
  • Do I have to verify my identity through multiple channels when accessing company software, applications, and databases? 
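The password rules in the checklist above can be checked at password-change time. The following is an added example, not tooling from the OIG report or the Department: it applies the 12-character and character-class rules, refuses any of the previous four passwords (kept as salted PBKDF2 hashes), and then runs a small constructed denylist, because “Password-1234”, the most common password in the report, satisfies every complexity rule. The stems and the leet-substitution map are assumptions.

```python
import hashlib
import hmac
import os
import re
import string

MIN_LENGTH = 12
HISTORY_DEPTH = 4
# Constructed denylist of stems; "password" alone covers the DOI top entry.
DENYLIST_STEMS = ("password", "thisisstupid", "welcome", "letmein")
# Leet-speak substitutions to undo before the denylist check (constructed mapping).
LEET = str.maketrans("@$10!", "asloi")

def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256, the form a password-history entry would be kept in."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def complexity_failures(password: str) -> list:
    """Return the checklist rules the candidate violates (empty list means all pass)."""
    checks = {
        f"at least {MIN_LENGTH} characters": len(password) >= MIN_LENGTH,
        "an upper-case letter": any(c.isupper() for c in password),
        "a lower-case letter": any(c.islower() for c in password),
        "a number": any(c.isdigit() for c in password),
        "a symbol": any(c in string.punctuation for c in password),
    }
    return [rule for rule, ok in checks.items() if not ok]

def reuses_history(password: str, history: list) -> bool:
    """True if the candidate equals any of the last HISTORY_DEPTH stored passwords."""
    return any(
        hmac.compare_digest(hash_password(password, salt)[1], digest)
        for salt, digest in history[-HISTORY_DEPTH:]
    )

def is_denylisted(password: str) -> bool:
    """Undo common substitutions, drop non-letters, then look for a known stem."""
    letters = re.sub(r"[^a-z]", "", password.lower().translate(LEET))
    return any(stem in letters for stem in DENYLIST_STEMS)

def evaluate(password: str, history: list) -> list:
    """All reasons the candidate should be refused; an empty list means accept."""
    problems = complexity_failures(password)
    if reuses_history(password, history):
        problems.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
    if is_denylisted(password):
        problems.append("built on a dictionary word or common pattern")
    return problems
```

Run against the page’s own samples, “Password-1234” passes every complexity check and is caught only by the denylist, while “Dr@gonHurstAve07/21” passes all rules.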

Lesson –  

  • Set strict password requirements for all employees 
  • Enforce password age limits 
  • Configure settings in such a way that the same password cannot be utilized by more than one user 
  • Utilize multifactor authentication 
  • Delete or disable inactive accounts immediately 
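The account-hygiene lessons above are easy to audit from a directory export. The following is an added example, not the Department’s own tooling: it reviews a constructed account list and flags the two things the case study says were missed, accounts of departed or dormant users that are still enabled, and passwords older than the six-month reset window from the checklist. The 90-day dormancy threshold and the sample records are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PASSWORD_MAX_AGE = timedelta(days=180)   # the six-month reset window from the checklist
DORMANT_AFTER = timedelta(days=90)       # assumed dormancy threshold, not from the report

@dataclass
class Account:
    user: str
    enabled: bool
    employed: bool              # False once HR records the departure
    last_login: Optional[date]  # None means the account has never been used
    password_set: date
    privileged: bool = False

def review(accounts, today: date) -> dict:
    """Sort enabled accounts into the two actions the lessons above call for."""
    findings = {"disable": [], "expire_password": []}
    for acct in accounts:
        if not acct.enabled:
            continue                                   # already handled
        dormant = acct.last_login is None or today - acct.last_login > DORMANT_AFTER
        if not acct.employed or dormant:
            findings["disable"].append(acct.user)      # departed or unused: disable, no reset needed
        elif today - acct.password_set > PASSWORD_MAX_AGE:
            findings["expire_password"].append(acct.user)
    # Elevated accounts first: the OIG singled out the 288 privileged accounts it cracked.
    by_name = {a.user: a for a in accounts}
    for key in findings:
        findings[key].sort(key=lambda u: (not by_name[u].privileged, u))
    return findings

# Constructed sample export; not real DOI data.
SAMPLE = [
    Account("alice", True, True, date(2023, 3, 1), date(2022, 8, 1)),
    Account("bob", True, False, date(2022, 9, 14), date(2022, 6, 1), privileged=True),
    Account("svc_backup", True, True, None, date(2021, 5, 5)),
    Account("carol", False, False, date(2022, 1, 1), date(2021, 12, 1)),
]

if __name__ == "__main__":
    print(review(SAMPLE, date(2023, 3, 15)))
```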

Need ideas on creating strong passwords? Try the following: 

  • CAT (creature + address + time) 
      • Creature: Think of a creature that means something to you. It could be a pet, your favorite animal from your childhood, or one of your own children’s favorite animals. 
      • Address: DO NOT USE YOUR CURRENT ADDRESS; use part of a former address. Maybe you lived on Pinehurst Street growing up or your parents live on Broadway Street. Maybe you use the name of a street from your college or the biggest street in the town you grew up in. 
      • Time: Pick a time that is significant, such as the time your child was born or a specific date that is easy to remember. 
      • Putting it all together: Dr@gonHurstAve07/21 
  • DOGS (destination + organization + game score) 
      • Destination: The name of a favorite place, such as London or Aruba. 
      • Organization: The name of some organization that is important to you. This could be a child’s athletic/cheer/dance organization or a charity you support. 
      • Game score: Think of a score that sticks out to you: your lowest golf score, the final score of the Super Bowl your favorite football team won (or lost), etc. 
      • Putting it all together: Pari$Champ!on35-38 

https://www.doioig.gov/sites/default/files/2021-migration/Final%20Inspection%20Report_DOI%20Password_Public.pdf