Password Management Errors Discovered at U.S. Department of the Interior

The Office of Inspector General of the U.S. Department of the Interior (DOI OIG) has found poor password management and enforcement procedures at the Department of the Interior, resulting in heightened risk for its critical IT systems. These basic password mistakes are very common in the healthcare sector and make it far too easy for threat actors to gain initial access to systems to launch ransomware attacks and carry out other malicious activity.

An inspection was carried out of the password complexity required by the department to determine whether its password management and enforcement procedures were effective and could stop malicious actors from using brute force tactics to gain unauthorized account access. The DOI OIG discovered a number of password management weaknesses and many weak passwords. 4.75% of accounts were protected using variations of ‘password’, which a threat actor can crack immediately. Password-1234 was used to secure 478 different, unrelated accounts. Five of the 10 most reused passwords contain the term password and the number string 1234.

Although the DOI had followed minimum requirements for password complexity, these guidelines were outdated and no longer fit for purpose. There were also numerous cases of users choosing passwords that satisfied those requirements yet were nevertheless quite weak, for example, Changeme$12345 and P@s$w0rd. Without time limits set on passwords, even somewhat complex passwords are vulnerable to brute force attacks. Moreover, because unused accounts were not deactivated promptly, 6,000 accounts were put at risk.

DOI OIG conducted tests to crack passwords and was able to do so within 90 minutes. DOI correctly guessed about 16% of the passwords. Overall, the tests were conducted on 85,944 department passwords. 18,174 passwords, or 21%, were guessed correctly, including 288 passwords for accounts with elevated privileges and 362 accounts owned by senior government staff. Besides these password management problems, the DOI did not consistently use multi-factor authentication (MFA). The DOI OIG inspection showed that 89% of high-value assets didn’t use multi-factor authentication even though it has been required for 15 years. Additionally, when asked for records of which accounts had implemented multi-factor authentication, the department presented no list.

The DOI OIG stated that the ransomware attack on Colonial Pipeline in 2021, which led to the shutdown of the gas pipeline to the Eastern Seaboard of the U.S. and caused substantial disruption to nearly half of the country’s fuel source, happened because of the compromise of one password. The password management errors discovered by DOI OIG are very prevalent throughout federal, state, and local governments as well as public and private companies.

The DOI OIG made a number of recommendations for improving password management and enforcement, such as:

  • monitoring MFA
  • making sure MFA is used for all accounts
  • establishing new minimum requirements for password complexity consistent with the most recent password guidance of the National Institute of Standards and Technology (NIST SP 800-63)
  • applying controls to track, limit, and prevent the setting of commonly used, expected, or exposed passphrases and passwords
  • making sure to disable inactive accounts promptly
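
The gap described above, where Changeme$12345 and P@s$w0rd satisfy complexity requirements yet remain weak, and the recommended control against commonly used or expected passwords, can be illustrated in Python. This is an added example, not code from the DOI OIG report; the blocklist contents, the substitution table and the function names are assumptions made for illustration.

```python
import re

# Constructed sample blocklist (assumption): a real control would load a large
# list of commonly used, expected and exposed passwords.
BLOCKLIST = ("password", "changeme", "welcome", "letmein", "qwerty")

# Undo common character substitutions before comparing against the blocklist.
LEET = str.maketrans("@$0134!57", "asoieaist")


def meets_complexity(pw, min_len=8):
    """Legacy composition rule: minimum length plus upper, lower, digit, symbol."""
    classes = (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")
    return len(pw) >= min_len and all(re.search(c, pw) for c in classes)


def normalize(pw):
    """Lowercase, reverse substitutions, and keep letters only."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET))


def blocked_word(pw):
    """Return the blocklisted word the password is built on, or None."""
    core = normalize(pw)
    return next((w for w in BLOCKLIST if w in core), None)


def audit(passwords):
    """Pair each password with the verdict of both checks."""
    return [(pw, meets_complexity(pw), blocked_word(pw)) for pw in passwords]


if __name__ == "__main__":
    # The first three are quoted in the article; the last is constructed.
    samples = ["Password-1234", "Changeme$12345", "P@s$w0rd",
               "tundra-Kettle-93-violin"]
    for pw, complex_ok, word in audit(samples):
        verdict = f"reject (built on '{word}')" if word else "accept"
        print(f"{pw:26} complexity={'pass' if complex_ok else 'fail'}  "
              f"screening={verdict}")
```

All three passwords named in the article pass the composition rule, and all three are rejected once substitutions and appended digits are stripped and the remainder is compared with the blocklist.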