Government Watchdog Cracks Federal Agency Passwords in Minutes for $15,000

The U.S. Department of the Interior, responsible for managing billions of dollars and overseeing national parks, has gone against nearly 20 years of government cybersecurity guidance by relying on passwords as the sole protection for its most important systems and user accounts, according to a report from its Office of Inspector General.

The poor password policies of the department leave it vulnerable to a breach that could cause immense disruption.

The Inspector General’s office initiated an investigation following a test of the Department of the Interior’s cybersecurity defenses which revealed weak password policies and requirements across its dozen-plus agencies and bureaus. The aim was to determine whether the department had sufficient security measures in place to prevent stolen or recovered passwords from being used.

Passwords are typically scrambled and stored unreadable to humans (as a string of seemingly random letters/numbers) via password hashing, so that those stolen by malware/data breach can’t be used for further hacks. Complexity of the password (and strength of the hashing algorithm used) determines how long it takes for a computer to unscramble it; usually, longer & more complex passwords take longer to recover.

Staffers at the watchdog cautioned that the department’s confidence in its password security, largely based on software needing over 100 years to crack passwords meeting minimum requirements, was unfounded; computing power available commercially today is far too powerful for this assumption.

The watchdog spent just $15,000 to build a password-cracking rig – a powerful computer or network of computers designed for complex mathematical tasks, like unlocking hashed passwords. In only 90 minutes they recovered 14,000 employee passwords – 16% of all the accounts! Among them were ‘Polar_bear65’ and ‘Nationalparks2014!’

The watchdog uncovered hundreds of accounts belonging to senior government employees and other accounts with privileged access to sensitive data/systems. Further, they cracked 4,200 hashed passwords in 8 weeks’ testing.

Password cracking rigs are nothing new, but they take a lot of computing power and energy to run. Even building a simple setup can cost thousands of dollars (White Oak Security spent around $7K on hardware for an averagely powerful rig in 2019).

Password-cracking rigs use massive amounts of human-readable data to compare with scrambled passwords. Open source software like Hashcat can match lists of words and phrases to hashed passwords; for example, ‘password’ converts to its associated hash ‘5f4dcc3b5aa765d61d8327deb882cf99’, which a computer can confirm in less than a microsecond.

The Department of the Interior gave watchdog their users’ password hashes and, per their own policy, waited 90 days for them to expire before attempting to crack them.

The watchdog discovered that nearly 5% of all active user passwords were derived from “password” or a variation thereof, and 6,000 inactive accounts remained open to exploitation due to the department’s failure to close them promptly.

The report blasted the Department of the Interior for failing to implement or enforce two-factor authentication. Nearly 90% of high-value assets weren’t protected by any form of second-factor security, disregarding 18 years of federal mandates and its own internal policies. When asked for a detailed report on two-factor authentication use, the department said none existed.

“Single-factor authentication persisted due to the lack of priority placed on a key security control,” the watchdog found.

The Department of the Interior concurred with most of the inspector general’s findings and is committed to fulfilling Biden’s executive order for improved federal cybersecurity.

Read further to discover more about this fascinating topic! Dig deeper into the details and explore all that there is to learn. You won’t regret it!

Dig deeper for more fascinating