January 13, 2023 By Christopher Boyd
It's bad news for the US Department of the Interior—a government watchdog’s security audit has revealed its passwords are simply not up to the job of warding off cracking attempts.
The audit's wordy title was not kind:
P@s$w0rds at the U.S. Department of the Interior: Easily Cracked Passwords, Lack of Multifactor Authentication, and Other Failures Put Critical DOI Systems at Risk
The audit used a list of “more than 1.5 billion words” and a dedicated cracking rig, cost only around $15,000 to carry out, and tested the words against cryptographic hashes for the department’s Active Directory accounts. The words were a combination of public password lists, pop culture and government terminology, and various dictionaries written in several languages.
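As an added example (not code from the audit or from this article), here is a defender-side screen that rejects new passwords built on denied words, including substituted spellings like the one in the report's title. The deny list, the substitution table and the 50% coverage threshold are constructed assumptions.

```python
import unicodedata

# Constructed deny list standing in for the kinds of sources the audit combined:
# public password lists, pop culture and government terminology.
DENY_WORDS = {"password", "changeme", "starwars", "interior", "welcome"}

# Assumed substitution table; extend it to match what your users actually do.
LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                      "1": "l", "!": "i", "3": "e", "7": "t"})

# Assumed policy: reject when a denied word makes up at least half the password.
MIN_COVERAGE = 0.5


def normalize(candidate: str) -> str:
    """Lower-case, strip accents and undo common character substitutions."""
    text = unicodedata.normalize("NFKD", candidate)
    text = "".join(c for c in text if not unicodedata.combining(c))
    return text.lower().translate(LEET)


def denied_word(candidate: str, deny_words=DENY_WORDS):
    """Return the longest denied word dominating the candidate, or None."""
    text = normalize(candidate)
    if not text:
        return None
    hits = [w for w in deny_words
            if w in text and len(w) / len(text) >= MIN_COVERAGE]
    return max(hits, key=len) if hits else None


def screen(candidates, deny_words=DENY_WORDS):
    """Map each candidate password to the denied word it matched (or None)."""
    return {c: denied_word(c, deny_words) for c in candidates}


if __name__ == "__main__":
    # Constructed candidates, not values from the audit.
    samples = ["P@s$w0rds", "Int3rior2023!", "St4rW4r5",
               "correct horse battery interior staple"]
    for pw, hit in screen(samples).items():
        print(f"{pw!r}: {'reject (' + hit + ')' if hit else 'accept'}")
```

The coverage threshold lets a long passphrase that merely contains a denied word through, while a single denied word padded with a year and a symbol is rejected.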
How well did the 86,000 or so hashes hold up? The answer is, sadly, not hugely encouraging.