While conducting tests for a report on password management with US Department of Interior (DoI) systems, DoI Office of Inspector General (OIG) staff were able to crack 16 percent of DoI passwords within an hour and a half. According to the DoI OIG report, five percent of active credentials within the department’s network used the word “password.” The report also notes that DoI has not consistently implemented multi-factor authentication.
- In 2019, SANS recognized Jefferson Gilkeson, Director of Information Technology Audit, U.S. Department of the Interior, with a SANS Difference Makers award, and it is good to see DoI keeping up the good work in making Office of Inspector General audits include active testing rather than just being data call/review exercises. Not all the results were negative – the audit pointed out that 99% of DoI admin privileged accounts required MFA, and the DoI says that is now 100%. Can you make the same claim?
- Make sure that you’re rolling out/requiring MFA wherever possible. You will likely still have places that need reusable passwords. Users need all the help you can provide to select good passwords. You need policy, training, and technical measures to help them out. You can get services that integrate with your AD to check passwords against data breach notifications; where the checks are made locally, they use a fraction of the password hash to collect possible matches from their database. Also, tools exist to help us configure password rules to modern (NIST 800-63-3) guidance. Trade off long passphrases, which only have to be changed when breached, with shorter (weaker) passwords which require frequent update.
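The "fraction of the password hash" check mentioned above is a k-anonymity range query: the client hashes the password locally, sends only a short hash prefix, receives every breached-hash suffix under that prefix, and finishes the match on its own machine, so the service never sees the password or its full hash. The following is an added example, not code from the newsletter or from any vendor; the breach corpus, its counts, and the 5-character prefix length are constructed for illustration, and both "sides" run in one process.

```python
import hashlib

# Constructed stand-in for a breached-password database: SHA-1 (upper hex) of a
# leaked password -> number of times it appeared in breaches. Real services hold
# hundreds of millions of entries; these three passwords and counts are made up.
BREACH_CORPUS = {
    hashlib.sha1(p.encode()).hexdigest().upper(): n
    for p, n in [("password", 3_730_471), ("Password1", 2_431_110), ("Summer2023!", 51)]
}

PREFIX_LEN = 5  # the service only ever sees these hex characters (20 bits of the hash)


def range_lookup(prefix: str) -> dict[str, int]:
    """Server side: return every (suffix -> count) whose full hash starts with `prefix`.
    The server learns a 20-bit prefix, never the full hash or the password."""
    if len(prefix) != PREFIX_LEN:
        raise ValueError("prefix must be exactly %d hex characters" % PREFIX_LEN)
    prefix = prefix.upper()
    return {h[PREFIX_LEN:]: n for h, n in BREACH_CORPUS.items() if h.startswith(prefix)}


def breach_count(password: str) -> int:
    """Client side: hash locally, send only the prefix, match the suffix at home.
    Returns how often the password appeared in the corpus (0 = not found)."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    candidates = range_lookup(prefix)  # in production this is the network request
    return candidates.get(suffix, 0)


def acceptable(password: str, min_len: int = 8) -> bool:
    """NIST 800-63-3 style gate: a minimum length plus a breach-corpus check,
    with no composition rules and no forced periodic rotation."""
    return len(password) >= min_len and breach_count(password) == 0
```

The same prefix-only request shape is what the widely used Pwned Passwords API exposes, which is why an on-premises AD integration can perform the match without shipping hashes off-site.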
Read more in