A Government Watchdog Spent $15,000 To Crack a Federal Agency's Passwords In Minutes (techcrunch.com)
An anonymous reader quotes a report from TechCrunch: A government watchdog has published a scathing rebuke of the Department of the Interior's cybersecurity posture, finding it was able to crack thousands of employee user accounts because the department's security policies allow easily guessable passwords like 'Password1234'. The report by the Office of the Inspector General for the Department of the Interior, tasked with oversight of the U.S. executive agency that manages the country's federal land, national parks and a budget of billions of dollars, said that the department's reliance on passwords as the sole way of protecting some of its most important systems and employees' user accounts has bucked nearly two decades of the government's own cybersecurity guidance of mandating stronger two-factor authentication. It concludes that poor password policies put the department at risk of a breach that could lead to a "high probability" of massive disruption to its operations.
The inspector general's office said it launched its investigation after a previous test of the agency's cybersecurity defenses found lax password policies and requirements across the Department of the Interior's dozen-plus agencies and bureaus. The aim this time around was to determine if the department's security defenses were enough to block the use of stolen and recovered passwords. [...] To make their point, the watchdog spent less than $15,000 on building a password-cracking rig -- a setup of a high-performance computer or several chained together -- with the computing power designed to take on complex mathematical tasks, like recovering hashed passwords. Within the first 90 minutes, the watchdog was able to recover nearly 14,000 employee passwords, or about 16% of all department accounts, including passwords like 'Polar_bear65' and 'Nationalparks2014!'. The watchdog also recovered hundreds of accounts belonging to senior government employees and other accounts with elevated security privileges for accessing sensitive data and systems. Another 4,200 hashed passwords were cracked over an additional eight weeks of testing. [...]
The watchdog said it curated its own custom wordlist for cracking the department's passwords from dictionaries in multiple languages, as well as U.S. government terminology, pop culture references, and other publicly available lists of hashed passwords collected from past data breaches. By doing so, the watchdog demonstrated that a well-resourced cybercriminal could have cracked the department's passwords at a similar rate, the report said. The watchdog found that close to 5% of all active user account passwords were based on some variation of the word "password" and that the department did not "timely" wind down inactive or unused user accounts, leaving at least 6,000 user accounts vulnerable to compromise. The report also criticized the Department of the Interior for "not consistently" implementing or enforcing two-factor authentication, where users are required to enter a code from a device that they physically own to prevent attackers from logging in using just a stolen password.
Re:Password1234? (Score:5, Funny)
Only a fool would use "Password1234" as a password. You really need to skip a digit for maximum protection. That's why my password is "Password1235". Nobody will guess that.
[edit]
Oh... I see what I've done here. Damn, now I'll have to change *all* my passwords in case someone reads this.
Re:Password1234? (Score:4, Funny)
Ha! Nice try whoever edited the above post! Just so we think the OP changed all his passwords so we don't check and you get to all accounts to yourself!
[edit] It was about time for /. to implement editing of posts!
Re: (Score:2)
Heheh, nice!
Incidentally, accepting a password like Password1234 is a complete failure on the side of the software people (will not call anybody that screws up this badly an "engineer"), because that is in both the "Have I been Pwned" and the Kali list of known bad passwords and needs to be rejected. Both lists can be checked offline, Have I been Pwned by downloading the hash file and Kali is an offline check in the first place.
That said, "Password1235" is also in both lists ;-)
References: https://haveibee [haveibeenpwned.com]
Polar_bear65 (Score:2)
Darned! They discovered my password.
Re:Password1234? (Score:5, Insightful)
Heheh, nice!
Incidentally, accepting a password like Password1234 is a complete failure on the side of the software people
Not really.
Making people try to remember passwords like "XshI&dgh654H*!edW" is stupidity incarnate. So is making them change their password every ten days. They're just going to write it on a sticker on their keyboard if you do that.
The real trick is to lock out the users if they fail to login three times. That way you can't try dictionary attacks.
The next step is two factor authentication so it doesn't matter if the password is leaked, you also need the special key fob or their cell phone (or whatever).
Re: (Score:2)
It is an utter and complete failure because they did not check against the list of known bad passwords. I certainly did not say anything about high-complexity or random passwords and I should have stated here multiple times that forced password changes decrease security. Incidentally, all locking out users does is overwhelm support when somebody repeatedly locks out everybody with guessable user names.
Re: (Score:2)
You can unlock them automatically after an hour. That's still plenty of time to thwart a dictionary attack.
Re: (Score:2)
Or put in a captcha after three fails.
Re: (Score:2)
Or just delay login attempts by a few seconds (rate limiting). Dictionary guessing attacks require millions/billions of attempts.
Re: (Score:2)
Indeed. And that is what a competent person would do. For a somewhat increased level of usability, you can also do that IP-based so the attacker at least has to do a distributed guessing attack.
Well, in actual reality, nobody does massive guessing attacks on login-interfaces anyways. In basically all cases they already have delays and somewhat good passwords protect them nicely for medium security levels. For high security, you need 2FA anyways.
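The sub-thread above argues over lockouts, auto-unlock after an hour, and per-attempt delays. The following is an added example (not code from the thread or from any product) that puts those three defensive ideas together in one login throttle: a growing delay on each failed attempt, a per-account lockout that clears itself after a fixed window, and a looser per-source-IP counter so one address cannot spread guesses across many accounts. The thresholds, the `LoginThrottle` class, the sample user table and the `simulate` driver are all assumptions chosen for illustration; the clock and sleep functions are injectable so the behaviour can be exercised without waiting.

```python
"""Login-attempt throttling: rate limiting, temporary lockout, auto-unlock.

Added example, not from the Slashdot thread or any named product.
"""
import hmac
import time
from collections import defaultdict

MAX_FAILURES = 3          # assumption: failures before an account is locked
LOCKOUT_SECONDS = 3600    # assumption: auto-unlock after one hour
IP_MAX_FAILURES = 20      # assumption: looser limit per source address
BASE_DELAY = 2.0          # assumption: seconds; doubles per consecutive failure

# Constructed sample user table (plaintext only to keep the demo short).
SAMPLE_USERS = {"alice": "Polar_bear65"}


def sample_verifier(user: str, password: str) -> bool:
    """Constant-time comparison against the constructed sample table."""
    return hmac.compare_digest(SAMPLE_USERS.get(user, ""), password)


class LoginThrottle:
    def __init__(self, verifier, clock=time.monotonic, sleeper=time.sleep):
        self._verify = verifier        # callable(user, password) -> bool
        self._clock = clock            # injectable for tests
        self._sleep = sleeper          # injectable for tests
        self._acct = defaultdict(lambda: {"fails": 0, "locked_until": 0.0})
        self._ip = defaultdict(lambda: {"fails": 0, "locked_until": 0.0})

    def _locked(self, entry) -> bool:
        """Report lock state; clear the counter once the window has elapsed."""
        now = self._clock()
        if entry["locked_until"] > now:
            return True
        if entry["locked_until"] and entry["locked_until"] <= now:
            entry["fails"] = 0             # window elapsed: auto-unlock
            entry["locked_until"] = 0.0
        return False

    def attempt(self, user: str, password: str, source_ip: str) -> str:
        """Return 'ok', 'denied' (wrong password) or 'locked'."""
        acct, ip = self._acct[user], self._ip[source_ip]
        if self._locked(acct) or self._locked(ip):
            return "locked"
        if self._verify(user, password):
            acct["fails"] = 0
            return "ok"
        acct["fails"] += 1
        ip["fails"] += 1
        # Rate limit: the delay grows with each consecutive failure.
        self._sleep(BASE_DELAY * 2 ** (acct["fails"] - 1))
        now = self._clock()
        if acct["fails"] >= MAX_FAILURES:
            acct["locked_until"] = now + LOCKOUT_SECONDS
        if ip["fails"] >= IP_MAX_FAILURES:
            ip["locked_until"] = now + LOCKOUT_SECONDS
        return "locked" if acct["locked_until"] else "denied"


def simulate():
    """Drive the throttle with a fake clock; returns the outcome sequence."""
    fake = {"t": 0.0}
    th = LoginThrottle(sample_verifier, clock=lambda: fake["t"],
                       sleeper=lambda seconds: None)
    out = [th.attempt("alice", "Password1234", "10.0.0.1") for _ in range(3)]
    out.append(th.attempt("alice", "Polar_bear65", "10.0.0.1"))  # right password, still locked
    fake["t"] = LOCKOUT_SECONDS + 1                               # an hour passes
    out.append(th.attempt("alice", "Polar_bear65", "10.0.0.1"))
    return out


if __name__ == "__main__":
    print(simulate())
```

Whether the caller should be told "locked" rather than a generic "denied" is a design choice: it helps the legitimate user understand a CAPS LOCK mishap, but it also confirms that the account name exists, so many deployments return one generic message and put the detail in the audit log instead.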
Re: (Score:2)
I foresee you getting fired if you ever manage to get a job as security engineer responsible for login parameters.
Re: (Score:2)
Suggesting that there are no options between passwords like "password1234" and passwords like "XshI&dgh654H*!edW" is a classic false dichotomy fallacy (as well a straw man, since the person you replied to didn't suggest that as a solution).
Re: (Score:2)
Fair point, but it's more the "must be complex" mentality that bothers me. I'm sick of idiots insisting that low-value passwords have to use twelve characters with at least two special symbols, two numbers and glub knows what else.
There's other, better solutions. As mentioned above.
Re: (Score:2)
Agreed, length is better than complexity. It's easy to memorize a long passphrase (should memorization be necessary, which it usually shouldn't be) and it works just as well as complexity.
Re: (Score:2)
The real trick is to lock out the users if they fail to login three times.
Three tries, seriously? Have you ever done production support? There's this button on the user's keyboard labeled CAPS LOCK that keeps them from typing their password right the first five tries.
Re: (Score:1)
There's this button on the user's keyboard labeled CAPS LOCK that keeps them from typing their password right the first five tries.
That's why you should have a big fat "caps lock down" warning pop up on your login page if someone is typing in their password with caps lock down. It's easy to do this in JavaScript for webpages, and programming languages for desktop apps also generally have ways of detecting caps lock state.
Re: (Score:2)
>"Making people try to remember passwords like "XshI&dgh654H*!edW" is stupidity incarnate. So is making them change their password every ten days. They're just going to write it on a sticker on their keyboard if you do that."
I have been saying that for DECADES. I even had arguments with "security auditors" on this (and won).
Passwords need to be "reasonably" complex, not stupidly complex. And all aging does is piss off users and encourage them to write them down or pick worse passwords.
Ask for 8+ ch
Re: (Score:2)
That's probably the dumbest idea that ever worked.
Still a bad password, but probably moved it to the deep end of a dictionary attack.
Re: (Score:2)
SMS is probably the worst way to do 2FA.
OTP Generator Apps/Devices can hold and manage the umpteen secret keys for your website.
And even ignoring the completely new "better ways" currently being rolled out (FIDO, WebAuthn) we already have a quite good way to handle current 2FA: Password managers with good, really random passwords PER SITE and local generation of OTP with TOTP. Ideally on a separate device.
Re: (Score:2)
Yes. That's why it needs a certain level of protection on its own, too.
But on a larger scale: If it's required to physically steal something to gain access/passwords, that's the end of mass hacks when a database is leaked.
Rules for Thee and not for...Why again? (Score:1)
So the same Government agency that mandated and forced 3rd party civilian suppliers to implement strong password measures and MFA, has neither?
Why again? What, the civilian systems are somehow less important?
Re: (Score:2)
Civilian or government these agencies are still just made up of people, sometimes fallible, and sometimes dumb people, and they still inherit years of tech debt and bad practices that are hard to break ("it's always worked before, I'm not gonna be the guy who breaks everything") but again, just people showing up and trying to do their job.
Now those aren't excuses but just some explanations. Issues like this are the reason every major department has an inspector general. If you are saying we should give the
Re:Rules for Thee and not for...Why again? (Score:5, Insightful)
You are more than welcome and able to live a life with no government involvement and also pay $0 in taxes. It's quite feasible.
But you actually don't want that life, you want to enjoy the benefits of modern society but on "your" terms, which is frankly, childlike.
Re: (Score:1)
Civilian or government these agencies are still just made up of people, sometimes fallible, and sometimes dumb people, and they still inherit years of tech debt and bad practices that are hard to break.
Hard to break? You mean hard to swallow that excuse.
Government IT audits have been producing D-grade report cards since the fucking 90s.
And it's far from a "fallible" excuse when that same Government demands and mandates strong password validation and MFA to secure civilian systems. Let's stop pretending the Government has no money to spend to simply Do What They Mandate. A couple hundred million taxpayers would probably disagree.
They shouldn't be given any more resources right now beyond what it takes to
Re: (Score:3)
Government demands and mandates strong password validation and MFA to secure civilian systems.
Should they not? Is that not a good thing?
Let's stop pretending the Government has no money
Departments get the money they are assigned and almost always it's assigned to specific purposes. I would have lots of money for projects if I just stopped paying my mortgage eh?
We get it, "government bad". That's the solution to all our problems after all...
Re: (Score:1)
Government demands and mandates strong password validation and MFA to secure civilian systems.
Should they not? Is that not a good thing?
Never said that. I'm criticizing the hypocrite in this case, not the logical process mandated. That whole "Rules for Thee" reference I made before wasn't clear?
Let's stop pretending the Government has no money
Departments get the money they are assigned and almost always it's assigned to specific purposes. I would have lots of money for projects if I just stopped paying my mortgage eh?
We get it, "government bad". That's the solution to all our problems after all...
D-grade report cards are issued. And then ignored, except for all those screaming "Holy shit! We're insecure! Give us money!"
Lather, rinse, and repeat for Greed's overly predictable actions over the last decade or two. If Government spending were that reliable, 100 million citizens wouldn't be screaming daily for audits of the Fed.
Government isn'
Re: (Score:3)
Never said that. I'm criticizing the hypocrite in this case, not the logical process mandated. That whole "Rules for Thee" reference I made before wasn't clear?
Great, but to what end? What does pointing out the hypocrisy accomplish and do you really think the people at Interior are twirling their moustaches and thinking "Oh those poor peasants have to follow the rules while we get our poor passwords and continue working on early 2000's software. Muahahahaha"
100 million citizens wouldn't be screaming daily for audits of the Fed.
All that means is 230 million don't care or know the other 100m are just garnering for political points and 90m of those 100m probably don't know what the Fed actually does or why it's there (case in point why
Re: (Score:1)
Yeah. NIST 800-171. I thought government security standards are even more stringent than for contractors. 800-171 is a real pain with all the MFA and log checking daily, weekly, monthly, etc. Don't they have auditors for themselves? Wouldn't the "Government watchdog" report on the auditors as well as the individual agency departments? I'd like to know what admin is in charge of enforcing the password policies and how much are they paid?
I see you've been living in the same trenches I have for years now. And with all the same outstanding, obvious, and rather annoying questions. Really does make you wonder sometimes about the futility of it all.
Doubt CMMC will change a damn thing. It's been neutered quite a bit since conception.
Re: (Score:3)
I give credit to the DOI's IG office for sponsoring this audit into their own systems. At least the IG is taking previous failures seriously and looking at ways to prove to the suits in the DOI that their systems are STILL vulnerable.
According to the report, the Department of the Interior provided the password hashes of every user account to the watchdog, which then waited 90 days for the passwords to expire — per the department’s own password policy — before it was safe to attempt to crack them.
So this was not a white hat pen attempt. This was a specific proof-of-vulnerability to management that just because they had complex password requirements and only stored hashed values that their single factor authentication was NOT secure.
So, kudos to the IG team for continu
Re: (Score:2)
This is people with big egos and small skills because they think they _personally_ are important due to their positions. Hence, of course, _they_ do not need to follow the rules, they are too good for that. Kind of like the company where the C-Levels did not need to use 2FA when travelling but anybody else did. Squashed that with a "red" finding they did not like very much, but audit is really hard to touch.
how much crypto can that system mine? (Score:3)
how much crypto can that system mine?
fire executives who don't enforce good security? (Score:3)
how about fire all executives who don't enforce good security?
I mean, what's wrong with requiring basic security measures? with severe penalties for lax operations and enforcement.
ya know, expect decent levels of management. ... i know .. it's too much to ask for :(
The problem is cover your ass policies (Score:5, Interesting)
I got in a fight with the IT department at a security company I was working at over their password and login policies. They required:
One capital letter and one small
One number and one symbol
To change the password every 2 months
Most people will create a good work password once but when you ask them to change the password they eventually resort to common English word, first letter capitalized, followed by a symbol and then a number that they increment. I've surveyed employees and found 60% of people follow this pattern and another 20% follow it with a close variant.
Presented with this evidence IT did not change their policies. Why because this is the standard way of doing things. If they changed and were hacked then IT would be to blame but if they follow the same policies as pretty much everyone else then their asses are covered.
Side note: I did get in some trouble for using the term CYA and explaining it to them.
Re: (Score:3)
To change the password every 2 months
There are now numerous recommendations to _not_ do that, including from the well-known security standards like BSI and NIST because it _decreases_ security. (Why? Just try to come up with an attack where this actually helps. Then consider that people will invest less effort in a temporary password compared to a long-term one.)
Too many people are sticking with the meaningless and damaging ritual though. In one case I had to advise an audit-customer (I do internal audit as a service, among other things) to ge
Re: (Score:2)
>> To change the password every 2 months
> There are now numerous recommendations to _not_ do that, including from the well-known
> security standards like BSI and NIST because it _decreases_ security. (Why? Just try to
> come up with an attack where this actually helps.
I give the scenario of the audit given in the article in the OP. They waited 90 days from their hash dump to ensure none of the passwords they found will be the passwords in current use against the login/email IDs. If the Departm
Re: (Score:2)
Completely irrelevant artificial scenario. Stolen password hashes get used within hours of theft for attacks on other sites. Nobody spends 90 (or 30) days to crack password hashes, it is just not worth the effort. I also encourage you to find out what the reasoning behind the original "90 day" and then "30 day" recommendations were. Here is a hint: These reasons do not exist anymore. Anybody that still insists on forced, time-based password changes today is simply incompetent and no excuses.
Did they give them the password file? (Score:3)
Did they give the researchers the passwd files (or other equivalent)? That alone makes the process a lot easier. And they already have all the usernames?
More than 20 years ago there was some password cracker called something John that could quickly do a dictionary attack against the shadow file. But you had to have access to that file in the first place.
Re: (Score:3)
From TFA: "the Department of the Interior provided the password hashes of every user account to the watchdog, which then waited 90 days for the passwords to expire — per the department’s own password policy — before it was safe to attempt to crack them.".
So the study as-conducted assumes that the bad actor had already obtained access to some internal data, enough to get at all the hashes. I'm curious why the article doesn't say whether the Department also supplied all the salts or not. Whic
Re: (Score:2)
>"Did they give the researchers the passwd files (or other equivalent)? That alone makes the process a lot easier. And they already have all the usernames?"
Apparently yes.
If you can gain access to a hashed password file, then OF COURSE you are going to be able to crack passwords if there are enough user accounts in them. Even if the passwords are relatively strong.
In the real world, great security is and must be kept around the hash file. And you can't just get around that with brute force guessing of
It is not a policy failure (Score:2)
Password policies cannot qualify users to select good passwords. That is just not possible. It is a password quality testing failure. Things like "Password123" will be in both the "Have I been Pwned" hash-list and the plaintext bad-password list from Kali. Not even checking a new password against one of these is an abject failure on the part of the software designers. Also remember that passwords selected by non-experts will very often not be very secure. In any application where you need more security, yo
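Two posts in this thread (the one above and the earlier "Heheh, nice!" reply) make the same point: the gate that matters is checking a candidate password against a known-bad list at the moment it is set, and the "CYA policies" post describes the rotation habit (same word, bump the trailing number) that forced expiry produces. The following is an added example, not code from the thread or from Have I Been Pwned, that implements both checks in one place. It assumes the `HASH:COUNT` line layout of the downloadable Pwned Passwords files (uppercase SHA-1 hex, a colon, a prevalence count); the breach list here is constructed in-line by hashing a handful of strings the thread itself calls out, and the function names, the minimum length and the `check_new_password` return format are assumptions for illustration.

```python
"""Password-quality gate: known-bad list plus trivial-rotation detection.

Added example, not from the thread or any vendor. A real deployment would
load the downloaded Pwned Passwords file instead of the constructed sample.
"""
import hashlib
import re


def sha1_upper(password: str) -> str:
    """SHA-1 hex digest, uppercase, as used by the Pwned Passwords files."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def load_pwned_hashes(lines):
    """Parse 'HASH:COUNT' lines into a set of uppercase hex digests."""
    hashes = set()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        digest, _, _count = line.partition(":")
        hashes.add(digest.upper())
    return hashes


# Constructed sample list (labelled as such): hashes of strings the thread
# names as weak. The counts are made up; only the hashes are looked at.
SAMPLE_PWNED = load_pwned_hashes(
    f"{sha1_upper(p)}:{n}" for p, n in [
        ("Password1234", 5000), ("Password1235", 120), ("password", 9000000),
        ("Polar_bear65", 3), ("Nationalparks2014!", 1),
    ]
)

_TRAILING_NUMBER = re.compile(r"^(.*?)(\d+)$")


def _split_stem(password: str):
    """Split 'Polar_bear65' into ('Polar_bear', '65'); no digits -> (pw, '')."""
    m = _TRAILING_NUMBER.match(password)
    return (m.group(1), m.group(2)) if m else (password, "")


def is_pwned(password: str, pwned_hashes=SAMPLE_PWNED) -> bool:
    """True if the password's SHA-1 appears in the known-bad set."""
    return sha1_upper(password) in pwned_hashes


def is_trivial_rotation(old: str, new: str) -> bool:
    """True when the new password is the old stem with only the trailing
    number (or letter case) changed, e.g. Word!1 -> Word!2 or Word -> Word1."""
    return _split_stem(old)[0].lower() == _split_stem(new)[0].lower()


def check_new_password(new: str, old: str = None, min_length: int = 12,
                       pwned_hashes=SAMPLE_PWNED):
    """Return a list of reasons to reject; an empty list means accept.
    `old` is the current password the user supplied to authorise the change."""
    reasons = []
    if len(new) < min_length:
        reasons.append("too short")
    if is_pwned(new, pwned_hashes):
        reasons.append("appears in breach list")
    if old is not None and is_trivial_rotation(old, new):
        reasons.append("trivial variation of previous password")
    return reasons


if __name__ == "__main__":
    print(check_new_password("Password1235", old="Password1234"))
    print(check_new_password("Polar_bear66", old="Polar_bear65"))
    print(check_new_password("correct horse battery staple"))
```

The rotation check only works at change time, when the user has just proven the old password; nothing about the old value needs to be stored in a reversible form. Checking the full downloaded hash file offline, as the earlier post suggests, keeps candidate passwords off the network entirely.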
"Polar_bear65" meets strong password defaults. (Score:2)
$15k? (Score:2)
You could crack those passwords in 10 minutes on a laptop with a publicly available dictionary, not sure why they spent $15k on a dedicated cracking box.
Re: (Score:2)
Depends on the hashing algorithm in use...
If it's NTLM or any other unsalted algo, then you just need to compute the hash once and then compare it against the 850k stored hashes.
You don't brute force all possible combinations of 12 chars, you take one of the existing dictionaries and then you apply rules which generate variations (eg if your dictionary contains "password" it will try "Password", "Password123!", "Password2023" etc and other common derivations).
You also seed your dictionary with words/terms re
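The reply above notes that with an unsalted scheme such as NTLM an attacker hashes each guess once and compares it against every stored hash, and an earlier reply asks whether the Department even supplied salts. The following is an added example, not code from the thread or from any product, showing the defender's side of that point: per-user random salts with a deliberately slow standard-library key derivation (PBKDF2-HMAC-SHA256) mean two users with the same password get unrelated stored values, so a precomputed digest cannot be matched across rows and every guess costs the full iteration count per user. The record layout, the iteration count and the sample users are assumptions for illustration.

```python
"""Per-user salted, slow password hashing contrasted with a bare digest.

Added example, not from the thread or any named product.
"""
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumption; tune so one verification takes ~100 ms


def unsalted_digest(password: str) -> str:
    """What the thread warns about: same password -> same stored value."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iters>$<salt b64>$<key b64>' with a fresh salt."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_b64, key_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(key_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(dk, expected)


# Constructed sample: two users who happened to choose the same password.
SAMPLE_USERS = [("alice", "Nationalparks2014!"), ("bob", "Nationalparks2014!")]


def demo():
    """Build both kinds of record and report what an attacker could correlate."""
    unsalted = {u: unsalted_digest(p) for u, p in SAMPLE_USERS}
    salted = {u: hash_password(p) for u, p in SAMPLE_USERS}
    return {
        # Identical plaintexts are visible as identical unsalted digests...
        "unsalted_collide": unsalted["alice"] == unsalted["bob"],
        # ...but produce unrelated salted records.
        "salted_collide": salted["alice"] == salted["bob"],
        "verify_ok": verify_password("Nationalparks2014!", salted["alice"]),
        "verify_wrong": verify_password("Nationalparks2014", salted["alice"]),
    }


if __name__ == "__main__":
    print(demo())
```

Salting and a slow KDF raise the per-guess cost and remove cross-account reuse of work; they do not rescue a password that is itself on a breach list, which is why the list check at password-set time and a second factor remain the other two legs of the stool.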
Re: (Score:2)
I think it was more that the report was written to the government agency rather than to us. I can get plenty of used hardware off ebay not to mention used hashing rigs to do this work and just trawling through github to get the software. However saying "I can crack the government with junk and $100" is an easy to ignore report. I mean hell, for more than 10 years people HAVE been doing this stuff publicly and it hasn't done any kind of serious password policy change
So this report goes step by step on the kin
This is normal (Score:2)
Pointless endeavours (Score:2)
One-way hashes have never been a valid means of storing credentials. Passwords have insufficient entropy to survive brute force offline campaigns and there is very little an organization can do about it without pushing users to drawers full of post-it notes.
For better outcomes what is needed are better architecture where authenticators are simple, physically secured, isolated formally verifiable single purpose systems.
Even more importantly secure authentication methods using zero knowledge proofs or similar