Investigation Exposes DOI’s Poor Password Practices

The Department of Interior’s Office of Inspector General (DOI OIG) has discovered inadequate password management and enforcement practices at the Department of the Interior, putting essential IT systems in danger. These basic password mistakes, which are unfortunately common in the healthcare sector, provide malicious actors with a simple way to acquire initial access to networks, enabling them to conduct ransomware attacks and other criminal activities.

The DOI OIG conducted an inspection of the department’s password complexity requirements to assess the effectiveness of its password management and enforcement controls. Weaknesses in password management were identified, and many weak passwords were found. Shockingly, 4.75% of accounts were using variants of “password,” which could be cracked instantly by a malicious actor. Furthermore, “password-1234” was utilized to secure 478 different accounts and 5 of the top 10 most frequently used passwords contained the term “password” and the numerical sequence “1234”. The DOI had set minimum requirements for password complexity, however these rules had become outdated and were no longer effective. Unfortunately, some users were still setting weak passwords such as P@s$w0rd and Changeme$12345, which met the requirements, but were easy to guess. Additionally, there were no time limits set on passwords, making them more vulnerable to brute force attacks. To make matters worse, accounts that were no longer in use were not disabled in a timely manner, leaving 6,000 accounts at risk. The DOI OIG attempted to crack passwords and in the first 90 minutes of testing, 16% of them had been guessed accurately. After testing 85,944 department passwords, 21% of them had been cracked, including 288 accounts with increased privileges and 362 accounts of top government officials. Furthermore, the DOI had not obeyed the requirement of multi-factor authentication for 15 years as 89% of significant assets did not have it enabled. Moreover, no list of accounts that had multi-factor authentication enabled could be presented when asked for it.

The DOI OIG has suggested ways to improve password management and enforcement, such as tracking MFA and applying it to all accounts, following the NIST SP 800–63’s latest password recommendations for setting new minimum requirements for password complexity, controlling the use of commonly used, expected, or compromised passphrases and passwords, and disabling inactive accounts quickly.