Federal Agencies are regularly using insecure passwords, including some as basic as ‘Password-1234’, and many aren't using multi-factor authentication.
A new audit from the Department of the Interior has shown some alarming gaps in security, with not even basic best practice being followed.
A poor password can be a hacker's easy gateway to a wealth of personal data and sensitive information, but with many of us using tools such as password managers to stay safe, how are Federal Agencies getting it so wrong?
Poor Password Practice at Federal Agencies
A new report from the Department of the Interior has shown that many Federal Agencies are failing at the most basic level when it comes to password security.
The audit assessed nearly 86,000 accounts of Federal Agency workers, and used basic password-cracking techniques to attempt to recover the associated passwords. Of these, over 18,000 (21%) were cracked, with 362 belonging to senior government employees.
In addition to this already worrying discovery, 89% of high-value assets did not have multi-factor authentication implemented, which could lead to severe repercussions if they were accessed by a malicious threat actor.
The report also blamed the constant requirement to update passwords for poor practice when it came to creating new ones: users were more likely to simply change one letter or character than to create a whole new string.
“Frequent password change requirements, while crucial when weak passwords are permitted, tend to encourage users to continue to use passwords that are easy to crack. When frequent password changes are required, users are most likely to change a single character, or append a character to the end of an existing password” – Department of the Interior report
Password-1234 Most Popular Password
Here on Tech.co we've covered popular passwords before, with ‘password’ topping the public's most used (and most easily cracked) choice. It seems that Federal Agency staff are only slightly less complacent, with the most used password uncovered in the Department of the Interior's audit being Password-1234.
While this has a little more imagination put into it, the report posits that this is likely due to the requirements of the internal systems, as it includes a capital letter, a special character, and numbers. In other words, it's the bare minimum needed to satisfy the password requirements, but it's still easily cracked. In fact, the audit discovered that nearly 5% of all passwords were some variation of the term ‘password’.
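The two failure modes the report describes (dressed-up variations of ‘password’, and rotations that change or append a single character) are both cheap to catch at the moment a user sets a new password. The following is an added example written for this article, not code from the Department of the Interior report or from any product; the denylist, the substitution table and the three-edit threshold are assumptions chosen to illustrate the checks, and a real deployment would use a large breached-password list instead of a one-word denylist.

```python
import re
from typing import List, Optional

# Constructed denylist: the audit found nearly 5% of passwords were a
# variation of "password". A real policy would load a breached-password list
# (assumption: this one-entry tuple is only illustrative).
DENYLIST = ("password",)

# Assumed table of common character substitutions users apply to satisfy
# "must contain a number/symbol" rules without choosing a new word.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Lowercase, undo the substitutions above and drop non-letters, so that
    'P@ssw0rd-1234' and 'Password-1234' both contain the core word 'password'."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the two-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def check_new_password(new: str, old: Optional[str] = None,
                       min_distance: int = 3) -> List[str]:
    """Return the policy violations for a proposed password (empty list = accepted).

    Check 1 rejects any password whose normalized form contains a denylisted word.
    Check 2 applies on rotation: the new password must be at least `min_distance`
    edits away from the old one, which rejects the single-character change or
    append that the report says users fall back on. The threshold is an assumption.
    """
    problems = []
    norm = normalize(new)
    for word in DENYLIST:
        if word in norm:
            problems.append(f"variation of denylisted word '{word}'")
    if old is not None:
        distance = edit_distance(new.lower(), old.lower())
        if distance < min_distance:
            problems.append(
                f"too similar to previous password (edit distance {distance})")
    return problems


if __name__ == "__main__":
    # Constructed sample of password-change attempts in the style the report describes.
    samples = [
        ("Password-1234", None),
        ("P@ssw0rd!", None),
        ("Spring2023!", "Spring2022!"),      # one character changed
        ("Winter2023!!", "Winter2023!"),     # one character appended
        ("correct horse battery staple", "Winter2023!"),
    ]
    for new, old in samples:
        verdict = check_new_password(new, old) or ["ok"]
        print(f"{new!r:32} {'; '.join(verdict)}")
```

The similarity check only works if the old password is available in clear text at change time, which is exactly when the user has just typed it; comparing against stored hashes is not possible, so the check has to run in the change flow itself rather than offline.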
The most common passwords discovered in the audit were:
Ensuring Passwords are Secure
The report on Federal Agency password usage is perhaps shocking, but not unexpected. We've known for a long time that people tend to use easy-to-remember passwords (and even write them down), and while we'd hope government employees would be a little more cautious, it seems as though they're just as fallible as the rest of us.
One of the easiest ways to make sure your passwords are secure is with a password manager. These tools take all the headache out of remembering passwords, and even out of creating them. The best password managers will generate secure, hard-to-crack passwords for you at the click of a button, and will even let you know if they turn up in a breach.
There are lots of good password manager options out there, and they'll only set you back a few dollars a month. We'd suggest that Federal Agencies treat themselves to one of our recommended password managers so they can stop relying on Password-1234, and we'd suggest you do the same, too.