Mark Lee Greenblatt, Inspector General of the U.S. Department of the Interior, recently reported in The Washington Post that his office tested whether the department's password controls could stop a malicious actor from gaining unauthorized access to its systems. The team used a common password-cracking technique: guessing candidate passwords with free, publicly available cracking software driven by a custom word list, and checking each guess against the stored password hashes.
They cracked more than 18,000 passwords, or 21 percent of the department's total, nearly 14,000 of them in the first 90 minutes of testing alone. The cracked passwords included those for hundreds of accounts belonging to senior department officials and hundreds belonging to employees with elevated privileges, such as system administrators.
Some of the findings were surprising, given that they were testing government systems containing potentially high-value information. For instance, “Password-1234” was the most commonly used password. In fact, five of the top 10 passwords included some variation of the word “password,” along with “1234.”
Even so, 99.99 percent of the cracked accounts met the department's password complexity requirements, the familiar mix of upper- and lower-case letters, numbers and special characters that every computer user has been trained to supply. In other words, 99.99 percent of the passwords the team cracked were, by the department's own policy, considered strong. The reason is that a complexity rule only counts character classes; it says nothing about predictability, and a rule-based cracker tries exactly the patterns people use to satisfy such rules: a dictionary word, capitalized, followed by digits and a punctuation mark.
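The following is an added example, not the OIG's tooling or anything from the article, that shows in miniature why a policy-compliant password falls to a dictionary attack. It implements a tiny rule-based cracker (a word list times mangling rules, the approach tools such as hashcat and John the Ripper automate) and a complexity check. Everything specific is an assumption: the department's actual hash format is not stated, so unsalted SHA-1 stands in for it; the policy is assumed to be 12 or more characters with three of four character classes; the word list and the sample passwords are constructed for the demo.

```python
"""Added example: a miniature dictionary-plus-rules attack and a
complexity-policy check.  Hash type, policy, word list and sample
passwords are all assumptions constructed for illustration."""
import hashlib
import string

# Constructed "custom word list".  A real one would also hold the
# organisation's name, local teams, seasons, product names and so on.
WORDLIST = ["password", "welcome", "interior", "spring", "summer", "dinosaur"]

# Common letter-to-digit substitutions ("leet") that crackers undo by
# applying them to every base word.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})

SUFFIXES = ["", "1", "123", "1234", "-1234", "!", "2023", "2023!", "-2023!"]


def rules(word):
    """Yield mangled candidates for one base word: a tiny subset of a
    real rule set, but the same idea (case changes, leet, suffixes)."""
    bases = {
        word,
        word.capitalize(),
        word.upper(),
        word.translate(LEET),
        word.capitalize().translate(LEET),
    }
    for base in bases:
        for suffix in SUFFIXES:
            yield base + suffix


def hash_pw(pw):
    """Stand-in for the real stored hash (assumed unsalted, fast hash)."""
    return hashlib.sha1(pw.encode()).hexdigest()


def crack(target_hashes, wordlist=WORDLIST):
    """Return {hash: plaintext} for every target hit by wordlist x rules."""
    remaining = set(target_hashes)
    found = {}
    for word in wordlist:
        for candidate in rules(word):
            digest = hash_pw(candidate)
            if digest in remaining:
                found[digest] = candidate
                remaining.discard(digest)
                if not remaining:
                    return found
    return found


def meets_complexity(pw, min_len=12):
    """Assumed policy: at least min_len characters and three of four
    character classes.  This is the kind of rule the article describes."""
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    return len(pw) >= min_len and sum(classes) >= 3


# Constructed sample set: five policy-compliant passwords and one passphrase.
SAMPLE_PASSWORDS = [
    "Password-1234",
    "Welcome2023!",
    "Interior-1234",
    "5pr1ng-2023!",
    "Dinosaur-1234",
    "DinosaurLetterTrailChance",
]
TARGET_HASHES = {hash_pw(p): p for p in SAMPLE_PASSWORDS}


def run_audit():
    """Crack the sample hashes and report which cracked passwords were
    compliant with the (assumed) complexity policy."""
    cracked = crack(TARGET_HASHES)
    compliant_cracked = [p for p in cracked.values() if meets_complexity(p)]
    return cracked, compliant_cracked


if __name__ == "__main__":
    cracked, compliant = run_audit()
    for digest, plaintext in cracked.items():
        print(f"{digest[:12]}...  {plaintext:28s} compliant={meets_complexity(plaintext)}")
    print(f"{len(cracked)}/{len(SAMPLE_PASSWORDS)} cracked, "
          f"{len(compliant)} of them policy-compliant")
```

Running it cracks all five "complex" passwords in a few thousand guesses and leaves only the passphrase standing. Note the inversion the article is driving at: every cracked password passes the assumed policy, while the one password the attack cannot touch, the 25-letter passphrase, fails it for lacking digits and punctuation.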
Greenblatt makes two recommendations.
First, he recommended that the department adopt multifactor authentication on all IT systems, enforced so that it cannot be bypassed. MFA is the gold standard for access control. It refers to the use of at least two factors to access computer systems. The factors usually fall into three categories: something you have (a hardware or software token), something you know (a password) and something you are (a fingerprint or retinal scan). MFA requires at least two of those factors, such as a fingerprint plus a password, so a cracked password alone is not enough to log in.
Second, where MFA cannot be implemented, users should move away from passwords and toward passphrases.
Passwords are not only hard to remember but are ineffective, because even complex-looking passwords are remarkably easy for computers to crack. A password such as "5pr1ng*ish3re" is just "spring is here" with a few predictable letter-for-digit substitutions and a symbol, and cracking tools apply exactly those substitutions to every word in their dictionary, so it falls relatively quickly.
The better choice is a more easily remembered passphrase that strings together several unrelated words totaling more than 16 letters, such as "DinosaurLetterTrailChance." Though a computer can break a complex password in days, if not hours, it could take the same computer centuries to crack a passphrase, provided the words are genuinely unrelated rather than a familiar saying or song lyric, which a cracker can also guess.
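As an added example (not from the article), the block below generates a passphrase from randomly chosen, unrelated words and puts numbers on the "days versus centuries" claim under two attacker models: brute force over the character set, which is what a complexity policy implicitly measures, and a dictionary-aware attack that guesses word combinations. The 7,776-entry word-list size, the 10^10 guesses-per-second rate, and the 100,000 words times 10,000 rules figure for a dictionary attack are assumptions chosen for illustration; the short word list embedded in the code is a constructed stand-in.

```python
"""Added example: random passphrase generation and guess-space estimates
under two attacker models.  Rates and list sizes are assumptions."""
import math
import secrets
import string

# Constructed stand-in for a real word list (a real one has thousands).
WORDS = ["dinosaur", "letter", "trail", "chance", "copper", "violin", "harbor", "meadow"]

DICEWARE_SIZE = 7776            # assumed size of the real list (Diceware's)
GUESSES_PER_SECOND = 1e10       # assumed rate for an unsalted fast hash on GPUs
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def make_passphrase(n_words=4, words=WORDS):
    """Pick words with a CSPRNG (secrets, not random) so they are truly
    unrelated; human-chosen 'random' words tend to be guessable."""
    return "".join(secrets.choice(words).capitalize() for _ in range(n_words))


def brute_force_bits(password):
    """Naive strength a complexity policy implies: alphabet ** length,
    where the alphabet is the union of character classes present."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)   # 32 printable ASCII symbols
    return len(password) * math.log2(alphabet)


def wordlist_rules_bits(n_words, n_rules):
    """Guess space of a dictionary attack: every base word times every
    mangling rule.  Any password that such a rule set reaches is inside it,
    no matter how strong brute_force_bits says it is."""
    return math.log2(n_words * n_rules)


def passphrase_bits(dictionary_size, n_words):
    """Guess space of n random words when the attacker knows the list."""
    return n_words * math.log2(dictionary_size)


def years_to_exhaust(bits, guesses_per_second=GUESSES_PER_SECOND):
    """Time to try every candidate in a space of 2**bits guesses."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare(n_words=4):
    """Return the estimates a practitioner would put side by side."""
    return {
        "complex_password_brute_force_bits": brute_force_bits("5pr1ng*ish3re"),
        "dictionary_attack_bits": wordlist_rules_bits(100_000, 10_000),
        "passphrase_brute_force_bits": brute_force_bits("DinosaurLetterTrailChance"),
        "passphrase_dictionary_bits": passphrase_bits(DICEWARE_SIZE, n_words),
        "passphrase_dictionary_years": years_to_exhaust(passphrase_bits(DICEWARE_SIZE, n_words)),
    }


if __name__ == "__main__":
    print("generated:", make_passphrase())
    for n in (4, 6):
        for key, value in compare(n).items():
            print(f"{n} words  {key:36s} {value:12.3g}")
```

The numbers tell the practitioner's version of the article's point. "5pr1ng*ish3re" scores about 79 bits on the brute-force model but sits inside a roughly 2^30 dictionary-and-rules space, which the assumed rig exhausts in well under a second. "DinosaurLetterTrailChance" scores about 142 bits on brute force, which is where the article's "centuries" comes from. Against an attacker who guesses word combinations from the same published list, four words is about 52 bits, only days at this rate, while six words is about 78 bits, hundreds of thousands of years; so choose the word count with the dictionary model in mind, and prefer a slow, salted password hash on the server side, which cuts the assumed guess rate by orders of magnitude.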
It is counterintuitive, but passwords are hard to remember and easy for a computer to crack, while the opposite is true of passphrases.