"Government Watchdog Cracks Thousands of Passwords at US Federal Agency in Minutes"

The Inspector General of the Department of the Interior (DOI) conducted a security audit of the agency's password management policies and has now released a report stating that it was able to crack the passwords of more than 18,000 of the department's Active Directory accounts, representing 21 percent of the entire user base. The report criticizes the DOI, stating that the department's dependence on passwords as the sole method of protecting critical systems and employee user accounts undermines the government's long-standing cybersecurity guidelines, which recommend stronger two-factor authentication (2FA). The watchdog said that department employees used passwords found on Internet-accessible lists of compromised credentials, that the department employed single-factor authentication, and that inactive accounts were not terminated. During the inspection, 18,174 of 85,944 active user credentials, or 21 percent, were cracked, including 288 accounts with elevated privileges and 362 accounts of top US government personnel. This article continues to discuss findings from the security audit of the password management policies used at the agency.

Cybernews reports "Government Watchdog Cracks Thousands of Passwords at US Federal Agency in Minutes"


Submitted by Anonymous on