89% of the department's high-value assets didn't use multi-factor authentication:
More than a fifth of the passwords protecting network accounts at the US Department of the Interior—including Password1234, Password1234!, and ChangeItN0w!—were weak enough to be cracked using standard methods, a recently published security audit of the agency found.
[...] The results weren't encouraging. In all, the auditors cracked 18,174—or 21 percent—of the 85,944 cryptographic hashes they tested; 288 of the affected accounts had elevated privileges, and 362 of them belonged to senior government employees. In the first 90 minutes of testing, auditors cracked the hashes for 16 percent of the department's user accounts.
The audit uncovered another security weakness—the failure to consistently implement multi-factor authentication (MFA). The failure extended to 25—or 89 percent—of 28 high-value assets (HVAs), which, when breached, have the potential to severely impact agency operations.
(Score: 5, Informative) by bzipitidoo on Tuesday January 17, @10:40PM (14 children)
I'm so tired of hearing "they didn't use MFA!" as if that's a magic bullet that prevents 99.9999% of mis-authentications.
Browsers now all have password vaults, and they are heavily used. A nice feature relatively recently added is the option to let the browser generate a good password for you. Good passwords are what's really needed. On that front, it would be a great help if services weren't so insistent on making users create passwords. Just create the password for the user! Stop with all the nagging to include a "special character", an upper and lowercase letter, and a number. One of the most aggravating things about the "special character" is these systems that won't accept all the special characters, for no good technical reason. If the system is vulnerable to SQL injection through the password, then, dammit, that's a serious security bug and it should be fixed, not put on the users to avoid the special characters that trigger SQL injection.
We know that users, when faced with hundreds of accounts that have to be created over the years, will reuse passwords. Just make passwords for the users! Integrate this password creation with browser password vaults, and there you go, the Internet will be a lot more secure.
(Score: 2) by stormreaver on Tuesday January 17, @11:50PM
That's a really good idea.
I think all major browsers already save passwords for websites, so that should already be taken care of.
(Score: 2) by RS3 on Wednesday January 18, @01:18AM (2 children)
I agree, good passwords are all we need. I'm surprised that any technologically "competent" person would require caps, smalls, numbers, symbols, etc., as passwords. They all need to read this xkcd [xkcd.com].
I don't reuse passwords, but I might be an exception.
I hate MFA. All it does is: 1) force me to have passwords and other MFA written down, and in multiple places; and 2) make it more difficult for me to log in.
I've used some online password generators.
My email provider (yahoo!/AOL/Verizon) changed some rules a year or so ago. All the verbiage didn't make sense, nor did the "tech support" people. I forget the phrase they kept using, but I finally figured it out: the password you chose and use for web mail will no longer work for pop3 / imap. IIRC, you had to do something when logged in to web mail to cause them to generate a password for pop3 / imap access. Sigh. My password was better (longer).
(Score: 2, Interesting) by shrewdsheep on Wednesday January 18, @12:23PM (1 child)
That was good for its time. Cracking software has started using dictionary words as the base unit. Always add a number to your password, even if it is only your own street number.
(Score: 3, Interesting) by RS3 on Wednesday January 18, @06:22PM
Yes, very good advice.
I'm well aware of "dictionary attacks", and they're usually the scenario of someone guessing one dictionary word (or proper name) as a password. The xkcd example uses four words, so the possible combinations, someone help me here, should be (number of words in a dictionary)^4 ??
A guesser has no idea how many words you're using, or even if they are dictionary words. The guesser will start with single plain dictionary words, but after that fails, they have no idea how many words, or if it's even words.
Fairly obviously, using some numbers or anything else mixed in would push the number of possible combinations to, well, more than the number of stars in the entire universe? Maybe the number of electrons? :) I don't know, I'm not enough of a probability mathematician to give you numbers. That's for the experts.
The point of the xkcd comic: it's all about password length. You have theoretically 256 bit combinations per character in a password, so each added character multiplies the total number of calculations by 256.
I won't mention software names, but there's been password cracking software out there for at least 20 years, and you can supplant it with common word databases that are also out there for download.
The servers I admin run software that watches the security log files. Any failed passwords, ssh, https, ftp, whatever, the software logs your IP and watches for more failed attempts over a settable length of time. It's very effective. I know it's fairly easy to change IP addresses, but it's doing a great job of locking out thousands of password guesses per day (maybe per hour!). Most of the failures are guessed usernames. Yes, I've locked myself out many times, but it's a simple matter to either change my IP, or ssh into a different server and from there ssh into the one locking me out and remove the block.
Bottom line: the longer the password the better. If you can keep track of long passwords with mixed case, characters, etc., there's really no downside.
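The combinatorics question in the post above ("should be (number of words in a dictionary)^4 ??"), worked through as an added example rather than anything from the thread's posters. It generalizes to any scheme where each position is drawn from its own pool (a word from a list, a digit, a printable character), and it follows the usual defender's assumption that the attacker knows the scheme and only the selection is secret. The wordlist sizes and the guessing rate are constructed round numbers, not measurements.

```python
import math

# Constructed sizes for the comparison; real wordlists and alphabets vary.
XKCD_WORDLIST = 2048        # the comic's assumption: about 11 bits per word
LARGE_WORDLIST = 100_000    # a big English wordlist a cracker would load
PRINTABLE_ASCII = 95        # printable 7-bit ASCII characters
GPU_GUESSES_PER_SEC = 1e10  # constructed rate for an unsalted fast hash


def keyspace(choices):
    """Distinct secrets when position i is drawn uniformly from choices[i]
    equally likely options (a word from a list, a digit, a character...).
    Four words from a 2048-word list is keyspace([2048] * 4) == 2048 ** 4."""
    total = 1
    for n in choices:
        total *= n
    return total


def entropy_bits(choices):
    """log2(keyspace): the search an attacker faces when the scheme is known
    (how many words, which list) and only the selection is secret."""
    return sum(math.log2(n) for n in choices)


def expected_crack_seconds(choices, guesses_per_second=GPU_GUESSES_PER_SEC):
    """Expected offline time to hit one secret: half the keyspace on average."""
    return keyspace(choices) / 2 / guesses_per_second


def compare_schemes(guesses_per_second=GPU_GUESSES_PER_SEC):
    """Bits and expected crack time for a few ways of building a password."""
    schemes = {
        "one dictionary word":            [LARGE_WORDLIST],
        "dictionary word + 2 digits":     [LARGE_WORDLIST, 10, 10],
        "4 words, 2048-word list":        [XKCD_WORDLIST] * 4,
        "8 random printable characters":  [PRINTABLE_ASCII] * 8,
        "6 words, 2048-word list":        [XKCD_WORDLIST] * 6,
        "16 random printable characters": [PRINTABLE_ASCII] * 16,
    }
    return {
        name: {
            "bits": round(entropy_bits(ch), 1),
            "expected_seconds": expected_crack_seconds(ch, guesses_per_second),
        }
        for name, ch in schemes.items()
    }


if __name__ == "__main__":
    for name, r in compare_schemes().items():
        print(f"{name:32s} {r['bits']:6.1f} bits  ~{r['expected_seconds']:.3g} s")
```

Two things the table makes visible that the prose does not: a dictionary word with a house number appended is still only about 23 bits, and the comic's four words (44 bits) hold up against online guessing but fall in minutes to an offline attack on an unsalted fast hash, which is why the hash function on the server matters as much as the password.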
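The log-watching setup described in the post above (count failed logins per source address inside a window, block the address when a threshold is hit, keep an escape hatch so you don't lock yourself out), as an added example that is not the poster's software or any particular tool's code. The sshd lines are constructed in syslog format with documentation-range addresses; the regex, threshold and window are assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd lines in syslog format; the IPs are documentation ranges.
SAMPLE_LOG = """\
Jan 18 04:00:10 srv1 sshd[2101]: Failed password for root from 192.0.2.9 port 40001 ssh2
Jan 18 04:30:12 srv1 sshd[2155]: Failed password for root from 192.0.2.9 port 40002 ssh2
Jan 18 05:00:14 srv1 sshd[2201]: Failed password for root from 192.0.2.9 port 40003 ssh2
Jan 18 05:30:16 srv1 sshd[2250]: Failed password for root from 192.0.2.9 port 40004 ssh2
Jan 18 06:00:18 srv1 sshd[2301]: Failed password for root from 192.0.2.9 port 40005 ssh2
Jan 18 06:20:01 srv1 sshd[2410]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 18 06:20:15 srv1 sshd[2412]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Jan 18 06:20:40 srv1 sshd[2415]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jan 18 06:21:05 srv1 sshd[2418]: Failed password for root from 203.0.113.5 port 51237 ssh2
Jan 18 06:21:50 srv1 sshd[2421]: Failed password for invalid user oracle from 203.0.113.5 port 51238 ssh2
Jan 18 06:22:30 srv1 sshd[2424]: Failed password for invalid user oracle from 203.0.113.5 port 51239 ssh2
Jan 18 06:25:02 srv1 sshd[2440]: Failed password for rs3 from 198.51.100.7 port 60010 ssh2
Jan 18 06:25:20 srv1 sshd[2441]: Failed password for rs3 from 198.51.100.7 port 60011 ssh2
Jan 18 06:25:41 srv1 sshd[2442]: Accepted publickey for rs3 from 198.51.100.7 port 60012 ssh2
"""

# Matches the failure line only; "invalid user" is what sshd logs for unknown names.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9.]+) port \d+"
)


def parse_syslog_time(text):
    # Syslog timestamps carry no year; relative ordering is all we need here.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def find_offenders(lines, max_failures=5, window=timedelta(minutes=10), allowlist=()):
    """Return {ip: time_of_ban} for sources with at least max_failures failed
    logins inside a sliding window. allowlist is the escape hatch for the
    admin's own addresses so a fat-fingered password does not lock you out."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    banned = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue              # successes and unrelated lines are ignored
        ip = m["ip"]
        if ip in allowlist or ip in banned:
            continue
        ts = parse_syslog_time(m["ts"])
        hits = recent[ip]
        hits.append(ts)
        while hits and ts - hits[0] > window:
            hits.popleft()        # failures older than the window no longer count
        if len(hits) >= max_failures:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} (threshold reached at {when:%b %d %H:%M:%S})")
```

In the sample, 203.0.113.5 trips the threshold on its fifth failure; 192.0.2.9 has five failures too, but spread over two hours, so the ten-minute window never holds more than one; the admin's two typos from 198.51.100.7 never reach the threshold. A real deployment would feed the banned set into a firewall rule with an expiry rather than keeping it in memory.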
(Score: 3, Interesting) by MIRV888 on Wednesday January 18, @02:39AM (4 children)
I am not a software person, but wouldn't you just have to compromise the browser and its integrated password vault in order to gain access to all passwords? I know that's easier said than done. Compromising the machine always seems to be the first step though. From there passwords don't mean much of shit. That seems to be the purpose of MFA to me.
(Score: 2) by Mykl on Wednesday January 18, @03:00AM (2 children)
I've often wondered the same thing. It's a bit of an "all your eggs in one basket" type of situation.
The other question I had from TFS is that, in order to compromise so many hashes, I assume that the password hashes were not salted by username (i.e. the password itself is the only input to the hashing algorithm). If you found someone in the data with the same hash, you know their password matches yours. Why would you not hash the password by including the username itself as an input to the algorithm? That way someone who uses the same password as you will still have a different hash due to your usernames being different.
(Score: 2) by bzipitidoo on Wednesday January 18, @04:51AM (1 child)
Salting and hashing, and the use of https (or ssh), are standard operating procedure today. I saw the stunningly naive lack of security measures firsthand on PC LANs in the late 1980s. There was only /etc/password, no /etc/shadow, no salt, and no hashing. Anyone with root access could view /etc/password and see everyone's passwords in plaintext. There was also only telnet, no ssh, so any packet sniffer could also see passwords. Further, there was no wiping of the memory used to check the validity of a password, so that a memory scan could also reveal passwords. PCs and mainframes, and I'd guess every computer system from those days, were vulnerable to memory scans.
It is of course possible some large organizations are still using hardware that dates to the 1980s or earlier. You hear things such as that the computers in the nuclear missile silos are still using floppy disks. I know some of these government bureaucracies were still using telnet in 2001, 6 years after ssh was released.
As to "all your eggs...", the favorite term for that is, I'd guess, still "Single Sign On".
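The salting question from the two posts above (same password, same hash, versus a per-record salt), as an added example that is neither poster's code. It stores a random salt alongside a slow PBKDF2-HMAC-SHA256 hash, which is the standard practice bzipitidoo refers to; a random salt rather than the username is the usual choice because a username repeats across systems while random salts do not. The record layout and the audit helper are assumptions for the example; the 600,000 iteration count is OWASP's published 2023 figure for this function.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000   # OWASP 2023 recommendation for PBKDF2-HMAC-SHA256


def unsalted_hash(password):
    """The scheme Mykl describes: the password is the only input, so two users
    with the same password end up with the same stored value."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Stored credential: a random per-record salt plus a slow PBKDF2 hash.
    `salt` may be passed for reproducible tests; production code leaves it None."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify(record, candidate):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def duplicate_hash_groups(stored):
    """Auditor's view over {username: stored_hash}: groups of users whose stored
    values are identical. With per-record salts this always comes back empty,
    so any hit means the scheme is unsalted (or the salt is reused)."""
    by_hash = {}
    for user, h in stored.items():
        by_hash.setdefault(h, []).append(user)
    return [users for users in by_hash.values() if len(users) > 1]


if __name__ == "__main__":
    # Constructed users; Password1234 is one of the values from the audit story.
    naive = {u: unsalted_hash(p) for u, p in
             [("alice", "Password1234"), ("bob", "Password1234"), ("carol", "ChangeItN0w!")]}
    print("unsalted duplicates:", duplicate_hash_groups(naive))     # [['alice', 'bob']]
    salted = {u: make_record(p)["hash"] for u, p in
              [("alice", "Password1234"), ("bob", "Password1234")]}
    print("salted duplicates:", duplicate_hash_groups(salted))      # []
```

The slow hash is the second half of the defence: a salt stops the "same hash as mine" comparison and precomputed tables, but only the iteration count makes each guess in an offline audit cost something.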
(Score: 2) by MIRV888 on Wednesday January 18, @11:17AM
I remember people would share their C:\ drive on limewire.
Good times. Good times.
(Score: 2) by RS3 on Wednesday January 18, @06:33PM
My one browser's password vault needs my Windows user's password before it'll expose the passwords.
My older (OLD Opera (not chrome-based)) won't give up passwords, but there's 3rd-party software that easily decodes it. But you'd have to have physical access to my machine.
(Score: 2) by PiMuNu on Wednesday January 18, @08:33AM (2 children)
The problem is that a browser password vault cannot easily be moved from one PC to another without using some cloud service provider. Said provider is a single point of failure, high value asset, run by some guy who I don't know.
Most folks have many devices that need to access resources remotely (I have about 10 or 20 devices that I regularly use, running multiple operating systems and browsers).
(Score: 1) by shrewdsheep on Wednesday January 18, @12:26PM (1 child)
In fairness, Firefox allows you to use any WebDAV resource, last time I checked.
(Score: 2) by PiMuNu on Thursday January 19, @08:54AM
Interesting - I never looked, assuming that one has to use their Pocket thing. Nonetheless, on my android devices I use DuckDuckGo browser (whatever that is at the backend, they are shockingly tight-lipped but I guess some Chromium derivative).
(Score: 2) by darkfeline on Wednesday January 18, @09:22AM
What is mis-authentication?
I don't know of a single case of someone using 2FA (FIDO et al) being compromised that doesn't involve physical theft or breach of the service itself.
SMS is not 2FA, even if it is sold as such. Flushable wipes are not flushable.
Join the SDF Public Access UNIX System today!
(Score: 2) by Freeman on Wednesday January 18, @06:16PM
Our insurance requires MFA for off-campus logins to on-campus services. Otherwise, no insurance. Guess what we get to enjoy now?
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 3, Interesting) by dwilson98052 on Wednesday January 18, @04:28AM (1 child)
I used to work at a large non-profit and a lot of the passwords staff used were things like godisgreat or jesussaves or the name of their kid or something else stupid and easy to guess.
We started running the passwords on the domain controller against a dictionary of simple passwords and locking accounts that failed a few at a time.
The staff would have to come to the IT department, review and sign a form explaining the password policy, and choose a new password.
Before we let them leave we'd try and crack their password again.
At least half totally ignored the policy and tried another stupid password, sometimes even the same one.
We had a few elderly (septu-/octogenarian) managers and execs who could barely spell their name let alone learn a new password... they were exempt from the requirements but surprisingly only one of them was caught in the dictionary we used for cracking... and that password was "password".
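The preventive version of the procedure in the post above: instead of cracking stored hashes after the fact and marching staff to IT, screen the candidate password at change time against a blocklist, after undoing the cheap tricks (trailing digits, leetspeak) that let "Password1234!" and "ChangeItN0w!" pass a complexity rule. This is an added example, not the poster's setup; the blocklist here is a handful of constructed entries where a real deployment loads a large breached-password list, as NIST SP 800-63B asks, and the substitution table and minimum length are assumptions.

```python
import re

# Constructed blocklist; in practice load a large breached-password list.
BLOCKLIST = {
    "password", "changeitnow", "godisgreat", "jesussaves",
    "letmein", "welcome", "qwerty",
}

# Substitutions that add no real strength; "1" is read as "i" here.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password):
    """Reduce a password to the base word a cracker's mangling rules would
    recover: lowercase, drop digits/symbols tacked on either end, undo leetspeak."""
    base = password.lower()
    base = re.sub(r"^[^a-z]+|[^a-z]+$", "", base)
    return base.translate(LEET)


def check_password(password, username, blocklist=BLOCKLIST, min_length=12):
    """Return the reasons a candidate must be rejected; an empty list means accept."""
    reasons = []
    if len(password) < min_length:
        reasons.append("too_short")
    if username and username.lower() in password.lower():
        reasons.append("contains_username")
    if normalize(password) in blocklist:
        reasons.append("blocklisted")
    return reasons


if __name__ == "__main__":
    # Constructed candidates; the first two are values quoted in the audit story.
    for candidate in ["Password1234!", "ChangeItN0w!", "G0dIsGr34t!",
                      "jsmith-Summer2023", "brisk lantern quartz meadow"]:
        print(f"{candidate!r:32} -> {check_password(candidate, 'jsmith') or 'ok'}")
```

The normalizer only mirrors the simplest rules (suffix digits, prefix symbols, character substitutions); a cracker's rule set is far larger, which is why the blocklist itself should be the big list of already-leaked passwords rather than a short list of words with rules applied.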
(Score: 2) by RS3 on Wednesday January 18, @06:45PM
I know of many companies and organizations that force employees to sign an agreement that among many things says you will use passwords of at least [whatever their minimum definition], which usually includes some minimum length, caps, numbers, symbols, etc., or you'll be fired immediately. That might be a bit too harsh, but if I was a boss I'd consider some kind of mandatory unpaid leave or some such. But even then I'd consider that the person (elderly, disabled, etc.) would get more help, leeway, etc.
For the people who have trouble, I recommend a password generator, but then require them to change some of the characters from what the generator creates.
(Score: 2) by looorg on Wednesday January 18, @07:56AM (1 child)
Is there any reason to believe that federal employees should be better at picking passwords than any other company or organization? This seems to be very common across the board really. I'm fairly certain if they ran this over at the FBI, CIA, NSA etc., those people would pick horrible passwords too if they are used and they just don't use tokens and cards or whatever to unlock their systems.
(Score: 2) by Spook brat on Wednesday January 18, @06:12PM
I can confidently say that the Uniformed Services don't have problems anymore with poorly-chosen account passwords for logins on NIPRNET [wikipedia.org] systems. Department of Defense has standardized on the Common Access Card (CAC) [cac.mil] as the hardware token for two-factor authentication. This eliminates weak passwords, and moves the problem over to potentially-weak user-selected PINs. As part of DoD, the NSA is certainly doing this. FBI and CIA may be doing their own thing, I'm not in that circle to say either way.
Travel the galaxy! Meet fascinating life forms... And kill them [schlockmercenary.com]
(Score: 2) by SomeRandomGeek on Wednesday January 18, @05:14PM
So, shall we blame the legions of ordinary users for choosing poor passwords, or the system administrators for making poor passwords one of the available options? I know what my sysadmin will vote for!
(It was a trick question. We should blame top executives for not insisting that it be done right.)