2017-01-23
from the Hunt3r_2 dept.
89% of the department's high-value assets didn't use multi-factor authentication:
More than a fifth of the passwords protecting network accounts at the US Department of the Interior—including Password1234, Password1234!, and ChangeItN0w!—were weak enough to be cracked using standard methods, a recently published security audit of the agency found.
[...] The results weren't encouraging. In all, the auditors cracked 18,174—or 21 percent—of the 85,944 cryptographic hashes they tested; 288 of the affected accounts had elevated privileges, and 362 of them belonged to senior government employees. In the first 90 minutes of testing, auditors cracked the hashes for 16 percent of the department's user accounts.
The audit uncovered another security weakness—the failure to consistently implement multi-factor authentication (MFA). The failure extended to 25—or 89 percent—of 28 high-value assets (HVAs), which, when breached, have the potential to severely impact agency operations.
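An added example (my own, not code from the audit or the article): a password-screening check of the kind that would have rejected the three passwords the summary names. Each of them satisfies a typical composition rule, yet each collapses to a dictionary word once the usual mangling (case, leetspeak, appended digits and punctuation) is undone, which is why standard cracking recovers them in minutes. The blocklist here is constructed and tiny; a real deployment substitutes a large breached-password corpus.

```python
import re

# Constructed, deliberately tiny blocklist standing in for a breached-password corpus.
BLOCKLIST = {"password", "changeitnow", "welcome", "letmein", "interior"}

# Common leetspeak substitutions, reversed so a mangled word maps back to its base.
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                        "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def meets_composition_rule(pw: str) -> bool:
    """Typical legacy policy: at least 8 characters and three of four character classes."""
    classes = [r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]"]
    hits = sum(1 for c in classes if re.search(c, pw))
    return len(pw) >= 8 and hits >= 3


def normalize(pw: str) -> str:
    """Undo the mangling a rule-based attack applies to a dictionary word."""
    base = pw.lower()
    base = re.sub(r"^[^a-z0-9]+", "", base)            # strip leading punctuation
    base = re.sub(r"[0-9!@#$%^&*?._-]+$", "", base)    # strip trailing digits/punctuation
    return base.translate(UNLEET)                      # reverse leetspeak


def check_password(pw: str) -> tuple:
    """Return (accepted, reason). Blocklist screening runs after the composition rule."""
    if not meets_composition_rule(pw):
        return False, "fails composition rule"
    base = normalize(pw)
    if base in BLOCKLIST:
        return False, f"normalizes to blocklisted '{base}'"
    return True, "ok"


if __name__ == "__main__":
    # The first three are the passwords named in the audit; the last is a generated one.
    for pw in ("Password1234", "Password1234!", "ChangeItN0w!", "tX9#qLm2vB7kR"):
        print(f"{pw:16} composition={meets_composition_rule(pw)} -> {check_password(pw)}")
```

All three audited passwords pass the composition rule and are rejected only by the normalized blocklist lookup, which is the check the composition rule alone never performs.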
(Score: 2) by bzipitidoo on Tuesday January 17, @10:40PM
I'm so tired of hearing "they didn't use MFA!" as if that's a magic bullet that prevents 99.9999% of mis-authentications.
Browsers now all have password vaults, and they are heavily used. A nice feature relatively recently added is the option to let the browser generate a good password for you. Good passwords are what's really needed. On that front, it would be a great help if services weren't so insistent on making users create passwords. Just create the password for the user! Stop with all the nagging to include a "special character", an upper and lowercase letter, and a number. One of the most aggravating things about the "special character" is these systems that won't accept all the special characters, for no good technical reason. If the system is vulnerable to SQL injection through the password, then, dammit, that's a serious security bug and it should be fixed, not put on the users to avoid the special characters that trigger SQL injection.
We know that users, when faced with hundreds of accounts that have to be created over the years, will reuse passwords. Just make passwords for the users! Integrate this password creation with browser password vaults, and there you go, the Internet will be a lot more secure,