Password security
Inspector General Highlights Deficiencies in Interior Department Password Management
The Department of the Interior has lax cybersecurity practices that leave it vulnerable to phishing scams and hacks, the agency’s Office of the Inspector General found.
The OIG said in a report that it was able to crack over 18,000 out of nearly 86,000 active passwords, including those from accounts with elevated privileges and over 360 accounts owned by senior U.S. government employees. The OIG added that it was able to crack 16 percent of the DOI’s user accounts within an hour and a half.
The oversight body attributed the vulnerability to outdated and ineffective password requirements, FCW reported Tuesday.
The OIG found that 478 unique active accounts used commonly reused passwords and that the DOI failed to enforce its own account management policies about passwords. The oversight body also noted that multifactor authentication measures were not fully used across the agency.
The OIG provided eight recommendations to help strengthen the department’s user account management practices. These include strict enforcement of multifactor authentication, revision of the DOI’s password and account management policies, and a ban on using identical passwords for related accounts.
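One way a defender can enforce two of these findings at password-change time, rather than discovering them afterwards by cracking hashes: reject passwords that normalize to a common/banned value, and reject a new password that verifies against a related (for example, privileged) account's stored hash. This is an added example, not code from the OIG report or the article; the blocklist, account names and passwords are constructed.

```python
import hashlib
import hmac
import os
import re

# Constructed stand-in for a real breached/common-password blocklist.
BANNED = {"password", "welcome", "changeme", "letmein", "qwerty"}
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed setting)

def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def normalize(pw: str) -> str:
    """Fold case, drop trailing digits/punctuation, undo leetspeak so
    'P@ssw0rd2023!' is recognised as 'password'."""
    stripped = re.sub(r"[\d\W_]+$", "", pw.lower())
    return stripped.translate(str.maketrans("@$013", "asoie"))

def check_new_password(new_pw: str, related: dict[str, tuple[bytes, bytes]]) -> list[str]:
    """Return the policy violations for a proposed password.
    `related` maps the names of the user's other accounts (e.g. a privileged
    counterpart) to their stored (salt, digest); an empty list means accept."""
    problems = []
    if len(new_pw) < 12:
        problems.append("shorter than 12 characters")
    if normalize(new_pw) in BANNED:
        problems.append("matches a banned/common password")
    for name, (salt, digest) in related.items():
        if verify(new_pw, salt, digest):
            problems.append(f"identical to password of related account {name}")
    return problems

if __name__ == "__main__":
    # Constructed scenario: a user setting the password on a standard account
    # while already holding a privileged account named "jdoe-admin".
    admin = hash_password("Gr4nite-Mesa-Kettle-91")
    print(check_new_password("Gr4nite-Mesa-Kettle-91", {"jdoe-admin": admin}))
    print(check_new_password("Welcome1!", {"jdoe-admin": admin}))
```

Because each stored hash is individually salted, reuse across accounts can only be detected at the moment the plaintext is available, which is why the check runs at set time rather than over the hash store.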
The department concurred with all recommendations but pointed out that it has safeguards that lower the risk of compromise.
The Cybersecurity and Infrastructure Security Agency updated its security tips on strong passwords in 2019. According to CISA, employees must choose a unique, hard-to-guess combination of letters, numbers and special characters that meets the National Institute of Standards and Technology’s requirements.
CISA recommended, among other things, using different passwords for different accounts and using a password manager app.