Inspector General Highlights Deficiencies in Interior Department Password Management
The OIG said in a report that it was able to crack over 18,000 out of nearly 86,000 active passwords, including those from accounts with elevated privileges and over 360 accounts owned by senior U.S. government employees. The OIG added that it was able to crack 16 percent of the DOI’s user accounts within an hour and a half.
The oversight body attributed the vulnerability to outdated and ineffective password requirements, FCW reported Tuesday.
The OIG found that 478 unique active accounts used commonly reused passwords and that the DOI failed to enforce its own account management policies about passwords. The oversight body also noted that multifactor authentication measures were not fully used across the agency.
The OIG provided eight recommendations to help strengthen the department’s user account management practices. These include the strict implementation of multifactor authentication, the revision of the DOI’s password and account management policies and a ban on using identical passwords for related accounts.
The department concurred with all recommendations but pointed out that it has safeguards that lower the risk of compromise.
In 2019, the Cybersecurity and Infrastructure Security Agency updated its security tips on strong passwords. According to CISA, employees must choose a unique, hard-to-guess combination involving letters, numbers and characters that meets the National Institute of Standards and Technology’s requirements.
CISA recommended, among other things, using different passwords for different accounts and using a password manager app.