What a Government Security Audit Teaches us About Password Vulnerabilities

SDO Marketing Staff | September 3, 2018

Security firms and experts constantly encourage companies and organizations to enforce strong password policies to prevent the accounts of their employees and users from getting hacked. But what happens when an organization does enforce password policies? Employees knowingly find workarounds and continue to choose weak passwords that conform to those policies.

At least that’s what a recent audit of 17 Western Australian government agencies, covering more than 234,000 employee accounts, shows. And the Western Australian government is certainly not alone in this.

According to the report, at least 60,000 of the passwords, which amount to 26 percent of the total count, were either very weak or easily guessable. Some of the examples included “Password123,” “Project10,” “support,” “password1,” “October2017” and “Monday01.”

Here is the official count (figure from the report):

[Figure: Australian password audit - official count]

What made the situation worse was that some of these agencies allowed employees to log into their accounts remotely with nothing more than a password, so an attacker who obtained the password to one of those accounts could reach the organization’s data without ever gaining physical access to its network.

Of course, much of the blame lies with the Western Australian government for failing to set the right policies and secure its user accounts. But the episode also highlights the inherent weakness of passwords as a means of authenticating users.

Poor password policy and practices

According to the report, the agencies did have a password policy in place, but a weak one. The only requirement was a minimum length of 8 characters: no check against common or previously breached passwords, and none of the complexity requirements (a mix of lower- and upper-case letters, digits and symbols) that the baseline standards of the time called for. A length-only rule is exactly what lets “Password123” and “October2017” through.

“After repeatedly raising password risks with agencies, it is unacceptable that people are still using password123 and abcd1234 to access critical agency systems and information,”
- Auditor General Caroline Spencer

But most internet users, including the employees of Australian government agencies, already know what the fundamentals of a strong password are. So why don’t they abide by them?

The reality is that managing strong passwords is cognitively demanding. How can anyone remember dozens of long passwords made of letters, numbers and symbols? Most users trade security for convenience and pick something they are likely to remember: an obvious word, the name of a pet, a birthday, a home address, a school teacher’s name, and so on. Countless data breaches have proven this.

The problem is that in the ubiquitously connected world we live in, where every person generates gigabytes of data a year, such information can no longer be considered private: a bit of web scraping and a short visit to a dark web data market can turn up a great deal about a target, including sensitive details such as a Social Security Number for U.S. residents. Attackers also maintain rich dictionaries of popular passwords harvested from past breaches. They use those lists for dictionary attacks against online login systems and, far more efficiently, against stolen password hashes offline.

Some users choose one strong password and reuse it across several services. The problem with this practice is that if any one of those services is breached, attackers can quickly try the same credentials everywhere else (credential stuffing) and take over every account that shares the password. History has shown that even the most reputable companies (e.g. LinkedIn, Twitter, Yahoo) get breached.

So, while you can blame the Western Australian government for implementing a poor password policy and not blocklisting known-bad passwords, you can’t say that users were unaware of the threat. Users tend to choose convenience over security, putting their organizations at risk for the sake of an easier experience.
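To make the policy point concrete, here is an added example (not code from the audit report or from Secret Double Octopus) that runs the passwords quoted above through three rules: the agencies’ length-only rule, the classic “three of four character classes” rule, and a blocklist-plus-pattern check in the style of NIST SP 800-63B. The breached-password set, the leet-substitution table and the “short word padded with digits” heuristic are constructed for the example; a real deployment would screen against a large breached-password corpus instead of the toy set here.

```python
import re

# Constructed inputs: the examples quoted from the audit report.
AUDIT_EXAMPLES = ["Password123", "Project10", "support", "password1",
                  "October2017", "Monday01", "abcd1234"]

# Constructed stand-in for a breached/common-password corpus (assumption:
# a real check would use a large list such as Pwned Passwords; the logic
# does not depend on which one).
BREACHED = {"password", "password1", "password123", "abcd1234", "qwerty",
            "letmein", "welcome", "support", "admin", "123456", "iloveyou"}

MONTHS = {"january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"}
WEEKDAYS = {"monday", "tuesday", "wednesday", "thursday", "friday",
            "saturday", "sunday"}

# Substitutions users make to satisfy complexity rules: P@ssw0rd -> password.
LEET = str.maketrans("@430$!15", "aaeosiis")


def length_only_policy(pw):
    """The audited agencies' rule: at least eight characters, nothing else."""
    return len(pw) >= 8


def complexity_policy(pw):
    """The classic 'eight characters, three of four character classes' rule."""
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]"))
    return len(pw) >= 8 and classes >= 3


def core_word(pw):
    """Strip the digits/symbols users bolt on at either end, then undo leet."""
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return stripped.translate(LEET)


def blocklist_policy(pw, min_len=8):
    """Length plus blocklist plus pattern rejection (the NIST 800-63B approach:
    no composition rules, but screen out known-bad and predictable choices).
    Returns (accepted, reason). The padding heuristic is a constructed example."""
    if len(pw) < min_len:
        return False, "shorter than %d characters" % min_len
    core = core_word(pw)
    if pw.lower() in BREACHED or core in BREACHED:
        return False, "breached or common password"
    if core in MONTHS or core in WEEKDAYS:
        return False, "calendar word padded with digits"
    if core.isalpha() and len(core) < min_len:
        return False, "short word padded with digits or symbols"
    return True, "ok"


def audit(passwords):
    """Return {password: (length_only_ok, complexity_ok, blocklist_ok)}."""
    return {pw: (length_only_policy(pw), complexity_policy(pw),
                 blocklist_policy(pw)[0]) for pw in passwords}


if __name__ == "__main__":
    for pw, (l, c, b) in audit(AUDIT_EXAMPLES + ["correct horse battery staple"]).items():
        print(f"{pw:30} length-only={l!s:5} complexity={c!s:5} blocklist={b}")
```

Every one of the audit’s examples that is eight characters or longer passes the length-only rule, and “Password123”, “Project10”, “October2017” and “Monday01” also pass the complexity rule, which is the whole problem: composition rules are satisfied by a capital letter and a number bolted onto a dictionary word. The blocklist check rejects all of them, and accepts the long lowercase passphrase that the complexity rule would have refused.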

 

The problem with storing passwords

The audit of the Western Australian agencies also revealed that one agency had left an old offline copy of its Active Directory database in a location that support users and contractors could access, and that another had “inadvertently shared its entire AD database with a third party. The database contained all user account information including staff names, usernames and encrypted passwords.”

Given that most users avoid changing their passwords for long periods, you can imagine how problematic a leaked copy of that database becomes: the credentials in it stay valid long after the leak.

This highlights the challenge of managing passwords at the organization level. Every system that authenticates users with passwords must store those passwords, or something derived from them, in a database somewhere. If that database falls into the wrong hands, it can give a malicious actor access to every user account.

Organizations hash (and sometimes encrypt) stored passwords so that a breach of the database does not hand over the passwords directly. But not all hashing schemes hold up. Fast, unsalted hashes, such as the NT hash that Active Directory stores (an MD4 digest of the password) or the unsalted SHA-1 that LinkedIn was using when it was breached, can be attacked with rainbow tables: precomputed tables that map hashes back to known words and passwords. Because a considerable share of users choose weak and common passwords, a lookup against such a table recovers a good fraction of any dump immediately, and GPU cracking recovers many more. Salting each hash defeats precomputation and a deliberately slow function (bcrypt, scrypt, Argon2, PBKDF2 with a high iteration count) raises the cost of every guess, but neither saves a user whose password is already in the attacker’s dictionary.
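The following added example (not code from the page or from any product it mentions) simulates that breach scenario. It stores the same constructed user table two ways, as unsalted SHA-1 and as salted PBKDF2-HMAC-SHA256, then attacks both dumps with a small constructed wordlist: the unsalted dump falls to one lookup per hash in a table built before the breach, while the salted dump forces a fresh PBKDF2 computation per guess per user. The iteration count is lowered for the demo and is labelled as such in the code; OWASP’s current recommendation for PBKDF2-HMAC-SHA256 is 600,000.

```python
import hashlib
import os

# Constructed wordlist standing in for a cracker's dictionary of leaked passwords.
WORDLIST = ["123456", "password", "password1", "Password123", "abcd1234",
            "October2017", "Monday01", "letmein", "qwerty", "welcome1"]

# Constructed user table for the simulated breach; carol's password is not in WORDLIST.
USERS = {"alice": "Password123", "bob": "October2017",
         "dave": "Password123", "carol": "wombat-parsley-turbine-91"}

# Demo work factor (assumption: lowered so the example runs in seconds). OWASP
# currently recommends 600,000 iterations for PBKDF2-HMAC-SHA256.
ITERATIONS = 100_000


def fast_unsalted_hash(pw):
    """Unsalted SHA-1: what LinkedIn stored when it was breached in 2012.
    Active Directory's NT hash (MD4 of the UTF-16LE password) is unsalted too."""
    return hashlib.sha1(pw.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> plaintext once. A rainbow table is the space-efficient
    version of this (hash chains instead of a flat dictionary), but the property
    that matters is the same: the work is done before any dump is stolen."""
    return {fast_unsalted_hash(w): w for w in words}


def crack_unsalted(dump, table):
    """One dictionary lookup per stolen hash; returns {user: plaintext}."""
    return {u: table[h] for u, h in dump.items() if h in table}


def slow_salted_hash(pw, salt=None):
    """PBKDF2-HMAC-SHA256 with a random per-user 16-byte salt; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)


def crack_salted(dump, words):
    """No precomputed table helps: every guess must be rehashed with each victim's
    salt at the full work factor. Returns ({user: plaintext}, hash_evaluations)."""
    cracked, evaluations = {}, 0
    for user, (salt, digest) in dump.items():
        for w in words:
            evaluations += 1
            if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, ITERATIONS) == digest:
                cracked[user] = w
                break
    return cracked, evaluations


def simulate_breach(users=USERS, words=WORDLIST):
    """Store the same users both ways, steal both tables, attack each.
    Returns (unsalted_dump, cracked_unsalted, cracked_salted, salted_evaluations)."""
    unsalted_dump = {u: fast_unsalted_hash(p) for u, p in users.items()}
    salted_dump = {u: slow_salted_hash(p) for u, p in users.items()}
    cracked_fast = crack_unsalted(unsalted_dump, build_lookup_table(words))
    cracked_slow, evaluations = crack_salted(salted_dump, words)
    return unsalted_dump, cracked_fast, cracked_slow, evaluations


if __name__ == "__main__":
    dump, fast, slow, n = simulate_breach()
    print("identical hashes for alice and dave:", dump["alice"] == dump["dave"])
    print("cracked via precomputed table:", fast)
    print(f"cracked via salted brute force: {slow} after {n} PBKDF2 evaluations")
```

Two things are worth noticing in the output. Unsalted, alice and dave (same password) have identical hashes, so one table entry cracks both and the dump itself reveals who shares a password. Salted, the attacker still recovers the three weak passwords, only after 24 full-cost PBKDF2 evaluations instead of three lookups; the passphrase that is not in the wordlist survives in both cases. Salting and slow hashing buy time and kill precomputation, but the blocklist in the previous example is what keeps weak passwords out of the database in the first place.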

 

The need for passwordless authentication

Had the WA agencies used passwordless authentication to secure these accounts, they would have spared themselves a lot of security headaches and made their employees’ lives a lot easier.

Passwordless authentication replaces the storage and exchange of shared secrets with alternatives such as biometric sensors, mobile apps and physical tokens. From an IT manager’s perspective, the main benefit is that the company’s servers hold no reusable secret: in public-key schemes the server stores only a public key, which can verify a user’s response to a login challenge but cannot produce one. Even if attackers breach the servers, the stolen data cannot be used to log in. From a user’s perspective, passwordless authentication removes the friction of choosing, memorizing and rotating passwords.
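The added example below (not code from the page, from Secret Double Octopus or from any standard protocol) illustrates the server-side property just described with a challenge-response login built on a Lamport one-time signature over SHA-256. That scheme is chosen only because it needs nothing beyond the Python standard library; FIDO2/WebAuthn deployments use ECDSA or similar keys on the device, but the server-side situation is the same: the database holds a public key, and a stolen copy of it can neither produce a valid response nor be replayed against a fresh challenge. The `Server` class and the user name are constructed for the example.

```python
import hashlib
import secrets

# Lamport one-time signature over SHA-256 (assumption: used here only as a
# standard-library stand-in for the device-held key of a FIDO2 authenticator).


def _bits(message):
    """256 message-digest bits, most significant bit first."""
    digest = hashlib.sha256(message).digest()
    return [(byte >> (7 - i)) & 1 for byte in digest for i in range(8)]


def keygen():
    """Private key: 256 pairs of random 32-byte preimages (stays on the device).
    Public key: the SHA-256 hash of each preimage (what the server stores)."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk


def sign(sk, message):
    """Reveal, for each digest bit, the preimage at that bit's position."""
    return [pair[bit] for pair, bit in zip(sk, _bits(message))]


def verify(pk, message, signature):
    """Hash each revealed value and compare it to the public key at that bit."""
    if len(signature) != 256:
        return False
    return all(hashlib.sha256(s).digest() == pair[bit]
               for s, pair, bit in zip(signature, pk, _bits(message)))


class Server:
    """Constructed relying party. It holds only public keys: nothing in
    self.users can produce a signature, so a breach yields no login material."""

    def __init__(self):
        self.users = {}

    def enroll(self, user, pk):
        self.users[user] = pk

    def challenge(self):
        return secrets.token_bytes(32)   # fresh nonce per login attempt

    def login(self, user, challenge, signature):
        return user in self.users and verify(self.users[user], challenge, signature)


def demo():
    """Legitimate login, then two attacks using only what a breach or a network
    capture would yield. Returns (legit_ok, forged_ok, replay_ok)."""
    sk, pk = keygen()
    server = Server()
    server.enroll("alice", pk)

    challenge = server.challenge()
    signature = sign(sk, challenge)
    legit_ok = server.login("alice", challenge, signature)

    # Attacker with a copy of the server database: submit the stored hashes
    # as if they were preimages (the best available short of inverting SHA-256).
    stolen = server.users["alice"]
    forged_ok = server.login("alice", server.challenge(), [pair[0] for pair in stolen])

    # Attacker who captured alice's earlier response: it is bound to the old
    # challenge, so it does not verify against a fresh one.
    replay_ok = server.login("alice", server.challenge(), signature)
    return legit_ok, forged_ok, replay_ok


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

Contrast this with the hashed-password database in the previous example: there the stolen table was an offline oracle for guessing, here it is inert. One caveat specific to the toy scheme: a Lamport key reveals half its secret values per signature and must be retired after one use, which is why the demo does not reuse it and why real deployments use ordinary signature keys under FIDO2/WebAuthn.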

Some of the major service providers and authentication protocols acknowledge the benefits and importance of password-free authentication and have added support for it in the latest version of their offerings. In fact, Active Directory, the technology that the Western Australian agencies were using, supports the integration of passwordless authentication mechanisms such as Secret Double Octopus.

The audited agencies were lucky not to have suffered any known breach despite such poor authentication security. But in cybersecurity, luck is not your best friend: sound security practices and technologies are.