A watchdog audit of IT security at the Interior Department has identified key password management failings at the agency.
The department’s inspector general found during a recent investigation that 4.75% of all active users had a password derived from some variation of the word “password.”
Within the first 90 minutes of testing conducted for the report, watchdog staff were able to crack passwords for 16% of the agency’s user accounts.
However, this represents a slight improvement on results from previous oversight projects when the IG was able to crack between 20% and 40% of passwords captured, according to the report.
In addition to concerns over password complexity requirements, the latest watchdog probe found that Interior did not consistently implement multi-factor authentication, including for 89% of its high-value assets.
High-value assets are defined as assets that could have serious impacts on the department’s ability to conduct business if compromised.
According to the report, the Interior Department’s password complexity requirements were outdated and ineffective. It also failed to disable inactive accounts in a timely manner or to enforce password age limits.
As a result of the findings, the watchdog has made eight recommendations, including that the agency immediately adopt multifactor authentication across its systems and implement a process for tracking its implementation across all departments.
Interior’s IG has also recommended revamping the agency’s security protocols to require more complex passwords and establishing procedures to ensure that inactive accounts are disabled within a defined period of time.
In a response to the report, signed by Interior Chief Information Officer Darren Ash and acting Chief Information Security Officer John Clink, the agency agreed with the recommendations and said it was working toward full compliance with an August Office of Management and Budget memo that requires federal agency application owners to move to multifactor authentication within a set timeframe.
It said: “This report fundamentally asserts that passwords as lone credentials for authentication are not sufficient for modern information systems. The Department agrees and is committed to implementation of requirements specified in Executive Order (EO) 14028, Improving the Nation’s Cybersecurity and related policies and directives.”