Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint //

Authentication

9/14/2018
12:45 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Military, Government Users Just as Bad About Password Hygiene as Civilians

New report comes out just as group of US senators chastise Secretary of State Mike Pompeo for not using multifactor authentication.

Military and government users aren't engaging in password hygiene any better than their brethren in less sensitive, private-sector positions, according to a new study out this week, which shows both sides creating weak passwords at about the same rate. 

The examination of password strength came by way of WatchGuard Technologies' Q2 2018 "Internet Security Report," which analyzed a data dump of 117 weakly encrypted credential pairs protected only with SHA-1 hash functions from a 2012 breach at LinkedIn. The study showed that credential pairs associated with .mil and .gov accounts were easily crackable — within a week — about 50% of the time. This was only slightly less than the rate of weak passwords in pairs associated with civilian accounts, which were at about 52%.

Among the sample of cracked government passwords were plenty of common doozies that typically make it into bad password hall of shame lists. The top two bad passwords in government-associated accounts were, respectively, "123456" and the ever-present "password." 

"We didn't find many surprises in that the most commonly used bad passwords remained largely the same," wrote WatchGuard researchers. "However, it should be quite surprising that government and military entities use such horrible password practices. We can only hope that these were all dummy accounts that weren't used for anything of consequence." 

Clearly, the sample set wasn't among credentials for government systems, so the results need to be taken with a large grain of salt here. But the prevailing point remains that these government and military users should probably know better than to use bad passwords anywhere they set up an account. The fact that many of them don't heed hygiene best practices can probably be extrapolated to at least some degree across the rest of their digital footprints. When government agencies don't account for this universally weak human factor of passwords, there's bound to be rampant insecurity of accounts.

"For our federal government, no amount of budgetary pressures or other excuses should be tolerated when it comes to failing to have utilized a basic cybersecurity technique, such as MFA — especially since 'user convenience' is not the overriding concern," says Todd Shollenbarger, chief global strategist of Veridium, who adds that NIST's update of its Digital Identity Guidelines has done the hard work of outlining what needs to be done to shore up credentials. "What's now needed — obviously — is for our federal government agencies to use it."

And in separate but related news, this week a group of US senators chastised Secretary of State Mike Pompeo for lack of multifactor authentication (MFA) adoption within the Department of State.

"We urge you to improve compliance by enabling more secure authentication mechanisms across the Department of State's information systems," wrote Sens. Ron Wyden, Cory Gardner, Edward Markey, Rand Paul, and Jeanne Shaheen, referencing a General Service Administration (GSA) that showed the agency had only deployed MFA across 11% of required devices. "This password-only approach is no longer sufficient to protect sensitive information from sophisticated phishing attempts and other forms of credential theft." 

Related Content:

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
9/17/2018 | 2:49:06 PM
No surprise
People are people anywhere you go and dumb exists.  I always think of 123456 as the same password used on my luggage.  (See SPACEBALLS of course).  And military intelligence?  Don't go there. 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5421
PUBLISHED: 2020-09-19
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
CVE-2020-8225
PUBLISHED: 2020-09-18
A cleartext storage of sensitive information in Nextcloud Desktop Client 2.6.4 gave away information about used proxies and their authentication credentials.
CVE-2020-8237
PUBLISHED: 2020-09-18
Prototype pollution in json-bigint npm package < 1.0.0 may lead to a denial-of-service (DoS) attack.
CVE-2020-8245
PUBLISHED: 2020-09-18
Improper Input Validation on Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11....
CVE-2020-8246
PUBLISHED: 2020-09-18
Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11.2 before 11.2.1a, Citrix SD-W...