The Southland Times

Lax and lazy passwords still rule

- Taylor Telford

Somewhere in Western Australia, a government IT employee is probably laughing or crying or pulling their hair out, or maybe all of the above.

A security audit released this week by Western Australia's auditor general found that 26 per cent of the 234,000 government accounts it examined, across 17 agencies, had weak, common passwords; more than 5000 of them included the word ‘‘password’’.

The legions of lazy passwords were exactly what you – or a thrilled hacker – would expect: 1464 people went for ‘‘Password123’’ and 813 used ‘‘password1’’.

Nearly 200 individuals simply used ‘‘password’’. Almost 13,000 used variations on dates and seasons, and almost 7000 included some version of ‘‘123’’.

The laxness might be amusing, but the potential consequences definitely aren’t. Many of these accounts are used to access important information and vital government systems, according to the report, and several can do so remotely, with no additional vetting or credentials required.

Auditors were able to access one agency’s network, with full system administrator privileges, simply by guessing the password: ‘‘Summer123’’.

Overall, the report found that most agencies gave users no secure way to store their credentials; as a result, some employees were keeping their passwords in Word documents or spreadsheets.

‘‘After repeatedly raising password risks with agencies, it is unacceptable that people are still using password123 and abcd1234 to access critical agency systems and information,’’ Auditor General Caroline Spencer said, according to the Western Australia Today.

In the wake of the report, the government has agreed to step up its security game. It’s developing practices to help employees store their password informatio­n more securely.

Weak passwords are an easy target for hackers. Last year, Verizon’s annual Data Breach Investigations Report, which drew on data from 65 contributing organisations, found that ‘‘81 per cent of hacking-related breaches leveraged stolen and/or weak passwords’’. The figure was 50 per cent three years earlier.

This isn’t a problem specific to the Western Australian government. In 2014, a US Senate cybersecurity report documented several major breaches at important government agencies, including the Department of Homeland Security, the Internal Revenue Service and the Nuclear Regulatory Commission.

An analysis of these agencies’ cybersecurity practices found tendencies mirroring those in Western Australia: use of ‘‘password’’ was common for sensitive accounts and databases, as was poorly stored and guarded credential information.

The traditional guidelines for strong passwords – making them long and complicated, including symbols and a mix of upper and lowercase letters, changing them regularly – were actually making it easier for hackers, Paul Grassi of the National Institute of Standards and Technology said last June.

The organisation’s current guidelines for good passwords break sharply with past wisdom: passwords should be simple, long and easy to remember, and there is no need to force users to change them on a schedule. It suggests long phrases of ordinary English words, which are easy for users to remember but harder for attackers to guess, and it calls for new passwords to be checked against lists of commonly used and previously breached passwords before they are accepted.

To keep accounts secure, pick something that’s lengthy and memorable; if you change it, change more than a single letter or digit. And for heaven’s sake, don’t use the word ‘‘password’’.
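As an added illustration (not code from the article, the audit report or NIST), the screen below implements the kind of check the newer guidance describes: a minimum length, a blocklist of common passwords, rejection of season-and-year and date patterns, rejection of context words such as the username, and a similarity test so that a ‘‘change’’ from Winter2018 to Winter2019 is refused. Beside it sits the legacy complexity rule, which happily accepts ‘‘Summer123’’. The blocklist, the patterns and all sample passwords are constructed for illustration; a real deployment would screen against a breached-password corpus of millions of entries.

```python
"""Password screening in the style of NIST SP 800-63B (illustrative example).

Everything below is constructed for the example: the blocklist is a handful of
entries quoted in the article plus a few perennial favourites, not a real
breached-password corpus.
"""
import re

COMMON_PASSWORDS = {
    "password", "password1", "password123", "abcd1234", "summer123",
    "qwerty", "letmein", "welcome1", "admin",
}
SEASONS = ("spring", "summer", "autumn", "fall", "winter")
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
MIN_LENGTH = 8  # SP 800-63B floor for a user-chosen memorised secret

# Fold common "leet" substitutions so that P@ssw0rd is recognised as password.
_LEET = str.maketrans("@$0143!", "asoiaei")
# Trailing digits/punctuation that users bolt onto a word: "Password123!" -> "password"
_TRAILER = re.compile(r"[\d\W_]+$")
# Plain years and numeric dates such as 2019, 12/03/1985, 01-01-2000
_DATE = re.compile(r"(19|20)\d{2}|\d{1,2}[/-]?\d{1,2}[/-]?(19|20)?\d{2}")


def _candidates(pw):
    """Forms of the password that are compared against the blocklist."""
    lower = pw.lower()
    core = _TRAILER.sub("", lower)
    return {lower, core, lower.translate(_LEET), core.translate(_LEET)}


def legacy_complexity_ok(pw):
    """The traditional rule the article describes: 8+ chars, upper, lower and a digit."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw))


def check_password(pw, context=()):
    """Return the reasons a candidate password is rejected; an empty list means accepted.

    `context` holds words the user must not reuse (username, agency or service name).
    """
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    cands = _candidates(pw)
    if cands & COMMON_PASSWORDS:
        reasons.append("on the common-password blocklist")
    if any(c in SEASONS or c in MONTHS for c in cands):
        reasons.append("season or month name padded with digits or symbols")
    if _DATE.fullmatch(pw):
        reasons.append("looks like a date or year")
    if re.search(r"123|1234|abcd|qwerty", pw.lower()):
        reasons.append("contains a number or keyboard run")
    if len(set(pw)) <= 2:
        reasons.append("too few distinct characters")
    for word in context:
        w = word.lower()
        if len(w) >= 3 and w in pw.lower():
            reasons.append("contains context word '%s'" % word)
    return reasons


def edit_distance(a, b):
    """Levenshtein distance; used to catch one-character 'rotations' of an old password."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def too_similar(old, new):
    """True when `new` is `old` with its trailing digits bumped or a single character changed."""
    o, n = old.lower(), new.lower()
    core_o, core_n = _TRAILER.sub("", o), _TRAILER.sub("", n)
    return (core_o != "" and core_o == core_n) or edit_distance(o, n) <= 1


if __name__ == "__main__":
    for pw in ("Summer123", "P@ssw0rd", "Winter2019", "12/03/1985", "lobster kettle marathon 47"):
        print("%-28s legacy=%-5s nist=%s" % (pw, legacy_complexity_ok(pw), check_password(pw) or "ok"))
    print("Winter2018 -> Winter2019 too similar:", too_similar("Winter2018", "Winter2019"))
```

Note that ‘‘Summer123’’ satisfies every clause of the legacy complexity rule and is rejected only because it is screened against a blocklist and a season-plus-digits pattern; that gap is exactly what the auditors walked through.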

The Washington Post
