No, eight characters, some capital letters and numbers is not a good password policy
Western Oz infosec audit report was shocking, but only 'cos it was made public
Internal cybersecurity audits rarely make it to the public domain, but when they do it’s often an eye-popping read.
Take the Western Australian (WA) Auditor General’s recent 2017 report on the state of user account security in an Aussie state that tends a mammoth 234,000 Active Directory (AD) accounts across 17 state agencies.
We reported the news here, but what are the deeper implications? Well, this isn’t a problem unique to the government of Western Australia.
Bad passwords are one of those problems that never go out of fashion, and sure enough, 60,000 (26 per cent) of the state’s AD passwords were found to be somewhere between easily guessed and downright lamentable.
Among these, ‘Password123’ was in use by 1,464 accounts, ‘Project10’ by 994, ‘support’ by 866, ‘password1’ by 813, and ‘October2017’ by 226, to pick only the top five worst offenders in popularity order.
In one particularly epic fail, the auditors said they were able to remotely access a test environment for the agency’s web system using the password ‘Summer123’.
“We identified a significant amount of production data in this environment,” noted the authors, with commendable understatement.
So far so bad, but it gets worse when analysing the common patterns among the weak passwords, where variations on date and season appeared 12,744 times, ahead of 6,827 variants of ‘123’, 5,182 variants of ‘password’, and 765 comprising only digits.
It’d be easy to blame the WA Government for not imposing a sane password policy, except that it did have a sane password policy – the wrong one. “Many of these passwords comply with industry standards for password complexity and a length of at least 8 characters,” the report pointed out.
“This indicates that merely applying these parameters is insufficient to guard against inappropriate access to networks and systems.”
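The gap the report describes can be shown with a short screen, added here as an example (it is not code from the report or the article): the headline complexity rule accepts most of the quoted passwords, while a check for the pattern families the auditors counted rejects them. The regular expression for date and season variants and the two extra sample passwords are assumptions made for illustration.

```python
import re

# The worst offenders quoted in the article, stored lower-cased for comparison.
DENYLIST = {"password123", "project10", "support", "password1",
            "october2017", "summer123"}

_WORDS = ("summer|autumn|winter|spring|january|february|march|april|may|june|"
          "july|august|september|october|november|december")
# Heuristic (assumption): a season or month name directly followed by digits.
DATE_SEASON = re.compile(rf"(?:{_WORDS})\d+")


def meets_complexity(pw: str) -> bool:
    """The headline policy: eight characters, a capital letter and a number."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw))


def weak_patterns(pw: str) -> list[str]:
    """Return every weak pattern the password matches (empty list if none)."""
    low = pw.lower()
    hits = []
    if low in DENYLIST:
        hits.append("denylisted")
    if DATE_SEASON.search(low):
        hits.append("date or season")
    if "123" in low:
        hits.append("variant of 123")
    if "password" in low:
        hits.append("variant of password")
    if pw.isdigit():
        hits.append("digits only")
    return hits


def compliant_but_weak(passwords):
    """Passwords the complexity rule accepts but the pattern screen rejects."""
    return {pw: weak_patterns(pw) for pw in passwords
            if meets_complexity(pw) and weak_patterns(pw)}


# Sample input: the passwords quoted in the article plus two constructed ones.
SAMPLE = ["Password123", "Project10", "support", "password1", "October2017",
          "Summer123", "Winter2018", "vN7#qTr2!kLw"]

if __name__ == "__main__":
    for pw, why in compliant_but_weak(SAMPLE).items():
        print(f"{pw!r} passes the complexity rule but is weak: {', '.join(why)}")
```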
Failure #1 – where’s the authentication?
Ostensibly, what the state’s admins weren’t doing was blacklisting known terrible passwords or requiring them to meet a given level of complexity. Arguably, however, the real problem was that thousands of government employees could log into networks without properly authenticating themselves.
The perfect example of this conceptual failure is the way the state was managing the privileged passwords, the ones no network wants to fall into the wrong hands.
One agency was found to have 250 privileged passwords in a weak state, while most of the agencies weren’t managing privileged accounts using a system of identity management, said the auditors. One agency was found to have over 2,000 shared accounts with privileged access.
“These accounts generally have shared passwords and limited ability to track actions back to individuals and therefore present a high risk of unauthorised access.”
Failure #2 – what Active Directory database?
Just when you thought the report could not get any worse, it moved on to Active Directory security. Here it was found that one agency had left an old offline AD database in a location support users and contractors were able to access – just the sort of place attackers might look first. Another had “inadvertently shared its entire AD database with a third party. The database contained all user account information including staff names, usernames and encrypted passwords.”
So, this wasn’t just an organisation with bad passwords, it’s an organisation with bad security all over, the lack of password policies and enforcement simply reflecting this lack of strategy.
The WA Government now has until the end of 2018 to implement a security overhaul, which will include blacklisting the worst passwords, mandating better password management on privileged accounts, and – it’s not rocket science – multi-factor authentication (MFA) for remote accounts.
Behind the freshly painted white picket fence, plenty of corporate networks are probably not as far away from this near failure of account security as they’d like to imagine.
At least the Western Australian Government had one thing missing from the world of most enterprise network chiefs – an auditor willing not only to write a damning report for consumption behind closed doors but able to publish it for all to see.
With bad passwords never going out of fashion, it would seem we all need that touch of outside intervention. ®