A government watchdog spent $15,000 to crack a federal agency’s passwords in minutes

Step one: build a password-cracking rig

A government watchdog has published a scathing rebuke of the Department of the Interior’s cybersecurity posture, finding it was able to crack thousands of employee user accounts because the department’s security policies allow easily guessable passwords like 'Password1234'.

The report by the Office of the Inspector General for the Department of the Interior, tasked with oversight of the U.S. executive agency that manages the country’s federal land, national parks and a budget of billions of dollars, said that the department’s reliance on passwords as the sole way of protecting some of its most important systems and employees’ user accounts has bucked nearly two decades of the government’s own cybersecurity guidance of mandating stronger two-factor authentication.

It concludes that poor password policies puts the department at risk of a breach that could lead to a “high probability” of massive disruption to its operations.

The inspector general’s office said it launched its investigation after a previous test of the agency’s cybersecurity defenses found lax password policies and requirements across the Department of the Interior’s dozen-plus agencies and bureaus. The aim this time around was to determine if the department’s security defenses were enough to block the use of stolen and recovered passwords.

Passwords themselves are not always stolen in their readable form. The passwords you create on websites and online services are typically scrambled and stored in a way that makes them unreadable to humans — usually as a string of seemingly random letters and numbers — so that passwords stolen by malware or a data breach cannot be easily used in further hacks. This is called password hashing, and the complexity of a password (and the strength of the hashing algorithm used to encrypt it) determines how long it can take a computer to unscramble it. Generally, the longer or more complex the password, the longer it takes to recover.

But watchdog staffers said that relying on claims that passwords meeting the department’s minimum security requirements would take more than a hundred years to recover using off-the-shelf password cracking software has created a “false sense of security” that its passwords are secure, in large part because of the commercial availability of computing power available today.

To make their point, the watchdog spent less than $15,000 on building a password-cracking rig — a setup of a high-performance computer or several chained together — with the computing power designed to take on complex mathematical tasks, like recovering hashed passwords. Within the first 90 minutes, the watchdog was able to recover nearly 14,000 employee passwords, or about 16% of all department accounts, including passwords like 'Polar_bear65' and 'Nationalparks2014!'.

The watchdog also recovered hundreds of accounts belonging to senior government employees and other accounts with elevated security privileges for accessing sensitive data and systems. Another 4,200 hashed passwords were cracked over an additional eight weeks of testing.

Password-cracking rigs aren’t a new concept, but they require considerable computing power and energy consumable to operate, and it can easily cost several thousands of dollars just to build a relatively simple hardware configuration. For comparison, White Oak Security spent about $7,000 on hardware for a reasonably powerful rig back in 2019.

When we asked for details of the rig in question, a spokesperson for the inspector general’s office told TechCrunch:

The setup we use consists of two rigs with 8 GPU each (16 total), and a management console. The rigs themselves run multiple open-source containers where we can bring up 2, 4, or 8 GPU and assign them tasks from the open-source work distribution console. Using GPU 2 and 3 generations behind currently available products, we achieved pre-fieldwork NTLM combined benchmarks of 240GHs testing NTLM via 12 character masks, and 25.6GHs via 10GB dictionary and a 3MB rules file. Actual speeds varied across multiple test configurations during the engagement.

Password-cracking rigs also rely on massive amounts of human-readable data for comparison to scrambled passwords. Using open source and freely available software like Hashcat can compare lists of readable words and phrases to hashed passwords. For example, 'password' converts to '5f4dcc3b5aa765d61d8327deb882cf99'. Because this password hash is already known, a computer takes less than a microsecond to confirm it.

According to the report, the Department of the Interior provided the password hashes of every user account to the watchdog, which then waited 90 days for the passwords to expire — per the department’s own password policy — before it was safe to attempt to crack them.

The watchdog said it curated its own custom wordlist for cracking the department’s passwords from dictionaries in multiple languages, as well as U.S. government terminology, pop culture references, and other publicly available lists of hashed passwords collected from past data breaches. (It’s not uncommon for tech companies to also collect lists of stolen passwords in other data breaches to compare to their own set of customers’ hashed passwords, as a way of preventing customers from reusing the same password from other websites.) By doing so, the watchdog demonstrated that a well-resourced cybercriminal could have cracked the department’s passwords at a similar rate, the report said.

The watchdog found that close to 5% of all active user account passwords were based on some variation of the word “password” and that the department did not “timely” wind down inactive or unused user accounts, leaving at least 6,000 user accounts vulnerable to compromise.

The report also criticized the Department of the Interior for “not consistently” implementing or enforcing two-factor authentication, where users are required to enter a code from a device that they physically own to prevent attackers from logging in using just a stolen password. The report said that nearly nine out of 10 of the department’s high-value assets, such as systems that would severely impact its operations or the loss of sensitive data, were not protected by some form of second-factor security, and the department had as a result disregarded 18 years of federal mandates, including its “own internal policies.” When the watchdog asked for a detailed report on the department’s use of two-factor authentication, the department said the information did not exist.

“This failure to prioritize a fundamental security control led to continued use of single-factor authentication,” the watchdog concluded.

In its response, the Department of the Interior said it concurred with most of the inspector general’s findings and said it was “committed” to the implementation of the Biden administration’s executive order directing federal agencies to improve their cybersecurity defenses.

Read more: