Passwords Are Terrible (Surprising No One)

Read Time:1 Minute, 7 Second

This is the result of a security audit:

More than a fifth of the passwords protecting network accounts at the US Department of the Interior—including Password1234, Password1234!, and ChangeItN0w!—were weak enough to be cracked using standard methods, a recently published security audit of the agency found.

[…]

The results weren’t encouraging. In all, the auditors cracked 18,174—or 21 percent—of the 85,944 cryptographic hashes they tested; 288 of the affected accounts had elevated privileges, and 362 of them belonged to senior government employees. In the first 90 minutes of testing, auditors cracked the hashes for 16 percent of the department’s user accounts.

The audit uncovered another security weakness—the failure to consistently implement multi-factor authentication (MFA). The failure extended to 25—or 89 percent—of 28 high-value assets (HVAs), which, when breached, have the potential to severely impact agency operations.

Original story:

To make their point, the watchdog spent less than $15,000 on building a password-cracking rig—a setup of a high-performance computer or several chained together - with the computing power designed to take on complex mathematical tasks, like recovering hashed passwords. Within the first 90 minutes, the watchdog was able to recover nearly 14,000 employee passwords, or about 16% of all department accounts, including passwords like ‘Polar_bear65’ and ‘Nationalparks2014!’.

New Malware Variant RESURGE Exploits Ivanti Vulnerability

ClickFake Interview Campaign by Lazarus Targets Crypto Job Seekers

The Signal Chat Leak and the NSA

EU Commission to Invest €1.3bn in Cybersecurity and AI

NCSC Urges Users to Patch Next.js Flaw Immediately

US Seizes $8.2m from Romance Baiting Scammers

How Each Pillar of the 1st Amendment is Under Attack

£3 million fine for healthcare MSP with sloppy security after it was hit by ransomware attack

Friday Squid Blogging: Squid Werewolf Hacking Group