Hundreds of accounts belonging to the U.S. Department of the Interior used weak passwords like "Password-1234," exposing the agency to potential hacks from even the most low-skilled of attackers, an agency watchdog said Friday.
During its investigation, the agency's Office of Inspector General said it was able to compromise 18,174 of 85,944 — or 21% — of the department's active accounts, including 362 accounts of senior U.S. government employees and 288 accounts with "elevated privileges," like system administrators.
The watchdog report revealed how the Interior Department, whose responsibilities include environmental conservation efforts, managing public lands and minerals, and providing services to American Indian tribes and Alaska Natives, made several basic cybersecurity errors, including that 4.75% of all active user account passwords were based on the word "password."
The department also has outdated password complexity requirements that have allowed users to select easy-to-crack passwords like "Changeme$12345," "Polar_bear65" and "Nationalparks2014!," the inspector general's office said. The most commonly used password at the agency, "Password-1234," was used on 478 accounts and "currently meets the department's requirements even though it is not difficult to crack," the watchdog added.
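The passwords quoted above illustrate the report's central point: a composition rule (minimum length plus upper, lower, digit and symbol classes) accepts a dictionary word with a predictable suffix just as readily as a random string. The screening routine below is an added example, not code from the report or the department; it assumes a typical legacy complexity rule (eight characters and four character classes, the department's actual threshold is not stated in the report), a small constructed denylist of base words, and a constructed set of sample passwords. It shows how normalising a candidate (lower-casing, undoing leetspeak, stripping digit and symbol padding) exposes the base word that the complexity rule never looks at, which is the kind of check that lets a policy reject "Password-1234" while still accepting a genuinely random string.

```python
import re

# Constructed sample set: the first four match the patterns quoted in the
# report; the last is a random string for comparison. Not real credentials.
CONSTRUCTED_SAMPLES = [
    "Password-1234",
    "Changeme$12345",
    "Polar_bear65",
    "Nationalparks2014!",
    "xK9#vQ2!mLp7$zT",
]

# Constructed denylist of base words. A real deployment would check against a
# large list of common and breached passwords instead of a handful of words.
BASE_WORD_DENYLIST = {"password", "changeme", "welcome", "letmein", "admin"}

# Common leetspeak substitutions, undone before the denylist lookup.
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
    "7": "t", "@": "a", "$": "s", "!": "i",
})


def meets_legacy_complexity(pw: str, min_len: int = 8) -> bool:
    """Assumed legacy rule: minimum length plus all four character classes."""
    return all((
        len(pw) >= min_len,
        re.search(r"[a-z]", pw) is not None,
        re.search(r"[A-Z]", pw) is not None,
        re.search(r"\d", pw) is not None,
        re.search(r"[^A-Za-z0-9]", pw) is not None,
    ))


def normalize_base(pw: str) -> str:
    """Reduce a candidate to the base word an attacker would guess first."""
    core = pw.lower()
    # Strip digit/symbol padding from both ends ("-1234", "$12345", "!").
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)
    # Undo leetspeak inside the word ("p@ssw0rd" -> "password").
    core = core.translate(LEET_MAP)
    # Drop any remaining separators ("polar_bear" -> "polarbear").
    return re.sub(r"[^a-z]", "", core)


def weakness_reasons(pw: str) -> list:
    """Return the reasons a complexity-compliant password is still guessable."""
    reasons = []
    base = normalize_base(pw)
    if base in BASE_WORD_DENYLIST:
        reasons.append(f"based on denylisted word '{base}'")
    if re.search(r"(19|20)\d\d", pw):
        reasons.append("contains a year")
    if re.search(r"0123|1234|2345|3456|4567|5678|6789", pw):
        reasons.append("contains sequential digits")
    # One contiguous word with nothing but digits/symbols around it is the
    # "dictionary word plus padding" shape every guessing tool tries first.
    if re.fullmatch(r"[^a-z]*[a-z_\-]+[^a-z]*", pw.lower()):
        reasons.append("single word with digit/symbol padding")
    return reasons


def evaluate(pw: str) -> dict:
    """Apply the legacy rule, then the denylist/pattern screen."""
    complexity_ok = meets_legacy_complexity(pw)
    reasons = weakness_reasons(pw)
    return {
        "meets_legacy_complexity": complexity_ok,
        "reasons": reasons,
        "accept": complexity_ok and not reasons,
    }


def audit(samples) -> list:
    """Evaluate a batch of candidates and report each verdict."""
    return [(pw, evaluate(pw)) for pw in samples]


if __name__ == "__main__":
    for pw, verdict in audit(CONSTRUCTED_SAMPLES):
        status = "ACCEPT" if verdict["accept"] else "REJECT"
        print(f"{pw:20} complexity={verdict['meets_legacy_complexity']!s:5} "
              f"{status} {'; '.join(verdict['reasons'])}")
```

Every one of the four report-style samples passes the complexity rule and fails the screen, while the random string passes both; that gap is exactly what the inspector general's office describes when it says the department's requirements are met by passwords that are "not difficult to crack".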
The department also failed to implement multifactor authentication, another basic cybersecurity practice, for 89% of what the inspector general's office called "high-value assets" that could "have serious impacts to the department's ability to conduct business if compromised," the report said.
"We found that the department's management practices and password complexity requirements were not sufficient to prevent potential unauthorized access to its systems and data," according to the watchdog's investigators.
The watchdog warned that the agency risks a potentially widespread cyberattack on its network if it does not take steps to address its cybersecurity failings, including by bolstering its password complexity requirements.
"If a malicious actor compromises an account with elevated privileges, such as the account of a system administrator, the magnitude of harm increases as the attacker can upload malware, steal sensitive data, add or delete users, change system configurations, and alter logs to conceal his or her actions," the inspector general's office wrote.
U.S. federal agencies have been targeted several times in cyberattacks in recent years, including in a sprawling 2020 incident, attributed to Russian spies, that breached the networks of at least nine federal government agencies and hundreds of private companies.
A press representative for the Interior Department declined to comment Friday on the watchdog's findings.