Inspector General: 21% of DOI Passwords Easily Compromised in Test

In all, the OIG was able to crack 21% of the DOI passwords, and 16% of those were cracked within the first 90 minutes of testing. There were 14 agencies tested, including the Bureau of Indian Affairs (BIA); the Bureau of Land Management (BLM); the Bureau of Reclamation (BOR); the Bureau of Trust Funds Administration (BTFA); the Interior Business Center (IBC); the Minerals Management Service (MMS); the Bureau of Ocean Energy Management (BOEM); the Bureau of Safety and Environmental Enforcement (BSEE); the Office of Natural Resources Revenue (ONRR); the National Park Service (NPS); the Office of Inspector General (OIG); the Office of Surface Mining Reclamation and Enforcement (OSMRE); the U.S. Fish and Wildlife Service (FWS); and the U.S. Geological Survey (USGS).

Users cannot generate safe passwords. Organizations need to accept this and mitigate.

  1. Block easily cracked passwords at the reset page (even just checking candidates against the Have I Been Pwned API would help).
  2. Enable and enforce MFA.
  3. Develop a plan to get to a passwordless environment.
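One way to implement step 1 on a reset page, as an added example that is not from the original post: the check uses the real Have I Been Pwned Pwned Passwords range endpoint (k-anonymity, so only the first five hex characters of the SHA-1 leave the network); `fetch_range`, `pwned_count`, `reset_page_allows` and the offline sample bucket (suffix of "password" with a made-up count) are this example's own constructions.

```python
import hashlib
import urllib.request

# Real HIBP Pwned Passwords k-anonymity endpoint: the client sends only the
# first 5 hex chars of the SHA-1 and gets back every suffix in that bucket.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Return (first 5 hex chars, remaining 35) of the upper-case SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str) -> str:
    """Live lookup of one 5-char bucket; only the prefix leaves the network."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"User-Agent": "password-reset-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetcher=fetch_range) -> int:
    """Number of breach occurrences HIBP has for this password (0 = not seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in fetcher(prefix).splitlines():
        cand, _, count = line.strip().partition(":")
        if cand.upper() == suffix:
            return int(count or 0)
    return 0


def reset_page_allows(password: str, fetcher=fetch_range) -> bool:
    """Reset-page policy: refuse any password that appears in a breach even once."""
    return pwned_count(password, fetcher) == 0


# Constructed offline stand-in for the API so this file runs without network:
# one bucket holding a made-up suffix plus the real suffix of "password"
# with a made-up count.
_PREFIX, _SUFFIX = sha1_prefix_suffix("password")
CONSTRUCTED_RANGE = {
    _PREFIX: f"0018A45C4D1DEF81644B54AB7F969B88D65:1\n{_SUFFIX}:3861493\n",
}


def fake_fetch(prefix: str) -> str:
    return CONSTRUCTED_RANGE.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "allowed" if reset_page_allows(pw, fake_fetch) else "rejected")
```

Swap `fake_fetch` for the default `fetch_range` to query the live service; a real deployment should also treat a network failure as "unknown" rather than silently allowing the password.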