The US Department of the Interior has published the results of an audit of the strength of its employees' passwords. Of the 85,944 password hashes taken from the user base in Active Directory, the auditors managed to crack the passwords of 18,174 accounts (21% of employees), including 288 belonging to accounts with elevated privileges and 362 belonging to senior government officials. 16% of employees' passwords were cracked within the first 90 minutes.
Notably, 99.99% of the cracked passwords complied with the rules for choosing a complex password, which require at least 12 characters, upper and lower case letters, digits and special characters. These requirements did not prevent trivially guessable passwords: for example, the password "Password-1234" was used by 478 employees, Password123$ by 318, Password1234 by 274, Password1234! by 150 and 1234password$ by 138. Other popular passwords were BR0NC0$2012 (389), Summ3rsun2020! (191), 0rlando_0000 (160), Changeit123 (140) and Changeitn0w! (130).
A rig with 16 GPUs was used to crack the hashes. The run used a dictionary of 1.5 billion words that included dictionaries for various languages, a dictionary of terms specific to the department, typical keyboard sequences of the QWERTY type, and publicly available password lists obtained from leaks and breaches. Typical substitutions of letters with digits and special characters were also taken into account. To make passwords harder to crack, it is recommended to use long passphrases made up of several words, or random strings generated automatically by a password manager.
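As an added illustration, not part of the original article, the following Python checks the passwords listed above against the stated complexity rule and then against a leet-normalized banned-word check of the kind that the audit's wordlist plus substitution rules amount to. The substitution table and the banned-word list are constructed for this example; a real deployment would use a much larger wordlist.

```python
import re

# Complexity rule as described in the article: at least 12 characters,
# upper and lower case letters, a digit and a special character.
def meets_complexity_policy(pw: str) -> bool:
    return (len(pw) >= 12
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)

# Constructed table of typical letter-to-digit/symbol substitutions;
# cracking rule sets undo exactly these before dictionary comparison.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "$": "s", "@": "a", "!": "i"})

# Constructed banned-word list: common words plus organisation-specific terms.
BANNED_WORDS = {"password", "changeit", "changeitnow", "bronco",
                "summersun", "orlando"}

def normalize(pw: str) -> str:
    """Undo leet substitutions, lowercase, and keep only letters."""
    return re.sub(r"[^a-z]", "", pw.translate(LEET).lower())

def contains_banned_word(pw: str) -> bool:
    """True if the normalized password contains any banned word."""
    core = normalize(pw)
    return any(word in core for word in BANNED_WORDS)

# The passwords reported in the audit, copied from the article above.
AUDIT_SAMPLES = ["Password-1234", "Password123$", "Password1234",
                 "Password1234!", "1234password$", "BR0NC0$2012",
                 "Summ3rsun2020!", "0rlando_0000", "Changeit123",
                 "Changeitn0w!"]

def audit(passwords):
    """Map each password to (passes_complexity_policy, contains_banned_word)."""
    return {pw: (meets_complexity_policy(pw), contains_banned_word(pw))
            for pw in passwords}

if __name__ == "__main__":
    for pw, (policy_ok, banned) in audit(AUDIT_SAMPLES).items():
        print(f"{pw:16} policy_ok={policy_ok!s:5} banned_word={banned}")
```

Every sampled password trips the banned-word check, including those that satisfy the complexity rule, which is why the article recommends passphrases or generated random strings instead of relying on complexity requirements.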
Another problem revealed by the audit was the low adoption of multi-factor authentication, which was enabled on only 11% of the high-value assets (3 of 28) whose compromise could cause serious damage to the organization.