We reviewed approximately 234,000 enabled accounts across 17 agencies and 23 AD environments. Of these, 26% (60,000) had weak or commonly used passwords. Weak passwords increase the risk of successful cyber-attacks, with hackers gaining unauthorised access to systems and information.
Without adequate password controls in place, the overall security of systems is potentially reduced, increasing the risk of unauthorised access, as can be seen in the case study below.
Table 1 shows the top 20 weak passwords across our sample agencies. These passwords were used in 6,546 enabled accounts.
Many of these passwords comply with industry standards for password complexity and a length of at least 8 characters. This indicates that merely applying these parameters is insufficient to guard against inappropriate access to networks and systems.
Table 2 shows the 10 agencies in our sample with the highest percentage of weak passwords. Between 20% and 56% of enabled accounts in these agencies were found to have weak passwords. This included over 400 privileged accounts which, because of their level of administrator access, pose a higher risk of unauthorised access to data.
We also looked at 5 common patterns used to create passwords. Our results are shown in Table 3. In ‘Variants of date and season’, we looked for passwords containing days of the week, months, seasons and years between 1900 and 2050. For ‘Variants of qwerty’, we looked for passwords that contain ‘qwe’.
Recent published lists of worst passwords still show variations of the word ‘password’, the keyboard pattern ‘qwerty’, and passwords that contain only digits as the most used patterns. Our review of WA agencies has confirmed this.
Agency passwords are longer, but still weak
Password length is one of the most advocated mitigation strategies for increasing password security. We assessed the length of weak passwords, in both disabled and enabled accounts, across the 17 agencies. We found that even weak passwords were generally of reasonable length. A summary of our findings is presented in Table 4.
Figure 2 shows our comparison of weak passwords across disabled and enabled accounts. Eight characters is the most used password length for both types of accounts and most enabled accounts (88%) have passwords between 8 and 11 characters. Agencies are using longer passwords, but they are still weak. Although longer passwords are generally considered better, easily guessed long passwords do not adequately mitigate the risk of unauthorised access to systems.
Note: 998 accounts did not have their enable/disable status identified.
Password complexity requirements are in place, but not enforced
All agencies in our sample have password complexity requirements configured in their AD for network access. However, enabled accounts were not always forced to renew their passwords and complexity requirements were only enforced when passwords were created or changed. Several existing accounts still had simple passwords.
Our audit showed that 13% (7,633) of the agencies’ systems, services and user accounts do not comply with agencies’ password policies or complexity settings. Additionally, we found many accounts were set to never request password changes.
Table 5 shows the percentage of enabled accounts that comply with password complexity requirements. However, as can be seen from Table 1, weak passwords can also meet the complexity requirements. Agencies need to do more to mitigate the risk of passwords being compromised, such as blacklisting commonly used passwords.
Our comparison of enabled and old disabled accounts shows newer accounts have higher levels of compliance with basic AD complexity requirements (Figure 3). This may reflect improvements in how agencies are managing and enforcing AD complexity requirements.
We found that agencies’ password management and access control policies are not comprehensive. Policies do not tailor security requirements to different identities (e.g. people, applications, services) and endpoints (on and off premises, mobile, cloud) within their environments.
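The findings above (weak passwords that nevertheless satisfy the AD complexity rule, the pattern classes used in Table 3, and the suggested blacklisting of commonly used passwords) can be turned into a screening check that an agency runs before a password is accepted. The following PowerShell is an added example, not code from the audit or from any agency: the pattern definitions are assumptions reconstructed from the report's wording (the report names only some of its five pattern classes, so only those are modelled), and the short blocklist is a constructed stand-in for a published worst-passwords list.

```powershell
# Added example: screen a candidate password against the default AD complexity rule
# and against the weak-pattern classes the report describes. Pattern definitions and
# the blocklist are assumptions; replace the blocklist with a full published list.

$Days    = 'monday','tuesday','wednesday','thursday','friday','saturday','sunday'
$Months  = 'january','february','march','april','may','june','july','august','september','october','november','december'
$Seasons = 'spring','summer','autumn','winter'
# Constructed blocklist standing in for a published worst-passwords list.
$Blocklist = 'password','password1','password123','welcome1','letmein','qwerty123','summer2018','abc123'

function Test-AdComplexity {
    # Mirrors the default AD "password must meet complexity requirements" setting:
    # at least 8 characters (the minimum the report refers to) and 3 of 4 character
    # classes. The real rule also rejects parts of the account name; omitted here.
    param([string]$Password)
    if ($Password.Length -lt 8) { return $false }
    $classes = 0
    if ($Password -cmatch '[A-Z]')        { $classes++ }
    if ($Password -cmatch '[a-z]')        { $classes++ }
    if ($Password -match  '[0-9]')        { $classes++ }
    if ($Password -match  '[^A-Za-z0-9]') { $classes++ }
    return ($classes -ge 3)
}

function Get-WeakPatterns {
    # Returns the names of the weak-pattern classes a password falls into.
    param([string]$Password)
    $p = $Password.ToLowerInvariant()
    $hits = @()
    if ($p -match 'passw|p@ssw|pa55w') { $hits += 'Variants of password' }
    if ($p -match 'qwe')               { $hits += 'Variants of qwerty' }
    $dateWords = $Days + $Months + $Seasons
    $hasWord = $dateWords | Where-Object { $p -like "*$_*" }
    $hasYear = $p -match '(19[0-9]{2}|20[0-4][0-9]|2050)'   # years 1900-2050
    if ($hasWord -or $hasYear)         { $hits += 'Variants of date and season' }
    if ($p -match '^[0-9]+$')          { $hits += 'Digits only' }
    if ($Blocklist -contains $p)       { $hits += 'On blocklist' }
    return $hits
}

function Test-PasswordStrength {
    # A password is acceptable only if it meets the complexity rule AND matches no weak pattern.
    param([string]$Password)
    $patterns = @(Get-WeakPatterns $Password)
    $complex  = Test-AdComplexity $Password
    [pscustomobject]@{
        Password        = $Password
        MeetsComplexity = $complex
        WeakPatterns    = ($patterns -join '; ')
        Acceptable      = ($complex -and $patterns.Count -eq 0)
    }
}

# Constructed sample: every entry satisfies the complexity rule, yet most are weak.
'Password1','Summer2018','Qwerty123','Welcome1','12345678','Tr0ub4dor&3' |
    ForEach-Object { Test-PasswordStrength $_ } | Format-Table -AutoSize
```

Run as a script on a workstation with PowerShell 5.1 or later; it needs no AD connectivity. The point of the sample is the third column: `Password1`, `Summer2018` and `Qwerty123` all pass `Test-AdComplexity`, which is exactly the gap Table 1 exposes, and only the pattern and blocklist checks catch them. A word-based check such as `may` or `sun` will occasionally flag an unrelated password; that trade-off is acceptable for a blocklist but should be tuned before it is enforced.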
One agency had not implemented any password policy and controls for their internet accessible application, which is used by the WA business community and members of the public. Without appropriate management of passwords there is an increased risk that unauthorised or unintentional modifications of IT systems will occur. This could impact the confidentiality, integrity and availability of agency information.
Agency staff need more support and remote access systems are vulnerable
We found most agencies do not guide or support users to securely store and manage passwords. Users need to remember dozens of personal and work-related passwords and may write them down in spreadsheets or Word documents.
To reduce the need for multiple passwords or to lessen the risk of users mismanaging their passwords, some agencies have:
· implemented single sign-on (SSO)
· used multi-factor authentication
· provided users with online or offline password managers to securely store their passwords.
At least 12 of the 17 sampled agencies did not have multi-factor authentication as an additional layer of security for key systems that are accessible via remote access. Relying only on passwords leaves these key systems vulnerable to attacks and increases the risk of unauthorised access. This risk was realised in 2017 when North Metropolitan TAFE reported a hacker had gained unauthorised remote access to their network and encrypted password hashes.
Agencies do not understand Active Directory security risks
The AD database contains significant amounts of information regarding user accounts and the network. We found that agencies do not generally monitor access and changes to this database. We also found:
· One agency had old offline versions of the AD database stored on the server and widely available to IT support users and contractors. This information would provide an attacker with the information they need to obtain unauthorised access to the agency’s accounts and network without the agency knowing.
· Another agency inadvertently shared its entire AD database with a third party. The database contained all user account information including staff names, usernames and encrypted passwords. This has left the agency exposed to unacceptable risks.
Administrator accounts are not well managed
Most agencies do not have effective security controls in place to manage privileged identities and access. We identified over 460 enabled privileged accounts with weak passwords. All agencies we reviewed had at least 1 privileged account with a weak password, with 1 agency having 250 accounts. Even larger agencies, which we expect to have good practices to protect their information assets, were found to have privileged accounts with weak passwords.
Privileged accounts present a high risk because of their level of administrative access. For this reason, restricting privileges is included as one of the Australian Signals Directorate’s (ASD) Essential Eight strategies of practical actions that agencies can take to make their computers and networks more secure.
However, we found most agencies are not managing privileged identities and access appropriately. None of the agencies we reviewed had established Privileged Identity Management or Privileged Access Management to centrally control access to privileged accounts, or included the need for one in their planning.
Privileged system, service and application accounts are neglected
Agencies generally neglect the importance of highly privileged system, service and application accounts and do not manage them appropriately. This is despite these being among the most targeted by hackers, because they allow the user to increase the privileges attached to an account.
We found many of these accounts with weak passwords across all agencies. One agency, not referred to in Table 2, had 180 systems and services accounts with weak passwords. Also, 1 account with domain administrator privileges, used for backup services, had not had its password changed for 14 years. This level of privilege has full access to change the network domain.
Further, most agencies do not keep sufficient information on these privileged accounts to determine their purpose. Consequently, agencies are not fully aware of what these accounts are used for and are reluctant to disable the accounts or change the passwords.
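The conditions described in this section and the preceding ones (accounts set to never request password changes, privileged accounts with weak or very old passwords such as the backup service account unchanged for 14 years, and privileged or service accounts with no recorded purpose) can all be read directly from Active Directory. The following PowerShell is an added example of such a hygiene report; it is not a script from the audit or from any agency. It assumes the RSAT ActiveDirectory module, read access to the domain, an assumed staleness threshold of 365 days, and an assumed list of privileged groups; all three should be adjusted to the agency's own policy.

```powershell
# Added example: report enabled accounts whose password settings match the risks the
# audit describes. Assumes the ActiveDirectory module and domain read access.
Import-Module ActiveDirectory

$StaleDays        = 365   # assumed threshold; the report's worst case was 14 years
$PrivilegedGroups = 'Domain Admins','Enterprise Admins','Schema Admins',
                    'Administrators','Account Operators','Backup Operators'   # assumed list

function Get-PrivilegedAccountNames {
    # Recursive user membership of the well-known privileged groups.
    $PrivilegedGroups | ForEach-Object {
        Get-ADGroupMember -Identity $_ -Recursive -ErrorAction SilentlyContinue
    } | Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty SamAccountName -Unique
}

function Get-PasswordHygieneReport {
    $privileged = @(Get-PrivilegedAccountNames)
    $now = Get-Date
    Get-ADUser -Filter 'Enabled -eq $true' `
        -Properties PasswordNeverExpires, PasswordLastSet, PasswordNotRequired, Description, ServicePrincipalName |
    ForEach-Object {
        $ageDays = if ($_.PasswordLastSet) { [int]($now - $_.PasswordLastSet).TotalDays } else { $null }
        $isPriv  = $privileged -contains $_.SamAccountName
        $isSvc   = [bool]$_.ServicePrincipalName   # an SPN usually marks a service account
        $issues  = @()
        if ($_.PasswordNeverExpires)          { $issues += 'PasswordNeverExpires' }
        if ($_.PasswordNotRequired)           { $issues += 'PasswordNotRequired' }
        if ($null -eq $ageDays)               { $issues += 'PasswordNeverSet' }
        elseif ($ageDays -gt $StaleDays)      { $issues += "PasswordAge=${ageDays}d" }
        # The report found agencies could not say what privileged/service accounts were for.
        if (($isPriv -or $isSvc) -and -not $_.Description) { $issues += 'NoDescription' }
        if ($issues.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                Privileged     = $isPriv
                ServiceAccount = $isSvc
                PasswordAgeDays = $ageDays
                Issues         = ($issues -join ', ')
            }
        }
    } | Sort-Object -Property @{Expression='Privileged'; Descending=$true}, SamAccountName
}

# Privileged rows sort first; the CSV is the starting point for a register of purpose and owner.
Get-PasswordHygieneReport | Export-Csv -NoTypeInformation -Path .\password-hygiene.csv
```

The report deliberately does not touch password values or hashes: the account attributes alone reveal the never-expires and stale-password conditions, and the `NoDescription` flag gives a concrete list of the accounts whose purpose the agency would need to establish before it can safely rotate or disable them.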
Accounts shared with multiple users increase the risk of unauthorised access
Generic and shared accounts violate the principle of ‘least privilege’. Under this principle, only the privileges required to complete the specific work should be granted, and accountability assigned to a specific user. One agency had over 2,000 of these accounts. The accounts generally have shared passwords and limited ability to track actions back to individuals, and therefore present a high risk of unauthorised access.
We identified issues with these types of accounts during our 2017 general computer controls audit cycle. Common issues reported to agencies were:
- accounts using weak passwords
- lack of formal process for requesting, approving and managing the accounts
- no centralised register/inventory with a description of purpose and who is responsible for the use of the account
- high privileged generic and shared accounts used for remote access
- accounts belonging to terminated employees or partners that retain access to systems and data centres.