https://www.washingtonpost.com/opinions/2023/08/02/interior-department-passwords-ineffective-cybersecurity/
"A recent inspection undertaken in my office at the Interior Department illustrates the risks. Our team tested whether the department’s password controls were effective at preventing a malicious actor from gaining unauthorized access to its systems. To
accomplish this, we used a common technique known worldwide, spending less than $15,000 on a system designed to crack passwords using free, publicly available software and a custom word list.
And guess what. We successfully cracked more than 18,000 — or 21 percent — of the department’s passwords, nearly 14,000 in the first 90 minutes of testing alone. The hacked passwords included those for hundreds of accounts belonging to senior
department officials and hundreds belonging to employees with elevated privileges, such as system administrators. Some of our findings were surprising, given that we were testing government systems containing potentially high-value information. For
instance, “Password-1234” was the most commonly used password. In fact, five of the top 10 passwords included some variation of the word “password,” along with “1234.”
Even so, 99.99 percent of the hacked accounts met the department’s password complexity requirements, which included the string of letters, numbers and special characters that every computer user is so familiar with. In other words, 99.99 percent of the
passwords our team hacked were considered strong enough to thwart a hacker.
...
We made two recommendations to the department, but they apply equally to anyone using a computer at a nongovernment job or at home. First, we recommended that the department adopt multifactor authentication across all IT systems. MFA is the gold standard
for cybersecurity. It refers to the use of at least two factors to access computer systems. The factors usually fall into three categories: something you have (a digital token), something you know (a password) and something you are (a fingerprint or
retinal scan). MFA requires at least two of those factors, such as a fingerprint plus a password.
...
Second, where MFA cannot be currently implemented, we recommended that the department move away from passwords and toward passphrases.
...
To make matters worse, passwords are not only hard to remember but also have the added benefit of being ineffective: Even complex passwords are remarkably easy for computers to guess. A computer can hack a password such as “5pr1ng*ish3re” relatively
quickly. The better choice is a more easily remembered passphrase that strings together several unrelated words totaling more than 16 letters, such as “DinosaurLetterTrailChance.” Though a computer can break a complex password in days, if not hours,
it could take the same computer centuries or even millennia to crack a passphrase."
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)