An audit report from Western Australia’s (WA’s) Auditor General has identified significant information security weaknesses in WA government agencies.
The report examined general computer controls across 47 government agencies, and the use of passwords at 17 agencies.
Caroline Spencer, WA’s Auditor General, said, “Common weaknesses across all our information systems audits indicate agencies are not taking risks to information systems seriously enough.”
26% of accounts used weak or commonly used passwords
A staggering 60,000 out of 234,000 (26%) user accounts were identified as using weak or commonly used passwords, putting them at risk of criminal hackers gaining access to systems and information.
The report found the following top ten weak passwords had been used across WA agencies:
- Password123 (1,464 accounts)
- Project10 (994 accounts)
- Support (886 accounts)
- password1 (813 accounts)
- October2017 (226 accounts)
- Monday01 (225 accounts)
- Spring17 (198 accounts)
- Sunday01 (188 accounts)
- password (184 accounts)
- abcd1234 (176 accounts)
A number of these can be found in SplashData’s Worst Passwords of 2017 list.
Even though the passwords listed in the report comply with industry standards for password complexity and length, the report states that “this indicates that merely applying these parameters is insufficient to guard against inappropriate access to networks and systems”.
“After repeatedly raising password risks with agencies, it is unacceptable that people are still using Password123 and abcd1234 to access critical agency systems and information,” said Spencer.
“It is frustrating because my Office has demonstrated to agencies over many years how weak passwords and poor system controls can be taken advantage of to access information systems without detection.”
Tips for creating a more secure password
- Pick something completely random
Avoid the names of months or seasons, the names of your children, and commonly linked words or letter sequences; this reduces the chance of someone being able to simply guess your password.
Instead, pick up a dictionary and choose three random words, then mix them together into one word that you won’t find in any dictionary.
For example, if your three words are Apple, Stretch and Write you might transform this into Apretchite. Add some numbers and capital letters in there to make it Ap3etC8ite. Don’t worry, you’ll eventually be able to remember this, and it will be much more secure than easily guessable words.
- Don’t go for the minimum
Most password policies require a minimum number of characters and digits. If the policy requires at least 8 characters including 1 number, make your password 12 characters long with 2 numbers.
- Don’t reuse passwords
Using the same password for multiple accounts means that if one account is breached, the others are also vulnerable. Simply adding numbers to the end of a password does not make it sufficiently different – this is a common technique that criminal hackers are prepared for.
Having numerous, complex passwords can be hard to remember. Using a password management application such as LastPass or Dashlane allows you to organise passwords; they can also be used to help generate new ones.
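The report’s central point, that every password in its top ten satisfied the agencies’ complexity rules and was still trivially guessable, and the tip that appending digits does not make a reused password meaningfully different, both come down to the same control: check the candidate against a blocklist after stripping the decorations people add to get past complexity rules. The Python below is an added illustration of that check and is not code from the report, the Auditor General’s Office or IT Governance. The ten blocklist entries are the ones the report lists; the month, season and day tables, the function names and the account/password pairs used by `audit_accounts` are constructed for this example.

```python
from __future__ import annotations

import re
from collections import Counter

# The ten passwords the Auditor General's report lists as most used across WA
# agencies. Everything else in this file (helper names, sample accounts) is
# constructed for the example; a real deployment would load a far larger list.
REPORT_TOP_TEN = [
    "Password123", "Project10", "Support", "password1", "October2017",
    "Monday01", "Spring17", "Sunday01", "password", "abcd1234",
]

MONTHS = {"january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"}
SEASONS = {"spring", "summer", "autumn", "winter", "fall"}
DAYS = {"monday", "tuesday", "wednesday", "thursday", "friday",
        "saturday", "sunday"}


def normalise(pw: str) -> str:
    """Reduce a password to its 'stem': lower-case it, drop non-alphanumerics
    and strip trailing digits, so Password123, password1 and PASSWORD2018!
    all become 'password' and October2017 becomes 'october'."""
    stem = re.sub(r"[^a-z0-9]", "", pw.lower())
    return re.sub(r"\d+$", "", stem)


# Stems rejected no matter how many digits or symbols are bolted onto them.
BLOCKED_STEMS = {normalise(p) for p in REPORT_TOP_TEN} | MONTHS | SEASONS | DAYS


def meets_complexity(pw: str, min_len: int = 8, min_digits: int = 1) -> bool:
    """The kind of length/digit rule the report found was met but insufficient."""
    return len(pw) >= min_len and sum(c.isdigit() for c in pw) >= min_digits


def check_password(pw: str, min_len: int = 8, min_digits: int = 1) -> list[str]:
    """Return the reasons a candidate is rejected; an empty list means accepted.

    The complexity rule is applied first, then the stem is looked up, so a
    password can satisfy the rule and still be rejected as a known-weak stem.
    An empty stem (an all-digit password such as 12345678) is rejected too."""
    reasons = []
    if not meets_complexity(pw, min_len, min_digits):
        reasons.append("complexity")
    stem = normalise(pw)
    if not stem or stem in BLOCKED_STEMS:
        reasons.append("blocklist")
    return reasons


def is_trivial_variant(old_pw: str, new_pw: str) -> bool:
    """True when the new password is the old one with only its case, symbols
    or trailing digits changed (Summer2017 -> Summer2018!). Used at
    password-change time, when the user supplies both values in clear."""
    return normalise(old_pw) == normalise(new_pw)


def audit_accounts(accounts: dict[str, str]) -> dict:
    """Run the checker over account -> password pairs and summarise the result
    the way the report does: how many fail, the percentage, and which stems
    recur most often."""
    results = {user: check_password(pw) for user, pw in accounts.items()}
    weak = [user for user, reasons in results.items() if reasons]
    stems = Counter(normalise(accounts[user]) for user in weak)
    return {
        "total": len(accounts),
        "weak": len(weak),
        "weak_pct": round(100 * len(weak) / len(accounts), 1) if accounts else 0.0,
        "top_stems": stems.most_common(3),
    }


# Constructed sample accounts; the report's own passwords appear alongside the
# article's Ap3etC8ite example and two random strings that should pass.
SAMPLE_ACCOUNTS = {
    "alice": "Password123",
    "bob": "October2017",
    "carol": "Ap3etC8ite",
    "dave": "Spring17",
    "erin": "r4inb0w-ladder-K1te",
    "frank": "Project10",
    "grace": "Support",
    "heidi": "x7Q!mVq2Lp9z",
    "ivan": "abcd1234",
    "judy": "Monday01",
    "kevin": "password1",
    "laura": "Sunday01",
}

if __name__ == "__main__":
    for user, pw in SAMPLE_ACCOUNTS.items():
        print(f"{user:6} {pw:22} {check_password(pw) or 'ok'}")
    print(audit_accounts(SAMPLE_ACCOUNTS))
```

Two design points matter in practice. First, the blocklist lookup runs on the stem, not the literal string, which is what catches Password123 and password1 as the same weak choice and catches next year’s October2018 without a list update. Second, a production system stores only password hashes, so `is_trivial_variant` can only be applied at the moment a user changes their password and supplies the old one; it cannot be run retrospectively over a hash store, and an audit like the report’s must obtain the plaintexts some other way.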
Educate your employees on information security best practice
Organisations should raise awareness of information security and what is considered best practice among employees to avoid weak passwords being used internally.
If your staff haven’t had information security training, chances are they don’t know what classes as a secure password. You need to make sure that all your staff have a healthy knowledge of password security, or your organisation may face the consequences.
IT Governance’s Information Security Staff Awareness E-learning Course teaches your staff about basic information security principles and what they should and shouldn’t do.