A staggering 60,000 out of 234,0000 active accounts at a range of WA government agencies were potentially at risk of a dictionary attack due to their weak passwords, a review by the state’s auditor general has found.
The state’s auditor general today upheld a venerable WA government information security tradition, slamming agencies for poor practices when it came to passwords and other protective measures.
For the report, the WA Office of the Auditor General obtained encrypted password data from 23 Active Directory environments across 17 agencies. Using a selection of password dictionaries it found that tens of thousands of users had chosen weak passwords including “Password123” (1464 accounts), “password1” (813), “password” (184), “password2” (142) and “Password01” (118).
“‘After repeatedly raising password risks with agencies, it is unacceptable that people are still using Password123 and abcd1234 to access critical agency systems and information,” said Western Australia’s auditor general, Caroline Spencer.
“It is frustrating because my office has demonstrated to agencies over many years how weak passwords and poor system controls can be taken advantage of to access information systems without detection.”
As part of the audit, the office last year assessed a web-based system of a WA agency that was accessible via the Internet.
“We gained access to the agency’s network with full system administrator privileges by using an easily guessed password, Summer123,” the report states. “We identified a significant amount of production data in this environment.”
Unsurprisingly the report concluded that government agencies’ “password management and access control policies are not comprehensive”.
The auditor also assessed the information security controls surrounding key business applications at five government agencies: The Patient Medical Record System at WA’s Department of Health, the Department of Mines, Industry Regulation and Safety’s Tenancy Bonds Management System, the Office of State Revenue’s First Home Owner Grant Online System, the Election Management System WA at the WA Electoral Commission and the Keysmart System at the Keystart Housing Scheme Trust.
All five “had control weaknesses with most related to poor information security and policies and procedures”.
“While I am aware some agencies have already taken action to address our most recent findings, this is an area that requires ongoing vigilance and high level oversight,” Spencer said. “Most of the issues raised can be easily addressed, however, it appears that risks are simply not properly understood and they are certainly not being effectively managed.”
Earlier this year the WA government transformed the Office of the Government Chief Information Officer into the Office of Digital Government and moved it to the Department of the Premier and Cabinet.
In its response to the audit report, DPC said that the move would help “ensure that ICT performance, data sharing and cyber security are strengthened”.