A staggering 60,000 out of 234,000 active accounts at a range of WA government agencies were potentially at risk of a dictionary attack due to their weak passwords, a review by the state’s auditor general has found.

The state’s auditor general today upheld a venerable WA government information security tradition, slamming agencies for poor practices when it came to passwords and other protective measures.

For the report, the WA Office of the Auditor General obtained encrypted password data from 23 Active Directory environments across 17 agencies. Using a selection of password dictionaries, it found that tens of thousands of users had chosen weak passwords, including “Password123” (1464 accounts), “password1” (813), “password” (184), “password2” (142) and “Password01” (118).

“After repeatedly raising password risks with agencies, it is unacceptable that people are still using Password123 and abcd1234 to access critical agency systems and information,” said Western Australia’s auditor general, Caroline Spencer.
“It is frustrating because my office has demonstrated to agencies over many years how weak passwords and poor system controls can be taken advantage of to access information systems without detection.”
As part of the audit, the office last year assessed an internet-facing web-based system at one WA agency.
“We gained access to the agency’s network with full system administrator privileges by using an easily guessed password, Summer123,” the report states. “We identified a significant amount of production data in this environment.”