The South Australian Auditor General has recommended that government agencies consider banning the use of certain passwords, amid concerns weak passwords are compromising systems and data security.

Employees across seven agencies commonly used phrases like Password@123, as well as first and last names, auditor Andrew Richardson found.

Welcome@123, Goodnight@345 and Goodmorning@234 were also commonly used, as well as locations including Adelaide@123 and SouthAustralia@123. JamesTaylor1999, Tommy@123 and RexDog2005 also failed the test.

All agencies must do better on password systems and settings if they are to meet the requirements of the state’s Cyber Security Framework (SACSF), Mr Richardson’s report concludes.

“To varying degrees, the Active Directory and application password settings we tested did not align with our recommended baseline settings,” he writes in the report. “We identified weaknesses in user password behaviours.”

“Although some agencies have implemented mitigating controls, they will need to consider their ongoing approach to ensure user passwords are strong and more difficult for an attacker to crack.”

22 per cent of passwords easy to crack

The report says investigators were able to crack many passwords in a short time during a password cracking exercise.  

“We considered these passwords to be weak, with many of them commonly used and expected by attackers when performing equivalent password cracking exercises,” the report says.

An average of 22 per cent of individual passwords across the agencies were cracked, and 32 per cent of the passwords that were successfully cracked were used by one or more user.

“We considered these passwords to be weak, with many of them commonly used and expected by attackers

Auditor General Andrew Richardson

Mr Richardson recommended that agencies consider regular password cracking exercises to find weak passwords.

“For some agencies, we recommended investigating whether it it possible to implement a ‘disallow’ list of common words or phrases within the identity authentication provider,” he added.

The audit found also found

• gaps in password policies

• weaknesses in authentication controls, including lack of multi-factor authentication

• inadequate management of shared privileged accounts.

The report says it’s important for agencies have robust controls in place as cyber incidents become more common and more sophisticated, and as increasing amounts of agency data is held by third parties, including external cloud environments.

The SA DPC has released whole-of-government SACFS guidelines on password management since the audit was done.

Comment below to have your say on this story.

If you have a news story or tip-off, get in touch at editorial@governmentnews.com.au.  

Sign up to the Government News newsletter