21% of federal agency passwords cracked in their security audit

Some excellent work here. An internal US Government agency audit showed that roughly a fifth of passwords were easy to crack. The recently published report showed that the hashes of well over 80,000 AD accounts were tested, and the cracked passwords included Password1234, Password1234!, and ChangeItN0w!

The results weren’t encouraging; 288 of the affected accounts had elevated privileges, and 362 of them belonged to senior government employees. 

The audit uncovered another security weakness—the failure to consistently implement multi-factor authentication (MFA). The failure extended to 25—or 89 percent—of 28 high-value assets (HVAs), which, when breached, have the potential to severely impact agency operations. “It is likely that if a well-resourced attacker were to capture Department AD password hashes, the attacker would have achieved a success rate similar to ours in cracking the hashes,” the final inspection report stated.

Like I said above, this is excellent work. It shows the need for a password policy adapted to real life, which does not necessarily mean forcing a change every 90 days, because mandatory rotation gives users an incentive to create weak, predictable passwords (ChangeItN0w! above is a textbook case). Much better to require a longer passphrase that can be kept for an extended period of time.

You can check for your weak passwords now at no cost. 

We’re thrilled to announce that the power of KnowBe4’s most popular free password security tool has been brought to your KnowBe4 console as a new feature!

PasswordIQ continuously monitors your organization for any detected password vulnerabilities in your Active Directory. It checks to see if your users are currently using passwords that are shared, weak, or show up in publicly available data breaches. 
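As an added example (not the page's or KnowBe4's code), the Python below shows what both the auditors' hash cracking and the weak/shared/breached checks described above boil down to once you hold an export of NT hashes. Because Active Directory's NT hash is an unsalted MD4 of the UTF-16LE password, each guess is hashed once and compared against every account at the same time, identical hashes directly reveal shared passwords, and a published corpus of breached NT hashes can be matched by set lookup. Every account name, hash, word list entry and "breach list" entry is constructed for illustration; in practice the hashes would come from a sanctioned export of NTDS.dit and the breach corpus from a source such as the Have I Been Pwned NTLM download.

```python
"""Offline audit of AD NT hashes for weak, shared and breached passwords.

Added example, not the page's or KnowBe4's code. All accounts, hashes,
word-list entries and 'breach list' entries below are constructed.
"""
import struct
from collections import defaultdict

MASK = 0xFFFFFFFF


def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python: OpenSSL 3 ships MD4 only in its legacy
    provider, so hashlib.new('md4') is frequently unavailable."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64)          # pad to 56 mod 64
    msg += struct.pack("<Q", len(data) * 8)           # 64-bit LE bit length
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (  # (function, additive constant, shift table, X[k] order)
        (F, 0x00000000, (3, 7, 11, 19), range(16)),
        (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                aa = _rotl((aa + fn(bb, cc, dd) + X[idx] + k) & MASK, shifts[i % 4])
                aa, bb, cc, dd = dd, aa, bb, cc   # rotate registers: a,d,c,b take turns
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash exactly as AD stores it: MD4 over UTF-16LE, no salt, no iteration."""
    return md4(password.encode("utf-16le")).hex()


# Mangling rules of the kind that produced the page's cracked examples
# (base word + digits / '!' / o->0). Constructed, deliberately tiny.
SUFFIXES = ("", "1", "123", "1234", "!", "1234!", "2023!")


def candidates(base_words):
    for w in base_words:
        for form in {w, w.lower(), w.capitalize(), w.replace("o", "0").replace("O", "0")}:
            for suf in SUFFIXES:
                yield form + suf


def audit(accounts, base_words, breached_hashes):
    """accounts: {sAMAccountName: nt_hash_hex}. Returns account names per
    category and never the matching plaintext, mirroring the 'no passwords
    reported' property described in the text."""
    weak = {nt_hash(c) for c in candidates(base_words)}   # hash each guess once
    by_hash = defaultdict(list)
    for name, h in accounts.items():
        by_hash[h.lower()].append(name)
    findings = {"weak": [], "breached": [], "shared": []}
    for h, names in by_hash.items():
        if h in weak:
            findings["weak"].extend(names)
        if h in breached_hashes:
            findings["breached"].extend(names)
        if len(names) > 1:            # unsalted: same password == same hash
            findings["shared"].extend(names)
    return {k: sorted(v) for k, v in findings.items()}


# Constructed sample export (in reality read from an NTDS.dit export).
SAMPLE_ACCOUNTS = {
    "jdoe": nt_hash("Password1234"),
    "asmith": nt_hash("Password1234!"),
    "admin-svc": nt_hash("ChangeItN0w!"),
    "bwayne": nt_hash("ChangeItN0w!"),   # same password as admin-svc
    "ckent": nt_hash("correct horse battery staple is long"),
    "dprince": nt_hash("Winter2022"),
}
# Constructed 'breach corpus' of NT hashes.
SAMPLE_BREACHED = {nt_hash("Winter2022"), nt_hash("Password1234")}
SAMPLE_WORDS = ["password", "ChangeItNow"]

if __name__ == "__main__":
    for category, names in audit(SAMPLE_ACCOUNTS, SAMPLE_WORDS, SAMPLE_BREACHED).items():
        print(f"{category:8s} {len(names)} account(s): {', '.join(names)}")
```

The point to take from the shape of `audit()` is that the cost of a guess is one MD4 over a few dozen bytes regardless of how many accounts the export holds, which is why the inspection report could say a well-resourced attacker with the same hashes would do as well as the auditors; at scale you would run the same logic with hashcat (mode 1000) and a real word list rather than this toy, and the remediation is the one the text argues for: longer passphrases and a ban list, not more frequent rotation.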

PasswordIQ combines multiple password tools into one easy-to-use system that organizes this data on an intuitive dashboard within your KnowBe4 console. With PasswordIQ, you can establish a baseline of password issues and better manage the ongoing problem of password risk across your users. 

Now you can work to identify and address weak passwords, reused passwords or breached passwords in your Active Directory on an ongoing basis to track password hygiene over time and see trends and improvements, all from within your KnowBe4 console!


Here’s How PasswordIQ Works

  • Schedule automatic scanning to check for 11 types of password-related threats
  • Easily identify and report the users that are affected (no actual passwords are reported)
  • Use KnowBe4’s Smart Groups feature to automatically assign remedial training based on the detected vulnerabilities
  • See at-a-glance the current state of your organization’s password risk and watch trends and progress over time

NOTE: PasswordIQ will never display or report your users' passwords. Active Directory does not store passwords in plaintext; it stores a one-way hash of each password (the NT hash, an unsalted MD4 of the password), so the original passwords are not available to PasswordIQ or KnowBe4. Keep in mind that the same property is what made the audit above possible: because the NT hash is unsalted, two accounts with the same password have identical hashes, and anyone who obtains the hashes can test guesses against all of them offline at high speed.

PasswordIQ is included, at no charge, with a full Diamond-level subscription. More info, including a video, is available at our support site:
