Almost everybody reuses passwords. With so many accounts to keep track of the password might have slight variations – 06 instead of 05 or @ instead of a – but a 2014 study stated that 63% of U.S. business owners reuse the same passwords to log in to different systems. Some 73% of full-time workers also admit to reusing the same batch of passwords online.

This is a dangerous game because not all password databases are protected equally. Your bank might be secure, but the login for a commentator account or email newsletter might not be. Hackers go for the lowest hanging fruit and then try to use those compromised credentials in other places.

This is why the latest report from Recorded Future highlights a significant problem. The threat-intelligence company found login credentials connected to 47 United States government agencies across 89 unique domains. While this initially sounds horrible – and it is very troubling – this doesn’t mean the credentials can necessarily be used to login to government systems.

The email accounts the report refers to are for government users, but the associated passwords are for other non-government sites. For example, if a government employee created an account on a third-party site with their work email to keep track of materials for a project and then that site has its password database hacked then that information is out there.

If that password was just used for access to that site then there’s little to worry about, but if password reuse is as rampant as reported then there are problems.

The leaked credentials came from a range of vectors both targeted and untargeted. Many credentials were included in email and password dumps from hacks that lacked targeting and exploited an opportunity on a vulnerable third-party site, service, or individual. Examples include the hacking of a natural history museum, a sports news site and an individual employee. Often, these attacks leverage freely traded exploits against unpatched sites and servers.

What about PIV?

Those agencies that have implemented policies and procedures to use the PIV have less to worry about because hackers would not be able to access system without the smart card. But as stated in the White House Office of Management and Budget annual report to Congress on the Federal Information Security Act (FISMA), only 41% of agency accounts are using the PIV leaving the rest with just user names and passwords.

It’s been 11 years since HSPD-12 called for a standard, interoperable credential to be used for physical and logical access to government facilities and systems. The credentials have been issued, it’s hard to walk around Washington without seeings someone with a PIV around their neck, but with the exception of a couple standout agencies, usage is pitiful. Agencies need to step up and deploy systems that use the smart card for access to networks. It’s well past time this happens.

---

Related articles:

Anatomy of a password hack Exterminating the password The Mobile ID Experiment