How the OPM Hackers Killed the Password

The theft of feds’ personal information, not Hollywood’s selfies, might have finally sped up security measures.

White House directives dating back to 2004 warned against relying on passwords as the only mechanism to lock government systems—but that didn’t stop agencies. U.S. cyber czar Michael Daniel publicly exhorted citizens to “kill the password” multiple times in 2014, but that didn’t stop password proliferation. Nor did a hack of passcode-protected personal devices that exposed nude photos of starlets like Jennifer Lawrence seem to faze federal computer users. 

It was not until password-cracking actually hit home that agencies jumped to alternative forms of identification.

Briefly, here is a timeline of the death of the password:

August 27, 2004: In response to the September 2001 terrorist attacks, President George W. Bush issues Homeland Security Presidential Directive 12, demanding the creation of a common identification standard for federal employees and contractors. HSPD-12 requires a credential format that is “strongly resistant to identity fraud,” can be “rapidly authenticated electronically” and is issued only through an “official accreditation process.”

The directive goes mostly unheeded for a decade.

September 2014: The majority of computer users across civilian agencies still can log on to government networks with simply a password. Only 1 percent of Office of Personnel Management computer users need something more than a password to access the agency’s information. All Pentagon workers, however, are swiping common access cards for system entry.

June 4, 2015: OPM reveals a contractor’s password was exploited to unlock 4.2 million records on current and former employees across the government. The records were housed in an Interior Department data center shared by 150 federal offices.

Almost immediately, the race is on to couple passwords with at least a physical smartcard, or even better, physical proof of identity, like an iris scan. 

June 12, 2015: The White House instructs all agencies to accelerate the activation of such two-step identification processes as part of a “30-day cybersecurity sprint.”

Then perceptions of federal data security worsen. 

July 9, 2015: OPM discloses that personal data on 21.5 million employees, applicants for clearances to handle classified information and their family members were stolen during a separate, related intrusion.

Within hours, U.S. Chief Information Officer Tony Scott tells reporters: “We’ve dramatically increased the amount of two-factor authentication for privileged,” or high-level access, “users across the federal government.” 

July 12, 2015: Ninety-seven percent of OPM computer users and more than 72 percent of users governmentwide cannot get into agency systems without a smartcard.

“That’s an important control that’s needed. We were already working on it,” ahead of the hacks, Interior CIO Sylvia Burns told a House committee this summer. “We were making slow progress. When the incident happened, it just created a different lens on looking at the need, and I think it made it crystal clear to everybody why it was so critical that we achieve two-factor authentication.”

The winner of the latchkey challenge was the General Services Administration, with only 1 percent of personnel still logging in with just a password by the end of the 30-day cybersecurity sprint. But the Energy Department, a frequent target of foreign espionage, made little headway in fortifying defenses. About 88 percent of Energy personnel can still punch in a single password to see sensitive government information. Surprisingly, 72 percent of users at the State Department, which was infiltrated by suspected Russian spies last fall, remain vulnerable to password-breaking. 

“One of the most significant steps any organization can take to reduce the risk of adversaries penetrating networks and systems is requiring the use of a hardware-based personal identity verification card or an alternative form of strong authentication,” Scott said in a blog post announcing the results of the White House initiative. “Agencies made significant progress in this area.”

In the private sector, however, the password is alive and kicking—even at the company providing ID protection for victims of the smaller OPM hack. Feds who register for those services are protected only by a password they create with the company, in which case a hacker needs only to break that password to victimize those individuals again. 

“When you think of all the data that credit monitoring and identity theft services aggregate, those services themselves become a potential target,” says Jeremy Grant, former head of the Commerce Department’s National Program Office for the National Strategy for Trusted Identities in Cyberspace. He is one of the victims. 

Grant was pleasantly surprised to learn that ID protection services for individuals affected by the larger breach related to background checks are expected to be more secure, according to a vendor solicitation.

The contractor “will need to deliver a second factor,” like a one-time PIN sent in a text message, says Grant, now a managing director at the Chertoff Group, a consulting firm. “Protecting access to breach victims’ accounts at the portal with two-factor authentication makes sure that someone can’t access their data with a stolen password.” 

In the future, feds might have to go through even more steps to log in at work, said Shonnie Lyon, acting director of the Homeland Security Department’s Office of Biometric Identity Management, days after word broke of the OPM attack.

Government employees might have to enter a smartcard, type a password and press a finger against a touchpad. 

“Several organizations are looking at three-factor authentication,” Lyon said at a June 11 industry event. “I think that’s the way things are going to have to go.”

Unfortunately, now even fingerprints can be spoofed. The fingerprint records of 1.1 million victims of the OPM hack were stolen.
