How the OPM Hackers Killed the Password

The theft of feds’ personal information, not Hollywood’s selfies, might have finally sped up security measures.

White House directives dating back to 2004 warned against relying on passwords as the only mechanism to lock government systems—but that didn’t stop agencies. U.S. cyber czar Michael Daniel publicly exhorted citizens to “kill the password” multiple times in 2014, but that didn’t stop password proliferation. Nor did a hack of passcode-protected personal devices that exposed nude photos of starlets like Jennifer Lawrence seem to faze federal computer users. 

It was not until password-cracking actually hit home that agencies jumped to alternative forms of identification.

Briefly, here is a timeline of the death of the password:

August 27, 2004: In response to the September 2001 terrorist attacks, President George W. Bush issues Homeland Security Presidential Directive 12 demanding the creation of a common identification form for federal employees and contractors. HSPD-12 requires a credential format that is “strongly resistant to identity fraud,” can be “rapidly authenticated electronically” and only issued through an “official accreditation process.”

The directive goes mostly unheeded for a decade.

September 2014: Most computer users across civilian agencies can still log on to government networks with nothing more than a password. Only 1 percent of Office of Personnel Management computer users need something more than a password to access the agency’s information. All Pentagon workers, however, are swiping common access cards for system entry.

June 4, 2015: OPM reveals a contractor’s password was exploited to unlock 4.2 million records on current and former employees across the government. The records were housed in an Interior Department data center shared by 150 federal offices.

Almost immediately, the race is on to couple passwords with at least a physical smartcard, or even better, physical proof of identity, like an iris scan. 

June 12, 2015: The White House instructs all agencies to accelerate the activation of such two-step identification processes as part of a “30-day cybersecurity sprint.”

Then perceptions of federal data security worsen. 

July 9, 2015: OPM discloses that personal data on 21.5 million employees, applicants for clearances to handle classified information and their family members were stolen during a separate, related intrusion.

Within hours, U.S. Chief Information Officer Tony Scott tells reporters: “We’ve dramatically increased the amount of two-factor authentication for privileged,” or high-level access, “users across the federal government.” 

July 12, 2015: Ninety-seven percent of OPM computer users and more than 72 percent of users governmentwide cannot get into agency systems without a smartcard.

“That’s an important control that’s needed. We were already working on it,” ahead of the hacks, Interior CIO Sylvia Burns told a House committee this summer. “We were making slow progress. When the incident happened, it just created a different lens on looking at the need, and I think it made it crystal clear to everybody why it was so critical that we achieve two-factor authentication.”

The winner of the latchkey challenge was the General Services Administration, with only 1 percent of personnel still logging in with just a password by the end of the 30-day cybersecurity sprint. But the Energy Department, a frequent target of foreign espionage, made little headway in fortifying defenses. About 88 percent of Energy personnel can still punch in a single password to see sensitive government information. Surprisingly, 72 percent of users at the State Department, which was infiltrated by suspected Russian spies last fall, remain vulnerable to password-breaking. 

“One of the most significant steps any organization can take to reduce the risk of adversaries penetrating networks and systems is requiring the use of a hardware-based personal identity verification card or an alternative form of strong authentication,” Scott said in a blog post announcing the results of the White House initiative. “Agencies made significant progress in this area.”

In the private sector, however, the password is alive and kicking—even at the company providing ID protection for victims of the smaller OPM hack. Feds who register for those services are protected only by a password they create with the company, in which case a hacker needs only to break that password to victimize those individuals again. 

“When you think of all the data that credit monitoring and identity theft services aggregate, those services themselves become a potential target,” says Jeremy Grant, former head of the Commerce Department’s National Program Office for the National Strategy for Trusted Identities in Cyberspace. He is one of the victims. 

Grant was pleasantly surprised to learn that ID protection services for individuals affected by the larger breach related to background checks are expected to be more secure, according to a vendor solicitation.

The contractor “will need to deliver a second factor,” like a one-time PIN sent in a text message, says Grant, now a managing director at the Chertoff Group, a consulting firm. “Protecting access to breach victims’ accounts at the portal with two-factor authentication makes sure that someone can’t access their data with a stolen password.” 
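The difference Grant describes between the two portals comes down to what a stolen password buys an attacker. The following is an added illustration, not code from the article, from OPM or from any identity-protection vendor: a minimal two-step portal login in which the password is checked first and a short-lived, single-use one-time code (the kind that would be delivered out of band, for example by text message) is required to finish the login. The `Portal` class, the user names, the iteration count and the five-minute code lifetime are all constructed for the example.

```python
"""Added example: password + one-time code login for a hypothetical portal.

Not from the article or any real vendor system. Shows that a correct but
stolen password alone cannot complete a login once a second step is required,
and that the one-time code expires, is single-use and is attempt-limited.
"""
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 200_000   # constructed value for the example
OTP_TTL_SECONDS = 300         # one-time code valid for five minutes
OTP_MAX_ATTEMPTS = 3          # wrong guesses allowed before the code is voided


class Portal:
    """Two-step login: step 1 verifies the password, step 2 the one-time code."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._users = {}             # username -> (salt, pbkdf2 hash)
        self._pending = {}           # username -> {"code", "expires", "attempts"}

    def register(self, username, password):
        salt = os.urandom(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        self._users[username] = (salt, pw_hash)

    def _password_ok(self, username, password):
        record = self._users.get(username)
        if record is None:
            # Hash anyway so an unknown username costs as much as a known one.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, PBKDF2_ITERATIONS)
            return False
        salt, expected = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        return hmac.compare_digest(candidate, expected)

    def begin_login(self, username, password):
        """Step 1. Returns the freshly issued 6-digit code on success, else None.

        In a real deployment the code is sent to the user out of band (text
        message, authenticator app) and never returned to the browser; here it
        is returned so the example can be run end to end.
        """
        if not self._password_ok(username, password):
            return None
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[username] = {
            "code": code,
            "expires": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def complete_login(self, username, code):
        """Step 2. True only for an unexpired, unused, correct code."""
        pending = self._pending.get(username)
        if pending is None:                      # no password step done, or already consumed
            return False
        if self._clock() > pending["expires"]:   # expired: discard it
            del self._pending[username]
            return False
        pending["attempts"] += 1
        if pending["attempts"] > OTP_MAX_ATTEMPTS:   # too many guesses: void the code
            del self._pending[username]
            return False
        if hmac.compare_digest(pending["code"], code):
            del self._pending[username]          # single use: consume on success
            return True
        return False


def stolen_password_scenario():
    """Constructed scenario: the attacker knows the password but not the code.

    Returns (attacker_succeeded, legitimate_user_succeeded).
    """
    portal = Portal()
    portal.register("victim", "Summer2015!")          # constructed credentials
    # Attacker has the password, so step 1 succeeds for them too, but the code
    # goes to the victim's phone; the attacker can only guess at step 2.
    portal.begin_login("victim", "Summer2015!")
    attacker_ok = portal.complete_login("victim", "123456")
    # Legitimate user: receives the code out of band and enters it.
    code = portal.begin_login("victim", "Summer2015!")
    user_ok = portal.complete_login("victim", code)
    return attacker_ok, user_ok


if __name__ == "__main__":
    print(stolen_password_scenario())
```

The password check still matters (a slow salted hash, constant-time comparison), but the point of the scenario is the second step: the attacker in `stolen_password_scenario()` passes the password check exactly as the victim does and still fails, because the code is random, delivered elsewhere, short-lived and voided after a few wrong guesses.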

In the future, feds might have to go through even more steps to log in at work, said Shonnie Lyon, acting director of the Homeland Security Department’s Office of Biometric Identity Management, days after word broke of the OPM attack.

Government employees might have to enter a smartcard, type a password and press a finger against a touchpad. 

“Several organizations are looking at three-factor authentication,” Lyon said at a June 11 industry event. “I think that’s the way things are going to have to go.”

Unfortunately, now even fingerprints can be spoofed. The fingerprint records of 1.1 million victims of the OPM hack were stolen.