Lessons learned from the Premera cyber-attack – Always the same passwords lead to a disaster!

2 April 2015

Do you have a favorite password? Maybe something like ILovePeteSinceFeb2010? Not bad at all, easy to remember, and easy to crack.

When I built my first Windows NT 3.5 domain, I had to enforce my organization's password rules. The most annoying rule for the users was the Password History: we had to configure Windows to remember ten passwords.

We started without a Minimum Password Age (the number of days a password must be used before the user can change it) and found that many users changed their password ten times within a short period to keep their favorite password.

When we introduced the minimum password age, it caused a near-uprising. 20 years later, users have grown accustomed to a minimum password age of one day.

It's all the more surprising that on some of the Premera systems a minimum password age was not enforced last year. In the Final Audit Report of the United States Office of Personnel Management, dated 28 November 2014, we read on page 5:

Password History Configuration

Premera has implemented a corporate password policy that is applicable to all information systems on the network. However, we performed automated configuration compliance scans that indicated that several systems did not limit the time between password changes.

This configuration would allow users to circumvent Premera’s password history requirement by changing their password multiple times within a short time period and then reuse their initial password.

That's really bad. If an attacker has guessed a password, the missing minimum password age and the user's convenience help him stay in the system.
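The bypass the audit describes, as an added Python model that is not code from this post or from the OPM report: it reproduces the two settings (a password history of ten and a minimum password age in days) and shows that the favorite password can be restored after ten quick changes only when the minimum age is zero. The class and function names are my own.

```python
# Added example: a minimal model of the two domain settings the post discusses,
# "Enforce password history" (N remembered passwords) and "Minimum password age".
# Not Windows code; it only reproduces the behaviour described in the audit finding.
from collections import deque
from datetime import datetime, timedelta


class PasswordPolicy:
    def __init__(self, history_count: int, min_age: timedelta):
        self.history_count = history_count  # previous passwords remembered
        self.min_age = min_age              # time a password must be kept before a change


class Account:
    def __init__(self, policy: PasswordPolicy, initial_password: str, now: datetime):
        self.policy = policy
        # The current password is in the remembered set; the oldest entry drops
        # out once more than history_count passwords have been used.
        self.history = deque([initial_password], maxlen=policy.history_count)
        self.last_change = now

    def change_password(self, new_password: str, now: datetime):
        """Return None if the change is accepted, otherwise the reason for rejection."""
        if now - self.last_change < self.policy.min_age:
            return "minimum password age not reached"
        if new_password in self.history:
            return "password is in the history"
        self.history.append(new_password)
        self.last_change = now
        return None


def cycle_back_to_favorite(history_count: int, min_age_days: int, favorite: str):
    """Change the password history_count times within minutes, then retry the
    favorite. Returns (favorite_reused, number_of_changes_accepted)."""
    policy = PasswordPolicy(history_count, timedelta(days=min_age_days))
    start = datetime(2014, 11, 28, 9, 0)  # constructed timestamp, any value works
    acct = Account(policy, favorite, start)
    accepted, t = 0, start
    for i in range(history_count):
        t += timedelta(minutes=1)
        if acct.change_password(f"throwaway{i}", t) is None:
            accepted += 1
    t += timedelta(minutes=1)
    return acct.change_password(favorite, t) is None, accepted


if __name__ == "__main__":
    print("min age 0 days:", cycle_back_to_favorite(10, 0, "ILovePeteSinceFeb2010"))
    print("min age 1 day: ", cycle_back_to_favorite(10, 1, "ILovePeteSinceFeb2010"))
```

With a one-day minimum age the same ten changes would take at least ten days, which is the friction the post describes: the setting slows the trick down rather than making the history itself stronger.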

As always, we have to deal with people and process issues. The technology was there all along, but it was not used to enforce the rules.

Never say die!