Hawaii Emergency Management Password Found In Press Photo

rgMekanic

[H]ard|News
After a false alert about an inbound missile, Hawaii's Emergency Management Agency has said a worker clicked the wrong item in a drop-down menu and sent it, and that its system was not hacked. But Hawaii News Now is reporting that an AP photo from July has resurfaced, showing the agency's operations officer in front of monitors; attached to one of them is a Post-it note with a password on it.

Just.... wow. I'm nearly at a loss for words on how big of a screw-up this is. And from the response of the spokesman, it sounds like this was a shared password, therefore no way to link it to a specific careless employee.

Richard Rapoza, emergency management agency spokesman, confirmed that the password is authentic and was actually used for an "internal application." He said he didn't believe that application is any longer in use, but declined to say what application the password was for. "It wasn't for any major piece of software," he said, while also acknowledging that it's not a good idea to have a password in plain sight, especially with news cameras around.
 
Don't know what the password is for, so it's really a non-story. Could be to log into the offline linux box they use to play chess during lunch.

Wow, I couldn't disagree more. Writing down, displaying, and sharing passwords are all major operational no-nos for a government agency in any feasible context.
 
Wow, I couldn't disagree more. Writing down, displaying, and sharing passwords are all major operational no-nos in any feasible context.
Eh, that's fair but there's no indication that anything mission critical or even mission relevant was compromised by this. I accept your point from a policy perspective though.
 
Haha. It just means they have shit controls over their procedures. If they were an FDA regulated company, they would be given a citation for it, for example.
 
Most government work has requirements of a password change every 60 days. The password has to contain at least 12 characters (up from 8), have a special character, number, and capital letter, and can't be reused again at a later time.

Is it any wonder people write them down to remember them?
 
You have to have so many passwords these days, and a lot of them have some pretty onerous requirements (like forcing change every 90 days or some such).

Sure, it's good security.

It's also such a royal pain in the ass that I, as an average Joe who can barely remember my own name on a good day, don't have much of a shot at remembering all 637 unique usernames, passwords, PIN numbers, security images, authentication dongles, and whatever else security people say I need to make my life secure.

Should he have had it on a Post-it note? No. But I also don't blame him one bit for it. I use a password manager, and even with that I can't keep it all straight.

For every single senior citizen I help with a computer, the very first thing I do is tell them to get a sheet of paper, stick it in their top drawer, and absolutely do write down every single account name and password. They always say "I was told not to do that" - and that's true, you're not supposed to. But every single person (senior citizen or not) who doesn't do that, in my experience, has lost accounts somewhere because they couldn't keep it all straight in their head.

I'm not against security, don't get me wrong, but unless you have perfect recall, something's gonna give somewhere. Sure, some of you out there have James Bond jobs and it's life or death. For most of us, it's just Facebook and forums like this.
 
Wow, I couldn't disagree more. Writing down, displaying, and sharing passwords are all major operational no-nos for a government agency in any feasible context.

Welcome to the government. We're forced to change our password every 90 days and each one has to be unique for 4 different user logins. Granted, most of us just add a different digit or symbol at the end, but a lot of people are older folks with little tech skill and bad memory. I can tell you that nearly 40% of office workers write down their PWs somewhere, usually on a notepad or sticky note, and place it in or around their desk. The smart ones at least use a locked drawer, but even then they sometimes just leave it unlocked, allowing anyone to just pick up their notebook and see 20 different users/passwords for various software/accounts/PC logins.
 
We have a simple policy where I work.

If you write down a login or password, then you will be terminated immediately. I also clear all cookies so none can be remembered for the user. Yes, it makes my life a pain sometimes, but I am not going to have my job compromised by some numpty.

Everyone aware of that sticky should be fired.
 
We have a simple policy where I work.

If you write down a login or password, then you will be terminated immediately. I also clear all cookies so none can be remembered for the user. Yes, it makes my life a pain sometimes, but I am not going to have my job compromised by some numpty.

Everyone aware of that sticky should be fired.

Hard to do when the same idiots suggest we need to remember 12 different 21-character passwords with no repeating characters.
 
I cannot help a company who may have inept admins.

Wait,...yes I can,....contract work. I keep forgetting. :)
 
Everyone aware of that sticky should be fired.

Only if there's a procedure against it and they have a history of ignoring procedures. If you run around firing people like you suggest, soon you'll have no employees. You develop procedures, including what to do when one isn't followed.
 
It only takes one person to have an account compromised and a hacker can escalate privileges.
 
Well, I cannot imagine them not having a procedure for this. If they did not, then the entire IT department should be fired. Even without a procedure, someone should have raised a GIANT RED flag about it. I mean, what admin would allow for that?

Yes, I am a hard ass when it comes to network security. I give no quarter.

In over 25 years of being an admin for all types of networks, I have never had a system compromised. Not one. I'll let that record speak for itself.
 
Hard to do when the same idiots suggest we need to remember 12 different 21-character passwords with no repeating characters.

26 characters changed every 30 days for my department. It's a pain, but whatever. I come up with phrases using misspelled words. Pretty easy to remember that way.
 
Most government work has requirements of a password change every 60 days. The password has to contain at least 12 characters (up from 8), have a special character, number, and capital letter, and can't be reused again at a later time.

Is it any wonder people write them down to remember them?

Yes, you can reuse them after a specific period of time; your time period is off, and so are the length and complexity requirements.

My point? Password requirements vary by agency.

Maybe they should have used correcthorsebatterystaple?
 
Yes, you can reuse them after a specific period of time; your time period is off, and so are the length and complexity requirements.

My point? Password requirements vary by agency.

Maybe they should have used correcthorsebatterystaple?

I can only speak for my agency which is where the requirements posted come from. Who the hell wants to sit there and type a sentence or series of words into the computer as a password?
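As an added example (not code from the thread or from any agency mentioned in it), the script below checks a password against the kind of complexity rules posted above (12+ characters, an upper-case letter, a digit, a special character, and the "nothing repeating" rule one poster mentions) and compares the entropy of a policy-compliant random string with that of a word-based passphrase like correcthorsebatterystaple. The policy values, the special-character set and the short word list are constructed stand-ins; a real Diceware list has 7776 words.

```python
"""Password-policy checker and entropy estimates (added example, not from the thread)."""
import math
import re
import secrets
import string

# Constructed policy modelled on the rules quoted in the thread.
POLICY = {
    "min_length": 12,
    "require_upper": True,
    "require_digit": True,
    "require_special": True,
    "no_repeated_chars": True,   # the "nothing repeating" rule one agency uses
}
SPECIALS = "!@#$%^&*()-_=+[]{};:,.<>?"               # assumed special-character set (25)
CHARSET = string.ascii_letters + string.digits + SPECIALS   # 52 + 10 + 25 = 87 symbols

# Constructed stand-in for a Diceware-style word list (real lists have 7776 entries).
WORDLIST = ["correct", "horse", "battery", "staple", "kettle", "orbit",
            "plaster", "vivid", "monsoon", "ledger", "quartz", "tundra",
            "walnut", "zephyr", "cinder", "harbor"]


def check_policy(password: str, policy: dict = POLICY) -> list:
    """Return the rules the password violates; an empty list means compliant."""
    failures = []
    if len(password) < policy["min_length"]:
        failures.append("too short")
    if policy["require_upper"] and not re.search(r"[A-Z]", password):
        failures.append("no upper-case letter")
    if policy["require_digit"] and not re.search(r"[0-9]", password):
        failures.append("no digit")
    if policy["require_special"] and not any(c in SPECIALS for c in password):
        failures.append("no special character")
    if policy["no_repeated_chars"] and len(set(password)) != len(password):
        failures.append("repeated character")
    return failures


def random_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count: int, list_size: int) -> float:
    """Entropy in bits of word_count words drawn uniformly from a list of list_size."""
    return word_count * math.log2(list_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Fewest words from a list of list_size whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_compliant(length: int = POLICY["min_length"]) -> str:
    """Random password that satisfies POLICY (rejection-sample until every rule passes)."""
    while True:
        candidate = "".join(secrets.choice(CHARSET) for _ in range(length))
        if not check_policy(candidate):
            return candidate


def generate_passphrase(word_count: int = 4, words=WORDLIST) -> str:
    """Passphrase of word_count words picked with a CSPRNG from the given list."""
    return "".join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    for pw in ["Summer2018!", "correcthorsebatterystaple", generate_compliant()]:
        print(f"{pw!r:32} -> {check_policy(pw) or 'compliant'}")
    print("12 random chars from 87 symbols:", round(random_bits(12, len(CHARSET)), 1), "bits")
    print("4 Diceware words (7776 list):   ", round(passphrase_bits(4, 7776), 1), "bits")
    print("words to match 12 random chars: ", words_needed(random_bits(12, len(CHARSET)), 7776))
    print("sample passphrase:", generate_passphrase())
```

The numbers only hold for strings chosen uniformly at random; a human-chosen "Summer2018!" pattern that passes every character-class rule carries far fewer bits than the policy's arithmetic suggests, which is the point the xkcd passphrase argument makes. Note also that the passphrase fails the complexity rules outright, so a policy written this way blocks the option that is easiest to memorise without writing down.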
 
26 characters changed every 30 days for my department. It's a pain, but whatever. I come up with phrases using misspelled words. Pretty easy to remember that way.

!!? Holy cow, Batman... and here I thought our 8 characters with at least 1 capital and 1 special, along with nothing repeating, plus changing every 60 days was a lot...
I got a good memory but older folks always need to reset their credentials when they come back from vacation... painful.
 
I can only speak for my agency which is where the requirements posted come from.

That was my point. When you say "most government work" and then state requirements you implied a standard that was not correct.
 
hehe.

Oh, I would know.
And it is not going to happen.

But I liked your post. :)

Then I am glad you are not my administrator. One thing I've learned in 25 years in tech/IT is that no matter how much I learn or think I know, I know absolutely nothing. If you think you can protect a system connected to a network completely, you are sadly mistaken.

As far as the sticky, that's a bad one and shouldn't happen, anywhere, for any reason. That said, most employees, system, and network admins I've known have some way of keeping track of their logins and passwords. Most IT positions I've held have had me having a dozen or more creds to remember and that's just not possible for reasonable people, let alone to actually do it right.

Just my .02
 
That was my point. When you say "most government work" and then state requirements you implied a standard that was not correct.

Like any government agency. They don't operate in a vacuum. One group starts doing something in the name of security, others follow. For example, 8 characters used to be a minimum and now many are moving to 12.
 
26 characters changed every 30 days for my department. It's a pain, but whatever. I come up with phrases using misspelled words. Pretty easy to remember that way.

I would never remember that, and I would have to write it down and carry it with me.
 
There's been a video (I think) that an IT department's password was on a white board.
As far as the sticky, that's a bad one and shouldn't happen, anywhere, for any reason. That said, most employees, system, and network admins I've known have some way of keeping track of their logins and passwords. Most IT positions I've held have had me having a dozen or more creds to remember and that's just not possible for reasonable people, let alone to actually do it right.

You haven't been on the internet long enough until you have to find a way to remember your passwords that makes normal people squirm. Then double, triple or quadruple that number for your IT job.

User: "I can't remember the 4 passwords I have! It's too many!"
Me [In thought]: "I wish I only had 4 passwords to remember."
Me: Yep, that's a lot of passwords.

User: This is my password, do you think it's long enough?


Me: Definitely not.
 
Basically sums up why my default feeling for many people in IT is one of utter contempt.
 
Before I clicked on the link I said to myself, it's going to be on a sticky note on the monitor. lol
 
[attached image]
 
Would be interesting to know which systems dump to their disaster recovery environments stateside when the missile warnings are triggered...
 
Then I am glad you are not my administrator. One thing I've learned in 25 years in tech/IT is that no matter how much I learn or think I know, I know absolutely nothing. If you think you can protect a system connected to a network completely, you are sadly mistaken.

As far as the sticky, that's a bad one and shouldn't happen, anywhere, for any reason. That said, most employees, system, and network admins I've known have some way of keeping track of their logins and passwords. Most IT positions I've held have had me having a dozen or more creds to remember and that's just not possible for reasonable people, let alone to actually do it right.

Just my .02

It would be your prerogative not to hire me. However, I think passing up an opportunity to hire someone who might actually be very good at what they do (yes, even a little cocky about it) is a mistake. If someone walks into my office with that level of confidence, the first thing I want to know is why they are so confident. Not to sound passive-aggressive, but that is just the way I roll. How you roll is up to you.

Oh, I am in the same boat as far as keeping up with logins and passwords. No way am I going to remember 25K of them. I have written some programs which manage that information in an encrypted form, with the decryption key being hidden away. The only time I recall ever having to access it occurred when someone left the company.

As the one who has to make the decisions on how things are done, I am a hard nosed arse when it comes to following protocols I have established. I also have an open door to anyone who has any ideas on how to do things better.

Everyone in the company knows (via training) that writing a password down or recording a credit/debit card number is grounds for immediate termination.
 
In regards to this picture, not the event that just happened. . .I laughed, laughed some more, took a deep breath and then kept snickering.
 
Oh, I am in the same boat as far as keeping up with logins and passwords. No way am I going to remember 25K of them. I have written some programs which manage that information in an encrypted form, with the decryption key being hidden away. The only time I recall ever having to access it occurred when someone left the company.

25K passwords? What?
 
The passwords of all the users on the network. I have been in that situation at three different companies in my career.
 
Most government work has requirements of a password change every 60 days. The password has to contain at least 12 characters (up from 8), have a special character, number, and capital letter, and can't be reused again at a later time.

Is it any wonder people write them down to remember them?

So you use a password manager, either online (like LastPass) or on a thumb drive (like KeePass). Writing it down for public display is never a valid solution.
 