Hawaii Emergency Management Password Found In Press Photo

Discussion in '[H]ard|OCP Front Page News' started by rgMekanic, Jan 17, 2018.

  1. rgMekanic

    rgMekanic [H]ard|News Staff Member

    Messages:
    5,069
    Joined:
    May 13, 2013
    After a false alert about an inbound missile, Hawaii's Emergency Management Agency has said a worker clicked the wrong item in a drop-down menu and sent it, and that its system was not hacked. But Hawaii News Now is reporting that an AP photo from July has resurfaced, showing the agency's operations officer in front of monitors; attached to one of them is a Post-it note with a password on it.

    Just.... wow. I'm nearly at a loss for words on how big of a screw up this is. And from the response of the spokesman, it sounds like this was a shared password, therefore no way to link it to a specific careless employee.

    Richard Rapoza, emergency management agency spokesman, confirmed that the password is authentic and was actually used for an "internal application." He said he didn't believe that application is any longer in use, but declined to say what application the password was for. "It wasn't for any major piece of software," he said, while also acknowledging that it's not a good idea to have a password in plain sight, especially with news cameras around.
     
    yumnmycandy, drescherjm and SticKx911 like this.
  2. Nunu

    Nunu Limp Gawd

    Messages:
    155
    Joined:
    Jun 5, 2017
    It's amazing this only happened once ...
     
  3. Powerage

    Powerage [H]ard|Gawd

    Messages:
    1,089
    Joined:
    Jun 26, 2007
    Don't know what the password is for, so it's really a non-story. Could be to log into the offline Linux box they use to play chess during lunch.
     
    Rahh, Brian_B and Jim Kim like this.
  4. bugleyman

    bugleyman [H]ard|Gawd

    Messages:
    1,082
    Joined:
    Oct 27, 2010
    Wow, I couldn't disagree more. Writing down, displaying, and sharing passwords are all major operational no-nos for a government agency in any feasible context.
     
  5. Gweenz

    Gweenz [H]ard|Gawd

    Messages:
    1,150
    Joined:
    Dec 18, 2003
    Why would anyone be surprised by this?
     
    FlawleZ likes this.
  6. Powerage

    Powerage [H]ard|Gawd

    Messages:
    1,089
    Joined:
    Jun 26, 2007
    Eh, that's fair but there's no indication that anything mission critical or even mission relevant was compromised by this. I accept your point from a policy perspective though.
     
    commodork6510 likes this.
  7. EODetroit

    EODetroit [H]ard|Gawd

    Messages:
    1,315
    Joined:
    Oct 20, 2004
    Haha. It just means they have shit controls over their procedures. If they were an FDA regulated company, they would be given a citation for it, for example.
     
    rgMekanic likes this.
  8. rgMekanic

    rgMekanic [H]ard|News Staff Member

    Messages:
    5,069
    Joined:
    May 13, 2013
    This.
     
    Rahh likes this.
  9. kirbyrj

    kirbyrj Why oh why didn't I take the BLUE pill?

    Messages:
    22,866
    Joined:
    Feb 1, 2005
    Most government work has requirements of a password change every 60 days. The password has to contain at least 12 characters (up from 8), have a special character, number, and capital letter, and can't be reused again at a later time.

    Is it any wonder people write them down to remember them?
     
  10. bugleyman

    bugleyman [H]ard|Gawd

    Messages:
    1,082
    Joined:
    Oct 27, 2010
    Fair enough. *tips hat*
     
    Powerage and commodork6510 like this.
  11. Brian_B

    Brian_B [H]ard|Gawd

    Messages:
    1,465
    Joined:
    Mar 23, 2012
    You have to have so many passwords these days, and a lot of them have some pretty onerous requirements (like forcing change every 90 days or some such).

    Sure, it's good security.

    It's also such a royal pain in the ass that I, as an average Joe who can barely remember my own name on a good day, don't have much of a shot at remembering all 637 unique usernames, passwords, PIN numbers, security images, authentication dongles, and whatever else security people say I need to make my life secure.

    Should he have had it on a post-it note? No. But I also don't blame him one bit for it. I use a password manager, and even with that I can't keep it all straight.

    Every single senior citizen I help with a computer, the very first thing I do is tell them to get a sheet of paper, stick it in their top drawer, and absolutely do write down every single account name and password. They always say "I was told not to do that" - and that's true, you're not supposed to. But every single person (senior citizen or not) who doesn't do that, in my experience, has lost accounts somewhere because they couldn't keep it all straight in their head.

    I'm not against security, don't get me wrong, but unless you have perfect recall, something's gonna give somewhere. Sure, some of you out there have James Bond jobs and it's life or death. For most of us, it's just Facebook and forums like this.
     
  12. NickJames

    NickJames Viagra Required

    Messages:
    6,339
    Joined:
    Apr 28, 2009
    Welcome to the government. We're forced to change our password every 90 days and each one has to be unique for 4 different user logins. Granted, most of us just add a different digit or symbol at the end, but a lot of people are older folks with little tech skill and bad memory. I can tell you that nearly 40% of office workers write down their PWs somewhere, usually a notepad or sticky note, and place it in or around their desk. The smart ones at least use a locked drawer, but even then they sometimes just leave it unlocked, allowing anyone to just pick up their notebook and see 20 different users/passwords for various software/accounts/PC logins.
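The "add a different digit or symbol at the end" habit described above is exactly what a rotation policy without a similarity check fails to catch. The following is an added example, not code from the thread or from any agency mentioned in it: a password-history check that strips the trailing characters people typically bump and compares the remainder against previous passwords. The sample history is constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed sample of one user's last rotations (hypothetical values, not from the page).
SAMPLE_HISTORY = ["Winter2017!", "Winter2017!1", "Winter2017!2"]


def _core(pw: str) -> str:
    """Drop the trailing digits/symbols that get bumped on each rotation, then lowercase."""
    return re.sub(r"[\d\W_]+$", "", pw).lower()


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] of how alike two passwords are once their rotation suffix is removed."""
    return SequenceMatcher(None, _core(a), _core(b)).ratio()


def rotation_is_weak(new_pw: str, history, threshold: float = 0.8) -> bool:
    """True when the candidate is a trivial variant of any password in the history.

    In a real deployment the history would hold salted hashes, so this comparison
    has to run at change time, while the plaintext candidate is available; it cannot
    be done retroactively on stored hashes.
    """
    return any(similarity(new_pw, old) >= threshold for old in history)


if __name__ == "__main__":
    for candidate in ["Winter2017!3", "correct-horse-battery"]:
        print(candidate, "-> rejected" if rotation_is_weak(candidate, SAMPLE_HISTORY) else "-> accepted")
```

The threshold is deliberately loose: the goal is to reject "same word, new suffix", not to police every shared character, and a real policy would pair this with a minimum length rather than forcing frequent rotation at all.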
     
  13. BSmith

    BSmith [H]ard|Gawd

    Messages:
    1,035
    Joined:
    Nov 9, 2017
    We have a simple policy where I work.

    If you write down a login or password, then you will be terminated immediately. I also clear all cookies so none can be remembered for the user. Yes, it makes my life a pain sometimes, but I am not going to have my job compromised by some numpty.

    Everyone aware of that sticky should be fired.
     
  14. Mchart

    Mchart 2[H]4U

    Messages:
    2,353
    Joined:
    Aug 7, 2004
    Hard to do when the same idiots suggest we need to remember 12 different 21-character passwords with no repeating characters.
     
    Armenius and kirbyrj like this.
  15. BSmith

    BSmith [H]ard|Gawd

    Messages:
    1,035
    Joined:
    Nov 9, 2017
    I cannot help a company who may have inept admins.

    Wait... yes I can... contract work. I keep forgetting. :)
     
  16. EODetroit

    EODetroit [H]ard|Gawd

    Messages:
    1,315
    Joined:
    Oct 20, 2004
    Only if there's a procedure against it and they have a history of ignoring procedures. If you run around firing people like you suggest, soon you'll have no employees. You develop procedures, including what to do when one isn't followed.
     
  17. SomeoneElse

    SomeoneElse [H]ard|Gawd

    Messages:
    1,372
    Joined:
    Jan 16, 2007
    It only takes one person to have an account compromised and a hacker can escalate privileges.
     
    BSmith likes this.
  18. BSmith

    BSmith [H]ard|Gawd

    Messages:
    1,035
    Joined:
    Nov 9, 2017
    Well, I cannot imagine them not having a procedure for this. If they did not, then the entire IT department should be fired. Even without a procedure, someone should have raised a GIANT RED flag about it. I mean, what admin would allow for that?

    Yes, I am a hard ass when it comes to network security. I give no quarter.

    In over 25 years of being an admin for all types of networks, I have never had a system compromised. Not one. I'll let that record speak for itself.
     
  19. J3RK

    J3RK [H]ardForum Junkie

    Messages:
    8,332
    Joined:
    Jun 25, 2004
    26 characters changed every 30 days for my department. It's a pain, but whatever. I come up with phrases using misspelled words. Pretty easy to remember that way.
     
  20. Jim Kim

    Jim Kim 2[H]4U

    Messages:
    2,573
    Joined:
    May 24, 2012
    You forgot 2 things.
    1. That you know of.
    and
    2. Yet
     
  21. kju1

    kju1 2[H]4U

    Messages:
    2,508
    Joined:
    Mar 27, 2002
    Yes, you can reuse them after a specific period of time; your time period is off, and so are the length and complexity requirements.

    My point? Password requirements vary by agency.

    Maybe they should have used correcthorsebatterystaple?
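To put the "12 characters, special, number, capital" rules from earlier in the thread next to the correcthorsebatterystaple suggestion, here is an added example that is not code from the thread: a checker for those stated complexity rules, plus the standard entropy estimates for a word-list passphrase versus a character-class password. The eight-word list is constructed for illustration; 7776 is the size of a real diceware list, and the charset figure is an upper bound that assumes uniformly random choice, which human-chosen passwords never reach.

```python
import math
import re
import secrets

# Complexity rules as stated in the thread (the 60-day rotation is not modelled here).
MIN_LENGTH = 12


def policy_failures(pw: str) -> list:
    """Return the names of the complexity rules a candidate breaks; an empty list means compliant."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append("length")
    if not re.search(r"[A-Z]", pw):
        failures.append("uppercase")
    if not re.search(r"\d", pw):
        failures.append("digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        failures.append("special")
    return failures


# Constructed toy word list for the demo; a real diceware list has 7776 words.
WORDLIST = ["correct", "horse", "battery", "staple", "island", "missile", "monitor", "lantern"]
DICEWARE_SIZE = 7776


def passphrase_entropy_bits(wordlist_size: int, words: int) -> float:
    """Entropy of `words` words drawn uniformly at random from a list of `wordlist_size`."""
    return words * math.log2(wordlist_size)


def charset_entropy_bits(length: int, charset_size: int) -> float:
    """Upper-bound entropy of `length` characters drawn uniformly from `charset_size` symbols."""
    return length * math.log2(charset_size)


def generate_passphrase(words: int = 4, wordlist=WORDLIST, sep: str = "-") -> str:
    """Draw words with the CSPRNG from `secrets`, never `random`."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    for candidate in ["correcthorsebatterystaple", "Tr0ub4dor&3", "Winter2017!!"]:
        print(f"{candidate!r}: fails {policy_failures(candidate) or 'nothing'}")
    print("4 diceware words:", round(passphrase_entropy_bits(DICEWARE_SIZE, 4), 1), "bits")
    print("12 random printable chars (upper bound):", round(charset_entropy_bits(12, 95), 1), "bits")
    print("sample passphrase:", generate_passphrase())
```

Note what the checker shows: the passphrase fails three of the four rules while a minimal "Winter2017!!" passes all of them, which is the mismatch between complexity rules and actual strength that the thread is circling around.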
     
  22. kirbyrj

    kirbyrj Why oh why didn't I take the BLUE pill?

    Messages:
    22,866
    Joined:
    Feb 1, 2005
    I can only speak for my agency which is where the requirements posted come from. Who the hell wants to sit there and type a sentence or series of words into the computer as a password?
     
  23. MMitch

    MMitch Limp Gawd

    Messages:
    288
    Joined:
    Nov 29, 2016
    !!? Holy cow, Batman... and here I thought our 8 characters with at least 1 capital and 1 special, along with nothing repeating, plus changing every 60 days was a lot...
    I got a good memory but older folks always need to reset their credentials when they come back from vacation... painful.
     
    Seelenlos and J3RK like this.
  24. kju1

    kju1 2[H]4U

    Messages:
    2,508
    Joined:
    Mar 27, 2002
    That was my point. When you say "most government work" and then state requirements you implied a standard that was not correct.
     
  25. BSmith

    BSmith [H]ard|Gawd

    Messages:
    1,035
    Joined:
    Nov 9, 2017
    hehe.

    Oh, I would know.
    And it is not going to happen.

    But I liked your post. :)
     
  26. vagabond102

    vagabond102 n00bie

    Messages:
    23
    Joined:
    Jan 21, 2009
    Then I am glad you are not my administrator. One thing I've learned in 25 years in tech/IT is that no matter how much I learn or think I know, I know absolutely nothing. If you think you can protect a system connected to a network completely, you are sadly mistaken.

    As far as the sticky, that's a bad one and shouldn't happen, anywhere, for any reason. That said, most employees, system, and network admins I've known have some way of keeping track of their logins and passwords. Most IT positions I've held have had me having a dozen or more creds to remember and that's just not possible for reasonable people, let alone to actually do it right.

    Just my .02
     
  27. kirbyrj

    kirbyrj Why oh why didn't I take the BLUE pill?

    Messages:
    22,866
    Joined:
    Feb 1, 2005
    Like any government agency. They don't operate in a vacuum. One group starts doing something in the name of security, others follow. For example, 8 characters used to be a minimum and now many are moving to 12.
     
  28. Bigbacon

    Bigbacon [H]ardForum Junkie

    Messages:
    15,332
    Joined:
    Jul 12, 2007
    I would never remember that and I would have to write it down and carry it with me.
     
  29. oldmanbal

    oldmanbal [H]ard|Gawd

    Messages:
    1,585
    Joined:
    Aug 27, 2010
    Pretty sure I saw this in a videogame recently, Prey wasn't it?
     
  30. RogueTadhg

    RogueTadhg [H]ard|Gawd

    Messages:
    1,392
    Joined:
    Dec 14, 2011
    There's been a video (I think) that an IT department's password was on a white board.
    You haven't been on the internet long enough until you have to find a way to remember your passwords that makes normal people squirm. Then double, triple or quadruple that number for your IT job.

    User: "I can't remember the 4 passwords I have! It's too many!"
    Me [In thought]: "I wish I only had 4 passwords to remember."
    Me: Yep, that's a lot of passwords.

    User: This is my password, do you think it's long enough?


    Me: Definitely not.
     
    Armenius and wolfofone like this.
  31. Dekoth-E-

    Dekoth-E- [H]ardness Supreme

    Messages:
    7,212
    Joined:
    Mar 23, 2010
    Basically sums up why my default feeling for many people in IT is one of utter contempt.
     
  32. rudy

    rudy [H]ardForum Junkie

    Messages:
    8,349
    Joined:
    Apr 4, 2004
    Before I clicked on the link I said to myself it's going to be on a sticky note on the monitor. lol
     
    Armenius likes this.
  33. pendragon1

    pendragon1 [H]ardForum Junkie

    Messages:
    10,696
    Joined:
    Oct 7, 2000
  34. trudude

    trudude [H]ard|Gawd

    Messages:
    1,647
    Joined:
    Jul 17, 2003
    Would be interesting to know which systems dump to their disaster recovery environments stateside when the missile warnings are triggered...
     
  35. BSmith

    BSmith [H]ard|Gawd

    Messages:
    1,035
    Joined:
    Nov 9, 2017
    It would be your prerogative not to hire me. However, I think passing up an opportunity to hire someone who might actually be very good at what they do (yes, even a little cocky about it) is a mistake. If someone walks into my office with that level of confidence, the first thing I want to know is why they are so confident. Not to sound passive-aggressive, but that is just the way I roll. How you roll is up to you.

    Oh, I am in the same boat as far as keeping up logins and passwords. No way am I going to remember 25K of them. I have written some programs which manage that information in an encrypted form, with the decryption key being hidden away. The only time I recall ever having to access it occurred when someone left the company.

    As the one who has to make the decisions on how things are done, I am a hard nosed arse when it comes to following protocols I have established. I also have an open door to anyone who has any ideas on how to do things better.

    Everyone in the company knows (via training) writing a password down or recording a credit/debit card number is basis for immediate termination.
     
    Last edited: Jan 18, 2018
  36. Uvaman2

    Uvaman2 2[H]4U

    Messages:
    2,334
    Joined:
    Jan 4, 2016
    A mistake, suuuuure.
     
  37. lostin3d

    lostin3d [H]ard|Gawd

    Messages:
    1,238
    Joined:
    Oct 13, 2016
    In regards to this picture, not the event that just happened... I laughed, laughed some more, took a deep breath and then kept snickering.
     
  38. DyNamiC.

    DyNamiC. [H]ard|Gawd

    Messages:
    1,297
    Joined:
    Mar 27, 2006
    25k passwords? What?
     
  39. BSmith

    BSmith [H]ard|Gawd

    Messages:
    1,035
    Joined:
    Nov 9, 2017
    The passwords of all the users on the network. I have been in that situation at three different companies in my career.
     
  40. King of Heroes

    King of Heroes 2[H]4U

    Messages:
    2,105
    Joined:
    Mar 26, 2008
    So you use a password manager, either online (like LastPass) or on a thumb drive (like KeePass). Writing it down for public display is never a valid solution.