A Photo Accidentally Revealed a Password For Hawaii's Emergency Agency (qz.com)
An anonymous reader quotes a report from Quartz: In the aftermath of an erroneous missile warning that terrified Hawaiians on Saturday (Jan. 13), the state's emergency management agency has come under increased scrutiny, from the poor design of the software that enables alerts to a particularly slapdash security measure by one of its employees. Old photos from the Associated Press inside the agency's office appear to show an unspecified password on a yellow Post-It note, stuck to a computer monitor. The image, which shows operations manager Jeffrey Wong standing in front of the computer, was taken in July and appeared in articles published at the time about the agency's preparedness in the face of a nuclear threat. The agency verified that the password is indeed real but wouldn't go into specifics on what program the password was supposed to be used for.
So much so that the latest NIST recommendations are that you Should NOT impose composition rules and you Should NOT require that the password be changed frequently. It's better to train employees to come up with memorable secure passwords (which don't require hard-to-remember composition rules https://xkcd.com/936/) and use things like password managers and 2FA.
Once you start requiring them to be 12 characters long, and contain at least one uppercase character, one lowercase character, one numeral, and one Egyptian hieroglyph they are.
By the way, those complexity rules have been officially withdrawn by NIST. In fact, TFA is an instance of the very problem that drove the rule change. Now all we have to do is spend 20 years undoing the damage of the old, stupid, complexity rules.
[Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
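As an added illustration of the NIST guidance the comments above refer to (not code from the article, the agency, or any commenter), here is a check in the old composition-rule style beside one following the memorized-secret rules of NIST SP 800-63B: minimum length, a generous maximum, a blocklist comparison, and no character-class requirements. The blocklist, the 128-character cap and the sample passwords are constructed for the example.

```python
import re
import unicodedata

# Constructed stand-in for a real compromised/common-password list (a breach corpus
# or a top-N list); entries are stored lowercase for the comparison below.
SAMPLE_BLOCKLIST = {
    "password", "p@ssw0rd2018", "summer2017!", "correct horse battery staple",
}


def legacy_composition_check(pw: str) -> tuple[bool, list[str]]:
    """The rule set the thread criticises: length plus mandatory character classes."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no symbol")
    return (not problems, problems)


def nist_style_check(pw: str, blocklist=SAMPLE_BLOCKLIST) -> tuple[bool, list[str]]:
    """Checks in the spirit of SP 800-63B section 5.1.1.2.

    No composition rules and no expiry: a secret is only forced to change when
    there is evidence of compromise, which a blocklist hit is.
    """
    problems = []
    # Normalise Unicode so visually identical secrets compare equal (NIST asks for
    # NFKC or NFKD before hashing or comparing).
    pw = unicodedata.normalize("NFKC", pw)
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if len(pw) > 128:  # verifiers must allow at least 64; 128 is this example's cap
        problems.append("longer than 128 characters")
    # Case-folding before the lookup is an assumption of this example, not a NIST rule.
    if pw.lower() in blocklist:
        problems.append("appears on the compromised/common password list")
    return (not problems, problems)
```

A composition-compliant secret like `P@ssw0rd2018` passes the legacy check and fails the blocklist, while a long unremarkable passphrase fails the legacy rules and passes the NIST-style check.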
Dude, did you see the "GUI" they are using? You can tell what has happened just by looking at the result.
(Image of the GUI is a bit down in the article.)
The reason this bullshit happened is because the person leading the development didn't have the competence needed to judge the state of the system or he didn't get the funding needed to finish the project.
You can tell just by looking at it that someone programmed the backend and made it work, and to test the system he spent 5 minutes to make a web page that sent a test signal.
When the backend worked he demonstrated the system for his boss, who didn't listen to all that technical mumbo jumbo and just saw a button click and a correct response and decided that the project was done.
No proper GUI was ever developed.
Over time, new links were added to the test page just to be able to send other messages, but they were just added to the list in no particular order.
This isn't an operator error. In a sharp situation where the operator is stressed there is a high probability that even a competent person would pick the wrong message.
This is purely a development error, and since the backend apparently works very well and clearly no one spent even a day on building a GUI, it is clearly a project management or funding issue.