According to a senior adviser at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the organization has seen cases of staff in elections offices using default passwords or sharing passwords via email. This tendency is understandable, particularly for election officials at the local level who lack the staff and resources of larger municipalities. However, it’s important that they are aware of the vulnerabilities associated with poor password practices and take steps to address them as part of shoring up election security.
Generally speaking, people understand the importance of creating strong, unique passwords for every online account. However, a desire for convenience and efficiency and an inability to remember complex passwords typically outweigh these considerations. Case in point, a LastPass survey found that 91 percent of respondents recognize the risks of reusing passwords, but 61 percent admit to doing it anyway.
This is a problem because exposed passwords are readily available on the dark web for hackers to buy and use in subsequent attacks. A staggering 137 million records were exposed in the 10 largest data breaches of 2019 alone. If an election official is reusing a password, the likelihood of hackers being able to capitalize on this behavior is high.
Vulnerabilities increase with password sharing
As the CISA senior adviser noted, many election officials are sharing passwords with colleagues. Even if these passwords are complex and created for use with a specific account or service, this still introduces a number of threats. For example:
- Email storage: Hackers can more easily obtain the credentials to sensitive systems if they are stored in multiple email accounts. If election officials have email enabled on a smartphone and/or utilize public Wi-Fi to check their email, this vulnerability only increases.
- Password reuse: Just because a password was created for use with a specific online account, there is no guarantee that it will remain unique once it’s been shared with multiple people. As mentioned above, if an election official reuses a password for other work or personal accounts, numerous security concerns are introduced.
- Staff turnover: When passwords are shared among colleagues, what happens when someone leaves the organization?
Local governments also must address the continued use of default passwords on connected devices or digital systems. It’s relatively common for these credentials to be incredibly basic and easy for hackers to guess — for example, last year over 600,000 GPS trackers with a default password of “123456” were shipped to customers worldwide. Default passwords are meant to be changed, but this step is commonly overlooked.
IT’s traditional approach to password security has been to mandate strong credentials and enforce periodic password resets, but this has its limitations. The policy typically frustrates employees and can cause them to seek workarounds that also compromise security. For example, when asked to create unique passwords, people may select the same root word or phrase and swap out special characters for each account — e.g., “Password1,” “Password2,” etc. Forcing frequent password changes also typically results in weaker passwords, as users don’t want to have to remember numerous new, complex sequences. For these reasons, the National Institute of Standards and Technology (NIST), a government body dedicated to improving digital security, no longer recommends that IT departments enforce periodic resets.
A modern approach to password security
Local governments must design password policies to reflect the realities of user behavior. With limited resources and leanly staffed teams, the best way to ensure the security of sensitive systems and accounts is by screening credentials to determine if they have been compromised. This is part of NIST’s most recent requirements, and a critical step in revising password management for the digital age.
Of course, it’s important that local governments also work to eliminate password sharing and other poor security practices. But by cross-referencing passwords both at their creation and on a daily basis against an updated list of exposed credentials, they can at least ensure that employees’ password behavior is not actively introducing any new security vulnerabilities.
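The screening workflow described above, both at password creation and as a recurring daily check, can be illustrated with a small Python example. This is added illustrative code, not code from the article or from Enzoic; it assumes a constructed corpus of SHA-1 digests standing in for a real compromised-credential feed, a k-anonymity style prefix lookup (the client reveals only the first five hex characters of the hash, the way public "range" APIs work), and a hypothetical `root_word` normalization that also catches the "Password1", "Password2" pattern mentioned earlier, which goes slightly beyond the article's own description. A real deployment would keep a separate screening digest per account rather than reuse the login password hash, and would refresh the corpus before each daily run.

```python
import hashlib
import re
from typing import Dict, List, Set

# Constructed sample corpus: plaintexts are listed here only to build the demo.
# A real feed would supply digests (or partial digests) of exposed credentials.
_CONSTRUCTED_BREACHED_PLAINTEXTS = ["123456", "password", "Password1", "qwerty", "letmein"]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 digest, the format used by common breach-corpus lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


BREACH_CORPUS: Set[str] = {sha1_hex(p) for p in _CONSTRUCTED_BREACHED_PLAINTEXTS}


def range_lookup(prefix5: str) -> List[str]:
    """Simulated k-anonymity 'range' query.

    Given the first 5 hex characters of a SHA-1, return the 35-character suffixes
    of every breached digest sharing that prefix. Only the prefix leaves the
    client, so the lookup service never learns the full hash or the password.
    """
    return sorted(h[5:] for h in BREACH_CORPUS if h.startswith(prefix5))


def is_compromised(password: str) -> bool:
    """True if the password appears in the breach corpus (checked via prefix/suffix)."""
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5])


def root_word(password: str) -> str:
    """Hypothetical normalization: strip trailing digits and common symbols so that
    'Password2!' reduces to 'Password' and can be screened as a reused root."""
    return re.sub(r"[\d!@#$%^&*._-]+$", "", password)


def evaluate(password: str, min_length: int = 8) -> List[str]:
    """Screen a candidate password at creation time.

    Returns a list of findings; an empty list means the password passed. Following
    NIST guidance, there is no complexity rule and no expiry, only a length floor
    and a check against known-exposed credentials (and their trivial variants).
    """
    findings: List[str] = []
    if len(password) < min_length:
        findings.append("too_short")
    if is_compromised(password):
        findings.append("compromised")
    root = root_word(password)
    if root and root != password and (is_compromised(root) or is_compromised(root.lower())):
        findings.append("compromised_root")
    return findings


def rescreen_accounts(screening_digests: Dict[str, str]) -> List[str]:
    """Daily job: re-check each account's stored screening digest against the
    current corpus and return the accounts that now need a reset."""
    return sorted(
        user for user, digest in screening_digests.items()
        if digest[5:] in range_lookup(digest[:5])
    )


if __name__ == "__main__":
    for candidate in ["123456", "Password2", "Correct-Horse-Battery-Staple-91"]:
        print(candidate, "->", evaluate(candidate) or "ok")
    # Constructed account table: username -> screening digest.
    accounts = {
        "clerk": sha1_hex("letmein"),
        "registrar": sha1_hex("Correct-Horse-Battery-Staple-91"),
    }
    print("accounts needing reset:", rescreen_accounts(accounts))
```

The creation-time check rejects exposed passwords and their numbered variants without asking users to memorize arbitrary complexity rules, and the daily rescreen catches credentials that were fine yesterday but have since appeared in a new breach dump.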
Cybersecurity is a complex problem, and a multibillion-dollar industry has sprung up to address it. In the rush to adopt emerging technologies and tactics, it’s important that organizations not overlook security basics. After all, the latest in AI-based threat detection will be of little use if hackers can easily leverage compromised credentials to infiltrate election-related accounts.
Safeguarding authentication is a simple yet incredibly important part of addressing election security. As part of this, local governments should also ensure that multi-factor authentication is enabled for all accounts. This adds an extra layer of protection and reduces the risk of a password attack.
Now is the time to act
Hackers don’t discriminate when it comes to election interference. The smallest local municipality is just as vulnerable as the largest urban center, and it’s important that city and county IT officials recognize the inherent threats in password management. With the pandemic introducing numerous new election-related challenges, these entities are already under significant pressure. However, it’s critical that they act now to ensure that the outcome of the 2020 presidential election is not influenced by poor password policy.
Josh Horwitz is COO of Enzoic. He earned his MBA from Babson’s F.W. Olin Graduate School of Business and his B.A. from Washington University in St. Louis. Josh lives with his wife and son in beautiful Boulder, Colo.