The Agency Insider with Linda McGlasson

Presidential Politics: 'Passwordgate' More Distressing Than Troopergate


I have issues with weak passwords and easy-to-guess answers for challenge questions on password resets. This was Sarah Palin's (Republican vice presidential candidate) apparent problem with her personal Yahoo! email account. It only took a Google search and some thought on a young hacker's part to find out the challenge question to her email account password reset. Now I'm also adding that Palin isn't the only executive who is known to use such simple passwords or easy-to-find answers to challenge questions.

But it still rubs against the grain of every fiber of my information security-being that she chose such an easy-to-find (or guess) challenge question/answer. We can't expect everyone to know the mantra "the best password is easy to remember yet hard to guess," but in the case of Republican vice presidential candidate Sarah Palin's latest blunderfuss in the normal news media, I am concerned about the wider issue of the future direction and emphasis on information security and cyber security in our country.

Now, if you've not heard by now, Palin's personal Yahoo email account was hacked successfully and then several screenshots and details of the contents were posted to a web site noted for this kind of publicity. The activist group called "anonymous," best known for its jousts with the Church of Scientology, apparently hacked into Palin's private Yahoo e-mail account. Not all the blame should be heaped at her feet, because a former Yahoo information security officer I spoke with recalled that Yahoo had tried to change its password requirements several years ago, but because of the increased number of calls to its customer support number (and thus more money being spent), the plan to make everyone add a letter and a number to their passwords was dropped.

After her account was hacked with a password reset move, it was reported that a member of the hacker group then reset her password to "popcorn" and posted it on the Internet.

First, I'll say it was a bad thing for those hackers to do, breaking into Palin's email account, although based on her choice of password/challenge question-answer, it may not have taken them that long. A good dictionary attack program would have gotten to her password pretty darn quickly. One of my favorite lines from Southern comedian Ron White sums it up succinctly, as he drawls, "You can't cure stupid."

I will add that, based on her current level of bright ideas being repeated by the press, her idea of mixing business correspondence in her private emails is not the smartest thing I've heard a candidate do. No doubt this will end up as fodder for the late night talk show hosts, who'll make fun of her poor decision-making ability when choosing a password and add some sharp pointy sticks for that committee investigating her in Alaska.

But the real question here is: why would anyone want to mix their business and personal email together? As a public servant, Palin's use of her personal email account to discuss government affairs is at least going to raise one or two eyebrows on ethics and accountability. The anonymous group posted two emails and some photos from her email account (site was overloaded as of this writing) and charges that Palin has improperly used her private e-mail to shield government business from public scrutiny. This contention had already been raised by others.

Who among us hasn't had to send at least one email through their personal email account? Me included, I will admit. The recent hurricanes that roared through the Gulf had me contacting all the state bank commissioners for their preparation efforts. Though I tried more than once, the Texas State Banking Agency's webmail server kept denying my emails to the commissioner. After a phone call and an email being kicked back yet again, I resorted to sending an email through my private email account. But that was only because I needed to get an email to them and receive a response back. No troopergate here, sorry, only a firewall issue.

And now the question for those in the banking industry: do you know what your employees are sending out via their private email accounts about your institution? Many companies now prohibit the use of webmail while at work and block its access. (That's one way of getting around it.) Now if you could only stop employees' use of texting on cell phones and their private Blackberry use.

This incident brings to light that Palin may not be 100% above-board in her use of her private email (at least she has a working knowledge of how to send an email, while her No. 1, John McCain, admits he doesn't know his way around a computer). Her lack of awareness of security issues begs yet another set of questions to be answered by our presidential candidates: what example will they set, and what will they do to bolster cyber security and protect data when they get into office?

I can see it now, late March 2009, and Palin is sitting in her office at the White House, choosing a password for her www.whitehouse.gov email account. "Hmmm, I can't use popcorn because those darned left-winger Democratic hackers have used it. I'm going to try another favorite snack . . .'moose jerky'."



About the Author

Linda McGlasson


Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.



