Monday, July 30, 2007

Nevada governor's email password is only a click away

It may not surprise you to discover that the Nevada governor doesn't send out his own weekly email updates. However, you should be alarmed that this task might not be limited to his trusted staff.

Declan McCullagh posted this news article about finding the governor's password in an Internet accessible Word document. The document contained step-by-step instructions for sending out email using the governor’s account. At the appropriate places, the account username and password for the governor were listed.

Whether anyone on the Internet could have logged in and sent mail as the governor is an interesting question, but I certainly assume that unauthorized folks within the state capital (possibly from opposition parties) could have. If a malicious email had been sent out, it would take more than a quick retraction to undo the damage.

The main lesson to take away from this incident is that passwords should almost never be included in procedural documents. Instead, such steps should refer the reader to a secure password storage location (such as an encrypted password safe) or to an employee who can properly limit password distribution to authorized personnel. Then your authentication system won't rely entirely on how well people protect an unencrypted electronic document.
