Can you trust a politician to choose a good password?

If Sarah Palin, potential VP of the USA, is anything to go by, then the answer is no. Palin chose the word “popcorn” as her password – not “lipstick”, not “caribou”, not even “snocat”, but those choices would have been just as bad. Password cracking software starts off with a list of 30,000 or so common words and only when it exhausts that list does it move on to brute force cracking – trying every possible combination of characters on the keyboard.

It’s feasible that Palin’s poor choice of password made it easier for the group that goes by the name Anonymous to break into her email account and expose the fact that she was using a non-governmental email system for governmental email. (There can’t have been much else in her email or we’d all know of it by now.) Officially, this matters because public servants are not supposed to use insecure non-governmental email systems for government business.

Anonymous made matters worse by handing all the information they grabbed from Palin’s email to Wikileaks, the web site whose sole purpose in life is to “publish and be damned”. It matters not to Wikileaks whether the information it publishes has a right to privacy – in fact they only publish information that someone wants to keep private.

The Responsibility of IT

The question that no-one is asking is whether the government IT Department for the State of Alaska properly insisted that all officials had to use the secure email system or to put it more bluntly: Who’s managing IT security in Alaska? Is there no governance happening here?

The most disturbing fact about the email account is that its address (now defunct) was “gov.sarah@yahoo.com”, which suggests that Palin knew it was going to be used for government business.

Perhaps the whole situation with email has become too hard for most people, including the average politician. Maybe Palin never understood that Yahoo is insecure because anyone can get to the interface. And I suspect no-one was able to set up an email system for her that she could use from anywhere, where personal emails and government emails were naturally kept apart.

(Is that a user problem or is that just a poor system?)

The fact that Palin is the recently announced VP candidate naturally makes her a target for hacking, but she never knew until a few weeks ago that she was even a possible choice, so when she chose her personal password, she probably didn’t think she was a likely target for hacking. But even if she had been briefed on what makes a strong password, would she have chosen better? Users hate cryptic passwords they can’t easily remember and often fail to follow guidelines.

Breaking News….

It is now reported that the hack of Palin’s email account wasn’t achieved by use of a password cracker. It was done – believe it or not – by using the Yahoo password recovery feature, which comes into play if you forget your password. The following posting was made to the bulletin board of 4Chan by the geek who claims he pulled off this coup.

“After the password recovery was reenabled, it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)”

“The second was somewhat harder, the question was “where did you meet your spouse?” did some research, and apparently she had eloped with mister palin after college, if you’ll look on some of the screenshots that I took and other fellow anon have so graciously put on photobucket you will see the google search for “palin eloped” or some such in one of the tabs.”

“I found out later through more research that they met at high school, so I did variations of that, high, high school, eventually hit on “Wasilla high” I promptly changed the password to popcorn and took a cold shower…”

So “popcorn” was not the password that Palin chose. It follows that we can never know what password Palin chose. It may indeed have been “lipstick” or it may have been a much more secure one like “1mG0nnabVP”.
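As an added example (not from the original post), this Python estimator applies the two-stage model described above: a dictionary pass over a constructed stand-in for the cracker's common-word list, with the usual mangling rules, and then a keyspace estimate for the brute-force pass. The word list, the mangling rules and the 40-bit threshold are assumptions chosen for illustration.

```python
import math
import string

# Constructed stand-in for the ~30,000-word common-word list a cracker tries first.
COMMON_WORDS = {"popcorn", "lipstick", "caribou", "snocat", "password", "letmein", "wasilla"}


def _mangled(word):
    """Yield the variants a dictionary pass typically tries for each word (assumed rules)."""
    yield word
    yield word.capitalize()
    yield word.upper()
    yield word[::-1]                                        # reversed
    yield word.translate(str.maketrans("aeios", "43105"))   # leet substitutions
    for d in range(100):                                    # word followed by 0..99
        yield f"{word}{d}"


def in_dictionary_tier(password, words=COMMON_WORDS):
    """True if the password falls to the dictionary pass (word list plus mangling)."""
    return any(password == variant for w in words for variant in _mangled(w))


def _charset_size(password):
    """Size of the smallest keyboard character class set that covers the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size


def brute_force_bits(password):
    """log2 of the keyspace a brute-force pass must cover for this length and charset."""
    if not password:
        return 0.0
    return len(password) * math.log2(_charset_size(password))


def classify(password):
    """'dictionary' if the word-list pass gets it, else rate the brute-force keyspace."""
    if in_dictionary_tier(password):
        return "dictionary"
    return "weak-bruteforce" if brute_force_bits(password) < 40 else "strong"
```

Under this model “popcorn” and “lipstick” fall in the first pass, while a mixed-case, digit-bearing choice such as “1mG0nnabVP” only becomes reachable by brute force over a keyspace of roughly 2^59.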

We can at least be certain that John McCain’s email isn’t going to be hacked. He doesn’t use email, or even know how to. (That must be awful – life without spam.)
