A password for the Hawaii emergency agency was hiding in a public photo, written on a Post-it note
A false alert warning of an inbound missile was broadcast in Hawaii on Saturday.
Since then, people have discovered that a photo taken in Hawaii's Emergency Management Agency for a news article in July includes a sticky note with a password.
Hawaii says the alert was sent was because "an employee pushed the wrong button," not because of a hack, but the photo has sparked criticism about the agency's level of security.
On Saturday, people in Hawaii were awakened by a terrifying false alert about an inbound missile. Hawaii's Emergency Management Agency has said a worker clicked the wrong item in a drop-down menu and sent it, and that its system was not hacked.
"It was a mistake made during a standard procedure at the changeover of a shift, and an employee pushed the wrong button," Gov. David Ige said.
But an Associated Press photo from July that recently resurfaced on Twitter has raised questions about the agency's cybersecurity practices.
In it, the agency's operations officer poses in front of a battery of screens. Attached to one is a password written on a Post-it note.
An agency spokesman told Hawaii News Now that the password is authentic, and had been used for an "internal application" that he believed was no longer being used.
While these computers are unrelated to the system that sent the false missile alert, the photo raises questions about the approach to information security at the agency. (On the other screen, another note reminds the user to "SIGN OUT.")
Writing down passwords isn't a strict security no-no. Some experts say that keeping a hard copy of a password in your wallet is defensible — if you can keep the piece of paper secure. But a note on a monitor is not secure, especially if it's for computer systems dedicated to keeping people safe.
The photo has already drawn some ridicule from those in the operational-security industry.
Here's what the system that sent the false alert on Saturday looks like:
This is the screen that set off the ballistic missile alert on Saturday. The operator clicked the PACOM (CDW) State Only link. The drill link is the one that was supposed to be clicked. #Hawaii pic.twitter.com/lDVnqUmyHa
NOW WATCH: The safest way to walk on ice is to impersonate a penguin — here's why
Bitcoin crashes 25% to below $11,000 during 'cryptocurrency bloodbath'
7 sneakers that will never go out of style — and they're all under $100
SEE ALSO: The Hawaii worker who 'pressed the wrong button' has been reassigned