Naked Security

Hawaii Gov. couldn’t flag false missile alert on Twitter – didn’t know password

Two words, governor: password manager.

You’ve probably read about the ins and outs of that 38-minute lag between Hawaii’s false ballistic missile alert and Hawaii’s Emergency Management Agency’s (HI-EMA’s) “false alarm!” correction, right?
You may remember how HI-EMA said there wasn’t a system in place to correct the initial error, and how it had to “double back and work with the Federal Emergency Management Agency (FEMA) [to create the false alarm alert], and that’s what took time.” (Which, by the way, FEMA subsequently said was incorrect: states are authorized to cancel or retract warning messages on their own.)
Well, here’s a brand-new raison d’être for the infamous 38 minutes, and it comes fresh from Hawaii Gov. David Ige. Namely, even though the governor knew it was a false alarm within two minutes of it being sent, he couldn’t update the public via Twitter because he didn’t know what his password was.
According to the Honolulu Star-Advertiser, Ige was asked about that delay on Monday as he met with reporters after his State of the State address.
Well, see, here’s the thing, Ige said: he didn’t actually know how to log on to Twitter:

I was in the process of making calls to the leadership team both in Hawaii Emergency Management as well as others.
I have to confess that I don’t know my Twitter account log-ons and the passwords, so certainly that’s one of the changes that I’ve made. I’ve been putting that on my phone so that we can access the social media directly.

Yes, you definitely do want to access the social media directly when you’re in a position such as governor. Or, well, at least, somebody in the office should really know how to get into the account.

As the newspaper notes, a lot of politicians – and celebrities, for that matter – have staff who handle all that for their bosses by posting or tweeting on their behalf. Unfortunately, that often means that there are a lot of people sharing login credentials for very tempting accounts that hijackers love to target. A few years ago, Twitter came up with a tool, TweetDeck Teams, to enable teams to delegate different access levels to teammates for as long as they need it. Then, when they don’t, zip! You can take it away.
So, Governor Ige, if we can be so bold as to offer a bit of advice, that’s one tool you might want to consider, in conjunction with sharing access to your account with your staffers so as to avoid another situation like that 38 minutes.
The tool also makes it possible for anyone sharing an account to use Twitter’s two-factor authentication, or what it calls “login verification”.
That will send a one-time login code to a user’s phone that they need to enter in addition to a username and password. It’s another layer of protection against would-be account hijackers, since they’d need not only your login credentials but also your phone to take over your feed.
When it comes to getting your Twitter password safely into your phone for easy access, password managers can come in handy. If you don’t already have one on your phone, you might want to take a look at our guide to getting started with LastPass, KeePass or with Smart Lock and iCloud Keychain.
Just please, promise that nobody in your office is going to jot down your Twitter login credentials on a sticky note. That one hasn’t worked out well for HI-EMA in the past!


Talking about password managers – I am an advocate all the way and regularly preach about the benefits of use to my organisation. The other day I got a new reason from one naysayer, which seems to be adopted by all the decision makers, who have given themselves a great big pat on the back for taking this stance. The reason is: why would we put all our passwords behind one master password? You say that passwords are the key to the kingdom, then the master password would be the proverbial key to the keys, so not likely. I give up!!!


WHY would you have your system depend on Twitter for something like that??????


I wondered that. I think that conditioning people to accept tweets about something as serious as a missile alert rather undermines the original (if flawed) system. You can change the protocol (and they did) for the official alerts to make them more trustworthy. But that’s much harder in a fluid medium like Twitter…


I’ve been putting that on my phone so that we can access the social media directly.
Let’s hope that he has secured his phone!

