Voting machine manual tells officials to reuse weak passwords

Sysadmins will tell you that pathetically weak passwords are, in the words of one Redditor, “crazy normal.”

You have no idea how many Excel sheets containing passwords have “Passw0rd1!” peppered in them.

Right. But in this case, we’re not talking about any old vanilla set of users who get it into their heads, in spite of what one presumes/hopes to be organizational policy to the contrary, to cook up weak and/or iterative passwords. Rather, we’re talking about a vendor manual for voting machines that instructs users – and in this case, that means election officials – to use weak, iterative passwords.

On Monday, Motherboard published a report by Kim Zetter about these manuals, which, Zetter says, are used in about 10 states.

The manuals tell customers to use easy-to-guess, easy-to-crack passwords… and, in spite of the legions of security experts who advise against the practice of password reuse, to go right ahead and reuse those passwords when changing login credentials per federally mandated password-change prompts.

Motherboard hasn’t been able to verify what vendor produced the manual, but given that it’s for a Unisyn optical vote-counting machine, and that “unisyn” is one of the passwords suggested in the manual, one imagines it might have some ideas on the matter. However, it hadn’t responded to Zetter’s requests for comment as of Tuesday evening.

Unisyn machines are used in 3,629 precincts in 12 states, plus Puerto Rico.

Simple, shared logins please

Motherboard reports that the manual for the Unisyn voting machine indicates that the login name for the election-management system is the ubiquitous default “administrator,” and the sysadmin password is a simple string of five letters with a number appended to it (e.g. admin1, admin2, admin3). The root password is the company’s name – unisyn – with the same number appended to it.

It continues on in that manner, Zetter writes:

Once logged into the system the credentials needed to access the tabulation monitor or the system for creating reports of ballots and vote tallies are different. The username is again a simple word to log in. The password is the same word with “1” appended to it. Users are told that to change the password when prompted, they should simply change the number sequentially to 2, 3, 4, etc.

The username for logging into the critical tabulator client where votes are tallied and stored is “supervisor.” According to the manual, the password is “election specific” – meaning officials create a different password for the tabulator client for each election. Given how simple other passwords for the system are, it’s not likely this election-specific password is more sophisticated, however.
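A password-change check that would refuse the scheme the manual describes is short to write. The following is an added example, not code from Motherboard, Unisyn or the manual; the function names and the word list (built from the account and vendor names quoted above) are assumptions made for illustration.

```python
import re

# Constructed word list: account names and the vendor name mentioned in the article.
CONTEXT_WORDS = {"administrator", "admin", "supervisor", "root", "unisyn"}

_TRAILING_NUM = re.compile(r"^(.*?)(\d+)$")


def split_counter(password):
    """Split 'admin2' into ('admin', 2); return (password, None) if no trailing digits."""
    m = _TRAILING_NUM.match(password)
    if m:
        return m.group(1), int(m.group(2))
    return password, None


def review_change(username, old_password, new_password, context_words=CONTEXT_WORDS):
    """Return the reasons to reject new_password; an empty list means no finding."""
    reasons = []
    old, new = old_password.lower(), new_password.lower()
    old_base, _ = split_counter(old)
    new_base, _ = split_counter(new)

    if new == old:
        reasons.append("same as previous password")
    elif new_base and new_base == old_base:
        # Covers admin1 -> admin2 as well as admin -> admin1.
        reasons.append("previous password with only the trailing number changed")

    words = {w.lower() for w in context_words} | {username.lower()}
    if new in words or new_base in words:
        reasons.append("built from an account or vendor name")
    return reasons


if __name__ == "__main__":
    # Constructed change requests that mirror the patterns in the manual.
    samples = [
        ("administrator", "admin1", "admin2"),
        ("root", "unisyn1", "unisyn2"),
        ("supervisor", "unisyn1", "correct horse battery staple"),
    ]
    for user, old, new in samples:
        print(user, repr(new), review_change(user, old, new) or "no finding")
```

An empty result only means the new password avoids these particular patterns; it says nothing about how hard the password is to guess otherwise.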

This all came to light when Harri Hursti, founder of Nordic Innovation Labs and a longtime election security expert, found a binder containing loose leaf pages in an election office during a county risk assessment.

At first, Hursti figured the manual might have come from a third-party vendor. But then he came across yet another binder with the same guidelines being used by an election office in a different state – a state where that third-party vendor doesn’t help out with elections. So, Hursti surmised, those manuals must be coming from Unisyn itself.

An employee at the third-party vendor told Motherboard that yes, the passwords used are simple, and they get reused: that way, he and his colleagues don’t have to keep calling the elections office to get a password every time they need to get at the system.

Joseph Lorenzo Hall, chief technologist for the Center for Democracy and Technology, told Motherboard that the practice of password reuse across jurisdictions could lend itself to coordinated attacks, all carried out via physical access:

If those two passwords are commonly alternated in all of the Unisyn systems, that means anyone with this bit of knowledge of the Unisyn system will know how to direct an insider attack in another jurisdiction. We talk a lot about the diversity of our election systems being a strength, but things like this reduce that diversity so you just need a few facts about a system to have all you need to change a system in [multiple jurisdictions].

Motherboard notes that guidelines from the federal Election Assistance Commission (EAC) encourage election officials to change passwords after each election, and to follow these guidelines:

  • Passwords should be at least six characters long, preferably eight.
  • At least one character should be an uppercase letter.
  • At least one character should be a lower case letter.
  • At least one character should be a numeral.
  • At least one character should be a special symbol.

Although this represents a vast improvement over the advice accompanying the Unisyn machine, formulas like this are also problematic. Insisting that passwords follow rules like these reduces the number of possible passwords, and so reduces the amount of guesswork a password cracker has to do.
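To put a number on that reduction, the count of passwords that satisfy "at least one of each class" can be worked out by inclusion-exclusion. This is an added example, not part of the EAC guidelines or the Motherboard report; it assumes the 94 printable ASCII characters other than space and compares against every string of the same length.

```python
from itertools import combinations, product

# Assumption: 94 printable ASCII characters excluding space, split into four classes.
ASCII_CLASSES = {"upper": 26, "lower": 26, "digit": 10, "symbol": 32}


def total_passwords(class_sizes, length):
    """All strings of the given length over the combined alphabet."""
    return sum(class_sizes.values()) ** length


def compliant_passwords(class_sizes, length):
    """Strings with at least one character from every class (inclusion-exclusion)."""
    sizes = list(class_sizes.values())
    alphabet = sum(sizes)
    count = 0
    for k in range(len(sizes) + 1):
        # Subtract/add the strings that avoid each chosen set of k classes entirely.
        for excluded in combinations(sizes, k):
            count += (-1) ** k * (alphabet - sum(excluded)) ** length
    return count


def brute_force_count(classes, length):
    """Enumerate a tiny alphabet to cross-check the formula; classes maps name -> characters."""
    alphabet = "".join(classes.values())
    return sum(
        1
        for chars in product(alphabet, repeat=length)
        if all(any(c in members for c in chars) for members in classes.values())
    )


def fraction_allowed(length):
    """Share of all length-n strings that the composition rules still permit."""
    return compliant_passwords(ASCII_CLASSES, length) / total_passwords(ASCII_CLASSES, length)


if __name__ == "__main__":
    for n in (6, 8):
        print(f"length {n}: {fraction_allowed(n):.1%} of all strings satisfy the rules")
```

The shorter the password, the larger the share of candidates the rules eliminate, which is why the six-character minimum suffers most from this effect.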

The guidelines also suggest that passwords “should be easily remembered (so there will be no need to write them down)” while still “sufficiently vague that they cannot be easily guessed.”

How to pick a proper password

Please do note that “easily remembered” should also be hard to guess: for example, as Paul Ducklin explains in the two-minute video below, you can make up a little saying to help you out that leet-speak-ishly translates into Uc4nM^als2HYO… or you can use a password manager.
