The Colorado Secretary of State’s office says a spreadsheet on the department’s website improperly included a tab with partial passwords to certain components of Colorado voting systems, known as BIOS passwords.
“This does not pose an immediate security threat to Colorado’s elections, nor will it impact how ballots are counted,” wrote a spokesman for the office, Jack Todd, in a statement Tuesday.
In the statement, Todd said the sitiuation would not impact how the state’s paper ballots are counted, and listed a number of the safeguards in place that should prevent the partial passwords from being used by unauthorized people to access voting equipment.
“There are two unique passwords for every election equipment component, which are kept in separate places and held by different parties. Passwords can only be used with physical in-person access to a voting system,” he wrote.
Colorado law also requires voting machine equipment to be under 24-7 video surveillance with very limited key card access.
The state did not reveal how it became aware that the passwords had been included on the spreadsheet, but the Colorado Republican Party first made the situation public in an email to its members early Tuesday.
According to a letter from the GOP to Democratic Secretary of State Jena Griswold demanding answers, the information had been online since August, in a hidden tab that was removed from the spreadsheet on Oct, 24.
The accidental posting “demonstrate(s) a major lapse in basic systems security and password management,” wrote Republican state party chair Dave Williams.
Williams, a frequent critic of Griswold, asked her office to provide assurances that the passwords were not currently in use, or if so, have since been changed, and that the office is following other security best practices.
Williams said he’s prepared to encourage county officials to decertify any election machines with passwords that were included in the spreadsheet.
“It’s shocking really. At best, even if the passwords were outdated, it represents significant incompetence and negligence, and it raises huge questions about password management and other basic security protocols at the highest levels within Griswold’s office,” wrote Williams in his email.
The statement from the Secretary of State’s office did not directly address Williams’ questions. Nor did it provide any information about how the passwords ended up online.
“The Department took immediate action as soon as it was aware of this,” said the statement, “and informed the Cybersecurity and Infrastructure Security Agency, which closely monitors and protects the county’s essential security infrastructure. The Department is working to remedy this situation where necessary.”
CISA is a federal agency under the Department of Homeland Security.
The revelation that the state accidentally exposed voting machine passwords comes on the heels of the prosecution of former Mesa County Clerk Tina Peters. Peters’ plan to help an unauthorized person access her voting equipment came to light after photos of the machines’ BIOS passwords appeared online. In response to Peters’ actions, state lawmakers made it a felony to knowingly publish passwords for voting equipment.
