Skip to Content

Cybersecurity & Standards

Election Cybersecurity 101 Field Guide – Passwords

CDT’s Election Cybersecurity 101 Field Guides are a series of short, simple, usable guides intended to help election administrators and staff better understand key concepts in cybersecurity.

The Problem with Passwords

  • Passwords can be both easy and frustrating. They’re widespread, so most users understand how to use them. But making them strong enough to be protective can also make them difficult to remember. To prove a user is authorized to access an account or device, they type in a series of characters – like using a key to open a locked door. Characters can be letters (abc), numbers (123), and special characters (@#$). The idea is to use a password that is difficult to guess. Weak passwords are short or not very creative, such as “1234” or “password”. Strong passwords are longer and contain a mixture of characters and case, such as “ZX2Jh7nx39” or “?#KJ*M]TmQ\U”.
  • Storing passwords in a spreadsheet called “Important” on your computer is the digital equivalent of a sticky note on your monitor. It can be much easier to use a digital password manager – an application or service on a computer or mobile device that can create, store, and manage passwords for a single user or group of users. This means you only ever have to remember one strong password: the master password, which opens your password manager and unlocks access to all other passwords [like keeping your keys in a locked safe with a master key].

Why Password Hygiene is Important

Memorizing a strong password for hundreds of accounts can be difficult, if not impossible. And a strong password is only the beginning. Reusing the same password for multiple accounts is risky because when just one of those accounts is compromised, any other account sharing the same password can also be compromised. To prevent this, every user should have a unique strong password for each account or device. Research shows that 38% of passwords are reused across multiple websites. Once breached, these user names, passwords, or personal details can then be resold or even posted online in publicly for anyone to view. Similarly, computers are becoming faster at guessing passwords using brute force (trying every character incrementally) or dictionary (trying common words from a dictionary) attacks. Skilled criminals are getting better at stealing passwords using social engineering or phishing emails. This requires we pick stronger passwords, and guard them more carefully.

For other field guides, more resources, and info on what CDT is doing to help election officials, check out our Election Security campaign.