LAS VEGAS—The same lie is being told over and over again on television, social media and even on stage at the biggest tech conference of the year: John Podesta, the Hillary Clinton campaign chair who had his email account hacked and emails leaked during the 2016 presidential campaign, used the password “password” on his email account.
This isn’t a meaningless white lie. The big question right now is whether Podesta was targeted by a nation-state like Russia or if anyone in the world—even a 14-year-old 400 lb. teenager in New Jersey—could have carried out the hack. If Podesta did use the ultimate in weak passwords, that’s an argument in the public’s eyes that it took little or no technical sophistication to break in. Here’s political pundit Ann Coulter making exactly that argument:
John Podesta's password was "password." So it was either a very sophisticated state-sponsored hack by the Russians OR the morning bagel boy.
— Ann Coulter (@AnnCoulter) January 5, 2017
Julian Assange made the same claim in a Fox News interview this week with Sean Hannity, using the password as proof that “a 14-year-old” could have hacked Podesta’s account. Now it’s a headline on popular pro-Trump websites, thus spreading the lie further.
At CES, the massive annual tech conference in Las Vegas, the cybersecurity stage heard this lie multiple times. In a panel discussion titled “Password Protection, Authentication, and New Exploits,” Tim Bajarin, president of Creative Strategies, Inc., opened his panel with the cautionary tale about Podesta’s password. Everyone laughed at the story.
But that’s just not the case. Some of Podesta’s passwords are on WikiLeaks, including his iCloud password: ‘Runner4567.’ That’s not a great password—Podesta famously loves jogging, and you should not build passwords from easily identifiable hobbies—but it’s nowhere near the same level of incompetence as using the actual word “password” for an email account. More to the point, Google doesn’t even allow “password” to be used as a Gmail password, which makes the entire story impossible. Podesta’s Windows password was “p@ssword” on his Windows 8 machine at one point, but that has nothing to do with how his emails were hacked and leaked, and so is irrelevant to the hacking incident.
Was Podesta's gmail password 'password'? Nope. Google doesn't let you create an account with that password, or change your password to it. pic.twitter.com/vhW8sfEIKW
— Pwn All The Things (@pwnallthethings) January 4, 2017
Podesta wasn’t hacked because he used a bad password. His email was breached because hackers sent him a spear phishing email pretending to be Google and asking for his credentials because, according to the fake email, he had already been hacked. Creating emotional urgency during an attack is a standard tactic, and, ironic as it is, telling the victim they have already been hacked works precisely because it pushes people to click a malicious link quickly, without thinking through or checking what they are doing.
Additionally, phishing remains the most effective and widely used attack vector, especially against high-value targets like Podesta. The same attacker, a group now widely known as Fancy Bear or APT28, had a favorite target: the spokesman for the Prime Minister of Ukraine, whose email was targeted nine times.
The same attacker—the one who could be a “14-year-old” according to Julian Assange and Ann Coulter—that hit Podesta also went after Western military and government targets, NATO, defense companies, journalists, NGOs, political activists and researchers. We doubt that whole group was dumb enough to also use “password” as their password.