A false alert warning of an inbound missile was broadcast in Hawaii on Saturday.

Since then, people have discovered that a photo taken in Hawaii's Emergency Management Agency for a news article in July includes a sticky note with a password.

Hawaii says the alert was sent was because "an employee pushed the wrong button," not because of a hack, but the photo has sparked criticism about the agency's level of security.



On Saturday, people in Hawaii were awakened by a terrifying false alert about an inbound missile. Hawaii's Emergency Management Agency has said a worker clicked the wrong item in a drop-down menu and sent it, and that its system was not hacked.

"It was a mistake made during a standard procedure at the changeover of a shift, and an employee pushed the wrong button," Gov. David Ige said.

But an Associated Press photo from July that recently resurfaced on Twitter has raised questions about the agency's cybersecurity practices.

In it, the agency's operations officer poses in front of a battery of screens. Attached to one is a password written on a Post-it note.

Jeffrey Wong, the Hawaii Emergency Management Agency's operations officer, shows computer screens monitoring hazards at the agency's headquarters in Honolulu on July 21. AP

Computer, enhance:

An agency spokesman told Hawaii News Now that the password is authentic, and had been used for an "internal application" that he believed was no longer being used.

While these computers are unrelated to the system that sent the false missile alert, the photo raises questions about the approach to information security at the agency. (On the other screen, another note reminds the user to "SIGN OUT.")

Writing down passwords isn't a strict security no-no. Some experts say that keeping a hard copy of a password in your wallet is defensible — if you can keep the piece of paper secure. But a note on a monitor is not secure, especially if it's for computer systems dedicated to keeping people safe.

The photo has already drawn some ridicule from those in the operational-security industry.

Here's what the system that sent the false alert on Saturday looks like:

—Honolulu Civil Beat (@CivilBeat) January 16, 2018