Q1. Were passwords for Colorado’s election systems shared online?
A1. Earlier this year, passwords to voting system components were published in a hidden tab of a document on a subpage of the Department’s website. The Department was notified of the issue on October 24 and subsequently removed the document and notified federal authorities.
Q2. Has this been resolved?
A2. Yes. The passwords have all been changed. This never posed an immediate security threat to Colorado’s elections because of the multiple layers of security that protect voting system equipment. Out of an abundance of caution, our office partnered with the Governor’s Office to update the passwords as quickly as possible and verify all proper settings for the equipment.
Q3. What security measures are in place to ensure that this does not compromise our election? Can these voting systems be accessed remotely?
A3. Colorado elections include many layers of security.
There are two unique passwords for election equipment components, which are kept in separate places and held by different parties. Passwords can only be used with physical in-person access to a voting system machine. Under Colorado law, these machines must be stored in secure rooms that require a secure ID badge to access. That ID badge creates an access log that tracks who enters a secure area and when. The people with those badges must pass criminal background checks before they are allowed to have access.
There is 24/7 video camera recording on all election equipment.
No person may be present in a secure area unless they are authorized to do so or are supervised by an authorized and background-checked employee.
There are also strict chain-of-custody requirements that track when a voting system component has been accessed and by whom.
It is a felony to access voting equipment without authorization.
Most importantly: Every Colorado voter casts their vote on a paper ballot, which cannot be hacked. These paper ballots are audited after the election during the Risk Limiting Audit to ensure that ballots were counted according to voter intent.
Q4. What action has the Department taken?
A4. The Department took immediate action as soon as it became aware of this error, and informed the Cybersecurity and Infrastructure Security Agency, which closely monitors and protects the country’s essential security infrastructure.
On October 31, eight staff from the Department of State and an additional 22 state cybersecurity personnel were dispatched to update these passwords. All staff had appropriate background checks and underwent training prior to beginning work on election systems.
This password disclosure never posed an immediate security threat to Colorado’s elections, nor will it impact how ballots are counted. Changes to passwords were made out of an abundance of caution.
News releases
- November 1 - Governor Polis, Secretary of State Griswold Announce That All Passwords Have Been Updated on Colorado Voting Machines Impacted by Password Disclosure, Security of Voting Machines Has Been Verified
- October 31 - Gov. Polis and Secretary of State Griswold Announce Additional State Resources are Being Deployed to Ensure Election Security
- October 29 - Statement from Colorado Department of State on Systems Passwords