As far as opsec goes, writing down a password on a piece of paper isn’t the worst idea. Provided you can put that piece of paper somewhere — tucked inside a copy of Infinite Jest, beneath the footbed of a pair of particularly rank sneakers — where nobody but you will ever find it. The idea here being it’s a hell of a lot harder, short of somebody finding your hiding place, to hack a piece of paper than it is to hack a password manager, or a Google doc, or any other internet-connected place you might have stored your information. This, of course, all goes out the window if you forget that piece of paper at a public bus stop in Washington, D.C., which is what White House staffer Ryan McAvoy reportedly did earlier this month.
McAvoy wrote down his username and password for encrypted email platform ProtonMail, the Intercept reports. Depending on how secure McAvoy’s account was — like if he uses two-factor authentication — it might not have been possible to log on using the information found at the bus stop. It’s also unclear if this was McAvoy’s personal email or a professional account. Either way, it’s still not a great look for the Trump administration. An administration that historically has been so fond of calling certain other people out for lax email security.
