Internet users are questioning the integrity of Colorado’s elections in 2024 because sensitive voting system passwords were mistakenly made available on the Colorado Department of State’s website. It is true that the passwords were accidentally posted, but Colorado officials have stated that the posting could not have feasibly led to a security breach of its election systems. The state agency has nonetheless changed the leaked passwords and verified that the settings to the state’s electronic voting machines were not changed or altered in any way.
On October 29, the Colorado Department of State publicly shared that “partial passwords to certain components” of voting systems were “improperly” included on a spreadsheet posted to its website. The spreadsheet was intended to display only the various voting machine components used in each county. However, under a hidden tab on the spreadsheet, more than 600 passwords for voting machines used in 63 of Colorado’s 64 counties were accessible. Specifically, the passwords were to the voting machine’s basic input/output (BIOS) system, firmware used to run the device’s operating systems.
Nonetheless, state officials stated that Colorado’s election systems remain secure—the mistake would have no effect on voting results. Every Colorado electronic election device is protected with two distinct passwords, stored in “separate places” and held by “different parties,” the department explained. Each pair of passwords is unique to a specific election machine, and access to those machines require operators to input the passwords physically and in person.
Regardless, that did not stop some social media users from claiming that the 2024 Colorado election results can no longer be trusted, implicating Colorado Secretary of State Jena Griswold directly. “Jenna Griswold just broke the 2024 Election in Colorado,” Patrick Byrne, the former CEO of online retailer Overstock and a Donald Trump supporter who spoke at the Stop the Steal rally on January 6, 2021, tweeted on Wednesday. “Results are now 100% non-certifiable and anyone who says differently is lying,” he wrote.
“The Colorado Secretary of State, Jena Griswold ‘Accidentally’ Had Over 600 BIOS Passwords for voting Machines across 63 counties on their Website for MONTHS—If you Knew Where to Look,” one X account with more than 400,000 followers also tweeted. “Let me tell you how shady this is… and how Corrupt Jena Griswold is.”
On October 31, Griswold implemented a temporary rule change that allowed her, or an authorized state employee who has previously passed a background check, to change election machine BIOS passwords. Colorado state law allows the secretary of state to make temporary rule amendments when the state department “finds that immediate adoption of the rule is imperatively necessary” and when strict compliance with the current rules “would be contrary to the public interest.”
Mark Cook, a self-described “election security and cyber-security subject matter expert” who has campaigned against the use of electronic voting machines in the 2024 election, tweeted on Thursday, “Griswold just made an Emergency Rule Change!!!! This is insane! Another cover her a— moment. She just keeps making it worse!” Later that day, Cook tweeted again, saying, “And Griswold makes a SECOND EMERGENCY RULE on the same day!”
However, the rule change Cook included in his second post was adopted on May 9, 2024. Moreover, that rule change had nothing to do with voting machine passwords. Rather, it stipulated that ballot envelopes returned to county clerks cannot be counted if it has “a hole or any other opening of any size” which makes a ballot question visible or exposed.
News of the leaked passwords was first made public on October 29, the day Colorado Republican Party vice chairwoman Hope Scheppelman shared an affidavit claiming that election voting machine passwords were publicly available on an Excel spreadsheet posted to the Colorado Department of State website page on voting systems. While the passwords were removed from the website on October 24—with no public announcement made at the time from Griswold or any other state official—the affidavit claimed that the voting system passwords had been publicly accessible since at least August 8. “While the above does not constitute evidence of a breach by itself,” the Colorado GOP said in a statement, “it does demonstrate a major lapse in basic systems security and password management.”
9News Denver, a Colorado NBC affiliate station, reported last week that although the Colorado Department of State discovered the passwords were publicly available on October 24, the agency did not start the process for changing the leaked passwords until October 29, when the story was first reported.
Colorado Gov. Jared Polis and Griswold on Friday announced in a joint statement they had successfully updated “all passwords” to its voting systems. Polis added that state officials verified that no settings were changed to any Colorado voting system.
Even with knowledge of both passwords for a specific machine, would-be wrongdoers could not hack into the machines unless they gained physical access to the machines. The state agency’s statement also detailed how machines are kept secure. Not only do election workers restrict access to “secure ballot areas”—where all electronic voting devices are required by law to be stored—to select officials who pass background checks, but security cameras monitor the room “24/7,” around the clock, and the facility requires an ID badge to gain entry. Because each official with authorized access to the secure room is given a unique ID badge, an access log keeps track of the identities and times of everyone who enters the restricted area.
Polis and Griswold maintained that the integrity of Colorado’s election results was never put in jeopardy. “This password disclosure never posed an immediate security threat to Colorado’s elections,” they wrote in the statement, “nor will it impact how ballots are counted.”
The Dispatch Fact Check has reached out to the Colorado Department of State for comment.
If you have a claim you would like to see us fact check, please send us an email at factcheck@thedispatch.com. If you would like to suggest a correction to this piece or any other Dispatch article, please email corrections@thedispatch.com.
Please note that we at The Dispatch hold ourselves, our work, and our commenters to a higher standard than other places on the internet. We welcome comments that foster genuine debate or discussion—including comments critical of us or our work—but responses that include ad hominem attacks on fellow Dispatch members or are intended to stoke fear and anger may be moderated.
You are currently using a limited time guest pass and do not have access to commenting. Consider subscribing to join the conversation.
With your membership, you only have the ability to comment on The Morning Dispatch articles. Consider upgrading to join the conversation everywhere.