On June 24, 2014, a former editor of a now-defunct British tabloid newspaper (some will disagree with the use of the prefix "news") was found guilty of phone hacking. Phone hacking is the practice of intercepting and listening to a phone's voicemail messages without the owner's knowledge or permission.
How did this happen? The technique the hackers used was remarkably simple. In the first decade of the millennium, when the offenses took place, carriers shipped remote voicemail access with a default PIN: "0000" or "1234," for example. If a phone's owner never retrieved voicemail from any device other than their own handset, the default was never changed. All the hacker had to do was know the target's mobile number, follow the carrier's procedure for accessing voicemail from another phone, and enter the carrier's default PIN. Vodafone UK, for example, used a default of "3333." It was left to the user of the phone to change it.
Can voicemail hacking still happen? The short answer is "yes," and it is not only a cellphone issue. True, voicemail hacking is harder to pull off now. Carriers allow remote access to voicemail only after the customer has set it up, and at setup the customer is required to choose a new PIN.
However, and this is the crux of the issue, even when a person has set a PIN, it will most likely be easy to guess. Why? Simple: people are lazy. They choose numbers close to them, numbers that are easy to remember: anniversaries, for example, or the birthdates of a spouse or children.
When you consider that the twenty-five most common computer passwords still include such gems as "12345678," "qwerty123," and "password," things do not bode well for voicemail PINs, especially since the average PIN is just four digits. Simple strings like "1234," "2222," and "1379" (the last being the four digits at the corners of a telephone keypad) are still very common and will continue to be.
This post is not about phone hacking per se, but about the weakness of passwords and the ease of guessing them. The moral of the story is to avoid easy-to-guess passwords. Here the Americans steal a march on the Europeans, as American phone numbers are commonly written with the letters printed on the keypad standing in for digits. Thankfully it has become easier to protect oneself, as carriers' PINs now run from four to eight digits, which gives you plenty of words to play with. "Password," for example, spells "72779673" on the keypad, but you could shake it up a bit by substituting the numeral "0" for the "6" (the O). Bear in mind that a dictionary word mapped to keypad digits is still a dictionary word: an attacker who knows the trick can run the same mapping over a wordlist, so the substitution buys some margin but not much. A made-up phrase, or a word with a digit or two of your own thrown in, holds up better.
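As an added example (not code from the original post), here is a small Python script that does the two things discussed above: it spells a word as keypad digits, including the O-to-0 substitution, and it flags a 4-8 digit PIN that matches the patterns the post warns about: carrier defaults and common PINs, a single repeated digit, straight ascending or descending runs, keypad shapes such as the corners (1379) or a straight line of keys, and anything that reads as a date or year. The blocklist is a constructed stand-in containing only the PINs named in the post; a real check would use a much larger list of leaked and common PINs.

```python
"""Weak-PIN checks for voicemail-style numeric PINs, plus keypad word encoding."""
from datetime import date

# ITU E.161 keypad letter groups, the layout printed on most handsets
# (1 and 0 carry no letters).
KEYPAD = {
    "2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
    "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ",
}
LETTER_TO_DIGIT = {ch: d for d, letters in KEYPAD.items() for ch in letters}

# Constructed blocklist: only the defaults and common PINs named in the post.
# A real deployment would use a much larger list of leaked/common PINs.
COMMON_PINS = {"0000", "1234", "3333", "2222", "1379"}


def word_to_pin(word: str, zero_for_o: bool = False) -> str:
    """Map a word to the digits it spells on a phone keypad.

    With zero_for_o=True the letter O becomes 0 instead of 6, the
    substitution suggested in the post to break the plain word-to-digit mapping.
    """
    out = []
    for ch in word.upper():
        if zero_for_o and ch == "O":
            out.append("0")
        elif ch in LETTER_TO_DIGIT:
            out.append(LETTER_TO_DIGIT[ch])
        elif ch.isdigit():
            out.append(ch)
        else:
            raise ValueError(f"no keypad digit for {ch!r}")
    return "".join(out)


def _keypad_pos(digit: str) -> tuple[int, int]:
    """(row, column) of a key on the 3x4 keypad; 0 sits under the 8."""
    n = int(digit)
    return (3, 1) if n == 0 else ((n - 1) // 3, (n - 1) % 3)


def is_repeated(pin: str) -> bool:
    return len(set(pin)) == 1


def is_sequential(pin: str) -> bool:
    """True for a straight ascending or descending run such as 1234 or 8765."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return len(steps) == 1 and steps <= {1, -1}


def is_keypad_pattern(pin: str) -> bool:
    """True when the distinct keys are the four corners (1379) or at least
    three keys lying on one row or one column of the keypad (e.g. 2580)."""
    pos = {_keypad_pos(d) for d in pin}
    if pos == {(0, 0), (0, 2), (2, 0), (2, 2)}:
        return True
    rows = {r for r, _ in pos}
    cols = {c for _, c in pos}
    return len(pos) >= 3 and (len(rows) == 1 or len(cols) == 1)


def _valid_date(y: int, m: int, d: int) -> bool:
    try:
        date(y, m, d)
    except ValueError:
        return False
    return True


def looks_like_date(pin: str) -> bool:
    """Flag MMDD/DDMM or a plausible year (4 digits), YYMMDD/DDMMYY/MMDDYY
    (6 digits), and DDMMYYYY/MMDDYYYY/YYYYMMDD with years 1900..today (8 digits)."""
    this_year = date.today().year
    n = len(pin)
    if n == 4:
        a, b = int(pin[:2]), int(pin[2:])
        # A leap year is used so that 29 February counts as a valid day/month pair.
        return (_valid_date(2000, a, b) or _valid_date(2000, b, a)
                or 1900 <= int(pin) <= this_year)
    if n == 6:
        p = [int(pin[i:i + 2]) for i in (0, 2, 4)]
        return (_valid_date(2000, p[1], p[2])     # YYMMDD
                or _valid_date(2000, p[1], p[0])  # DDMMYY
                or _valid_date(2000, p[0], p[1]))  # MMDDYY
    if n == 8:
        candidates = [
            (int(pin[4:]), int(pin[2:4]), int(pin[:2])),   # DDMMYYYY
            (int(pin[4:]), int(pin[:2]), int(pin[2:4])),   # MMDDYYYY
            (int(pin[:4]), int(pin[4:6]), int(pin[6:])),   # YYYYMMDD
        ]
        return any(1900 <= y <= this_year and _valid_date(y, m, d)
                   for y, m, d in candidates)
    return False


def weak_pin_reasons(pin: str) -> list[str]:
    """Return the reasons a 4-8 digit PIN is weak. An empty list means none of
    these checks fired; it is not a proof that the PIN is strong."""
    if not pin.isdigit() or not 4 <= len(pin) <= 8:
        return ["not a 4-8 digit PIN"]
    reasons = []
    if pin in COMMON_PINS:
        reasons.append("carrier default or common PIN")
    if is_repeated(pin):
        reasons.append("single repeated digit")
    if is_sequential(pin):
        reasons.append("ascending or descending run")
    if is_keypad_pattern(pin):
        reasons.append("keypad corners or a straight line of keys")
    if looks_like_date(pin):
        reasons.append("looks like a date or year")
    return reasons


if __name__ == "__main__":
    samples = ["1234", "0000", "1379", "2580", "0703",
               word_to_pin("Password"), word_to_pin("Password", zero_for_o=True)]
    for candidate in samples:
        print(candidate, weak_pin_reasons(candidate) or "no obvious pattern")
```

The date check deliberately accepts any day/month pair rather than only the user's own birthday, because the attacker does not need to know which date was used: a four-digit PIN space has 10,000 values and the date-shaped subset is a few hundred of them, so an attacker who tries the date-like PINs first has already cut the search down sharply. Running `word_to_pin("Password")` shows the post's "72779673", and the O-to-0 variant gives "72779073"; neither trips the pattern checks, which is exactly why the wordlist caveat above still matters.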
This is not just an issue with cell phones. Other devices are password-protected too: your PC, for example, hopefully. I am teaching grandmother to suck eggs here, but "password" as a password is easy to guess; "P@55w0rD" is a good deal harder, though bear in mind that letter-for-symbol substitutions on a dictionary word are among the first rules a password cracker applies, so the gain is smaller than it looks. That said, do not force your users down the path of complex-password policies. A policy like "a password must be more than seven characters and include upper- and lower-case letters, numerals, and three non-standard characters" will just lead to passwords being stuck on the underside of the keyboard or on the monitor.
However, with a little thought, even that is doable. Consider "#P@55w0rd!": ten characters, mixed case, numerals, and three non-standard characters, and still something a person can remember.