A Timely Reminder: Passwords and PIN Codes Are Important

On June 24, 2014, a former editor of a now-defunct British tabloid newspaper (some will disagree with the use of the prefix “news”) was found guilty of phone hacking. Phone hacking is the practice of intercepting and listening to a phone’s voicemail messages without the owner’s knowledge or permission.

How did this happen? The technique used by the hackers was remarkably simple. In the first decade of the millennium, the time of the offenses, carriers had a default PIN code for remote voicemail access: “0000” or “1234,” for example. If a phone’s owner never retrieved voicemail from any device other than the owner’s personal cellphone, the default code would never be changed. All the hacker would have to do was know the mobile phone number of the target, follow the carrier’s technique for accessing voicemails from a different device, and then enter the carrier’s default number. Vodafone UK, for example, had a default of “3333.” It was incumbent upon the user of the phone to change this PIN.

Can voicemail hacking still happen? The long and short of it is “yes,” and this is not just a cellphone issue. True, voicemail hacking is now harder to accomplish. Carriers allow remote access to voicemail only after it has been set up by the customer, who, at the time of setup, is required to choose a new PIN code.

However—and this is the crux of the issue—even when a person has set up a PIN code, it will most likely be easy to guess. Why? Simple: people are lazy. They choose numbers close to them, numbers that are easily remembered: anniversary dates, for example, or the birthdates of a spouse or children.

When you consider that the top twenty-five most common computer passwords still include such gems as “12345678,” “qwerty123,” and “password,” things do not bode well for secure voicemail PINs, especially since the average PIN is just four digits. Simple strings like “1234,” “2222,” and “1379” (the last being the four corner keys of a telephone keypad) are still very common and will continue to be so.

This post is not about phone hacking per se, but rather about the vulnerability of passwords and the ease of guessing them. The moral of the story is to avoid easy-to-guess passwords. Here the Americans steal a march on the Europeans, as Americans commonly substitute letters for numerals in phone numbers. Thankfully, it has become easier to protect oneself, as carriers’ PINs are now between four and eight digits in length; that gives you a lot of words to play with. “Password,” for example, is “72779673” on a telephone keypad, but you could shake it up a bit and substitute the numeral “0” for the “6.”
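To make the last two paragraphs concrete, here is a small Python script that does two things: it encodes a memorable word as keypad digits (with the optional digit swap described above), and it runs the kind of weak-PIN checks a carrier or help desk could apply at setup time, refusing defaults, repeated digits, straight sequences, date-like values and the plain keypad encoding of common words. This is an added example written for this post, not code from any carrier; the keypad layout is the standard one, but the blocklist of PINs, the word list and the date heuristics are constructed here purely for illustration and would need to be much larger in practice.

```python
"""Added example (not the post's own code): keypad encoding and weak-PIN checks.

The blocklist, word list and date heuristics below are constructed for
illustration; a real deployment would use the carrier's policy and larger lists.
"""
from datetime import date

# Letter-to-digit layout of a standard telephone keypad.
KEYPAD = {}
for _digit, _letters in (("2", "abc"), ("3", "def"), ("4", "ghi"), ("5", "jkl"),
                         ("6", "mno"), ("7", "pqrs"), ("8", "tuv"), ("9", "wxyz")):
    for _c in _letters:
        KEYPAD[_c] = _digit

# Constructed blocklist: the carrier defaults and keypad patterns named in the post.
COMMON_PINS = {"0000", "1234", "3333", "2222", "1379"}
# Constructed word list: words whose keypad encoding should be refused as a PIN.
COMMON_WORDS = ("password", "qwerty")


def word_to_pin(word, substitutions=None):
    """Encode a word as keypad digits, optionally swapping digits afterwards.

    Non-letters are dropped. substitutions maps old digit -> new digit,
    e.g. {"6": "0"} turns "password" (72779673) into 72779073.
    """
    digits = "".join(KEYPAD[c] for c in word.lower() if c in KEYPAD)
    for old, new in (substitutions or {}).items():
        digits = digits.replace(old, new)
    return digits


def is_sequence(pin):
    """True for straight runs such as 1234 or 9876 (every step is +1 or -1)."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def looks_like_date(pin):
    """Flag MMDD/DDMM for 4 digits and YYYYMMDD/DDMMYYYY for 8 digits."""
    if len(pin) == 4:
        a, b = int(pin[:2]), int(pin[2:])
        return (1 <= a <= 12 and 1 <= b <= 31) or (1 <= a <= 31 and 1 <= b <= 12)
    if len(pin) == 8:
        candidates = ((pin[:4], pin[4:6], pin[6:]),   # YYYYMMDD
                      (pin[4:], pin[2:4], pin[:2]))   # DDMMYYYY
        for year, month, day in candidates:
            try:
                date(int(year), int(month), int(day))
            except ValueError:
                continue
            if 1900 <= int(year) <= 2099:
                return True
    return False


def pin_weaknesses(pin):
    """Return the reasons a PIN is weak; an empty list means no check fired."""
    if not pin.isdigit() or not 4 <= len(pin) <= 8:
        return ["not 4-8 digits"]
    reasons = []
    if pin in COMMON_PINS:
        reasons.append("common/default PIN")
    if len(set(pin)) == 1:
        reasons.append("single repeated digit")
    if is_sequence(pin):
        reasons.append("ascending/descending sequence")
    if looks_like_date(pin):
        reasons.append("looks like a date")
    for word in COMMON_WORDS:
        if word_to_pin(word) == pin:
            reasons.append("keypad encoding of '%s'" % word)
    return reasons


if __name__ == "__main__":
    for candidate in ("1234", "1379", "0314", word_to_pin("password"),
                      word_to_pin("password", {"6": "0"})):
        print(candidate, pin_weaknesses(candidate) or "no check fired")
```

Run as a script, it shows “1234,” “1379” and the date-shaped “0314” being refused, the plain encoding of “password” being caught by the word check, and the shaken-up “72779073” passing every check, which is exactly the point of the 0-for-6 substitution.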

This is not just an issue with cell phones. Other devices are password-protected too: your PC, for example, hopefully. I am teaching grandmother to suck eggs here, but “password” as a password is easy to guess; “P@55w0rD” is a lot harder. That said, do not force your users down the policy path of overly complex passwords. A policy like “a password must be more than seven characters and include upper- and lower-case letters, numerals, and three non-standard characters” will just lead to the password being stuck on the underside of the keyboard or on the monitor.

However, with a little thought, even that is doable. Consider “#P@55w0rd!”
