By James Hanback
Turns out, the Montana station had never changed the default password on its EAS system. Therefore, the prankster was able to simply guess the correct password to gain entry to the system and broadcast the zombie attack alert. Although in this case no harm appears to have been done, fictional emergency alerts have caused panic among the population in the past. The Halloween 1938 Orson Welles radio broadcast of H. G. Wells' The War of the Worlds is perhaps the most famous example of panic caused by a fictional emergency. Moreover, Mashable.com reported that the Montana station's manager is concerned that similar attacks on an EAS system could result in widespread panic over reports of more realistic sounding threats, such as a terrorist attack.
Passwords and personal identification numbers (PINs) are used everywhere for access to just about everything these days. So prevalent have concerns about password security become that both CompTIA and Cisco devote entire domains of otherwise non-security-related certification exams to the subject of security. Even so, outside of IT circles there seems to be a general disinterest in creating strong passwords because they can be both difficult to remember and inconvenient to the user. Therefore, it is typically up to IT professionals to educate and, if necessary, enforce the use of strong passwords.
Changing a default password is always a good first step in securing any device that you intend to connect to a network because default passwords are both easily guessed and easily obtainable from lists published on the Internet. However, it is of equal importance to ensure that the new password is a strong password, which is to say that it is not easily guessed and is as resistant as it can be to brute-force cracking and other methods used by password cracking tools.
So what constitutes a strong password?
Alas, expert opinions vary. However, there are some general rules that seem to have become common advice. For example, the online documentation for some Cisco products defines a strong password as having all of the following characteristics:
Microsoft recommends similar characteristics but adds that you should include punctuation and symbols along with letters and numbers.
The relative strength of a password can also depend on what the particular device, system, or account you are securing accepts as input for the password field. For example, you won't be able to create a strong password that contains the dollar sign ($) or at (@) symbols if the password input field accepts only letters and numbers. Similarly, if the password field limits you to seven or fewer characters, you won't be able to create a password of eight characters or more.
Further ensuring that you'll want to tear out your hair is the sheer volume of online accounts, device accounts, and corporate network accounts that the average user maintains these days. No matter how strong your password is, you potentially weaken it every time you use it to secure more than one of your many, many accounts. For example, if you have one password that you use for both an online banking account and an online marketplace or social networking account, an attacker who compromises the passwords that are stored at the online marketplace or social network might then be able to also gain access to your online banking account. Now you not only need a strong password. You need multiple strong passwords.
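The checks described above (default passwords, the limits a password field imposes, and reuse across accounts) can be run over an account inventory. The following Python sketch is an added example, not code from the article or any vendor; the default-password set, the eight-character threshold, and the sample accounts are constructed assumptions.

```python
import math
import string
from collections import defaultdict

# Constructed stand-in for a published default-password list (assumption).
KNOWN_DEFAULTS = {"admin", "password", "changeme", "1234"}
MIN_LENGTH = 8  # assumed threshold, taken from the eight-character example

ALNUM = string.ascii_letters + string.digits   # field that accepts letters and numbers only
FULL = ALNUM + string.punctuation              # field that also accepts symbols
SYMBOLS = set(string.punctuation)


def field_ceiling_bits(alphabet, max_len):
    """Bits of brute-force search space for a random password filling the field."""
    return max_len * math.log2(len(set(alphabet)))


def audit(accounts):
    """Return {account name: [findings]} for default, weak, and reused passwords."""
    findings = defaultdict(list)
    seen = defaultdict(list)  # password -> names of accounts that use it
    for acct in accounts:
        name, pw = acct["name"], acct["password"]
        seen[pw].append(name)
        if pw.lower() in KNOWN_DEFAULTS:
            findings[name].append("default password")
        if acct["max_len"] < MIN_LENGTH:
            findings[name].append(f"field cannot hold {MIN_LENGTH} characters")
        elif len(pw) < MIN_LENGTH:
            findings[name].append(f"shorter than {MIN_LENGTH} characters")
        if SYMBOLS & set(acct["alphabet"]) and not SYMBOLS & set(pw):
            findings[name].append("field accepts symbols but password uses none")
    for names in seen.values():
        if len(names) > 1:
            for name in names:
                others = ", ".join(n for n in names if n != name)
                findings[name].append("reused on: " + others)
    return dict(findings)


# Constructed sample inventory (not real credentials or real device names).
SAMPLE = [
    {"name": "eas-encoder", "password": "admin", "alphabet": ALNUM, "max_len": 7},
    {"name": "bank", "password": "Tr4il-mix!Owl", "alphabet": FULL, "max_len": 64},
    {"name": "social", "password": "Tr4il-mix!Owl", "alphabet": FULL, "max_len": 64},
]

if __name__ == "__main__":
    for name, items in audit(SAMPLE).items():
        print(name, items)
    print(round(field_ceiling_bits(ALNUM, 7), 1), round(field_ceiling_bits(FULL, 12), 1))
```

The ceiling figure shows why the field itself matters: seven alphanumeric characters cap out at roughly 42 bits no matter what the user chooses, while twelve characters drawn from letters, numbers, and symbols allow roughly 79.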
Oh, and then there's that old chestnut about not writing down your passwords (especially if your habit is to memorize your life details by creating Post-It notes that you end up sticking to your monitor). Not documenting your passwords is still good advice if you can manage to remember all those strings of nonsensical characters and to which account they belong. If you must write down your passwords, it is of utmost importance that you keep them in a safe place that is not publicly viewable and, preferably, not publicly accessible.
So, now that you finally have a series of strong passwords that you can remember, what must you do next? At the risk of injuring your forehead as the palm of your hand flies upward to smack it, I'll tell you. Change them. Change them regularly. Even the strongest passwords can be compromised, by attack or by accident. A strong password that is regularly replaced by a different strong password diminishes the risk of compromise by essentially creating a moving target. The more often you change your password, the less likely it is that a previously compromised password will allow an unauthorized individual to access your devices, systems, or accounts.
Now that we've established enough anxiety to keep you awake nights for years to come, let me point out one other issue you should think about when creating strong passwords. Strong passwords alone will not keep your devices or accounts safe from compromise. In fact, Mashable.com reported in that same story about the compromised EAS system that the particular system used by the Montana television station has other vulnerabilities that could have been exploited to gain access, even if the station had changed the default password.
In the end, strong passwords do offer a good first line of defense against password guessing and brute-force attacks. They're sort of like all that furniture and those two-by-fours that Ben and company nailed across the doors and windows of the little farmhouse in Night of the Living Dead. They keep the zombies out for a while, but they will never entirely stop the forward momentum of the undead being driven by their cravings for the meaty flesh of your brain.
And they won't hold up forever.
War of the Worlds Photo: Marcin Wichary
Zombie Photo: Eric Ingrum