Weak Passwords are Likely the Biggest Threat to Computer Security

 

The Washington Post recently reported that several individuals were arrested for hacking into business phone systems (PBX systems, which are widely used in small and medium-sized businesses) and running up $55 million in phone charges.

What I think is worth noting is that these PBX systems could have had the best security and the latest software patches and they were still just as vulnerable, because of the weak passwords.  

These PBX systems could be hacked because the default passwords were left on the system.  A weak password for a computer system is akin to a medieval castle having 10-foot-thick walls and a wide moat surrounding it, but no one bothers to close the gate when the attackers come.

When I talk with people about network security, the conversation usually centers around having the latest software patches and security updates.  While this is very important (and there is little excuse for not keeping up with this), I think the conversation needs to move more towards creating good passwords.

I know that it is almost impossible to keep all the usernames and passwords for the hundreds of websites and devices we have to log into.  I'll admit that I have Firefox save many of my passwords so I don't have to type them in every time I visit a site, but I don't think this is where the biggest vulnerability lies.

With so many sites and computers accessible via the web, users should take more care to pick stronger passwords.  Passwords that involve a loved one, a hobby or a birthday are always a bad choice because those types of passwords are the ones hackers try first.

Again, the PBX systems were remotely broken into not because users had saved their passwords, but because no one bothered to change the default passwords.

Had the administrators of the PBX system simply chosen a stronger password, they would have been spared hundreds of bogus phone bills.

One technique I like to use is to create a password from a phrase that I will always remember.  

For instance, the quote "To be or not to be" could be made into the password 'Tbontb' or '2bontb'. Each password would be difficult to crack, and yet easy to remember.
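The checks described above (no factory defaults, nothing built from a loved one, hobby or birthday) can be applied when a password is chosen. The following is an added example, not code from the original post; the default-password list, the personal details and all function names are constructed for illustration.

```python
import re
from datetime import date

# Constructed sample of factory-default credentials; a real audit would load
# the vendor's documented defaults for the devices in scope.
DEFAULT_PASSWORDS = {"admin", "password", "1234", "0000", "changeme"}

# Common character substitutions are undone before comparing, so "P@ssw0rd"
# is treated the same as "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def birthday_forms(born: date) -> set[str]:
    """Digit strings people commonly build from a birth date."""
    d, m, y = f"{born.day:02d}", f"{born.month:02d}", str(born.year)
    return {y, m + d, d + m, m + d + y, d + m + y, y + m + d,
            m + d + y[2:], d + m + y[2:]}


def audit_password(password: str, personal_words: list[str], born: date) -> list[str]:
    """Return the reasons a password is a poor choice (empty list: none found)."""
    findings = []
    lowered = password.lower()
    normalised = lowered.translate(LEET)
    if lowered in DEFAULT_PASSWORDS or normalised in DEFAULT_PASSWORDS:
        findings.append("factory default")
    for word in personal_words:
        w = word.lower()
        # Very short words are skipped to avoid matching by coincidence.
        if len(w) >= 3 and (w in lowered or w in normalised):
            findings.append(f"contains personal word '{word}'")
    digits = re.sub(r"\D", "", password)
    if any(form in digits for form in birthday_forms(born)):
        findings.append("contains birthday")
    return findings


def phrase_password(phrase: str) -> str:
    """First letter of each word in a memorable phrase, first one capitalised."""
    initials = "".join(word[0] for word in re.findall(r"[A-Za-z0-9']+", phrase))
    return initials[:1].upper() + initials[1:].lower()
```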

 

Here are some other online resources to help you pick better passwords:

  1. http://www.cs.cmu.edu/~help/security/choosing_passwords.html
  2. http://pharmacy.ucsf.edu/pharmd/students/comp/accounts/choose/
  3. http://www.pctools.com/guides/password/
  4. http://netforbeginners.about.com/od/hacking101/a/password.htm