On January 13th, 2018—at 8:07 am—an emergency alert was issued in Hawaii. The message, in its entirety: "BALLISTIC MISSILE THREAT INBOUND TO HAWAII. SEEK IMMEDIATE SHELTER. THIS IS NOT A DRILL."
Although this message—which showed up on smart phones across the state—was, indeed, not a drill...it also was not a real threat. There was no missile hurtling through the atmosphere towards Hawaii. It turns out someone had simply clicked the wrong option from a very poorly designed user interface and sent out a fake (but very real-looking) emergency alert.
This is officially known as a "whoopsie daisy".
As the story spread around the globe, obviously all the news reports were going to need a picture to run along with it. As luck would have it, the Associated Press had published a picture taken inside the Hawaii Emergency Management Agency—showing computer workstations where they watch for such possible threats. This picture was spread far and wide.
On that picture, people noticed something. Something amusing. Something, for many of us, relatable.
On one of the monitors was a sticky note. With the password written on it.
(There were actually two sticky notes on the monitors in the picture. The second sticky note contained the message "SIGN OUT". Because, you know, security is important.)
While the accidental, non-real emergency alert was not caused by any sort of security breach (sticky-note-based or otherwise), this picture served as a great reminder to the entire world that we probably shouldn't write down our passwords on sticky notes. Not even a government agency tasked with Emergency Management is immune to this sort of weak security.
It reminds me of a scene from the Mel Brooks' film Spaceballs. In the film, an advanced security barrier had been constructed around a planet. The dastardly space-villains forced the king of the planet to give up the code that would open that barrier. That code? 12345. Upon learning of the code, one of the characters was shocked. "Remind me to change the code on my luggage."
Any of this sound familiar? Perhaps it's time to get rid of the sticky notes—and the passwords that are no more complex than "password123"—and get yourself a good password manager.
In this issue, Shawn Powers provides a good "Password Manager Roundup", laying out the pros and cons of various options.
Then, while you're in a security frame of mind, familiarize yourself with a good set of guidelines (based on the Linux Foundation's Security Checklist) for how to keep your system secure with Mike McCallister's "Everyday Security Tips".
Following these suggestions will make you far more secure than that Emergency Agency in Hawaii or that planet in Spaceballs, but what if you want to take things a step further? What if you want to dive into the world of encryption and hardware security keys?