Why Blank Passwords Became a Military Risk
Blank or unchanged passwords turned ordinary exposed computers into entry points for a UFO-motivated intruder.
Introduction
One of the most striking lessons from the Gary McKinnon case was not the sophistication of the intrusion but the simplicity of the access path. McKinnon, who said he was searching military and NASA systems for evidence related to UFOs and advanced technology, repeatedly described finding computers that were protected by weak, default, or even blank passwords. According to his public accounts, he used automated scanning methods to identify machines where administrator credentials had not been properly secured, turning routine configuration failures into gateways into sensitive networks. [The Guardian, Schneier on Security]
Within the broader story of military network security weaknesses exposed by UFO-motivated hacking, blank passwords represent a particularly important failure mechanism. They demonstrate how an organisation can invest heavily in hardware, software, and perimeter defences while remaining vulnerable because basic access controls are not consistently enforced. The case became a cautionary example of how ordinary administrative lapses can create risks far greater than the technical complexity of the attack itself. [Cybereason]
How Weak Credentials Opened the First Doors
The popular image of a military hacker often involves advanced exploits, secret vulnerabilities, or highly specialised technical knowledge. The McKinnon case challenged that assumption. Multiple accounts of the incident describe an attacker taking advantage of systems that lacked adequate password protection rather than defeating sophisticated security technologies. McKinnon himself stated in interviews that he searched for machines with blank administrator passwords, while later commentary from security researchers and journalists noted that default or unchanged passwords were among the weaknesses he encountered. [Schneier on Security, The Guardian]
This distinction matters because a blank password is not a software flaw in the conventional sense. The operating system may function exactly as designed. The vulnerability arises because an account that should require authentication effectively does not. In practical terms, a computer connected to a larger military network can become an entry point if administrators leave credentials unchanged after installation or fail to disable insecure default settings. [The Guardian]
The ease of access was repeatedly emphasised in retrospective examinations of the case. A Cybereason analysis described McKinnon’s activities as relying largely on publicly available tools and on systems lacking adequate password and firewall protections, arguing that the ease of entry was itself a significant part of the story. [Cybereason]
Why Basic Password Policy Failed at Scale
The most serious implication was not that one computer had a weak password. Large organisations, especially military organisations, operate thousands of systems administered by different teams, contractors, and local support staff. A password policy is only effective if it is consistently implemented and continuously verified.
The McKinnon case suggested a gap between policy and reality. Security procedures may have required strong passwords, but the existence of accessible systems with default or blank credentials indicated that enforcement was incomplete. As McKinnon told journalists years later, some of the “biggest loopholes” arose from users failing to change default passwords. [The Guardian]
Several factors make this type of failure particularly dangerous at scale:
- Administrative convenience: Temporary accounts and test systems may be left with default credentials to simplify maintenance.
- Distributed responsibility: Different units may assume that another team is responsible for enforcing password standards.
- Legacy systems: Older computers often remain connected long after deployment and may not receive consistent security reviews.
- Trust assumptions: Internal systems are sometimes treated as inherently safer than internet-facing services, reducing scrutiny of authentication controls.
When these factors combine, a single weakly protected machine can become a bridge into a much larger environment. The security problem is therefore organisational as much as technical. A military network can possess advanced defensive capabilities while still being undermined by routine credential management failures. [Cybereason]
Why Blank Passwords Were a Military Risk Rather Than a Mere IT Mistake
In an ordinary business environment, a blank password might expose local files or internal communications. In a military environment, the consequences can be broader because systems often connect to administrative, logistical, engineering, or operational networks.
The risk is not limited to what an intruder sees on the first compromised machine. Once authenticated access is obtained, the attacker may gain visibility into network structure, user accounts, shared resources, and trust relationships. Journalistic accounts of the McKinnon affair described him moving from less protected systems towards more sensitive environments by exploiting the trust granted to already authenticated users. [The Guardian]
This illustrates a fundamental security principle: authentication is often the first and most important security boundary. If that boundary can be bypassed with a blank password, other protections may never have an opportunity to operate.
The case also highlighted a strategic concern. A curiosity-driven intruder looking for UFO information discovered weaknesses that a hostile intelligence service could potentially have exploited for espionage or disruption. The same credential failure that enabled one unauthorised visitor could have enabled many others with different motives. [Department of Justice]
What the Case Teaches About Verifying Access Controls
Perhaps the most enduring lesson is that security controls cannot merely exist on paper. They must be tested against actual conditions.
Blank passwords are among the easiest weaknesses to detect through auditing. Organisations can identify them through automated scans, account reviews, configuration management systems, and regular compliance checks. The fact that systems described in the McKinnon case reportedly remained accessible suggests that verification processes were either absent, inconsistent, or ineffective. [The Guardian]
The broader lesson extends beyond passwords themselves. Security programmes often fail when organisations assume controls are functioning without independently confirming that they are. Effective access-control verification requires:
- Regular auditing of privileged accounts.
- Removal of default credentials before deployment.
- Automated detection of weak or blank passwords.
- Continuous monitoring rather than one-time compliance checks.
- Independent validation that policy requirements match operational reality.
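An added example (not part of the original article, and not tied to any tool from the case) of the automated detection listed above, generalised to a directory account export: it flags enabled accounts that are permitted a blank password, never had one set, or still carry their provisioning-time password, and ranks privileged accounts first. The CSV layout, account names and the one-hour and 30-day thresholds are assumptions of this example; the `userAccountControl` flag values are the documented Active Directory ones.

```python
import csv
import io
from datetime import datetime, timedelta

# userAccountControl bit flags (documented Active Directory values).
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020  # the account is exempt from needing a password

# Constructed sample export; the column layout is an assumption of this example.
SAMPLE_EXPORT = """sAMAccountName,userAccountControl,adminCount,whenCreated,passwordLastSet
lab-admin,544,1,2024-01-10T09:00:00,2024-01-10T09:00:05
svc-backup,544,0,2023-06-01T12:00:00,
build-admin,512,1,2022-03-15T08:30:00,2022-03-15T08:30:02
old-test,546,0,2021-02-02T10:00:00,
jsmith,512,0,2023-01-05T09:00:00,2025-02-20T14:10:00
"""

def audit_accounts(export_text, as_of, grace=timedelta(days=30)):
    """Return (severity, account, reasons) tuples, most severe first."""
    rank = {"critical": 0, "high": 1, "medium": 2}
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        uac = int(row["userAccountControl"])
        if uac & ACCOUNTDISABLE:
            continue  # disabled accounts cannot be used to log on
        privileged = row["adminCount"] == "1"
        blank_allowed = bool(uac & PASSWD_NOTREQD)
        created = datetime.fromisoformat(row["whenCreated"])
        reasons = []
        if blank_allowed:
            reasons.append("blank password permitted (PASSWD_NOTREQD)")
        if not row["passwordLastSet"]:
            reasons.append("password never set")
        elif (datetime.fromisoformat(row["passwordLastSet"]) - created < timedelta(hours=1)
              and as_of - created > grace):
            reasons.append("password unchanged since provisioning")  # heuristic
        if not reasons:
            continue
        if blank_allowed:
            severity = "critical" if privileged else "high"
        else:
            severity = "high" if privileged else "medium"
        findings.append((severity, row["sAMAccountName"], reasons))
    return sorted(findings, key=lambda f: (rank[f[0]], f[1]))

if __name__ == "__main__":
    for severity, name, reasons in audit_accounts(SAMPLE_EXPORT, datetime(2025, 3, 1)):
        print(f"{severity:8} {name:12} {'; '.join(reasons)}")
```

`PASSWD_NOTREQD` shows that a blank password is allowed, not that one is set, so each finding is a prompt to reset the credential and clear the flag. Running the audit on a schedule and comparing results over time is what turns it from a one-time compliance check into continuous monitoring.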
Modern military and government cybersecurity programmes place far greater emphasis on these practices than was common in the early 2000s. Yet the underlying principle remains unchanged: the strength of a security system is often determined not by its most advanced technologies but by whether basic controls are consistently enforced. The McKinnon case became memorable precisely because it demonstrated how a seemingly mundane issue—blank passwords—could contribute to one of the most widely discussed military intrusion cases of its era. [Cybereason, The Guardian]
Further Reading
Books and field guides related to Why Blank Passwords Became a Military Risk. Use these as the next step if you want deeper reading beyond the article.
The Cuckoo's Egg
Focuses on access control failures and intrusion detection.
Cybersecurity and Cyberwar
Explains password policy, network security and risk management.
This Is How They Tell Me the World Ends
Shows how basic weaknesses can scale into serious threats.
Endnotes
- Schneier on Security, "Gary McKinnon", 4 Aug 2008. https://www.schneier.com/blog/archives/2008/08/garuy_mckinnon.html
- Cybereason, "Malicious Life Podcast: The U.S. vs. Gary McKinnon". https://www.cybereason.com/blog/malicious-life-podcast-the-u.s-vs.-gary-mckinnon
- Department of Justice, "London, England Hacker Indicted Under Computer Fraud...". https://www.justice.gov/archive/criminal/cybercrime/press-releases/2002/mckinnonIndict.htm
- The Guardian, "Hacker's progress: how McKinnon pierced Pentagon security", 3 Apr 2007. https://www.theguardian.com/uk/2007/apr/03/politics.usa
- Wikipedia, "Gary McKinnon". https://it.wikipedia.org/wiki/Gary_McKinnon
- Wikipedia, "Gary McKinnon". https://en.wikipedia.org/wiki/Gary_McKinnon
- The Guardian, "Game over | Gary McKinnon", 9 Jul 2005. https://www.theguardian.com/theguardian/2005/jul/09/weekend7.weekend2
Additional References
- linkedin.com, Armour Cybersecurity's Post. https://www.linkedin.com/posts/armourcyber_the-password-was-never-a-security-problem-activity-7458901102948683776-blwD
- cybersecurityventures.com, "CYBERCRIME WIRE: Latest Security And Privacy News". https://cybersecurityventures.com/today/
- reddit.com. https://www.reddit.com/r/hacking/comments/1etqs6b/how_gary_mckinnon_did_what_he_did/
- ccdcoe.org, "Strategic Cyber Security". https://ccdcoe.org/uploads/2018/10/2011_Proceedings_0-1.pdf
- facebook.com. https://www.facebook.com/groups/617328327480084/posts/793396476539934/
- tesserent.com, "Australians Warned to Strengthen Passwords". https://tesserent.com/insights/in-the-media/australians-warned-strengthen-passwords
- reuters.com, "Exclusive: Snowden persuaded other NSA workers to give...", 8 Nov 2013. https://www.reuters.com/article/technology/exclusive-snowden-persuaded-other-nsa-workers-to-give-up-passwords-sources-idUSBRE9A7032/
- federalnewsnetwork.com, "Some of the biggest cyber risks to the military don't start...", 20 May 2026. https://federalnewsnetwork.com/cybersecurity/2026/05/some-of-the-biggest-cyber-risks-to-the-military-dont-start-inside-government-networks/
Published: May 2026
- youtube.com, "The Lone Hacker That Found NASA's Secret Space Fleet...". https://www.youtube.com/watch?v=2ttdlCa5ZCI
- futureintelligence.co.uk, "Gary McKinnon was unlucky. He's not even a very good hacker", 18 Oct 2012. https://www.futureintelligence.co.uk/2012/10/18/gary-mckinnon-was-unlucky-hes-not-even-a-good-hacker/