In today's high-tech world, passwords can be a troublesome nuisance. In order to keep all your sensitive information secure, you'll need to come up with strong passwords for all your online accounts. These passwords often involve long strings of capital letters, numbers, and even punctuation that can be hard to remember (and tricky to enter correctly on the first try). However, there's a good reason for this — highly complex passwords are hard to crack, and nearly impossible to simply guess.
Most of us have also heard of people who circumvent this frustrating process by entering something like “password” or “1234” as their password. We also know this is a very bad idea, because these are some of the first things criminals will guess if they try to access your accounts. It's akin to leaving the key to your front door under the welcome mat, in the hope that nobody will look for it there.
Now, imagine if you were in charge of setting 8-digit password codes for launching nuclear missiles — what would you set them to? Well, if you were the United States Strategic Air Command (SAC) during the Cold War, you'd set them to 00000000. Unbelievably, for nearly 20 years, the PAL launch code for every nuclear missile silo in the U.S. was set to 8 zeros.
The story of this “zero code” begins back in June 1962, when President John F. Kennedy signed a document known as the National Security Action Memorandum 160. This directive was prompted by concerns over the security of U.S. nuclear missiles, specifically the concern that missiles would be captured and launched by enemy forces, or that they would be launched by rogue American military officers.
Before the implementation of this security memorandum, missiles were secured only by physical locks, leading to concern that ICBMs could be launched by high-ranking officers without outside consent. U.S. Air Force General Horace Wade wrote the following about a fellow Strategic Air Command officer, the appropriately named General Thomas Power:
“I used to worry about General Power. I used to worry that General Power was not stable. I used to worry about the fact that he had control over so many weapons and weapon systems and could, under certain conditions, launch the force. Back in the days before we had real positive control [i.e., PAL locks], SAC had the power to do a lot of things, and it was in his hands, and he knew it.”
In order to alleviate these concerns, National Security Action Memorandum 160 mandated that the old physical locks be replaced by new electromechanical locks called Permissive Action Links (PALs). The PAL locks were extremely complex devices that were virtually impossible to crack or hotwire. One weapons designer stated that bypassing one of these PAL locks would be “about as complex as performing a tonsillectomy while entering the patient from the wrong end.”
When it was time to implement the PAL locks in nuclear missile silos throughout the U.S., Secretary of Defense Robert McNamara personally supervised the process. However, much of the Strategic Air Command leadership at the time resented and opposed this process. They felt adding more complex locks would slow our reaction time to an attack, and prevent launching missiles quickly in a real emergency.
As a result, shortly after McNamara and his staff left the facilities, the Strategic Air Command reset all PAL codes to 00000000. SAC leadership felt that this would ensure that the nuclear missiles would be ready to use at a moment's notice, regardless of whether the President was available to authorize a launch. In their minds, this instant readiness took precedence over any potential safety concerns.
Bruce G. Blair was a launch officer at an underground silo in Montana during this time, and now serves as a nuclear security expert and research scholar at Princeton University. Blair exposed the massive security flaw to the public in an article published in 2004. He wrote, “The codes were the only real mechanical or technical impediment to the crews launching missiles, and they were all set to zero. The safeguard was non-functional.”
On top of this, the new “secret” code was written down on a checklist and handed out to airmen at each facility. Blair wrote, “Our launch checklist in fact instructed us, the firing crew, to double-check the locking panel in our underground launch bunker to ensure that no digits other than zero had been inadvertently dialed into the panel.”
Blair also personally revealed the facts about the all-zero PAL launch code to former Secretary McNamara. Mr. Blair stated that McNamara's response was one of shock and outrage, as he asked “Who the hell authorized that?”
Recently, Air Force representatives have disputed Blair's claims, stating that the PAL codes were never actually 00000000. Although there is no undeniable public proof of the zero code at this point in time, testimony from other nuclear security experts supports Blair's statements: “Bruce is correct about the major historical narrative at stake – the United States Air Force, particularly Strategic Air Command, generally resisted the introduction of technical safeguards out of concerns that such measures might make it more difficult to use the weapons in the event of a conflict.”
If you've done any reading on nuclear missiles in the past, or even watched one of the many Hollywood thrillers about the topic, you'll probably be thinking that it takes more than a single code to fire a nuclear weapon — and you'd be right. The major catch to this 00000000 launch code is the fact that it was typically only one of many security measures preventing inadvertent mutually assured destruction.
According to Steven Bellovin, a professor at Columbia University who teaches security architecture, these PAL codes were designed to prevent the launch of a nuclear missile that had been physically captured by enemy forces. For example, missiles were often stored in NATO countries outside the U.S., and these codes were intended to prevent enemy forces from launching our missiles in the event that one of these overseas facilities was captured.
So, while the PAL launch code may have been 00000000, actually arming the nuclear warhead required a much more complex system. The arming procedure involved sealed envelopes, simultaneous turning of keys, and verification of three different codes over a secure phone line. This means that enemy forces or saboteurs may theoretically have been able to gain access to our missiles with the zero code, but the nuclear warheads would not have been armed without first defeating more security measures.
Then again, we also know that even the much more complex security features were far from foolproof. In fact, we narrowly escaped all-out nuclear war on several occasions despite these additional safeguards — go read our previous article on Nuclear Near Misses for a more detailed explanation.