The primary entry point to your digital life is your password. Your Facebook password to meet your friends, your Instagram password for sharing your photos, your Amazon and PayPal passwords for buying stuff, your iCloud password (or similar) for all your photos, music and videos, and your CERN “NICE” password for your professional activities for the Organization. A lost password means full exposure: with your password, an adversary can dig deep into your private (and professional!) life. Imagine someone who’s able to roam through your flat – but far more clandestinely. It’s not rocket science that your passwords deserve the same care and attention as your car and house keys, your credit cards or your smartphone. Their loss can have a significant impact on your life…
A good password is something you can easily remember, is unique for each computing service, has never been shared with someone else, and is sufficiently complex that it cannot be guessed by humans or automatic tools (like so-called dictionary attacks, which try every word in a dictionary, common variations such as appended digits or “leet” spellings, and even combinations of several words). Unfortunately, “memorable”, “unique” and “sufficiently complex” seem to contradict each other for the average human brain. Brain power seems to be too limited nowadays to recall several dozens of password/site combinations. What seemed to be easy for my grandma, remembering hundreds of phone numbers and whom they belong to, seems to have become difficult today. And the usual hints of:
- Choosing a line or two from a song or poem, and using the first letter of each word. For example, "In Xanadu did Kubla Khan a stately pleasure dome decree!" becomes "IXdKKaspdd!";
- Using a long passphrase like the sentence "In-Xanadu-Did-Kubla-Khan-A-Stately-Pleasure-Dome-Decree!" itself or mathematical formulas like "sin^2(x)+cos^2(x)=1";
- Alternating between one consonant and one or two vowels with mixed upper/lower case. This provides nonsense words that are usually pronounceable, and thus easily remembered. For example: "Weze-Xupe" or "DediNida3";
- Choosing two short words (or a big one that you split) and joining them together with one or more punctuation characters between them. For example: "dogs+F18" or "comP!!UTer"
do not work for everyone.
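To make the hints above concrete, here is an added example (not code from the original Bulletin article) that implements two of them in Python – the “first letter of each word” rule and the pronounceable consonant/vowel generator – and then applies the kind of cheap “mangling rules” a dictionary attack uses, so you can see why a dictionary word with digits glued on fails while the article’s own examples pass. The six-word wordlist is constructed for the example; a real cracking dictionary holds millions of entries, so treat the check as an illustration of the attack, not as a strength meter.

```python
import secrets
import string

# Constructed toy wordlist standing in for a real cracking dictionary (which
# would hold millions of entries); it exists only to illustrate the check below.
TOY_DICTIONARY = {"password", "xanadu", "dogs", "computer", "summer", "welcome"}

CONSONANTS = "bcdfghjklmnpqrstvwxz"
VOWELS = "aeiou"


def initials_from_phrase(phrase):
    """Hint 1: keep the first letter of every word plus any trailing punctuation,
    so 'In Xanadu did Kubla Khan a stately pleasure dome decree!' -> 'IXdKKaspdd!'."""
    out = []
    for word in phrase.split():
        core = word.rstrip(string.punctuation)
        if not core:
            continue
        out.append(core[0])
        out.append(word[len(core):])  # the '!' of 'decree!'
    return "".join(out)


def pronounceable(n_syllables=4, rng=secrets.SystemRandom()):
    """Hint 3: one consonant followed by one or two vowels per syllable, each
    syllable capitalised at random; letters come from the OS CSPRNG, never from
    random.random(), whose output is predictable."""
    parts = []
    for _ in range(n_syllables):
        syllable = rng.choice(CONSONANTS) + "".join(
            rng.choice(VOWELS) for _ in range(rng.randrange(1, 3)))
        if rng.randrange(2):
            syllable = syllable.capitalize()
        parts.append(syllable)
    return "".join(parts)


def looks_dictionary_based(candidate, wordlist=TOY_DICTIONARY):
    """Mimic the mangling rules a dictionary attack tries first: the bare word,
    digits glued to either end, common leet substitutions, and two dictionary
    words concatenated. True means a cracker would recover it almost instantly."""
    s = candidate.lower()
    stripped = s.strip(string.digits)                                   # summer2024 -> summer
    unleet = stripped.translate(str.maketrans("01345$!@", "oieassia"))  # p4ssw0rd -> password
    if any(c in wordlist for c in (s, stripped, unleet)):
        return True
    # "combinations thereof": every split of the word into two dictionary words
    return any(unleet[:i] in wordlist and unleet[i:] in wordlist
               for i in range(1, len(unleet)))


if __name__ == "__main__":
    for pw in ("IXdKKaspdd!", "comP!!UTer", "dogs+F18", pronounceable(),
               "P4ssw0rd", "Summer2024", "dogsxanadu"):
        verdict = "weak (dictionary-based)" if looks_dictionary_based(pw) else "survives the cheap rules"
        print(f"{pw:14} {verdict}")
```

The generator deliberately draws from `secrets.SystemRandom()` rather than `random`: a password built from a predictable pseudo-random stream is only as strong as its seed. Note that passing the crude check above says nothing about length; a short pronounceable word still falls to plain brute force, which is why the article’s passphrase hint is the safer of the four.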
The easiest thing to do, of course, is to reduce the number of passwords: your Google or Facebook account can already be used to log in to services outside the Google and Facebook realms. And CERN is also actively working on a “federated identity” solution so that you can use your CERN username and password to access computing services at other institutes and universities – and vice versa! Bear in mind that this concentrates risk: the one account you log in with everywhere becomes the key to all the others, so it deserves the strongest protection. In addition, there is nothing to stop you using easy passwords like “123456” for websites on which you do not expose anything personal, have no financial risk, and where an adversary cannot create havoc (e.g. newsletter subscriptions), provided such a throw-away password is never reused, even in a slightly varied form, for anything that matters. If you seldom access those pages, you might even forget those passwords and reset them only once needed...
For more important computing services, you might want to consider using a password manager to store all your different passwords and protect them with a very strong, complex and long master password. There are many technical solutions on the market: “Lastpass”, “Keepass”, Apple “Keychain” or even the built-in password managers within Internet Explorer, Firefox, Safari (i.e. Apple “Keychain”) and Chrome. But before you start using any of them, please consider whether you are fine with putting all your eggs in one basket. If the device running your password manager is compromised, all your passwords are potentially compromised and not only the ones you recently typed into that device; if the password manager is ill-conceived or turns out to be vulnerable, or if your master password is weak, all your passwords are at risk, too (see, for example, this slightly biased old article); if that device is lost and you keep no backup of the encrypted vault, the only hope left is your brain power. Furthermore, what about the risk of loss of control? Some solutions, like “Lastpass”, push your passwords into the cloud. In the end, it is your choice regarding the balance between convenience and risk.
However, whatever you decide, also consider enabling multi-factor authentication solutions where possible. You use this already for your online bank transactions, and Google, Facebook, Twitter, and others offer similar protection! Multi-factor authentication will also soon come to CERN for privileged access to computing services, the Technical Network and for financial transactions (see our Bulletin article on “Pimp up your password”).
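The article does not say which multi-factor mechanism the services above use, but the six-digit codes from authenticator apps are time-based one-time passwords (TOTP, RFC 6238, built on HOTP, RFC 4226). The following added example – not code from the Bulletin or from CERN – implements both sides of that exchange in Python: the app computing a code from the shared secret and the current time, and the server verifying it with a small clock-drift window and a constant-time comparison. The key and timestamps used in the test are the published RFC test vectors; the account name, issuer and the `otpauth://` URI helper are illustrative assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(key, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC the 8-byte big-endian counter, take the 4 bytes at the
    offset given by the low nibble of the last MAC byte, drop the sign bit and
    reduce modulo 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to the number of `step`-second
    slots since the Unix epoch. This is what the authenticator app computes."""
    t = int(time.time()) if at is None else int(at)
    return hotp(key, t // step, digits)


def verify_totp(key, code, at=None, step=30, digits=6, window=1):
    """Server side: accept the current slot and +/- `window` neighbours to absorb
    clock drift, comparing in constant time so response timing does not leak how
    many digits matched. A production server must additionally refuse to accept
    the same slot twice, otherwise a sniffed code can be replayed within its window."""
    if len(code) != digits or not code.isdigit():
        return False
    t = int(time.time()) if at is None else int(at)
    return any(hmac.compare_digest(hotp(key, t // step + k, digits), code)
               for k in range(-window, window + 1))


def provisioning_uri(key, account, issuer):
    """The content of the QR code shown at enrolment: the shared secret in base32
    inside the otpauth URI scheme that authenticator apps understand."""
    secret = base64.b32encode(key).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{account}?secret={secret}&issuer={issuer}"


if __name__ == "__main__":
    # Constructed demo secret; real ones are random bytes generated per user at enrolment.
    key = b"12345678901234567890"          # the RFC 4226 / 6238 test key
    print(provisioning_uri(key, "user@example.org", "ExampleIssuer"))  # assumed names
    print("app shows:", totp(key))
    print("server accepts:", verify_totp(key, totp(key)))
```

Two design points matter in practice: the shared secret must never leave the server unprotected (it is equivalent to the second factor itself), and the acceptance window should stay small, because every extra slot the server tolerates multiplies an attacker’s chance of guessing a six-digit code. Rate-limit failed attempts for the same reason.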
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, visit our website or contact us at Computer.Security@cern.ch.