OK. Apparently, our “Secure Password Competition” announced in the last Bulletin was too easily spotted as an April Fools’ gag… Congratulations to those who didn’t fall for it. And a “keep smiling” message to those who did :) Apologies if you were hoping to meet peers using a similar password…
In fact, an important cornerstone for computer security at CERN (but also elsewhere) is the secrecy of your password. Remember that, as things stand, your password is in many cases your only key to and protection for a computing service (or, in the case of CERN, all computing services through CERN’s Single Sign-On portal). Losing that key means losing any protection for your documents and data. Losing your CERN password to a malicious attacker allows them to misuse CERN’s computing resources: spamming the world with your e-mail address, instantiating virtual machines in the computer centre to illegally generate crypto-coins, downloading digital journals from the CERN Library that are paid for by CERN, spying on your work in order to later attack the computing services or control systems you work on or manage, or misusing your computer to attack others at CERN or outside CERN. At home, losing your computer’s protection puts your personal life at risk: your Facebook profile, your Twitter feeds, your Instagram posts, your Internet banking, but also your photos and videos stored locally. And your privacy in general: with your computer’s password attackers can take it over completely and log every keyboard stroke you make, watch you on your webcam, or listen to you and your surroundings using the built-in microphone.
Hence, your password must be yours alone and must remain yours alone. CERN does not store your password but just a “hash” of it – a mathematical fingerprint properly protected by the CERN IT department’s identity management professionals. The Service Desk and the Computer Security Team do not know your password. And do not want to know it. There is no need to tell them. If they need to access computing resources protected under your account, there are procedures for this that do not require your password (see the subsidiary rule to the CERN Computing Rules on “Third-party access to users' accounts and data”). Also, there is no need to share your password with other third parties like your colleagues or supervisor. They should never ask for it. If they do, let us know the reason and we’ll find a solution to avoid it. Remember that your password is like your toothbrush: you don’t share it and you change it regularly.
Hence, too, your password must not be guessable. Make it sufficiently complex by using a mixture of letters, symbols and numbers. The longer, the better. Think of sentences: “In Xanadu did Kubla Khan a stately pleasure dome decree!". Or, if you are of a mathematical mindset, use formulas: “DeltaX*DeltaP>=h/2Pi” (for physicists*), “a**2+b^2=sqr(c)” (for engineers and technicians*). In any case, do not reuse your passwords. Have different ones for different services. CERN deserves one; Facebook another. Your bank definitely a third. If you struggle to remember them all, use a password vault like “Keepass”, Apple’s “Keychain” or even the built-in password managers within Internet Explorer/Edge, Firefox, Safari (i.e. Apple “Keychain”) and Chrome. But before you start using any of them, please consider whether you are fine with putting all your eggs in one basket. Or you could consider creating a few small baskets for different purposes.
Remember what is at stake: at home, nothing less than your private life. At CERN, the Organization’s operations and reputation. Both are worth protecting. Thanks for making the effort!
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.
*Please folks, do not all use these examples. We do already. Be creative and invent your own.