Following up on some questions we received concerning our last Bulletin article (“An old scam in a new disguise”), let us expand on the easiest way to lose your CERN password… just reuse it on insecure web services outside CERN!
Passwords are a necessary token for protecting your data in any web service: CERN INDICO, CERN EDH, Facebook, Twitter, Amazon, etc. During registration, your password is usually stored together with an identifier (typically your e-mail address) for that web service, and later requested during the login (“authentication”) process in order to verify your identity. At CERN, this is managed through the CERN identity management system and CERN Single Sign-On (“CERN SSO”), which provides a handy way to get you logged into any CERN web or computing service. And as all CERN computing services are required to use this central solution, all you need to remember is one password rather than a plethora of unique ones. The CERN SSO portal protects your password in accordance with best practice and converts it into a non-recoverable string (technically a “salted hash”). Of course, as the access granted by a CERN password is wide-ranging, a number of due-diligence requirements apply with respect to password length and complexity as well as expiry date (see our Bulletin article on “Brain Power vs. Password Managers”). In certain circumstances, e.g. when accessing critical services, the CERN SSO might even require you to provide a second authentication factor (besides the password you “know”, a token you “have” – like the “calculator” used for some Internet banking services).
But it is not always guaranteed that other web service providers apply similar due diligence… “Security” might not be their core business. Passwords might not be given the necessary attention and may simply be stored with weak, reversible encryption or even in plain text, without any further protection. If such a website is infiltrated, every clear-text password is exposed, and the protection of any other data guarded by that same password is completely lost. From that moment, all of that data can be considered involuntarily public. This happens more often than you might think. The reliable and trustworthy website haveibeenpwned.com provides a long list of compromised websites that have already lost their data. Feel free to enter your private or CERN e-mail address. You might be surprised.
But you shouldn’t be. The CERN Computer Security Team has subscribed to the “';--have i been pwned?” web service as well as to several others. Through them, and through our network of peers from other computer security teams, from academia, industry and security companies, as well as from national authorities and law enforcement agencies, we usually learn in advance of newly published “password dumps” (i.e. lists of e-mail addresses and clear-text passwords linked to a particular web service). Our automatic mechanisms analyse those dumps and identify entries linked to your CERN e-mail address or to any e-mail address you have registered with CERN (e.g. the address of your lightweight account, or one to which you forward your mail). This allows us to inform you in a timely manner that your external password has been disclosed. Time for you to change that password, or to consider terminating that account completely. Similarly, we process those password dumps in order to identify exposed passwords and e-mail addresses linked to sites of the Worldwide LHC Computing Grid (the WLCG), other affiliated universities and institutes, some of the Geneva-based international organisations, and even some Swiss companies. The corresponding computer security teams are informed of all necessary details. A partnership at its best…
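As an added illustration of the dump-processing step described above (example code written for this article, not CERN's own tooling): a constructed password dump is parsed, entries matching addresses registered with CERN are routed to the account owner, entries from affiliated domains are routed to that institute's security team, and the result carries only a non-reversible fingerprint of each leaked password. The sample dump, the registered addresses, the peer domains and the recipient names are all hypothetical.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample of a "password dump" as leaked from a third-party site:
# one "identifier:password" pair per line, plus the noise such files usually carry.
SAMPLE_DUMP = """\
alice@cern.ch:Summer2019!
bob@example.org:hunter2
carol.private@gmail.com:letmein
dave@someuni.edu:P@ssw0rd
this line has no separator at all
ALICE@CERN.CH:Summer2019!
"""

# Constructed registry (hypothetical): addresses registered with CERN (primary,
# lightweight account or forwarding address) mapped to the account owner, and
# domains of affiliated institutes mapped to their own security team.
REGISTERED_ADDRESSES = {"alice@cern.ch": "alice", "carol.private@gmail.com": "carol"}
PEER_DOMAINS = {"someuni.edu": "someuni-security-team"}

# Accepts "email:password" or "email;password"; anything else is skipped as noise.
LINE_RE = re.compile(r"^\s*([^\s:;]+@[^\s:;]+)\s*[:;]\s*(.+?)\s*$")


def parse_dump(text):
    """Yield (email, password) pairs; addresses lower-cased, unparsable lines dropped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1).lower(), m.group(2)


def password_fingerprint(password):
    """Short SHA-1 prefix so a notification can refer to the leaked password
    without carrying it in clear. A weak password can still be guessed from
    the prefix, so the report itself is still confidential."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()[:10].upper()


def triage_dump(text, registered=REGISTERED_ADDRESSES, peers=PEER_DOMAINS):
    """Route dump entries: exact address matches to CERN users, domain matches to
    peer teams. Returns {recipient: sorted [(email, fingerprint)]}, duplicates removed."""
    findings = defaultdict(set)
    for email, password in parse_dump(text):
        domain = email.rsplit("@", 1)[1]
        if email in registered:
            findings[registered[email]].add((email, password_fingerprint(password)))
        elif domain in peers:
            findings[peers[domain]].add((email, password_fingerprint(password)))
    return {who: sorted(hits) for who, hits in findings.items()}
```

Entries that match neither a registered address nor a peer domain (bob@example.org here) are deliberately not reported anywhere.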
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.