Next: General Up: CNL227 Previous: If you need Help

Letters to the Editor


How to search/find information from past CNL issues

CNL articles are often reference material about services, features and other information otherwise unpublished. Maybe you could publicise in the next issue how to search/find information from past issues, perhaps turn it into a fixed section of your "Editorial Notes". I find that a very useful feature and other readers may appreciate making use of it.

Miguel Marquina, CERN/IT

 
Dear Miguel,

This is probably a good idea to write down that information, and possibly to repeat it in a regular way, as I am not sure that many of our readers know that it is, in fact, possible and quite easy.
The basic recipe is to use the "Search & View" facility for "IT services, documentation and more", which is replacing the old but powerful "XFIND" utility on the now defunct CERNVM. It is accessible on the Web, using any kind of Web browser, at URL: http://consult.cern.ch/xfind
The "search" is quicker, and the number of answers less considerable, if you restrict it to a given category (by pressing the corresponding button, just below the input text area where you must enter the keyword(s) to be searched). One pre-defined "category" is precisely "CNLs": by selecting it, and giving one (or several) keyword(s) related to the information you are looking for, you will get very quickly a list of past CNLs that contained article(s) on that subject.
Trying, for instance, the two keywords "mail forward", you will get:

Xfind search result for MAIL FORWARD :

              CERN computer News Letters (CNL)
No. 226 January -- March 1997
Special Chapter: Mail Issues
The End of AFSmail

No. 225 October -- December 1996
Questions and Answers from the UCO

No. 224 July -- September 1996
General
Using MAIL on the VXCERN Cluster

No. 222 January - March 1996
Mail Issues
Roadmap to MAIL Services
How to Migrate your Mail out of CERNVM
AFSmail and the MailServer
Mailforwarding -- Make Sure You Do Not "Lose" Mail
N.B. By adding more keywords you will get a more precise search.

Nicole Cremel (CNL editor).


Passwords ...

I read with interest the latest guidelines for passwords. I believe the situation is getting out of hand. You suggest some fairly extreme measures for generating (marginally) memorable passwords, and severely caution against using the same passwords on other accounts, disallow reuse of previous passwords and of course enjoin writing down passwords anywhere. However, other factors intervene. The passwords are also to be changed regularly, and most important, people have MANY accounts. At last count, I need to keep track of 19 different passwords to do my work. I do not need most of these systems on a day to day basis, but they are all essential for some aspect of my work. Since the time scale for changing passwords and the rules for what constitutes a valid password vary from system to system, I am not capable of remembering them all at once, much less as they change with time. Nor does hardly anyone else I know. So they are written down, and people in self defense do use the same passwords on multiple systems, not because they are perverse, or love hackers and hate system managers, but because the set of rules for keeping secure passwords are incompatible with the capabilities of most humans.

Jim Linnemann / MSU

 
Dear Mr. Linnemann,

You sent your e-mail to the CNL editor but it is not clear to which article you are referring and in which CNL issue. The "reference" information regarding "password rules" is part of the "CERN Security Handbook" that I wrote and you can find at URL: http://consult.cern.ch/writeup/security.
What we try to do regarding passwords is to enforce some rules (like minimum length) in order to raise the quality of the passwords and therefore increase the security of CERN computers. The rules are just the ones that most cracking programs (to guess passwords) will try. If these rules may seem quite complex, it does not mean that a good password is not easy to remember. We try to give some hints, in the "CERN Security Handbook", to help you find a good password. A quick recipe is, for instance, to take two short words (only 8 characters are meaningful on UNIX) that are easy to remember for you, to combine them with a special character (e.g. -, +, /), and to mix upper and lower cases.
Of course, if we get too strict, the passwords will become hard to remember and users will write them down. This is, of course, not what we want. I believe that the current rules (allowing passwords like "mineISgood" or "very/easy") still give a vast choice for users. Maybe we should explain this more and teach our users how to simply find a good but easy-to-remember password.
On the question of the different accounts, one section of my guide ends with:
"So, in our opinion, the best thing is to have different passwords for all your accounts with no obvious similarities. If you can't (for instance because you have too many accounts), it's acceptable to have the same password if it's a really good one and if you change it often (for instance once per month)."
I still think that this is not too bad.
Feel free to contact me to discuss more about this topic.
Thanks for your comments,

Lionel Cons, IT/DIS
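As an added example (not from the CNL or from the CERN Security Handbook), here is a small Python checker for the kind of rules the reply describes, applied only to the 8 characters that a traditional UNIX crypt(3) actually uses. The "at least two character classes" rule and the tiny word list are my assumptions, modelled on the two accepted examples in the letter.

```python
SIGNIFICANT = 8  # traditional UNIX crypt(3) hashes only the first 8 characters

# Constructed, tiny stand-in for the word lists a cracking program walks through.
COMMON_WORDS = {"password", "secret", "welcome", "cern", "physics", "letmein"}


def significant_part(password):
    """The prefix a legacy UNIX system actually hashes and compares."""
    return password[:SIGNIFICANT]


def character_classes(text):
    """Set of classes present in text: 'lower', 'upper', 'digit', 'special'."""
    classes = set()
    for ch in text:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def check_password(password):
    """Return the list of rules the password fails; an empty list means OK.

    Rules as modelled here (assumption): at least 8 characters; the
    significant prefix must mix at least two character classes, which
    accepts both examples from the letter ("mineISgood", "very/easy");
    and the prefix must not be a dictionary word once case and
    punctuation are stripped, since that is what cracking programs try.
    """
    failures = []
    sig = significant_part(password)
    if len(password) < SIGNIFICANT:
        failures.append("shorter than 8 characters")
    if len(character_classes(sig)) < 2:
        failures.append("first 8 characters are a single character class")
    stripped = "".join(c for c in sig if c.isalpha()).lower()
    if stripped in COMMON_WORDS:
        failures.append("first 8 characters are a dictionary word in disguise")
    return failures
```

Note that "goodpassWORD" fails even though it mixes case: the mix only begins after the 8 significant characters, so the part that is actually hashed is a single lowercase word.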
_______________

Comments from the Security Officer:

As Lionel Cons has conveyed in his reply, password security is important. I don't think it is exaggerated to say that if a hacker manages to get access to a normal user's account then it is fairly easy to gain root privileges. In the past few days over half a dozen such exploits have been posted on the net for SGI computers alone. For most of the services provided by IT division a single password is provided through the use of AFS and the inherent Kerberos authentication used by AFS. The AFS service is not restricted to just IT and others are welcome to "join".
Why should a single password be OK for AFS and not without it? This is a question of how hackers "crack" passwords. With AFS the password file is not available and therefore cannot be cracked. Of course, even AFS passwords are vulnerable to being "sniffed", either off the network or from a computer that has been hacked. This is why they should also be changed frequently until the technology for not transmitting passwords in plain text over the network is ubiquitous.

John Gamble (CERN Computer Security Officer)



cnl.editor@cern.ch