<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<link rel="stylesheet" href="/style.css" type="text/css" />
<script type="text/javascript" src="/jquery.min.js"></script>
<title>CERN Computer Security Information</title>
<script type="text/javascript">
$(document).ready(function(){
  // Menu highlight
  var path = location.pathname.split("/");
  if ( path ) {
    $('#main_menu a[href*="' + path[1] + '"][class!="noselect"]').addClass('selected');
    // path[3] = /security/<xxxxx>/
    $('#sidebar ul.sidemenu li[class!="noselect"]:has(a[href$="' + path.reverse()[0] + '"])').addClass('selected');
  }
  // Add icon to external links
  $('a[id!=logo-img]').filter(function() {
    return this.hostname && this.hostname !== location.hostname;
  }).after(' <img src="/images/external_link.png" alt="external link" title="external link"/>');
});
</script>
</head>
<body>
<div id="wrap"> <div id="top-bg"></div> <!--header --> <div id="header"> <div id="logo-text"> <a id="logo-img" href="https://home.cern/"><img src="/images/CERNLogo2.png" width="59" height="59" style="margin: 10px" alt="CERN Logo"/></a><div id="logo-text-big"><a href="/home/en/index.shtml" title="">CERN Computer Security</a></div> </div> <div id="header-logo"><a href="/services/en/emergency.shtml"><img width="335" src="/images/emergency.png" alt="Computer Emergencies"/></a></div> </div> <!--header ends--> <div id="header-photo"></div> <!-- navigation starts--> <div id="nav"> <ul id="main_menu"> <li><a class="noselect" href="/home/fr/index.shtml"><img src="/images/fr.png" alt="FR"/></a></li> <li><a href="/home/en/index.shtml">Home</a></li> <li><a href="/rules/en/index.shtml">Computing Rules</a></li> <li><a href="/recommendations/en/index.shtml">Recommendations</a></li> <li><a href="/training/en/index.shtml">Training</a></li> <li><a 
href="/services/en/index.shtml">Services</a></li> <li><a class="secured" href="/reports/en/index.shtml">Reports &amp; Presentations</a></li> </ul> </div> <!-- navigation ends--> <!-- content-wrap starts --> <div id="content-wrap"> <div id="main"> <h2>Password Recommendations</h2> <p>Programs to crack passwords or read them from the network are readily available. To limit the risk of your password being cracked, it should be at least 8 characters long and include letters (both upper and lower case), digits and symbols. Change your password regularly, in particular after a trip during which you could have exposed it at a remote site. Never use your CERN password at any other site or for private purposes.</p> <p>In particular, be cautious of attempts to "steal" your password. <b>CERN's computing staff, including the Computer Security Team, will never ask for your password</b> (nor will any other legitimate person), so be wary of malicious emails, instant messages and chats that request your password, including via web links. This trick is known as "phishing" (i.e. password fishing). If you think your password may have been exposed, change it and inform <a href="mailto:Computer.Security@cern.ch">Computer.Security@cern.ch</a>. (We also check whether your password (hash) has ever been exposed, leaked or stolen and will <a href="https://auth-admin.docs.cern.ch/keycloak/compromised-passwords/">require you to change it</a> in that case, too.) Keep in mind:</p> <center> <table> <tr> <th><b>"Your password should be treated like a toothbrush: you do not share it and you change it when worn out!"</b></th> </tr> </table> </center> <p>...and please apply the same care to your other credentials, such as SSH keys, certificates, your CERN card, etc.</p> <h4>How to change CERN passwords</h4> <p>To change your CERN password (NICE, Mail, Web, LXPLUS, AFS, ... 
), go to <a href="http://users-portal.web.cern.ch">http://users-portal.web.cern.ch</a> and select "Change Password".</p> <p>We recommend that you <b>change your passwords whenever you return from a trip</b> that could have exposed them.</p> <h4>How to choose good passwords</h4> <p>A good password is:</p> <ul> <li><b>private:</b> it is used and known by one person only;</li> <li><b>secret:</b> it does not appear in clear text in any file or program, or on a piece of paper pinned to the monitor;</li> <li><b>easily remembered:</b> so there is no need to write it down;</li> <li><b>at least 8 characters long;</b></li> <li><b>a mixture</b> of at least 3 of the following: upper case letters, lower case letters, digits and symbols;</li> <li><b>not listed in a dictionary</b> of any major language;</li> <li><b>not guessable by any program</b> in a reasonable time, for instance less than one week.</li> </ul> <p>Here are some <b>hints</b> to help you choose good passwords:</p> <ul> <li>Choose a line or two from a song or poem and use the first letter of each word. For example, "In Xanadu did Kubla Khan a stately pleasure dome decree!" becomes "IXdKKaspdd!";</li> <li>Use a long passphrase, such as the sentence "InXanaduDidKublaKhanAStatelyPleasureDomeDecree!" itself, or a mathematical formula such as "sin^2(x)+cos^2(x)=1";</li> <li>Alternate between one consonant and one or two vowels with mixed upper/lower case. This produces nonsense words that are usually pronounceable, and thus easily remembered. For example: "Weze-Xupe" or "DediNida3";</li> <li>Choose two short words (or a long one that you split) and join them together with one or more punctuation characters between them. For example: "dogs+F18" or "comP!!UTer".</li> </ul> <p>Attackers, and the programs they use to try to break into your account, know a large number of "frequently used" passwords. 
Here are some <b>guidelines to avoid <i>guessable</i> passwords:</b></p> <ul> <li><b>Don't</b> use your login name in any form (as-is, reversed, capitalised, doubled, with a prefix, with a suffix...);</li> <li><b>Don't</b> use your first or last name in any form and, more generally, any information that is easily obtained about you. This includes car license plate numbers, telephone numbers, insurance numbers, the brand of your car, the name of the street you live on, the names of your spouse or children...;</li> <li><b>Don't</b> use a word contained in any dictionary of any language, spelling lists, or other lists of words (acronyms, sequences of letters like 'abcdef' or 'qwerty', place names, car names, cartoon heroes...);</li> <li><b>Don't</b> use the same password for other sites. Better still, have a distinct password for every site. If necessary, consider using a so-called password manager to remember them all. For more details, see <a href="https://home.cern/news/news/computing/computer-security-brain-power-vs-password-managers">this Bulletin article</a>.</li> </ul> <p>Learn from others. Here are the 10 most used passwords:</p> <div style="text-align: center;"><iframe width="560" height="315" src="https://www.youtube.com/embed/Kee0ggcBaI8" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen="allowfullscreen"></iframe></div> <h4>Why you need good passwords</h4> <p>The password is the most vital part of account security. If an attacker discovers your password, he/she can use your account to attack systems inside or outside CERN, as well as read, modify or delete all your files. 
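</p>
<p>The criteria from the two lists above (minimum length, character-class mix, no variant of the login name, no easily obtained personal facts, no dictionary word or keyboard sequence) as an executable checker. This is an added example, not code from CERN or from this page; the word list, the sequence list and the <code>personal</code> facts are constructed stand-ins, and the bit estimate is a rough brute-force measure, not a model of any particular cracking program.</p>

```python
import math
import string
from typing import Iterable, List

# Constructed mini word list standing in for the dictionaries of all major
# languages; a real deployment would load full word lists (cracklib, hunspell, ...).
DICTIONARY_WORDS = {"password", "computer", "welcome", "xanadu", "secret", "monkey"}

# Keyboard and alphabet sequences of the kind the page lists as guessable (constructed).
SEQUENCES = ("abcdef", "qwerty", "123456")

MIN_LENGTH = 8      # "at least 8 characters long"
MIN_CLASSES = 3     # "a mixture of at least 3 of the following" four classes


def character_classes(pw: str) -> int:
    """Number of classes present among upper case, lower case, digits and symbols."""
    return sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def estimated_bits(pw: str) -> float:
    """Rough brute-force strength: length * log2(size of the smallest pool that
    covers every class used). Only a guess-rate assumption turns this into a time."""
    pool = 0
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(not c.isalnum() for c in pw):
        pool += len(string.punctuation)   # the 32 printable ASCII symbols
    return len(pw) * math.log2(pool) if pool else 0.0


def check_password(pw: str, login: str, personal: Iterable[str] = ()) -> List[str]:
    """Return the violated rules; an empty list means the password passes.

    login    -- the account name, checked as-is, reversed, capitalised, doubled
                and as prefix/suffix (all covered by a case-insensitive substring test)
    personal -- constructed list of easily obtained facts (car brand, street, ...)
    """
    problems = []
    low = pw.lower()

    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(pw) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")

    base = login.lower()
    if base and (base in low or base[::-1] in low):
        problems.append("contains the login name (as-is, reversed, doubled or with prefix/suffix)")

    for fact in personal:
        if fact and fact.lower().replace(" ", "") in low.replace(" ", ""):
            problems.append(f"contains easily obtained information ({fact})")

    # The page's rule is "not listed in a dictionary": compared case-insensitively
    # against the whole password, so "comP!!UTer" (two halves joined by symbols) passes.
    if low in DICTIONARY_WORDS:
        problems.append("is a dictionary word")
    for seq in SEQUENCES:
        if seq in low:
            problems.append(f"contains the sequence '{seq}'")
    return problems


if __name__ == "__main__":
    # Constructed candidates: the page's own good examples plus some weak ones.
    for candidate in ["IXdKKaspdd!", "dogs+F18", "joe12345", "Qwerty1!", "Password"]:
        verdict = check_password(candidate, login="joe")
        print(f"{candidate!r}: ~{estimated_bits(candidate):.0f} bits;",
              "OK" if not verdict else "; ".join(verdict))
```

<p>Run stand-alone, the block accepts the page's own examples ("IXdKKaspdd!", "dogs+F18") and names exactly which rule a weak candidate breaks, which is the feedback a self-service password-change form should give instead of a bare "rejected".</p>
<p>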
<a href="http://cern.ch/security/rules/en">CERN's Computing Rules</a> require that you protect your accounts with a good password:</p> <cite> <ul> <li>III.11: All accounts must have appropriate access protection, such as account codes or passwords.</li> <li>III.12: The user shall take the necessary precautions to protect his personal computer or work station against unauthorized access. The user shall also protect details of his personal account, particularly by avoiding obvious passwords and shall not divulge his passwords to any third party, unless expressly authorized by his Division Leader. Upon request from the CERN Computer Security Officer or the service manager concerned, the user shall select a new password.</li> </ul> </cite> <h4>Why you must change passwords</h4> <p>Even if you choose a good password, it can still be discovered: someone may see you typing it, or capture it by snooping on the computer or the network. If you accidentally type your password in place of your login name, or on the command line of interactive clusters such as lxplus/aiadm, it will be logged and sent to the CERN Computer Security Operations Center for traceability/audit/forensics purposes. Moreover, it may be directly visible to other users of the system:</p>
<pre>
joe      ttyp9      Wed Apr 28 09:37
XSecret! pty/ttys0  Fri Feb 26 15:15 - 15:16  (00:00)
fred     pty/ttys0  Fri Feb 26 15:16 - 14:27  (87+22:11)
</pre>
<h4>Using password managers</h4> <p>Alternatively, if you cannot remember them all, you can use a password manager such as <a href="https://bitwarden.com">Bitwarden</a>, <a href="https://1password.com/">1Password</a> or <a href="https://keepassxc.org/">KeePassXC</a>, which provides you with entirely different, strong passwords for each website. A decent password manager will also protect you from entering your credentials into a "bad" web site. 
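</p>
<p>A defender-side view of the login-history problem above: the Security Operations Center receives these records, and an unknown "user" with the shape of a password (several character classes, 8 or more characters) is almost always one, so it can be masked, tied to a tty or source address, and its real owner told to change it. This is an added example, not a CERN tool; the account list and the sample records (a copy of the login-history lines above plus two OpenSSH "Invalid user" syslog lines) are constructed, and the shape thresholds are tuning assumptions.</p>

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Constructed account list; in practice this comes from /etc/passwd, LDAP or the IdP.
KNOWN_ACCOUNTS: Set[str] = {"joe", "fred", "root", "alice"}

# Constructed sample: three `last`-style lines like the ones on the page, followed by
# two OpenSSH "Invalid user" entries in the format sshd writes to syslog.
SAMPLE_RECORDS = """\
joe      ttyp9      Wed Apr 28 09:37
XSecret! pty/ttys0  Fri Feb 26 15:15 - 15:16  (00:00)
fred     pty/ttys0  Fri Feb 26 15:16 - 14:27  (87+22:11)
Feb 26 15:15:02 lxplus901 sshd[2311]: Invalid user XSecret! from 192.0.2.10 port 51522
Feb 26 15:17:40 lxplus901 sshd[2318]: Invalid user admin from 192.0.2.10 port 51530
"""

LAST_RE = re.compile(r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<when>\w{3} \w{3} +\d+ \d\d:\d\d)")
SSHD_RE = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<src>\S+)")


@dataclass
class Finding:
    source: str     # "last" or "sshd"
    masked: str     # first and last character only: the alert must not store the secret
    context: str    # tty or source IP, so the real owner can be traced and notified
    when: str


def looks_like_secret(name: str) -> bool:
    """Heuristic (assumed thresholds): an unknown 'user' that has the shape of a
    password rather than a typo or a scanner's guess such as 'admin'. False
    positives cost an analyst a minute; a missed leaked credential costs an account."""
    if name.lower() in KNOWN_ACCOUNTS:
        return False
    classes = sum([
        any(c.isupper() for c in name),
        any(c.islower() for c in name),
        any(c.isdigit() for c in name),
        any(not c.isalnum() for c in name),
    ])
    return len(name) >= 8 and classes >= 3


def mask(name: str) -> str:
    """Keep only the first and last character so the owner can recognise it."""
    if len(name) <= 2:
        return "*" * len(name)
    return name[0] + "*" * (len(name) - 2) + name[-1]


def scan_records(lines: Iterable[str]) -> List[Finding]:
    """Walk login-history and sshd lines and report candidate leaked credentials."""
    findings: List[Finding] = []
    for line in lines:
        line = line.rstrip("\n")
        m = SSHD_RE.search(line)
        if m:
            if looks_like_secret(m["user"]):
                # syslog timestamp is the first 15 characters ("Feb 26 15:15:02")
                findings.append(Finding("sshd", mask(m["user"]), m["src"], line[:15]))
            continue
        m = LAST_RE.match(line)
        if m and looks_like_secret(m["user"]):
            findings.append(Finding("last", mask(m["user"]), m["tty"], m["when"]))
    return findings


if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS.splitlines()):
        print(f"[{f.source}] possible password in user field: {f.masked} "
              f"({f.context}, {f.when}) -> identify the owner and force a change")
```

<p>The alert deliberately carries only a masked form of the candidate secret plus the tty or source address needed to trace it, so the detection pipeline does not become a second place where the clear-text password is stored; the scanner's "admin" guess in the sample is left alone because it has the shape of a username, not of a password.</p>
<p>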
For example, if you see a CERN login form on a <a href="https://security.web.cern.ch/recommendations/en/bad_mails.shtml">malicious phishing page</a>, the password manager will not have a saved password for that site and you will know something is wrong.</p> </div> <!-- main ends --> <!-- SIDEBAR --> <!-- sidebar menu starts --> <div id="sidebar"> <h3>For All Users<br/> (Experts or Not)</h3> <ul class="sidemenu"> <li><a href="/recommendations/en/good_practises.shtml">Seven easy good practises</a></li> <li><a href="/recommendations/en/how_to_secure_your_pc.shtml">How to secure your PC or Mac</a></li> <li><a href="/recommendations/en/passwords.shtml">Passwords &amp; toothbrushes</a></li> <li><a href="/recommendations/en/2FA.shtml">Starting with multi-factor authentication</a></li> <li><a href="/recommendations/en/bad_mails.shtml">Bad mails for you:<br/>"Phishing", "SPAM" &amp; fraud</a></li> <li><a href="/recommendations/en/malicious_email.shtml">How to identify malicious e-mails and attachments</a></li> <li><a href="/recommendations/en/how_to_remove_malicious_browser_notifications.shtml">How to remove malicious browser notifications</a></li> <li><a href="/recommendations/en/working_remotely.shtml">Working remotely</a></li> <li><a href="/recommendations/en/connecting_to_cern.shtml">Connecting to CERN</a></li> <li><a href="/recommendations/en/ssh.shtml">Connecting using SSH</a></li> </ul> <h3>For Software Developers</h3> <ul class="sidemenu"> <li>Good programming in <a href="/recommendations/en/program_c.shtml">C/C++</a>, <a href="/recommendations/en/program_java.shtml">Java</a>, <a href="/recommendations/en/program_perl.shtml">Perl</a>, <a href="/recommendations/en/program_php.shtml">PHP</a>, and <a href="/recommendations/en/program_python.shtml">Python</a></li> <li><a href="/recommendations/en/password_alternatives.shtml">How to keep secrets secret<br/> (alternatives to passwords)</a></li> <li><a href="/recommendations/en/checklist_for_coders.shtml">Security 
checklist</a></li> <li><a href="https://gitlab.docs.cern.ch/docs/Secure%20your%20application/">GitLab CI Security Tools</a></li> <li><a href="/recommendations/en/web_applications.shtml">Securing Web applications</a></li> <li><a href="/recommendations/en/code_tools.shtml">Static code analysis tools</a></li> <li><a href="/recommendations/en/more_on_software.shtml">Further reading</a></li> </ul> <h3>For System Owners</h3> <ul class="sidemenu"> <li><a href="/recommendations/en/rootkits.shtml">Checking for rootkits</a></li> <li><a href="https://twiki.cern.ch/twiki/bin/viewauth/CNIC/WebHome">Securing Control Systems (CNIC)</a></li> <li><a href="/recommendations/en/containers.shtml">Securing Containers & Pods</a></li> <li><a href="/rules/en/baselines.shtml">Security baselines</a></li> <li><a href="http://linux.web.cern.ch/linux/docs/linux_exploit_faq.shtml"> The CERN Linux vulnerability FAQ</a></li> </ul> </div> <!-- sidebar menu ends --> <!-- content-wrap ends--> </div> <!-- footer starts --> <div id="footer-wrap"> <div id="footer-bottom"> © Copyright 2024<strong> <a href="https://cern.ch/security">CERN Computer Security Office</a></strong> <table> <tr> <td id="footer-info-left"> e-mail: <a href="mailto:Computer.Security@cern.ch">Computer.Security@cern.ch</a><br/> Please use the following PGP key to encrypt your messages:<br/> ID: 0x954CE234B4C6ED84<br/> <a href="https://keys.openpgp.org/vks/v1/by-fingerprint/429D60460EBE8006B04CDF02954CE234B4C6ED84">429D 6046 0EBE 8006 B04C DF02 954C E234 B4C6 ED84</a> </td> <td id="footer-info-right"> Phone: +41 22 767 0500<br/> Please listen to the recorded instructions. </td> </tr> </table> </div> </div> <!-- footer ends--> </div> <!-- wrap ends here --> <!--img height=30px src="/home/en/CERNfooter_800.png"--> </body> </html>