1000 passwords exposed, what about yours?

In the last three issues of the Bulletin, we have stressed the importance of the secrecy of your password. Remember: Your password should be treated like a toothbrush: do not share it, and change it regularly! And this is not only valid for your CERN password, but also for any other password you use to log into your university or laboratory, Facebook or Twitter portals, or other web sites.


Unfortunately, recent security checks have revealed a huge area for improvement here. Within a period of only one week, more than 1000 different passwords passed through the CERN outer perimeter firewall in clear text. “Clear text” means that the password was readable to any adversary able to intercept the communication.

Make sure your web connection is secure! This can easily be checked in the address bar of your web browser. If the address starts with “HTTPS”, everything is fine. If it is only “HTTP” (without “S”), your password is at risk and can be easily sniffed out by an adversary.

Protect yourself! Never type your password into an “HTTP”-only page unless that password is completely unimportant to you and not used anywhere else. If you have done this, change the password as soon as you can. If you know the owners of those web sites - e.g. the local security team - contact them and inform them of this flaw. They will be happy to make the necessary improvements. Finally, check out our passwords recommendations here.

If you have questions, suggestions or comments, please contact Computer.Security@cern.ch or visit us at http://cern.ch/security.


by Computer Security Team