Computer Security: Your privacy at CERN matters
Congrats to all those who spotted that our last contribution to the CERN Bulletin (“CERN Secure Password Competition” – see here) was an April Fools’ Day hoax. Of course, there is no review and no jury and there won’t be any competition. Consequently, we are sorry to say that we cannot announce any winners. The extension of the password history rule and the initiative of finding password duplicates are absolute nonsense too.
In fact, the Computer Security team, just like the CERN Account Management service, the Single Sign-On team and the ServiceDesk, does not know and has no need to know your password. Passwords are actually salted and hashed using the SHA256 cryptographic hash function. Thus, there is no literal password database and no way that anyone apart from you can know your password – unless you have given it away intentionally or inadvertently…
Remember, your password is yours and only yours, so please do not share it with anyone. Also, beware of “phishing” emails trying to convince you to hand over your password. Nobody legitimate will ever ask you for your password: neither us, nor the ServiceDesk, nor your supervisor. Not Facebook, Google, Amazon, your bank, any other Internet service. Never type your CERN password into webpages that do not look like the CERN single sign-on portal (we do our best to have all authentication done there!). Check that the webpage’s address starts with “https://” and is part of the “cern.ch” domain (the authentication portal is accessible via https://login.cern.ch).
In the event that we do need to access your account, mailbox or private data repositories like the “My Documents” folder on DFS (distributed file system) or the “~/private” folder on AFS (Andrew file system), strict procedures apply. For example, if your summer student is on a prolonged holiday in the Amazon, not reachable by phone or e-mail, and you as the supervisor need that one document stored in the student’s private mailbox, the procedure for getting that document is governed by CERN’s policy on “Third party access to users' accounts and data”. Be prepared to provide exact information. The Computer Security Officer will consider and, if appropriate, approve your request to access the document. Of course, in the interests of full transparency, the initial document owner will be notified, so he or she can object in retrospect. If you need full, unlimited access, however, this would require the additional written consent of the Director-General and would also involve the CERN Legal Service and the IT department head.
For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report.
Access the entire collection of Computer Security articles here.
by Stefan Lueders, Computer Security Team