Computer Security: oops, there it goes...

Do you love riddles, hide and seek or picture puzzles à la “Where’s Wally”? Then take a look at the photo below, and try to spot the error.


It is hard to spot: the yellow sticker on the computer screen shows a password providing access to the web application running on the screen. Surprising! Fortunately, this sticker was quickly removed by the corresponding system owners and the password changed. However, we can all make improvements: passwords must never be written down and definitely not on stickers attached to screens, keyboards, or desks.

Remember: your password is your “toothbrush” - a toothbrush you do not share and that you change regularly. Neither your colleagues, your supervisor, the Service Desk nor the Computer Security Team have any valid reason to ask for it. They should not and will never do so. The same is valid for any external company: UBS, Paypal, Amazon, Facebook or Google will never ask you for your password! Your password is yours and yours alone. In this particular case, the password is not a personal one, but used between collaborators to access a shared resource (the web application). Still, we should try to do better!

Wherever possible, shared accounts should not be encouraged. Avoid using them and instead use e-groups listing individual members of your team and limit access to your application or service to the people in the e-group. All CERN web-services easily allow for this through the CERN Single Sign-On portal. If your application is a commercial one and requires a shared password, put this password in an encrypted file on AFS, or use one of these password vaults: KeePass or Password Safe (but note that usage is at your own risk - neither the CERN Security Team nor the IT department support these tools). Do not write the password down in a file stored on a public or restricted webpage! If the password is hardcoded in your software, look for alternatives and take care to check whether your preferred software repository leaks that password. And, of course, do not put it on a sticker and glue it to the monitor, under or on the keyboard, or put a corresponding note in the drawer close-by.

Finally, the password on that tiny yellow sticker was “Administrator”… recall that good security requires creativity (see our Bulletin article on “Creativity@CERN”)! Use complex passwords and different passwords for different sites (“Don’t Copy/Paste Passwords!”). A good password must be private, i.e. known and used by only one person (“Don’t let Chrome expose your passwords”); secret, i.e. it must not appear in clear text in any file or program, or on a piece of paper pinned to the monitor (“Backed up and gone...”); easy to remember, so there is no need to write it down; and at least eight characters long with a mixture of at least three of the following: upper-case letters, lower-case letters, digits and symbols (see also our password hints). It must not be listed in a dictionary of any major language and it must not be guessable by any programme in a reasonable time.
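As an added illustration of the rules just listed (this is not code from the Bulletin or from the CERN Security Team), the small checker below applies the length, character-class and dictionary tests to a candidate password; the word list is a constructed stand-in for a real dictionary or breached-password list.

```python
import re

# Constructed mini-dictionary; a real deployment would load a full word list
# (e.g. a system dictionary or a breached-password list) instead.
DICTIONARY_WORDS = {"administrator", "password", "welcome", "cern", "secret"}

CHARACTER_CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def check_password(candidate: str, dictionary=DICTIONARY_WORDS) -> list:
    """Return the list of rules the candidate breaks; an empty list means it passes."""
    problems = []

    # Rule 1: at least eight characters.
    if len(candidate) < 8:
        problems.append("shorter than eight characters")

    # Rule 2: at least three of the four character classes.
    present = [name for name, rx in CHARACTER_CLASSES.items() if rx.search(candidate)]
    if len(present) < 3:
        problems.append(
            f"only {len(present)} of 4 character classes ({', '.join(present) or 'none'})"
        )

    # Rule 3: not a dictionary word. Strip case, digits and symbols first so that
    # "Administrator1!" is still recognised as the dictionary word "administrator"
    # with decoration; the sticker's "Administrator" fails this rule outright.
    core = re.sub(r"[^a-z]", "", candidate.lower())
    if core in dictionary:
        problems.append("is a dictionary word (possibly with case or padding changes)")

    return problems


if __name__ == "__main__":
    for pw in ("Administrator", "Administrator1!", "Tr0ub4dor&3"):
        verdict = check_password(pw)
        print(f"{pw!r}: {'OK' if not verdict else '; '.join(verdict)}")
```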


For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.

Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report



by Stefan Lueders, Computer Security Team