Computer Security: Don’t copy/paste passwords!

What do umbrellas, hair, wars and passwords have in common? Over time, they all get lost.


While some losses are inevitable, we can at least help you reduce the impact. Millions of passwords are stolen or lost every year, partly because inattentive users fall for “phishing” traps, in which adversaries simply ask people for their passwords, and partly because compromised web sites have had their password databases stolen.

For example, over the past few years, eBay asked its 145 million users to change their passwords, LinkedIn lost 6.5 million hashed* passwords, and the hacking of the CERN HyperNews service made 4745 password hashes public. Just recently, 860,000 usernames, e-mail addresses and hashed passwords were stolen from the MacRumors forum, and Adobe lost a record 150 million e-mail/password combinations. So far, not good. At CERN, 746 people were notified because their CERN e-mail address was found among these combinations. Indeed, it is likely that some of them used a similar password for their CERN account, as some of the exposed password hints suggest: “cern id”, “nice pw dec 2011” and “wie edh”, but also “us the year of LHC startup”.

So take up this small challenge. We are creative people! Good security practitioners use complex passwords and different passwords for different sites. A good password must be private (used and known by only one person); secret (it must not appear in clear text in any file or program, or on a piece of paper pinned to the monitor); easily remembered (so there is no need to write it down); at least 8 characters long with a mixture of at least three of the following: upper case letters, lower case letters, digits and symbols. It must not be listed in a dictionary of any major language and it cannot be guessable by any programme in a reasonable time, for instance, less than one week.

A good password is a work of art. Here are some hints to help you choose good passwords:

• Choose a line or two from a song or poem, and use the first letter of each word. For example, "In Xanadu did Kubla Kahn a stately pleasure dome decree!" becomes "IXdKKaspdd!". Mathematical formulas would also do: “a**2+sqr(b)==c^2”.
• Use a long passphrase like the sentence "InXanaduDidKublaKahnAStatelyPleasureDomeDecree!" itself.
• Alternate between one consonant and one or two vowels with mixed upper/lower case. This provides nonsense words that are usually pronounceable, and thus easily remembered. For example: "Weze-Xupe" or "DediNida3".
• Choose two short words (or a big one that you split) and join them together with one or more punctuation marks. For example: "dogs+F18" or "comP!!UTer".

Remember that your password is your “toothbrush” - a toothbrush you do not share and which you change regularly. Neither your colleagues, your supervisor, the ServiceDesk nor the Computer Security Team have any valid reason to ask for it. They should not, and will never, do so. The same applies to any external company: UBS, Paypal, Amazon, Facebook or Google will never ask you for your password! Your password is yours and yours alone.

If you still struggle to recall all your passwords, use one of these fine password vaults: KeePass or Password Safe (but note that usage is at your own risk - neither the CERN Security Team nor the IT department support these tools). However, refrain from using the password cache offered by your browser, e.g. Chrome, Firefox, or Internet Explorer, as passwords are not always stored in a secure manner (more on this in our Bulletin article “Don’t let Chrome expose your passwords”). In particular, if you lose your device, you might also give away access to your favourite web sites! Another good reason to re-type your password, especially on smart phones, is that a hardcoded password might end up in your device’s back-up - stored somewhere in the cloud ("Backed up and gone...").

Check out our website for further information, answers to your questions and help, or e-mail Computer.Security@cern.ch.

If you want to learn more about computer security incidents and issues at CERN, just follow our Monthly Report.
*“Hashes” are the results of mathematical one-way functions like MD5 or SHA. Calculating the “hash” of a password is easy, but the inverse is supposed to be difficult. When you log in, the hash value is calculated from your password and compared to what is stored by the web service you intend to use. However, if an attacker gets hold of this list of hashes, they can use so-called “rainbow tables”, i.e. pre-calculated hashes for a wide variety of passwords produced from common dictionaries, and hope that one of those pre-calculated hashes matches an entry in the stolen list. As a countermeasure, random data is now added to each password before hashing as “salt”, so that the size of a rainbow table grows exponentially.
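As an added illustration of the footnote (example code, not part of the original article or of any CERN service), the following Python compares an unsalted hash, which a small precomputed lookup table reverses instantly, with a salted and deliberately slow hash (PBKDF2 from the standard library, standing in for the “salt” the footnote describes), which the same table cannot reverse. The list of common passwords is constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample of common passwords an attacker might precompute.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "cern2011"]


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: same input always gives the same hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidates) -> dict:
    """Precomputed hash -> password table, the idea behind a rainbow table."""
    return {unsalted_hash(p): p for p in candidates}


def lookup(stolen_hash: str, table: dict):
    """Reverse a stolen hash by table lookup; None if it is not in the table."""
    return table.get(stolen_hash)


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Salted and slow: PBKDF2-HMAC-SHA256 over password + per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def verify_salted(password: str, salt: bytes, stored: str) -> bool:
    """Login check: recompute with the stored salt, constant-time compare."""
    return hmac.compare_digest(salted_hash(password, salt), stored)


def demo() -> tuple:
    table = build_lookup_table(COMMON_PASSWORDS)
    # Unsalted: a stolen hash of a common password is recovered instantly.
    recovered = lookup(unsalted_hash("letmein"), table)
    # Salted: two users with the same password get different random salts,
    # hence different hashes, and neither appears in the precomputed table.
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    h_a, h_b = salted_hash("letmein", salt_a), salted_hash("letmein", salt_b)
    return (recovered, h_a != h_b, lookup(h_a, table) is None,
            verify_salted("letmein", salt_a, h_a))


if __name__ == "__main__":
    print(demo())  # ('letmein', True, True, True)
```

Because the salt is random per user, an attacker would need a separate table for every possible salt value, which is why the footnote says the table size grows exponentially.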

by Computer Security Team