Computer Security: CERN Secure Password Competition
It’s time for a spring clean at the CERN Single Sign-On portal. We will take this opportunity to review all 20,000+ passwords used with CERN primary, secondary and service accounts. This campaign has three purposes: to identify password duplicates, to extend the password history rule to all CERN accounts, and to reward the “best” passwords used at CERN.
The first aim, identifying password duplicates, involves finding different accounts using the same or similar passwords. As of 1 April, we will prevent the use of a password if it is already in use by someone else. We will notify the affected users well in advance and also provide them with the email addresses of peers using the same or similar passwords - this Facebook-like feature will allow users to form interest groups and share experiences of their password (usage).
In parallel, we will extend the password history rule to all CERN accounts. This history currently prevents you from reusing any passwords that you’ve used before. As of 1 April, this will be extended to include the previous passwords of all users: once a password has been used by one of the 20,000+ CERN accounts, it can never be used again…
Finally, we have formed a joint jury of colleagues from the HR and IT departments who will reward the best passwords used at CERN: the most secure and most complex, the longest, the most creative or prosaic, the funniest and the most inspiring. The basis will be the CERN password database. The winning passwords and the names of their account owners will be published in the next issue of the CERN Bulletin. If you want to make sure that your password is among those, just tell us your account name (please do NOT send us your password, as your password is yours and only yours).
Here are some hints to help you choose good, secure passwords (the examples below are illustrations only; a password that has been printed in the Bulletin is, by definition, no longer a good one):
- Choose a line or two from your favorite song or poem, and use the first letter of each word. For example, "In Xanadu did Kubla Khan a stately pleasure dome decree!" becomes "IXdKKaspdd!". Mathematical formulas would also do: “a**2+sqr(b)==c^2”.
- Use a long passphrase like the sentence "InXanaduDidKublaKhanAStatelyPleasureDomeDecree!" itself.
- Alternate between one consonant and one or two vowels with mixed upper/lower case. This provides nonsense words that are usually pronounceable, and thus easily remembered. For example: "Weze-Xupe" or "DediNida3".
- Choose two short words (or a big one that you split) and join them together with one or more punctuation marks. For example: "dogs+F18" or "comP!!UTer".
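As an added example that is not part of the original article, the following Python puts the first, third and fourth recipes above into code. The function names and the punctuation set are my own choices, and the Coleridge line is the sample input from the hints. The nonsense words are drawn with the `secrets` module rather than `random`, so the choices come from the operating system's cryptographic generator instead of a predictable seed.

```python
import re
import secrets
import string

# Example helpers written for this article (not CERN's code). The consonant and
# vowel sets and the punctuation alphabet are assumptions, not a CERN policy.
CONSONANTS = "bcdfghjklmnpqrstvwxz"
VOWELS = "aeiou"
_SYLLABLE = "[%s][%s]{1,2}" % (CONSONANTS, VOWELS)
_PRONOUNCEABLE = re.compile(
    r"(?i)(?:%s)+(?:-(?:%s)+)*\d*$" % (_SYLLABLE, _SYLLABLE)
)


def acronym_password(line: str) -> str:
    """Recipe 1: first letter of every word, keeping punctuation glued to a word.

    "In Xanadu did Kubla Khan a stately pleasure dome decree!" -> "IXdKKaspdd!"
    """
    out = []
    for word in line.split():
        out.append(word[0])
        # keep trailing punctuation such as the "!" of "decree!"
        trailing = re.search(r"[^\w]+$", word)
        if trailing:
            out.append(trailing.group(0))
    return "".join(out)


def pronounceable_password(words: int = 2, syllables_per_word: int = 2,
                           separator: str = "", digits: int = 0) -> str:
    """Recipe 3: consonant + one or two vowels per syllable, each word capitalised.

    With separator="-" the result looks like "Weze-Xupe"; with digits=1 like "DediNida3".
    """
    parts = []
    for _ in range(words):
        syllables = []
        for _ in range(syllables_per_word):
            vowel_count = secrets.choice((1, 2))
            syllables.append(secrets.choice(CONSONANTS)
                             + "".join(secrets.choice(VOWELS) for _ in range(vowel_count)))
        word = "".join(syllables)
        parts.append(word[0].upper() + word[1:])
    password = separator.join(parts)
    password += "".join(secrets.choice(string.digits) for _ in range(digits))
    return password


def looks_pronounceable(password: str) -> bool:
    """True if the string follows the consonant/vowel pattern of recipe 3
    (optionally hyphen-separated, optionally ending in digits)."""
    return _PRONOUNCEABLE.match(password) is not None


def joined_words_password(first: str, second: str, punctuation: str = "+!#%&*?") -> str:
    """Recipe 4: glue two short words together with one or two random punctuation marks,
    e.g. "dogs" and "F18" -> "dogs+F18" or "dogs#!F18"."""
    marks = 1 + secrets.randbelow(2)
    glue = "".join(secrets.choice(punctuation) for _ in range(marks))
    return first + glue + second


if __name__ == "__main__":
    print(acronym_password("In Xanadu did Kubla Khan a stately pleasure dome decree!"))
    print(pronounceable_password(separator="-"))
    print(pronounceable_password(digits=1))
    print(joined_words_password("dogs", "F18"))
```

The acronym function is deterministic, which is the point of recipe 1: you do not store the password, you remember the line and regenerate it. The other two are random, so write down nothing and simply run them again if you dislike the result; do not loop until a "nicer" word appears, as hand-picking the output reduces its randomness.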
Remember that your password is like your toothbrush - you do not share it and you change it regularly. Neither your colleagues, your supervisor, the Service Desk nor the Computer Security team have any valid reason to ask for it. They should not and will never do so. The same is valid for any external company: UBS, Paypal, Amazon, Facebook or Google will never ask you for your password! Your password is yours and yours alone.
For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report.
Access the entire collection of Computer Security articles here.
by Stefan Lueders, Computer Security Team