Computer Security: pimp up your password
In the past, we have repeatedly stated the importance of a well-chosen, complex and unique password, for your account at CERN (see the article “Oops, there it goes…”), but also for your accounts on Facebook, Amazon and all other sites (see the article “The value of your password”). While this is all still valid, it might not be enough anymore…
Of course, making your password complex (with letters, symbols, numbers, using mathematical formulas, song titles or poems; see our recommendations) is still a must. It is still a necessity to avoid using the same password for several sites and essential not to share the password with anyone else (“your password is your toothbrush - you don’t share it and you change it regularly”). But this is not always sufficient. Passwords can be cracked not only through guessing or brute-force dictionary attacks (hence the requirement for a complex password not to be found in any dictionary) but also just by sniffing. An attacker can sniff out a simple password as easily as a complex one just by installing some keyboard logging software on your computer. “Stop, think, don’t click” is the only way to protect ourselves from such attacks and their consequences: do not click on suspicious links, only click if you trust their source. Unfortunately, as our latest clicking campaign has shown (“One click and BOOM…”), far too many of us are still clicking on malicious links, so putting such a keylogger in place would be easier than we would like for an attacker in our environment. The campaign showed that an attacker could easily have taken control of 10 to 20% of all Windows computers at CERN and could have sniffed out a large number of CERN passwords…
The consequences? Severe, if you manage computing services, operate accelerators or experiments, or handle CERN’s finances! Once they own your password and the attached rights, the attackers would just sit and listen. They would take the time to understand how you work. They would observe when and how you access your resources and services. They would gather information. And when the time came, they would be in a position to impersonate you and strike hard: they could try to bring down your computing service, manipulate your accelerators or experiment, or steal money – to your dismay and to the harm of the Organization.
The silver bullet? Pimping up your password (i.e. something you know)! Then enhancing it by using an additional second token - namely something you have: a piece of hardware like your smartphone, your CERN access card, or a dedicated USB stick. Banks very often ask their customers to use a small card reader to authenticate themselves. In technical jargon, this is called multifactor authentication, and in collaboration with the IT department, the BE department and the FAP/AIS group, we are looking into how to use such authentication methods to better protect access to computing services, financial systems and the accelerator network and its control systems. Of course, this will cause some inconvenience, but we will strive to make it as seamless and simple as possible. A little bit more time at login for much more security while working – is that a fair trade-off? For more details, check out this dedicated webpage or contact us at Computer.Security@cern.ch.
Think also of the value of your passwords at home: those you use for Facebook, Twitter, Google and Amazon, for example. What havoc could attackers create in your private life if they knew your passwords? They could enter your private sphere, post in your name, spend your money, etc. For reasons similar to the ones that drove CERN to turn to multifactor authentication, Google, Facebook and others allow you to opt in to such authentication too. We strongly recommend that you benefit from this, for your own protection.
For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report.
Access the entire collection of Computer Security articles here.
by Stefan Lueders, Computer Security Team