Line: 1 to 1 | ||||||||
---|---|---|---|---|---|---|---|---|
Nevis Security Issues | ||||||||
Line: 12 to 12 | ||||||||
As research scientists, we normally don't like to think about system security. We don't do anything "secret" at Nevis; in fact, part of our job is to share our results with the public. However, although we are not as prominent a target as a bank or a government office, break-in attempts do occur. Not an hour passes at Nevis that one of our systems isn't probed, with access attempts made against current accounts. | ||||||||
Changed: | ||||||||
< < | What follows are some tips on creating a password. These tips were great... in 2008. Since then the skills and technical resources available to password crackers have increased exponentially. For a truly scary article on the effectiveness of the modern password cracker, see Anatomy of a Hack![]() ![]() | |||||||
> > | What follows are some tips on creating a password. These tips were great... in 2008. Since then the skills and technical resources available to password crackers have increased exponentially. For a truly scary article on the effectiveness of the modern password cracker, see Anatomy of a Hack![]() ![]() | |||||||
Creating a password |
Line: 1 to 1 | ||||||||
---|---|---|---|---|---|---|---|---|
Nevis Security Issues | ||||||||
Line: 12 to 12 | ||||||||
As research scientists, we normally don't like to think about system security. We don't do anything "secret" at Nevis; in fact, part of our job is to share our results with the public. However, although we are not as prominent a target as a bank or a government office, break-in attempts do occur. Not an hour passes at Nevis that one of our systems isn't probed, with access attempts made against current accounts. | ||||||||
Changed: | ||||||||
< < | What follows are some tips on creating a password These tips were great... in 2008. Unfortunately for system security, the skills and technical resources available to password crackers has increased exponentially. For a truly scary article on the effectiveness of the modern password cracker, see Anatomy of a Hack![]() ![]() | |||||||
> > | What follows are some tips on creating a password. These tips were great... in 2008. Since then the skills and technical resources available to password crackers have increased exponentially. For a truly scary article on the effectiveness of the modern password cracker, see Anatomy of a Hack![]() ![]() | |||||||
Creating a password | ||||||||
Changed: | ||||||||
< < | Kissell's strategy of using a password manager for your web accounts does not generally work for physicists, who must maintain login accounts on several different computers systems and must type in those passwords by hand each time. We need a way to craft passwords that we can remember, but have a reasonably high entropy to interfere with password cracking. | |||||||
> > | Kissell's strategy of using a password manager for your web accounts does not generally work for physicists, who must maintain login accounts on several different computers systems and must type in those passwords by hand each time (ssh without passwords![]() | |||||||
An excellent way to create a password is to start with a phrase that you're not likely to forget. Take the initials of the phrase, and substitute numbers or symbols for letters where appropriate. For example: | ||||||||
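Review bot: In the added line, "several different computers systems" should read "several different computer systems", and the parenthesis opened at "(ssh without passwords" is never closed in the line as shown. The removed sentence about needing passwords that can be remembered but have reasonably high entropy does not appear in the added line either. It was the lead-in to the phrase-initials method in the next paragraph, so keep it or replace it with an equivalent bridge.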
Line: 30 to 30 | ||||||||
Eight characters is short, so we can add "and party every day, by the Rolling Stones" to extend that password to 1w2r&rLn&pedbtRS to give us 16 characters. | ||||||||
Changed: | ||||||||
< < | To vary that password between sites, we can further prefix, suffix, or infix it with a string associated with each site; e.g., C3rn , b*Nl , N3^is , or in2p3 . Actually, this strategy will barely be a delay in a dedicated cracker who recognizes that you're a physicist; you may wish to use extensions that have nothing to do with the site's actual name. | |||||||
> > | To vary that password between sites, we can further prefix, suffix, or infix it with a string associated with each site; e.g., C3rn , b*Nl , N3^is , or in2p3 . Actually, this strategy will barely be a delay to a dedicated cracker who recognizes that you're a physicist; you may wish to use extensions that have nothing to do with the site's actual name. | |||||||
Another quick way to generate a password is with the apg![]() apg -M SNCL -m 16 -n 1The value of the -m option is the length of the password.
| ||||||||
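Review bot: The example site tags kept in the added line (C3rn, b*Nl, N3^is, in2p3) are all respellings of the site names, which is exactly the pattern the next sentence says will barely delay a dedicated cracker. Suggest replacing them with tags unrelated to the site, so the examples follow the advice in "you may wish to use extensions that have nothing to do with the site's actual name".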
Changed: | ||||||||
< < | There are web sites that can help you generate a nice, random password if you have trouble thinking of one. Here is one such password generator![]() ![]() | |||||||
> > | There are web sites that can help you generate a random password if you have trouble composing one. Here is one such password generator![]() ![]() ![]() | |||||||
Ineffective passwords | ||||||||
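Review bot: The added line still sends readers to web sites to generate a password, directly after the paragraph that shows apg doing the same job on the local machine, and gives no guidance on which to use. Suggest stating that the local apg command is the preferred route for login passwords and presenting the web generators as a fallback.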
Line: 44 to 44 | ||||||||
The simpler and less-inspired your password, the more likely it is that the attacker can crack it. For example, it would take less than a second for the attacker to crack my password if I were foolish enough to pick "namgiles1" as my password (my last name, spelled backwards, followed by a number). | ||||||||
Changed: | ||||||||
< < | Other sites force you to change your password every six months. That's not done at Nevis, because it's hard to resist the temptation to write the passwords down. If you pick a complex, well-chosen password that appears to be a jumble of letters and symbols, it will be harder to crack. | |||||||
> > | Other sites force you to change your password every six months. That's not done at Nevis, because it's hard to resist the temptation to write the passwords down and it provides no additional security (CUIT's standards notwithstanding). If you pick a complex, well-chosen password that appears to be a jumble of letters and symbols, it will be harder to crack. | |||||||
Never give out any password to anyone. |
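Review bot: In the added line, "and it provides no additional security" has an unclear subject: "it" reads as writing the passwords down, while the intended subject is the forced six-month change. The claim is also given without a reference, even though the parenthesis acknowledges that CUIT's standards differ. Suggest "and forced changes provide no additional security" together with a link that supports the statement.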
Line: 1 to 1 | ||||||||
---|---|---|---|---|---|---|---|---|
Nevis Security Issues | ||||||||
Line: 12 to 12 | ||||||||
As research scientists, we normally don't like to think about system security. We don't do anything "secret" at Nevis; in fact, part of our job is to share our results with the public. However, although we are not as prominent a target as a bank or a government office, break-in attempts do occur. Not an hour passes at Nevis that one of our systems isn't probed, with access attempts made against current accounts. | ||||||||
Changed: | ||||||||
< < | What follows are some tips on creating a password These tips were great... in 2008. Unfortunately for system security, the skills and technical resources available to password crackers has increased exponentially. For a truly scary article on the effectiveness of the modern password cracker, see [http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/][Anatomy of a Hack]]. For a more comprehensive password strategy, see this one-page PDF summary of the password-management strategy. described Joe Kissell's Take Control of Your Passwords![]() | |||||||
> > | What follows are some tips on creating a password These tips were great... in 2008. Unfortunately for system security, the skills and technical resources available to password crackers has increased exponentially. For a truly scary article on the effectiveness of the modern password cracker, see Anatomy of a Hack![]() ![]() | |||||||
Creating a password |
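Review bot: The added line still reads "creating a password These tips were great", which is missing the period after "password", and "the skills and technical resources available to password crackers has increased" needs "have" to agree with the plural subject.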
Line: 1 to 1 | ||||||||
---|---|---|---|---|---|---|---|---|
Nevis Security Issues | ||||||||
Line: 6 to 6 | ||||||||
Changed: | ||||||||
< < | This is a general list of security tips at Nevis. Some tips on mail security can be found here. | |||||||
> > | Some tips on mail security can be found here. | |||||||
Changed: | ||||||||
< < | As research scientists, we normally don't like to think about system security. We don't do anything "secret" at Nevis; in fact, part of our job is to share our results with the public. However, although we are not as prominate a target as a bank or a government office, break-in attempts do occur. Please do your part to keep the system free of malicious or inappropriate use by following the guidelines below. | |||||||
> > | The harsh reality | |||||||
Changed: | ||||||||
< < | Password Protection | |||||||
> > | As research scientists, we normally don't like to think about system security. We don't do anything "secret" at Nevis; in fact, part of our job is to share our results with the public. However, although we are not as prominent a target as a bank or a government office, break-in attempts do occur. Not an hour passes at Nevis that one of our systems isn't probed, with access attempts made against current accounts. | |||||||
Changed: | ||||||||
< < | Choose a password with care. | |||||||
> > | What follows are some tips on creating a password These tips were great... in 2008. Unfortunately for system security, the skills and technical resources available to password crackers has increased exponentially. For a truly scary article on the effectiveness of the modern password cracker, see [http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/][Anatomy of a Hack]]. For a more comprehensive password strategy, see this one-page PDF summary of the password-management strategy. described Joe Kissell's Take Control of Your Passwords![]() | |||||||
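Review bot: The link markup in the added line opens with a single "[" before the arstechnica.com URL but closes with "]]" after "Anatomy of a Hack", so it is displayed as raw text instead of a link; it needs "[[" at the start. The closing sentence, "the password-management strategy. described Joe Kissell's", has a stray period and is missing "in" after "described".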
Changed: | ||||||||
< < | Although the user passwords are protected from simple cracking attempts, this protection does not work if your password is easily guessed. Avoid the use of your name, the names of relatives, or any word in any language. | |||||||
> > | Creating a passwordKissell's strategy of using a password manager for your web accounts does not generally work for physicists, who must maintain login accounts on several different computers systems and must type in those passwords by hand each time. We need a way to craft passwords that we can remember, but have a reasonably high entropy to interfere with password cracking. | |||||||
An excellent way to create a password is to start with a phrase that you're not likely to forget. Take the initials of the phrase, and substitute numbers or symbols for letters where appropriate. For example: | ||||||||
Line: 26 to 28 | ||||||||
| ||||||||
Changed: | ||||||||
< < | Another quick way to generate a password is with the apg![]() | |||||||
> > | Eight characters is short, so we can add "and party every day, by the Rolling Stones" to extend that password to 1w2r&rLn&pedbtRS to give us 16 characters.
To vary that password between sites, we can further prefix, suffix, or infix it with a string associated with each site; e.g., C3rn , b*Nl , N3^is , or in2p3 . Actually, this strategy will barely be a delay in a dedicated cracker who recognizes that you're a physicist; you may wish to use extensions that have nothing to do with the site's actual name.
Another quick way to generate a password is with the apg![]() apg -M SNCL -m 16 -n 1The value of the -m option is the length of the password. | |||||||
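Review bot: "this strategy will barely be a delay in a dedicated cracker" in the added text should read "a delay to a dedicated cracker".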
Changed: | ||||||||
< < | There are web sites that can help you generate a nice, random
password if you have trouble thinking of one. Here is one such password generator![]() ![]() | |||||||
> > | There are web sites that can help you generate a nice, random password if you have trouble thinking of one. Here is one such password generator![]() ![]() | |||||||
Changed: | ||||||||
< < | Other tips | |||||||
> > | Ineffective passwords | |||||||
Any dictionary word or name, whether it's capitalized or not, will be easily guessed. Simple variations, such as spelling a word backwards or adding a number to the end, will also be guessed. | ||||||||
Changed: | ||||||||
< < | Leet speak![]() Never give out any password to anyone.If someone you trust needs to access a system at Nevis, just ask a systems administrator![]() Use scp or sftp instead of ftpftp![]() ![]() ![]() | |||||||
> > | Leet speak![]() Never give out any password to anyone.The job of the systems administrator is to keep the crackers from gaining access to files of encrypted passwords. This job is shared with you: if a cracker has access to the system, access to the encrypted password file is much easier. System crackers can "piggy-back" access into systems using various methods, and one defense is to keep outside access to a minimum. Please don't share your Nevis account with anyone else. If someone needs to access a system at Nevis for research purposes, just ask a systems administrator![]() | |||||||
Warnings | ||||||||
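Review bot: "files of encrypted passwords" and "the encrypted password file" in the added text describe what login systems store as password hashes. Suggest "hashed passwords" and "the password hash file", since the page's own argument that guessable passwords can be cracked once the file is obtained depends on that distinction.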
Deleted: | ||||||||
< < | We do occasional security scans of our own systems to look for issues
like those described above. If we spot a security hole associated with your
account, we will contact you immediately.
If there are any
questions, please contact a systems administrator![]() | |||||||
\ No newline at end of file | ||||||||
Added: | ||||||||
> > | We do occasional security scans of our own systems to look for issues like those described above. If we spot a security hole associated with your account, we will contact you immediately.
If there are any questions, please contact a systems administrator![]()
|
Line: 1 to 1 | ||||||||
---|---|---|---|---|---|---|---|---|
Nevis Security Issues | ||||||||
Line: 63 to 63 | ||||||||
of who knows the password or who signs on. It takes only seconds for a new account to be created on our systems. If a large number of people need to access data on the system, then there are many schemes for allowing unrestricted access, including | ||||||||
Changed: | ||||||||
< < | WWW![]() | |||||||
> > | WWW. Please don't give out a password as a shortcut to less | |||||||
restricted access.
Use scp or sftp instead of ftp |
Line: 1 to 1 | ||||||||
---|---|---|---|---|---|---|---|---|
Nevis Security Issues | ||||||||
Changed: | ||||||||
< < | This is a general list of security tips at Nevis. Some tips on mail security can be found here. | |||||||
> > | ||||||||
Changed: | ||||||||
< < | ||||||||
> > | This is a general list of security tips at Nevis. Some tips on mail security can be found here. | |||||||
As research scientists, we normally don't like to think about system security. We don't do anything "secret" at Nevis; in fact, part of our job is to share our results with the public. However, although we are not as prominate a target as a bank or a government office, break-in attempts do occur. Please do your part to keep the system free of malicious or inappropriate use by following the guidelines below. |
Line: 1 to 1 | ||||||||
---|---|---|---|---|---|---|---|---|
Added: | ||||||||
> > |
Nevis Security IssuesThis is a general list of security tips at Nevis. Some tips on mail security can be found here.Password ProtectionChoose a password with care.Although the user passwords are protected from simple cracking attempts, this protection does not work if your password is easily guessed. Avoid the use of your name, the names of relatives, or any word in any language. An excellent way to create a password is to start with a phrase that you're not likely to forget. Take the initials of the phrase, and substitute numbers or symbols for letters where appropriate. For example:
![]() ![]() ![]() Other tipsAny dictionary word or name, whether it's capitalized or not, will be easily guessed. Simple variations, such as spelling a word backwards or adding a number to the end, will also be guessed. Leet speak![]() Never give out any password to anyone.If someone you trust needs to access a system at Nevis, just ask a systems administrator![]() ![]() Use scp or sftp instead of ftpftp![]() ![]() ![]() WarningsWe do occasional security scans of our own systems to look for issues like those described above. If we spot a security hole associated with your account, we will contact you immediately. If there are any questions, please contact a systems administrator![]() |