Difference: Security (1 vs. 6)
Revision 62017-09-11 - WilliamSeligman
| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
Nevis Security Issues | ||||||||
| Line: 12 to 12 | ||||||||
| As research scientists, we normally don't like to think about system security. We don't do anything "secret" at Nevis; in fact, part of our job is to share our results with the public. However, although we are not as prominent a target as a bank or a government office, break-in attempts do occur. Not an hour passes at Nevis that one of our systems isn't probed, with access attempts made against current accounts. | ||||||||
| Changed: | ||||||||
| < < | What follows are some tips on creating a password These tips were great... in 2008. Unfortunately for system security, the skills and technical resources available to password crackers has increased exponentially. For a truly scary article on the effectiveness of the modern password cracker, see Anatomy of a Hack . For a more comprehensive password strategy, see this one-page PDF summary of the password-management strategy. described Joe Kissell's Take Control of Your Passwords. | |||||||
| > > | What follows are some tips on creating a password. These tips were great... in 2008. Since then the skills and technical resources available to password crackers have increased exponentially. For a truly scary article on the effectiveness of the modern password cracker, see Anatomy of a Hack. For a more comprehensive password strategy, see this one-page PDF summary of the password-management strategy. described Joe Kissell's Take Control of Your Passwords. | |||||||
Creating a password | ||||||||
| Changed: | ||||||||
| < < | Kissell's strategy of using a password manager for your web accounts does not generally work for physicists, who must maintain login accounts on several different computers systems and must type in those passwords by hand each time. We need a way to craft passwords that we can remember, but have a reasonably high entropy to interfere with password cracking. | |||||||
| > > | Kissell's strategy of using a password manager for your web accounts does not generally work for physicists, who must maintain login accounts on several different computers systems and must type in those passwords by hand each time (ssh without passwords can help). We need a way to craft passwords that we can remember, but have a reasonably high entropy to interfere with password cracking. | |||||||
| An excellent way to create a password is to start with a phrase that you're not likely to forget. Take the initials of the phrase, and substitute numbers or symbols for letters where appropriate. For example: | ||||||||
| Line: 30 to 30 | ||||||||
Eight characters is short, so we can add "and party every day, by the Rolling Stones" to extend that password to 1w2r&rLn&pedbtRS to give us 16 characters. | ||||||||
| Changed: | ||||||||
| < < | To vary that password between sites, we can further prefix, suffix, or infix it with a string associated with each site; e.g., C3rn, b*Nl, N3^is, or in2p3. Actually, this strategy will barely be a delay in a dedicated cracker who recognizes that you're a physicist; you may wish to use extensions that have nothing to do with the site's actual name. | |||||||
| > > | To vary that password between sites, we can further prefix, suffix, or infix it with a string associated with each site; e.g., C3rn, b*Nl, N3^is, or in2p3. Actually, this strategy will barely be a delay to a dedicated cracker who recognizes that you're a physicist; you may wish to use extensions that have nothing to do with the site's actual name. | |||||||
Another quick way to generate a password is with the apg program, which generates passwords that are relatively easy to memorize, but hard to guess. A reasonable command is apg -M SNCL -m 16 -n 1The value of the -m option is the length of the password.
| ||||||||
| Changed: | ||||||||
| < < | There are web sites that can help you generate a nice, random password if you have trouble thinking of one. Here is one such password generator, and another that generates semi-pronouncable words. | |||||||
| > > | There are web sites that can help you generate a random password if you have trouble composing one. Here is one such password generator, another that generates semi-pronouncable words, and another that generates diceware words. | |||||||
Ineffective passwords | ||||||||
| Line: 44 to 44 | ||||||||
| The simpler and less-inspired your password, the more likely it is that the attacker can crack it. For example, it would take less than a second for the attacker to crack my password if I were foolish enough to pick "namgiles1" as my password (my last name, spelled backwards, followed by a number). | ||||||||
| Changed: | ||||||||
| < < | Other sites force you to change your password every six months. That's not done at Nevis, because it's hard to resist the temptation to write the passwords down. If you pick a complex, well-chosen password that appears to be a jumble of letters and symbols, it will be harder to crack. | |||||||
| > > | Other sites force you to change your password every six months. That's not done at Nevis, because it's hard to resist the temptation to write the passwords down and it provides no additional security (CUIT's standards notwithstanding). If you pick a complex, well-chosen password that appears to be a jumble of letters and symbols, it will be harder to crack. | |||||||
Never give out any password to anyone. | ||||||||
Revision 52013-07-15 - WilliamSeligman
| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
Nevis Security Issues | ||||||||
| Line: 12 to 12 | ||||||||
| As research scientists, we normally don't like to think about system security. We don't do anything "secret" at Nevis; in fact, part of our job is to share our results with the public. However, although we are not as prominent a target as a bank or a government office, break-in attempts do occur. Not an hour passes at Nevis that one of our systems isn't probed, with access attempts made against current accounts. | ||||||||
| Changed: | ||||||||
| < < | What follows are some tips on creating a password These tips were great... in 2008. Unfortunately for system security, the skills and technical resources available to password crackers has increased exponentially. For a truly scary article on the effectiveness of the modern password cracker, see [http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/][Anatomy of a Hack]]. For a more comprehensive password strategy, see this one-page PDF summary of the password-management strategy. described Joe Kissell's Take Control of Your Passwords. | |||||||
| > > | What follows are some tips on creating a password These tips were great... in 2008. Unfortunately for system security, the skills and technical resources available to password crackers has increased exponentially. For a truly scary article on the effectiveness of the modern password cracker, see Anatomy of a Hack. For a more comprehensive password strategy, see this one-page PDF summary of the password-management strategy. described Joe Kissell's Take Control of Your Passwords. | |||||||
Creating a password | ||||||||
Revision 42013-07-03 - WilliamSeligman
| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
Nevis Security Issues | ||||||||
| Line: 6 to 6 | ||||||||
| Changed: | ||||||||
| < < | This is a general list of security tips at Nevis. Some tips on mail security can be found here. | |||||||
| > > | Some tips on mail security can be found here. | |||||||
| Changed: | ||||||||
| < < | As research scientists, we normally don't like to think about system security. We don't do anything "secret" at Nevis; in fact, part of our job is to share our results with the public. However, although we are not as prominate a target as a bank or a government office, break-in attempts do occur. Please do your part to keep the system free of malicious or inappropriate use by following the guidelines below. | |||||||
| > > | The harsh reality | |||||||
| Changed: | ||||||||
| < < | Password Protection | |||||||
| > > | As research scientists, we normally don't like to think about system security. We don't do anything "secret" at Nevis; in fact, part of our job is to share our results with the public. However, although we are not as prominent a target as a bank or a government office, break-in attempts do occur. Not an hour passes at Nevis that one of our systems isn't probed, with access attempts made against current accounts. | |||||||
| Changed: | ||||||||
| < < | Choose a password with care. | |||||||
| > > | What follows are some tips on creating a password These tips were great... in 2008. Unfortunately for system security, the skills and technical resources available to password crackers has increased exponentially. For a truly scary article on the effectiveness of the modern password cracker, see [http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/][Anatomy of a Hack]]. For a more comprehensive password strategy, see this one-page PDF summary of the password-management strategy. described Joe Kissell's Take Control of Your Passwords. | |||||||
| Changed: | ||||||||
| < < | Although the user passwords are protected from simple cracking attempts, this protection does not work if your password is easily guessed. Avoid the use of your name, the names of relatives, or any word in any language. | |||||||
| > > | Creating a passwordKissell's strategy of using a password manager for your web accounts does not generally work for physicists, who must maintain login accounts on several different computers systems and must type in those passwords by hand each time. We need a way to craft passwords that we can remember, but have a reasonably high entropy to interfere with password cracking. | |||||||
| An excellent way to create a password is to start with a phrase that you're not likely to forget. Take the initials of the phrase, and substitute numbers or symbols for letters where appropriate. For example: | ||||||||
| Line: 26 to 28 | ||||||||
| ||||||||
| Changed: | ||||||||
| < < | Another quick way to generate a password is with the apg program, which generates passwords that are relatively easy to memorize, but hard to guess. | |||||||
| > > | Eight characters is short, so we can add "and party every day, by the Rolling Stones" to extend that password to 1w2r&rLn&pedbtRS to give us 16 characters.
To vary that password between sites, we can further prefix, suffix, or infix it with a string associated with each site; e.g., C3rn, b*Nl, N3^is, or in2p3. Actually, this strategy will barely be a delay in a dedicated cracker who recognizes that you're a physicist; you may wish to use extensions that have nothing to do with the site's actual name.
Another quick way to generate a password is with the apg program, which generates passwords that are relatively easy to memorize, but hard to guess. A reasonable command is apg -M SNCL -m 16 -n 1The value of the -m option is the length of the password. | |||||||
| Changed: | ||||||||
| < < | There are web sites that can help you generate a nice, random
password if you have trouble thinking of one. Here is one such password generator, and
another that generates semi-pronouncable words. | |||||||
| > > | There are web sites that can help you generate a nice, random password if you have trouble thinking of one. Here is one such password generator, and another that generates semi-pronouncable words. | |||||||
| Changed: | ||||||||
| < < | Other tips | |||||||
| > > | Ineffective passwords | |||||||
| Any dictionary word or name, whether it's capitalized or not, will be easily guessed. Simple variations, such as spelling a word backwards or adding a number to the end, will also be guessed. | ||||||||
| Changed: | ||||||||
| < < | Leet speak (if you
know what that is) will not prevent a cracker from recognizing a
dictionary word. The crackers speak 'leet too.
The more complex the password, the better. The simpler and
less-inspired your password, the more likely it is that the
attacker can crack it. For example, it would take less than a
second for the attacker to crack my password if I were foolish
enough to pick "namgiles1" as my password (my last name, spelled
backwards, followed by a number).
Other sites force you to change your password every six months.
That's not done at Nevis, because it's hard to resist the
temptation to write the passwords down. If you pick a complex,
well-chosen password that appears to be a jumble of letters and
symbols, it will be almost impossible to crack. Please make life
harder for attackers.
Never give out any password to anyone.If someone you trust needs to access a system at Nevis, just ask a systems administrator. I will be happy to create a temporary account for them.
In general, we discourage the use of "group" or "guest" accounts, since it's impossible to keep track
of who knows the password or who signs on. It takes only seconds for a new account to be created on
our systems. If a large number of people need to access data on the system, then there are many schemes for
allowing unrestricted access, including
WWW. Please don't give out a password as a shortcut to less
restricted access.
Use scp or sftp instead of ftpftp
has a major security flaw: an account name and password may be required
to access a remote system, but the password is transmitted in clear text.
A system cracker who is monitoring network traffic may be able to intercept
your password.
If you use
sftp
or
scp
instead, your password will be encrypted before it goes over the network.
A casual system cracker will not be able to intercept it. | |||||||
| > > | Leet speak (if you know what that is) will not prevent a cracker from recognizing a dictionary word. The crackers speak 'leet too.
The simpler and less-inspired your password, the more likely it is that the attacker can crack it. For example, it would take less than a second for the attacker to crack my password if I were foolish enough to pick "namgiles1" as my password (my last name, spelled backwards, followed by a number).
Other sites force you to change your password every six months. That's not done at Nevis, because it's hard to resist the temptation to write the passwords down. If you pick a complex, well-chosen password that appears to be a jumble of letters and symbols, it will be harder to crack.
Never give out any password to anyone.The job of the systems administrator is to keep the crackers from gaining access to files of encrypted passwords. This job is shared with you: if a cracker has access to the system, access to the encrypted password file is much easier. System crackers can "piggy-back" access into systems using various methods, and one defense is to keep outside access to a minimum. Please don't share your Nevis account with anyone else. If someone needs to access a system at Nevis for research purposes, just ask a systems administrator. I will be happy to create a temporary account for them.
In general, we discourage the use of "group" or "guest" accounts, since it's impossible to keep track of who knows the password or who signs on. It takes only seconds for a new account to be created on our systems. If a large number of people need to access data on the system, then there are many schemes for allowing unrestricted access, including WWW. Please don't give out a password as a shortcut to less restricted access. | |||||||
Warnings | ||||||||
| Deleted: | ||||||||
| < < | We do occasional security scans of our own systems to look for issues
like those described above. If we spot a security hole associated with your
account, we will contact you immediately.
If there are any
questions, please contact a systems administrator. | |||||||
| \ No newline at end of file | ||||||||
| Added: | ||||||||
| > > | We do occasional security scans of our own systems to look for issues like those described above. If we spot a security hole associated with your account, we will contact you immediately.
If there are any questions, please contact a systems administrator.
| |||||||
Revision 32011-07-12 - WilliamSeligman
| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
Nevis Security Issues | ||||||||
| Line: 63 to 63 | ||||||||
| of who knows the password or who signs on. It takes only seconds for a new account to be created on our systems. If a large number of people need to access data on the system, then there are many schemes for allowing unrestricted access, including | ||||||||
| Changed: | ||||||||
| < < | WWW. Please don't give out a password as a shortcut to less | |||||||
| > > | WWW. Please don't give out a password as a shortcut to less | |||||||
restricted access.
Use scp or sftp instead of ftp | ||||||||
Revision 22010-09-28 - WilliamSeligman
| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
Nevis Security Issues | ||||||||
| Changed: | ||||||||
| < < | This is a general list of security tips at Nevis. Some tips on mail security can be found here. | |||||||
| > > | ||||||||
| Changed: | ||||||||
| < < | ||||||||
| > > | This is a general list of security tips at Nevis. Some tips on mail security can be found here. | |||||||
| As research scientists, we normally don't like to think about system security. We don't do anything "secret" at Nevis; in fact, part of our job is to share our results with the public. However, although we are not as prominate a target as a bank or a government office, break-in attempts do occur. Please do your part to keep the system free of malicious or inappropriate use by following the guidelines below. | ||||||||
Revision 12010-05-17 - WilliamSeligman
| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
| Added: | ||||||||
| > > |
Nevis Security IssuesThis is a general list of security tips at Nevis. Some tips on mail security can be found here.Password ProtectionChoose a password with care.Although the user passwords are protected from simple cracking attempts, this protection does not work if your password is easily guessed. Avoid the use of your name, the names of relatives, or any word in any language. An excellent way to create a password is to start with a phrase that you're not likely to forget. Take the initials of the phrase, and substitute numbers or symbols for letters where appropriate. For example:
program, which generates passwords that are relatively easy to memorize, but hard to guess.
There are web sites that can help you generate a nice, random
password if you have trouble thinking of one. Here is one such password generator, and
another that generates semi-pronouncable words.
Other tipsAny dictionary word or name, whether it's capitalized or not, will be easily guessed. Simple variations, such as spelling a word backwards or adding a number to the end, will also be guessed. Leet speak (if you
know what that is) will not prevent a cracker from recognizing a
dictionary word. The crackers speak 'leet too.
The more complex the password, the better. The simpler and
less-inspired your password, the more likely it is that the
attacker can crack it. For example, it would take less than a
second for the attacker to crack my password if I were foolish
enough to pick "namgiles1" as my password (my last name, spelled
backwards, followed by a number).
Other sites force you to change your password every six months.
That's not done at Nevis, because it's hard to resist the
temptation to write the passwords down. If you pick a complex,
well-chosen password that appears to be a jumble of letters and
symbols, it will be almost impossible to crack. Please make life
harder for attackers.
Never give out any password to anyone.If someone you trust needs to access a system at Nevis, just ask a systems administrator. I will be happy to create a temporary account for them.
In general, we discourage the use of "group" or "guest" accounts, since it's impossible to keep track
of who knows the password or who signs on. It takes only seconds for a new account to be created on
our systems. If a large number of people need to access data on the system, then there are many schemes for
allowing unrestricted access, including
WWW. Please don't give out a password as a shortcut to less
restricted access.
Use scp or sftp instead of ftpftp
has a major security flaw: an account name and password may be required
to access a remote system, but the password is transmitted in clear text.
A system cracker who is monitoring network traffic may be able to intercept
your password.
If you use
sftp
or
scp
instead, your password will be encrypted before it goes over the network.
A casual system cracker will not be able to intercept it.
WarningsWe do occasional security scans of our own systems to look for issues like those described above. If we spot a security hole associated with your account, we will contact you immediately. If there are any questions, please contact a systems administrator. | |||||||
View topic | History: r6 < r5 < r4 < r3 | More topic actions...
Copyright © 2008-2020 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding TWiki? Send feedback