Nevis Security Issues

Some tips on mail security can be found here.

The harsh reality

As research scientists, we normally don't like to think about system security. We don't do anything "secret" at Nevis; in fact, part of our job is to share our results with the public. However, although we are not as prominent a target as a bank or a government office, break-in attempts do occur. Not an hour passes at Nevis that one of our systems isn't probed, with access attempts made against current accounts.

What follows are some tips on creating a password. These tips were great... in 2008. Since then the skills and technical resources available to password crackers have increased exponentially. For a truly scary article on the effectiveness of the modern password cracker, see Anatomy of a Hack. For a more comprehensive password strategy, see this one-page PDF summary of the password-management strategy described in Joe Kissell's Take Control of Your Passwords.

Creating a password

Kissell's strategy of using a password manager for your web accounts does not generally work for physicists, who must maintain login accounts on several different computer systems and must type in those passwords by hand each time (ssh without passwords can help). We need a way to craft passwords that we can remember, but that have reasonably high entropy to interfere with password cracking.

An excellent way to create a password is to start with a phrase that you're not likely to forget. Take the initials of the phrase, and substitute numbers or symbols for letters where appropriate. For example:

  • Start with "I want to rock n' roll all night"
  • The initials are iwtrnran
  • Substitute "1" for "i"
  • "2" for "t" (since it stands for "to")
  • "&" for "n" (since it stands for "and")
  • "L" for "a" (since it stands for "all", which sounds like "ell")
  • ...and the result is 1w2r&rLn which is easy to re-derive, and (with a little practice) easy to type

Eight characters is short, so we can add "and party every day, by the Rolling Stones" to extend that password to 1w2r&rLn&pedbtRS to give us 16 characters.
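The derivation above is mechanical enough to script, which is a convenient way to check that a phrase you have chosen really does reduce to something with several character classes and a reasonable length. The following is an added example, not code from the Nevis page; the word-level substitution table is an assumption that encodes the page's own replacements ("I" to "1", "to" to "2", "and"/"n'" to "&", "all" to "L"), and the entropy estimate is the naive brute-force figure (length times log2 of the pool size), which overstates the strength against a cracker who guesses the derivation scheme.

```python
import math

# Word-level substitutions taken from the page's example (assumed table):
# a whole word is replaced by one character because of what it stands for.
# Lookup is case-insensitive; any word not listed contributes its initial.
WORD_SUBSTITUTIONS = {
    "i": "1",
    "to": "2",
    "and": "&",
    "n'": "&",   # "rock n' roll": n' stands for "and"
    "all": "L",  # "all" sounds like "ell"
}


def initials_password(phrase, substitutions=WORD_SUBSTITUTIONS):
    """Reduce a phrase to its initials, applying the word-level substitutions."""
    out = []
    for word in phrase.split():
        word = word.strip(".,;:!?\"()")  # drop punctuation but keep the apostrophe in n'
        if not word:
            continue
        out.append(substitutions.get(word.lower(), word[0]))
    return "".join(out)


def character_classes(password):
    """Set of character classes (lower/upper/digit/symbol) present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


# Pool sizes for the naive estimate: 26 letters per case, 10 digits,
# and the 32 printable ASCII symbols.
POOL_SIZE = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}


def brute_force_bits(password):
    """Naive entropy estimate: length * log2(size of the pool of classes used).

    This is the figure for an attacker who knows nothing about how the
    password was built; it overestimates against one who guesses the scheme.
    """
    pool = sum(POOL_SIZE[c] for c in character_classes(password))
    return len(password) * math.log2(pool)


if __name__ == "__main__":
    short = initials_password("I want to rock n' roll all night")
    long = initials_password(
        "I want to rock n' roll all night and party every day, by the Rolling Stones"
    )
    for pw in (short, long):
        print(pw, len(pw), sorted(character_classes(pw)), round(brute_force_bits(pw), 1))
```

Run as a script it prints the 8- and 16-character results from the page with their class mix and naive bit estimate; the jump from about 52 to about 105 bits is the reason the page recommends extending the phrase.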

To vary that password between sites, we can further prefix, suffix, or infix it with a string associated with each site; e.g., C3rn, b*Nl, N3^is, or in2p3. Actually, this strategy will barely be a delay to a dedicated cracker who recognizes that you're a physicist; you may wish to use extensions that have nothing to do with the site's actual name.

Another quick way to generate a password is with the apg program, which generates passwords that are relatively easy to memorize, but hard to guess. A reasonable command is

apg -M SNCL -m 16 -n 1

The value of the -m option is the length of the password.

There are web sites that can help you generate a random password if you have trouble composing one. Here is one such password generator, another that generates semi-pronounceable words, and another that generates diceware words.
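If apg is not installed on the machine in front of you, the same two kinds of password (a random string covering the character classes apg's -M SNCL letters name, and a diceware-style word list pick) can be generated locally with Python's secrets module. This is an added example, not code from the page or from apg; the class-to-letter mapping (S symbols, N numerals, C capitals, L lowercase) is assumed from the page's command, and the 16-word list is a constructed stand-in for a real diceware list, which has 6^5 = 7776 words.

```python
import math
import secrets
import string

# Character classes matching the letters of apg's -M SNCL option (assumed mapping):
# Symbols, Numerals, Capitals, Lowercase.
CLASSES = {
    "S": string.punctuation,
    "N": string.digits,
    "C": string.ascii_uppercase,
    "L": string.ascii_lowercase,
}


def random_password(length=16, modes="SNCL"):
    """Return `length` characters drawn from a CSPRNG (the secrets module),
    guaranteed to include at least one character from every class in `modes`."""
    if length < len(modes):
        raise ValueError("length must be at least the number of required classes")
    pool = "".join(CLASSES[m] for m in modes)
    # One guaranteed character per required class, then fill from the full pool.
    chars = [secrets.choice(CLASSES[m]) for m in modes]
    chars += [secrets.choice(pool) for _ in range(length - len(modes))]
    # Fisher-Yates shuffle driven by secrets.randbelow, so the guaranteed
    # characters do not always sit at the front of the password.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def has_all_classes(password, modes="SNCL"):
    """True if `password` contains at least one character of every class in `modes`."""
    return all(any(ch in CLASSES[m] for ch in password) for m in modes)


# Constructed 16-word stand-in for a diceware list; it exists only so the
# example runs offline. A real list has 7776 words, one per five-dice roll.
DEMO_WORDS = [
    "anchor", "basket", "candle", "dolphin", "ember", "falcon", "garden", "harbor",
    "island", "jigsaw", "kettle", "lantern", "meadow", "nickel", "orchid", "pepper",
]


def diceware_passphrase(n_words=6, wordlist=DEMO_WORDS):
    """Pick `n_words` uniformly at random from `wordlist`, separated by spaces."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_bits(n_words, wordlist=DEMO_WORDS):
    """Entropy of a passphrase: each word contributes log2(len(wordlist)) bits."""
    return n_words * math.log2(len(wordlist))


if __name__ == "__main__":
    print(random_password(16))
    print(diceware_passphrase(6))
    print("bits for 6 words from a real 7776-word list:", round(6 * math.log2(7776), 1))
```

The entropy of a passphrase depends on the list size and the number of words, not on how the words look; six words from a real diceware list give about 77.5 bits, which is why the page's 16-character mixed-class password and a six-word passphrase are in the same league.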

Ineffective passwords

Any dictionary word or name, whether it's capitalized or not, will be easily guessed. Simple variations, such as spelling a word backwards or adding a number to the end, will also be guessed.

Leet speak (if you know what that is) will not prevent a cracker from recognizing a dictionary word. The crackers speak 'leet too.

The simpler and less-inspired your password, the more likely it is that the attacker can crack it. For example, it would take less than a second for the attacker to crack my password if I were foolish enough to pick "namgiles1" as my password (my last name, spelled backwards, followed by a number).
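The patterns the page warns about (a dictionary word or name, spelled backwards, in leet, or with a number tacked on) are exactly what a cracker's mangling rules undo first, so an administrator can apply the same reductions in a password-quality check at account creation. The following is an added example, not code from the Nevis page; the wordlist is a small constructed stand-in (a real check would load a large dictionary plus name and leaked-password lists) and includes "seligman" only because the page uses that name in its own "namgiles1" illustration.

```python
import string

# Constructed demonstration wordlist (assumption): a real checker would load a
# large dictionary plus lists of names and leaked passwords.
DEMO_WORDLIST = {"password", "dragon", "welcome", "physics", "nevis", "seligman", "letmein"}

# Undo the common leet substitutions so "P@55w0rd" is compared as "password".
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                        "5": "s", "7": "t", "@": "a", "$": "s"})


def candidate_forms(password):
    """Forms a cracker's mangling rules recover from a password: lowercased,
    de-leeted, with leading/trailing digits and symbols stripped, and every
    one of those reversed."""
    lowered = password.lower()
    forms = {lowered, lowered.translate(UNLEET)}
    forms |= {f.strip(string.digits + string.punctuation) for f in forms}
    forms |= {f[::-1] for f in forms}
    return {f for f in forms if f}


def dictionary_match(password, wordlist=DEMO_WORDLIST):
    """Return the wordlist entry the password reduces to, or None if there is none."""
    for form in sorted(candidate_forms(password)):
        if form in wordlist:
            return form
    return None


def is_weak(password, wordlist=DEMO_WORDLIST):
    """True if any simple mangling of the password is a known word or name."""
    return dictionary_match(password, wordlist) is not None


if __name__ == "__main__":
    for candidate in ("namgiles1", "P@ssw0rd", "Dragon2024", "Scisyhp!", "1w2r&rLn&pedbtRS"):
        print(f"{candidate:18s} -> {dictionary_match(candidate)}")
```

"namgiles1" reduces to "seligman" in a single pass, which is the page's point: the reversal and the trailing digit cost the cracker nothing. The phrase-derived "1w2r&rLn&pedbtRS" reduces to nothing in the list because none of its forms is a word.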

Other sites force you to change your password every six months. That's not done at Nevis, because it's hard to resist the temptation to write the passwords down and it provides no additional security (CUIT's standards notwithstanding). If you pick a complex, well-chosen password that appears to be a jumble of letters and symbols, it will be harder to crack.

Never give out any password to anyone.

The job of the systems administrator is to keep the crackers from gaining access to files of encrypted passwords. This job is shared with you: if a cracker has access to the system, access to the encrypted password file is much easier. System crackers can "piggy-back" access into systems using various methods, and one defense is to keep outside access to a minimum. Please don't share your Nevis account with anyone else. If someone needs to access a system at Nevis for research purposes, just ask a systems administrator. I will be happy to create a temporary account for them.

In general, we discourage the use of "group" or "guest" accounts, since it's impossible to keep track of who knows the password or who signs on. It takes only seconds for a new account to be created on our systems. If a large number of people need to access data on the system, then there are many schemes for allowing unrestricted access, including WWW. Please don't give out a password as a shortcut to less restricted access.

Warnings

We do occasional security scans of our own systems to look for issues like those described above. If we spot a security hole associated with your account, we will contact you immediately.

If there are any questions, please contact a systems administrator.

Topic revision: r7 - 2020-08-27 - WilliamSeligman