Nevis Security Issues
Some tips on mail security can be found here.
The harsh reality
As research scientists, we normally don't like to think about system security. We don't do anything "secret" at Nevis; in fact, part of our job is to share our results with the public. However, although we are not as prominent a target as a bank or a government office, break-in attempts do occur. Not an hour passes at Nevis that one of our systems isn't probed, with access attempts made against current accounts.
What follows are some tips on creating a password. These tips were great... in 2008. Since then the skills and technical resources available to password crackers have increased exponentially. For a truly scary article on the effectiveness of the modern password cracker, see Anatomy of a Hack. For a more comprehensive password strategy, see this one-page PDF summary of the password-management strategy described in Joe Kissell's Take Control of Your Passwords.
Creating a password
Kissell's strategy of using a password manager for your web accounts does not generally work for physicists, who must maintain login accounts on several different computer systems and must type in those passwords by hand each time (ssh without passwords can help). We need a way to craft passwords that we can remember, but that have a reasonably high entropy to interfere with password cracking.
An excellent way to create a password is to start with a phrase that you're not likely to forget. Take the initials of the phrase, and substitute numbers or symbols for letters where appropriate. For example:
- Start with "I want to rock n' roll all night"
- The initials are iwtrnran
- Substitute "1" for "i"
- "2" for "t" (since it stands for "to")
- "&" for "n" (since it stands for "and")
- "L" for "a" (since it stands for "all", which sounds like "ell")
- ...and the result is 1w2r&rLn, which is easy to re-derive and (with a little practice) easy to type.
Eight characters is short, so we can add "and party every day, by the Rolling Stones" to extend that password to 1w2r&rLn&pedbtRS, which gives us 16 characters.
To vary that password between sites, we can further prefix, suffix, or infix it with a string associated with each site; e.g., C3rn, b*Nl, N3^is, or in2p3. Actually, this strategy will barely delay a dedicated cracker who recognizes that you're a physicist; you may wish to use extensions that have nothing to do with the site's actual name.
Another quick way to generate a password is with the apg program, which generates passwords that are relatively easy to memorize, but hard to guess. A reasonable command is
apg -M SNCL -m 16 -n 1
The value of the -m option is the length of the password.
There are web sites that can help you generate a random password if you have trouble composing one. Here is one such password generator, another that generates semi-pronounceable words, and another that generates diceware words.
Ineffective passwords
Any dictionary word or name, whether it's capitalized or not, will be easily guessed. Simple variations, such as spelling a word backwards or adding a number to the end, will also be guessed. Leet speak (if you know what that is) will not prevent a cracker from recognizing a dictionary word. The crackers speak 'leet too.
The simpler and less-inspired your password, the more likely it is that the attacker can crack it. For example, it would take less than a second for the attacker to crack my password if I were foolish enough to pick "namgiles1" as my password (my last name, spelled backwards, followed by a number).
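As an added example (not code from the Nevis page), the following Python derives a password by the initials-and-substitution method from the "Creating a password" section and then checks a candidate against the rules in this section: dictionary words and names, reversed words, a trailing number, and 'leet spelling. The word list and the substitution table are constructed for illustration; the word list includes "seligman", the reverse of the page's "namgiles" example, so that case is caught.

```python
"""Added example, not from the Nevis page: derive a password by the
initials-plus-substitution method and apply the page's weak-password
rules (dictionary words, reversed words, trailing digit, leet spelling).
The word list and substitution table are constructed for illustration."""
import re
from string import punctuation

# Constructed stand-in for a cracker's dictionary; "seligman" is the reverse
# of the page's example "namgiles" so that case is caught.
DICTIONARY = {"password", "seligman", "nevis", "physics", "rock", "dragon"}

# Per-word substitutions from the page: I->1, to->2, n'/and->&, all->L.
SUBS = {"i": "1", "to": "2", "n": "&", "and": "&", "all": "L"}

# Leet spellings a cracker undoes before a dictionary lookup (constructed set).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

def initials_password(phrase, subs=SUBS):
    """Take the first letter of each word, substituting where a word has a
    mapping; punctuation such as the apostrophe in "n'" is ignored."""
    out = []
    for word in phrase.split():
        bare = word.strip(punctuation)
        if bare:                      # skip tokens that were pure punctuation
            out.append(subs.get(bare.lower(), bare[0]))
    return "".join(out)

def weak_reasons(pw, dictionary=DICTIONARY):
    """Return the page's reasons a password is ineffective ([] if none)."""
    reasons = []
    if len(pw) < 8:
        reasons.append("shorter than eight characters")
    core = re.sub(r"\d+$", "", pw.lower())     # drop "a number at the end"
    for cand in (core, core.translate(LEET)):  # as typed, then de-leeted
        if cand in dictionary:
            reasons.append(f"dictionary word or name: {cand!r}")
            break
        if cand[::-1] in dictionary:
            reasons.append(f"reversed dictionary word or name: {cand[::-1]!r}")
            break
    return reasons

if __name__ == "__main__":
    pw = initials_password("I want to rock n' roll all night")
    print(pw, weak_reasons(pw))              # 1w2r&rLn []
    print("namgiles1", weak_reasons("namgiles1"))
```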
Other sites force you to change your password every six months. That's not done at Nevis, because it's hard to resist the temptation to write the passwords down and it provides no additional security (CUIT's standards notwithstanding). If you pick a complex, well-chosen password that appears to be a jumble of letters and symbols, it will be harder to crack.
Never give out any password to anyone.
The job of the systems administrator is to keep the crackers from gaining access to files of encrypted passwords. This job is shared with you: if a cracker has access to the system, access to the encrypted password file is much easier. System crackers can "piggy-back" access into systems using various methods, and one defense is to keep outside access to a minimum. Please don't share your Nevis account with anyone else. If someone needs to access a system at Nevis for research purposes, just ask a systems administrator. I will be happy to create a temporary account for them.
In general, we discourage the use of "group" or "guest" accounts, since it's impossible to keep track of who knows the password or who signs on. It takes only seconds for a new account to be created on our systems. If a large number of people need to access data on the system, then there are many schemes for allowing unrestricted access, including WWW. Please don't give out a password as a shortcut to less restricted access.
Warnings
We do occasional security scans of our own systems to look for issues like those described above. If we spot a security hole associated with your account, we will contact you immediately.
If there are any questions, please contact a systems administrator.