CERN Accelerating science

This website is no longer maintained. Its content may be obsolete. Please visit for current CERN information.

CERN home pageCERN home pageDocuments by ReferenceDocuments by ReferenceCNLsCNLsYear 2001Year 2001Help, Info about this page


Editorial Information
If you need help
Announcements Special 35th Anniversary Physics Computing Desktop Computing Internet Services and Network Scientific Applications and Software Engineering Desktop Publishing The Learning Zone User Documentation Just For Fun ...
Previous:Computer Security: Prevent Viruses and Worms
Next:HEPiX News
 (See printing version)

Password Recommendations at CERN

Lionel Cons , IT/PDP


The password is the most vital part of account security. This article explains why and how to choose good passwords.

Why you need good passwords

The password is the most vital part of account security. If an attacker can discover your password, he/she can use your account to attack systems in or outside CERN, as well as read, modify or delete all your files. CERN's Computing Rules require that you protect your accounts with a good password:

III.11: All accounts must have appropriate access protection, such as account codes or passwords.

III.12: The user shall take the necessary precautions to protect his personal computer or work station against unauthorized access. The user shall also protect details of his personal account, particularly by avoiding obvious passwords and shall not divulge his passwords to any third party, unless expressly authorized by his Division Leader. Upon request from the CERN Computer Security Officer or the service manager concerned, the user shall select a new password.

How to choose good passwords

A good password is:

  • private: it is used and known by one person only
  • secret: it does not appear in clear text in any file or program or on a piece of paper pinned to the terminal
  • easily remembered: so there is no need to write it down
  • not guessable by any program in a reasonable time, for instance less than one week.
  • longer than 7 characters
  • a mixture of upper/lower case, letters, digits and punctuation

Here are some hints to help you choose good passwords:

  • Choose a line or two from a song or poem, and use the first letter of each word. For example, `In Xanadu did Kubla Kahn a stately pleasure dome decree' becomes `IXdKKaspdd'.
  • Alternate between one consonant and one or two vowels with mixed upper/lower case. This provides nonsense words that are usually pronounceable, and thus easily remembered. For example: `roUtboo' or `quADpop'.
  • Choose two short words (or a big one that you split) and concatenate them together with one or more punctuation characters between them For example: `dog+F18' or `comP!!UTer'.

Attackers and programs that can try to break in to your account know a large number of "frequently used" passwords. Here are some guidelines to avoid guessable passwords:

  • don't use your login name in any form (as-is, reversed, capitalised, doubled, with a prefix, with a suffix...).
  • don't use in any form your first or last name and, more generally, any information easily obtained about you. This includes car license plate numbers, telephone numbers, insurance numbers, the brand of your car, the name of the street you live on, the name of your spouse or of your children...
  • don't use a word contained in any dictionary of any language, spelling lists, or other lists of words (acronyms, sequences of letters like 'abcdef' or 'qwerty', place names, car names, cartoon heroes...).

Why you must change passwords

Even if you choose a good password, it can still be discovered: someone may see you typing it or capture it by snooping on the computer or network. If you accidentally type your password in place your login name, it may appear in system log files:

   joe      ttyp9        Wed Apr 28 09:37 
    XSecret! pty/ttys0    Fri Feb 26 15:15 - 15:16  (00:00) 
    fred     pty/ttys0    Fri Feb 26 15:16 - 14:27 (87+22:11) 

For all these reasons you must change your passwords from time to time. We recommend that you change your passwords whenever you return from a trip that could have exposed them and with a minimum frequency of twice a year.


For more information, you can consult:

About the author(s): Lionel Cons is a member of the CERN security team (

For matters related to this article please contact the author.

Vol. XXXVI, issue no 3

Last Updated on Fri Dec 07 14:18:28 CET 2001.
Copyright © CERN 2001 -- European Organization for Nuclear Research