Password Security on VM

We have recently had an incident on one of our VM systems where a user's account was compromised and the intruder formatted his mini-disk. In this case the user had a rather easy-to-guess password.

A recent survey of passwords indicated that several VM users have "easy-to-guess" passwords.

In an effort to increase the security of VM users' accounts, we will soon be introducing rules aimed at encouraging users to select passwords that are more difficult to guess. In addition, regular checks will be made to ensure that an "easy" password has not been selected.

Previous CNL articles (CNL212, 210 and 197) have given hints for users on choosing a "good" password. Please bear these in mind when choosing your own.

The new rules will be that passwords must be at least six characters long and that they must contain at least one alphabetic character and at least one digit. These rules will be applied when a user changes his password and the user will be informed immediately if the new proposed password does not comply.

The proposed implementation will proceed as follows.

  1. The new rules to be applied will be implemented. Users will be informed of this through VM NEWS.
  2. All VM accounts will be checked for "easy" passwords. On accounts with "guessed" passwords we will do the following:
    1. If the account has not been used in the last six months then the account will be blocked.

    2. Otherwise the password of the account will be "expired" and on the next login the user will be asked to select a new password.

If, during one of the regular checks, a password is guessed, then the user will be informed by E-mail and the procedure as outlined above will be followed. Should the user encounter problems in choosing a good password please contact the User Consultancy Office (

We count on your understanding that security is in everyone's interest.

