Miguel Marquina, CERN/IT
This is probably a good idea to write down that information, and possibly to repeat it in a regular way, as I am not sure that many of our readers know that it is, in fact, possible and quite easy.
The basic recipe is to use the "Search & View" facility for "IT services, documentation and more", which is replacing the old but powerful "XFIND" utility on the now defunct CERNVM. It is accessible on the Web, using any kind of Web browser, at URL:
The "search" is quicker, and the number of answers less considerable, if you restrict it to a given category (by pressing the corresponding button, just below the input text area where you must enter the keyword(s) to be searched). One pre-defined "category" is precisely "CNLs": by selecting it, and giving one (or several) keyword(s) related to the information you are looking for, you will get very quickly a list of past CNLs that contained article(s) on that subject.
Trying, for instance, the two keywords "mail forward", you will get:
Xfind search result for MAIL FORWARD : CERN computer News Letters (CNL)
No. 226 January -- March 1997: Special Chapter: Mail Issues; The End of AFSmail
No. 225 October -- December 1996: Questions and Answers from the UCO
No. 224 July -- September 1996: General: Using MAIL on the VXCERN Cluster
No. 222 January - March 1996: Mail Issues: Roadmap to MAIL Services; How to Migrate your Mail out of CERNVM; AFSmail and the MailServer; Mailforwarding -- Make Sure You Do Not ``Lose'' Mail
N.B. By adding more keywords you will get a more precise search.
Nicole Cremel (CNL editor).
Jim Linnemann / MSU
Dear Mr. Linnemann,
You sent your e-mail to the CNL editor but it is not clear to which article you are referring and in which CNL issue. The "reference" information regarding "password rules" is part of the "CERN Security Handbook" that I wrote and you can find at URL:
What we try to do regarding passwords is to enforce some rules (like minimum length) in order to raise the quality of the passwords and therefore increase the security of CERN computers. The rules are just the ones that most cracking programs (to guess passwords) will try. If these rules may seem quite complex, it does not mean that a good password is not easy to remember. We try to give some hints, in the "CERN Security Handbook", to help you find a good password. A quick recipe is, for instance, to take two short words (only 8 characters are meaningful on UNIX) that are easy to remember for you, to combine them with a special character (e.g. -, +, /), and to mix upper and lower cases.
Of course, if we get too strict, the passwords will become hard to remember and users will write them down. This is, of course, not what we want. I believe that the current rules (allowing passwords like "mineISgood" or "very/easy") still give a vast choice for users. Maybe we should explain this more and teach our users how to simply find a good but easy-to-remember password.
On the question of the different accounts, one section of my guide ends with:
"So, in our opinion, the best thing is to have different passwords for all your accounts with no obvious similarities. If you can't (for instance because you have too many accounts), it's acceptable to have the same password if it's a really good one and if you change it often (for instance once per month)."
I still think that this is not too bad.
Feel free to contact me to discuss more about this topic.
Thanks for your comments,
Lionel Cons, IT/DIS
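The recipe in the reply above (minimum length, two short words joined by a special character, mixed case, and the UNIX limit of 8 meaningful characters) written out as a small quality check; this is an added example, not CERN's code nor part of the "CERN Security Handbook". The minimum length of 8 and the rule that a password must either mix case or contain a special character are assumptions, since the letter does not give the exact thresholds.

```python
"""Password-quality check modelled on the recipe in Lionel Cons's reply.

Added example (not CERN's code). Assumed thresholds, not given on the page:
minimum length 8, and a password must mix upper and lower case or contain a
special character. Because classic UNIX crypt(3) only uses the first 8
characters of a password, the rules are also applied to that prefix: a
password that is only "good" beyond character 8 is not good on such a system.
"""
import string
from typing import List

SIGNIFICANT = 8                 # characters classic UNIX crypt(3) actually uses
MIN_LENGTH = 8                  # assumed minimum length
SPECIAL = set(string.punctuation)   # includes the -, +, / from the letter


def _mixed_case(s: str) -> bool:
    return any(c.isupper() for c in s) and any(c.islower() for c in s)


def _has_special(s: str) -> bool:
    return any(c in SPECIAL for c in s)


def password_problems(pw: str) -> List[str]:
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not (_mixed_case(pw) or _has_special(pw)):
        problems.append("neither mixes upper/lower case nor contains a special character")
    # The UNIX caveat: whatever follows character 8 is ignored by crypt(3),
    # so the quality must already be present in the first 8 characters.
    prefix = pw[:SIGNIFICANT]
    if len(pw) > SIGNIFICANT and not (_mixed_case(prefix) or _has_special(prefix)):
        problems.append("first %d characters (all that crypt(3) uses) carry no "
                        "mixed case or special character" % SIGNIFICANT)
    return problems


def is_good_password(pw: str) -> bool:
    return not password_problems(pw)


if __name__ == "__main__":
    # Constructed samples: the two from the letter plus two weak ones.
    for candidate in ("mineISgood", "very/easy", "password", "secretwordX"):
        print(candidate, "->", password_problems(candidate) or "OK")
```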
Comments from the Security Officer:
As Lionel Cons has conveyed in his reply, password security is important. I don't think it is exaggerated to say that if a hacker manages to get access to a normal user's account then it is fairly easy to gain root privileges. In the past few days over half a dozen such exploits have been posted on the net for SGI computers alone. For most of the services provided by IT division a single password is provided through the use of AFS and the inherent Kerberos authentication used by AFS. The AFS service is not restricted to just IT and others are welcome to "join".
Why should a single password be OK for AFS and not without it? This is a question on how hackers "crack" passwords. With AFS the password file is not available and therefore cannot be cracked. Of course, even AFS passwords are vulnerable to being "sniffed", either off the network or from a computer that has been hacked. This is why they should also be changed frequently until the technology for not transmitting passwords in plain text over the network is ubiquitous.
John Gamble (CERN Computer Security Officer)