CERN Accelerating science

This website is no longer maintained. Its content may be obsolete. Please visit for current CERN information.

next up previous
Next: General Up: CNL227 Previous: If you need Help

Letters to the Editor

How to search/find information from past CNL issues

CNL articles are often reference material about services, features and other information otherwise unpublished. Maybe you could publicise in the next issue how to search/find information from past issues, perhaps turn it into a fixed section of your "Editorial Notes". I find that a very useful feature and other readers may appreciate making use of it.

Miguel Marquina, CERN/IT

Dear Miguel,

This is probably a good idea to write down that information, and possibly to repeat it in a regular way, as I am not sure that many of our readers know that it is, in fact, possible and quite easy.
The basic recipe is to use the "Search & View" facility for "IT services, documentation and more", that is replacing the old but powerful "XFIND" utility on the now defunct CERNVM. It is accesible on the Web, using any kind of Web browser, at URL:
The "search" is quicker, and the number of answers less considerable, if you restrict it to a given category (by pressing the corresponding button, just below the input text area where you must enter the keyword(s) to be searched). One pre-defined "category" is precisely "CNLs": by selecting it, and giving one (or several) keyword(s) related to the information you are looking for, you will get very quickly a list of past CNLs that contained article(s) on that subject.
Trying, for instance, the two keywords "mail forward", you will get:

Xfind search result for MAIL FORWARD :

              CERN computer News Letters (CNL)
No. 226 January -- March 1997
Special Chapter: Mail Issues
The End of AFSmail

No. 225 October -- December 1996
Questions and Answers from the UCO

No. 224 July -- September 1996
Using MAIL on the VXCERN Cluster

No. 222 January - March 1996
Mail Issues
Roadmap to MAIL Services
How to Migrate your Mail out of CERNVM
AFSmail and the MailServer
Mailforwarding -- Make Sure You Do Not ``Lose'' Mail
N.B. By adding more keywords you will get a more precise search.

Nicole Cremel (CNL editor).

Passwords ...

I read with interest the latest guidelines for passwords. I believe the situation is getting out of hand. You suggest some fairly extreme measures for generating (marginally) memorable passwords, and severly caution against using the same passwords on other accounts, disallow reuse of previous passwords and of course enjoin writing down passwords anywhere. However, other factors intervene. The passwords are also to be changed regularly, and most important, people have MANY accounts. At last count, I need to keep track of 19 different passwords to do my work. I do not need most of these systems on a day to day basis, but they are all essential for some aspect of my work. Since the time scale for changing passwords and the rules for what constitutes a valid password vary from system to system, I am not capable of remembering them all once, much less as they change with time. Nor does hardly anyone else I know. So they are written down, and people in self defense do use the same passwords on multiple systems, not because they are perverse, or love hackers and hate system managers, but because the set of rules for keeping secure passwords are incompatible with the capabilities of most humans.

Jim Linnemann / MSU

Dear Mr. Linnemann,

You sent your e-mail to the CNL editor but it is not clear to which article you are referring and in which CNL issue. The "reference" information regarding "password rules" are part of the "CERN Security Handbook" that I wrote and you can find at URL:
What we try to do regarding passwords is to enforce some rules (like minimum length) in order to raise the quality of the passwords and therefore increase the security of CERN computers. The rules are just the ones that most cracking programs (to guess passwords) will try. If these rules may seem quite complex, it does not mean that a good password is not easy to remember. We try to give some hints, in the "CERN Security Handbook", to help you finding a good password. A quick recipe is, for instance, to take two short words (only 8 characters are meaningful on UNIX) that are easy to remember for you, to combine them with a special character (e.g. -, +, /), and to mix upper and lower cases.
Of course, if we get too strict, the passwords will become hard to remember and users will write them down. This is, of course, not what we want. I believe that the current rules (allowing passwords like "mineISgood" or "very/easy") still gives a vast choice for users. Maybe we should explain this more and teach our users how to find simply a good but easy to remember password.
On the question of the different accounts, one section of my guide ends with:
"So, in our opinion, the best thing is to have different passwords for all your accounts with no obvious similarities. If you can't (for instance because you have too many accounts), it's acceptable to have the same password if it's a really good one and if you change it often (for instance once per month)."
I still think that this is not too bad.
Feel free to contact me to discuss more about this topic.
Thanks for your comments,

Lionel Cons, IT/DIS

Comments from the Security Officer:

As Lionel Cons has conveyed in his reply, password security is important. I don't think it is exaggerated to say that if a hacker manages to get access to a normal user's account then it is fairly easy to gain root privileges. In the past few days over half a dozen such exploits have been posted on the net for SGI computers alone. For most of the services provided by IT division a single password is provided through the use of AFS and the inherent Kerberos authentication used by AFS. The AFS service is not restricted to just IT and others are welcome to "join".
Why should a single password be OK for AFS and not without it? This is a question on how hackers "crack" passwords. With AFS the password file is not available and therefore cannot be cracked. Of course, even AFS passwords are vulnerable to being "sniffed", either off the network or from a computer that has been hacked. This is why they should also be changed frequently until the technology for not transmitting passwords in plain text over the network is ubiquitous.

John Gamble (CERN Computer Security Officer)

next up previous
Next: General Up: CNL227 Previous: If you need Help