With the new Single Sign-On portal ("New CERN Single Sign-On (SSO) Portal") and the upcoming deployment of a multi-factor authentication solution for CERN ("A second factor to the rescue"), the Identity Management and Computer Security teams have also started reviewing the use of passwords at CERN. Expect some small revolutions ahead.
Your CERN account password is the primary token for accessing CERN computing resources: CERN e-mail, INDICO, EDH, EDMS, LXPLUS, etc. One password to rule them all. And one password, if you were to lose it, that would put your work, your data and CERN at serious risk ("Protect your family"). On the underground market, similar passwords are traded with a value of $50 each, as malicious actors can misuse a CERN account, e.g. for sending SPAM, running unauthorised computing tasks on our computing clusters (like crypto-currency mining; "Computing power for professionals… only!"), or downloading CERN-licensed software or publications from our digital libraries for "free". Worse, a stolen password might allow a targeted attacker to take over computing services or even try to manipulate the operations of accelerators or experiments. Hence our push towards a central multi-factor authentication solution for critical services ("A second factor to the rescue").
But how are passwords lost today? The main vector is lack of user diligence, where a user is convinced to send his or her password to an attacker (so-called "Phishing") or where the user is lulled into clicking a link, leading to the full infection of his or her computer and thus allowing an attacker to extract passwords and do more harm ("Click me - NOT!"). Brute-forcing, i.e. trying to sign in with any kind of potential password and hoping for a successful match, is a second vector. And stealing CERN's central database of hashed and salted passwords is a remote third possibility. The IT department is following standard IT practices to protect all secrets from unauthorised access, and to protect CERN users from falling victim to phishing or their computer being infected ("Protect your click"). Dedicated security campaigns ("I love you") are supposed to train users to STOP - THINK - DON'T CLICK in order to protect their digital assets. But we can do better.
This is where the small revolution enters. With the new authentication and authorisation system, we will drop the requirement for annual password changes. Instead, you will select a strong and unique password once and for all. This better password can be either very complex, as today consisting of capital and small letters, symbols and numbers, or a very long passphrase (i.e. more than 24 characters) without such a sophisticated mixture of letters/numbers/symbols. It is your choice: compact & complex or long & light. Of course, your password must not contain just words that can be found in dictionaries or variations of such words (like "C3RN"). In addition, it is important that you do not reuse your CERN password for computing services external to CERN. The Instagrams, Amazons and Facebooks of this world deserve their own, dedicated passwords. Automatic checks at CERN will regularly verify whether a password similar to your CERN one has been exposed and disclosed , using the "HaveIBeenPwned" database ("The easy way to lose passwords") and similar databases of exposed passwords. If there's a hit, you will be asked to change your password to something better. And finally, remember that your password is like a toothbrush: you don't share it. Not with your colleagues. Not with your supervisor. Not with us or the Service Desk.
Last but not least, we will ramp up our brute-force protection: if logging into your account fails 30 times within a minute, your account will be blocked for another minute. And if the failed attempts continue we will add more minutes (up to blocking any login attempt for 15 minutes). More holistically, if a particular IP address is trying to sign into CERN on one or more accounts and fails 20 or more times within an hour, we will block that particular IP address from any further attempt for another hour (using open source software named "Fail2Ban").
To recap: with the new authentication system, we will relieve you of the burden of inventing a new password every 12 months. However, in order to keep a high level of protection of your digital assets, we will review the quality of your current password on a regular basis and block your account when we see a risk to it (due to the fact that such a password has been publicly exposed or that someone has failed too many times to sign in to your account). Does this sound like an acceptable deal?
______
