As research scientists, we normally don't like to think about system security. We don't do anything "secret" at Nevis; in fact, part of our job is to share our results with the public. However, although we are not as prominate a target as a bank or a government office, break-in attempts do occur. Please do your part to keep the system free of malicious or inappropriate use by following the guidelines below.

Password Protection

Choose a password with care.

Although the user passwords are protected from simple cracking attempts, this protection does not work if your password is easily guessed. Avoid the use of your name, the names of relatives, or any word in any language.

An excellent way to create a password is to start with a phrase that you're not likely to forget. Take the initials of the phrase, and substitute numbers or symbols for letters where appropriate. For example:

• Start with "I want to rock n' roll all night"
• The initials are iwtrnran
• Substitute "1" for "i"
• "2" for "t" (since it stands for "to")
• "&" for "n" (since it stands for "and")
• "L" for "a" (since it stands for "all", which sounds like "ell")
• ...and the result is 1w2r&rLn which is easy to re-derive, and (with a little practice) easy to type

Another quick way to generate a password is with the apg program, which generates passwords that are relatively easy to memorize, but hard to guess.

There are web sites that can help you generate a nice, random password if you have trouble thinking of one. Here is one such password generator, and another that generates semi-pronouncable words.

Other tips

Any dictionary word or name, whether it's capitalized or not, will be easily guessed. Simple variations, such as spelling a word backwards or adding a number to the end, will also be guessed.

Leet speak (if you know what that is) will not prevent a cracker from recognizing a dictionary word. The crackers speak 'leet too.

The more complex the password, the better. The simpler and less-inspired your password, the more likely it is that the attacker can crack it. For example, it would take less than a second for the attacker to crack my password if I were foolish enough to pick "namgiles1" as my password (my last name, spelled backwards, followed by a number).

Other sites force you to change your password every six months. That's not done at Nevis, because it's hard to resist the temptation to write the passwords down. If you pick a complex, well-chosen password that appears to be a jumble of letters and symbols, it will be almost impossible to crack. Please make life harder for attackers.

Never give out any password to anyone.

If someone you trust needs to access a system at Nevis, just ask Bill. I will be happy to create a temporary account for them.

In general, we discourage the use of "group" or "guest" accounts, since it's impossible to keep track of who knows the password or who signs on. It takes only seconds for a new account to be created on our systems. If a large number of people need to access data on the system, then there are many schemes for allowing unrestricted access, including WWW. Please don't give out a password as a shortcut to less restricted access.

Use scp or sftp instead of ftp

ftp has a major security flaw: an account name and password may be required to access a remote system, but the password is transmitted in clear text. A system cracker who is monitoring network traffic may be able to intercept your password.

If you use sftp or scp instead, your password will be encrypted before it goes over the network. A casual system cracker will not be able to intercept it.

Warnings

We do occasional security scans of our own systems to look for issues like those described above. If we spot a security hole associated with your account, we will contact you immediately. If there are any questions, please contact Bill Seligman.

to the Nevis Home Page.

Send any comments or questions to the webmaster.