Several Linux machines within the College have been hacked because a user chose a weak password or used a public/private key pair without a good passphrase. If the same happens to us, all our Linux machines will have to be reinstalled, some data may be lost, and most of us will be without computers for weeks. Do you really want that?

To reduce the risks, please follow these rules below.

Password rules

  1. At least 6 characters, preferably 8 or more.

  2. Include at least 3 and preferably all 4 of the following character types:

    1. lower case letters
    2. upper case letters
    3. numerals
    4. other characters such as punctuation
  3. Do not use names or words that may be in a dictionary (in any language). Standard tricks such as replacing letters by numerals (later by 1ater) or text message abbreviations (l8er) do not help.

  4. Do not base passwords on information that can easily be discovered (your partner’s/pet’s/middle name; your date of birth...).

A good way to generate easily remembered passwords is to think of a phrase that has meaning to you but not to many other people (perhaps the words of an obscure song or poem) and pick, say, the first, second or last letter of each word in the phrase. Then find an easily remembered reason to add some numbers and/or punctuation.

You must change your password every 365 days. Warnings will appear at login if your password will expire within the next two weeks.

SSH key rules

  1. More important still is your ssh passphrase. This should indeed be a phrase—several words long and as difficult to guess as possible.
  2. Needless to say, you should always keep your password and passphrase secret. Avoid writing them down and do not tell them to anyone under any circumstances—not even other members of the group or people who say they are from ICT.
  3. Do not use passphrase-free ssh keys. To understand why, think what would happen if one of the computers you use became infected by a virus that installed a back door (there are now hundreds of thousands of such machines on the internet). If you have a passphrase-free ssh key, anyone who accessed the compromised PC would have immediate password/passphrase-free access to every computer you can ssh to. One malicious hacker could wipe every file on every computer you use.
  4. Keep your private key private. The public/private key pair is designed so that one half can be freely distributed without compromising security. Do not email your private key. It is best to use a different key for each machine you use.