General Security Issues

Security is an important issue at the Institute, and security depends on each one of us.

Passwords

The first line of defence against an attack is a user's password. You should guard your password as though it were the PIN for a bank card or a piece of very confidential information. Never disclose your password to another user; no other user would ever need to know another's password. In addition, never record your password in writing in a place where it could be identified as your password.

The choice of a good password is important. We have a script at the Institute which checks each new password to make sure it is not something an attacker could obviously guess. The best password would be a random string of upper and lower case letters mixed with numbers and punctuation marks, such as j^P1-oqs, but obviously this would be hard to remember.

Password changing frequency

There is no enforced password changing frequency at present. However, it is still good practice to change your password from time to time, e.g. once every year or so. If you change your password, it is not advisable to simply change back to one you have used before.
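As an added illustration of the kind of check described in the two passages above (not the Institute's own script), the function below accepts a proposed password only if it mixes character classes, is not based on an obviously guessable word, and is not one the user has used before; the word list, salt and sample passwords are constructed for the example.

```python
import hashlib
import hmac
import string

# Constructed sample of obviously guessable passwords; a real checker would
# load a large word list (assumption, not the Institute's own list).
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "123456", "institute"}

# Constructed salt; previous passwords are kept only as salted hashes so the
# history never stores the passwords themselves.
SALT = b"constructed-example-salt"


def history_hash(password: str) -> bytes:
    """Slow, salted hash used to record a user's previous passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


def check_password(candidate: str, previous_hashes=()) -> tuple[bool, str]:
    """Return (accepted, reason) for a proposed new password.

    Mirrors the page's advice: mix upper and lower case letters, digits and
    punctuation, avoid anything an attacker would guess at once, and do not
    go back to an earlier password.
    """
    if len(candidate) < 8:
        return False, "too short (at least 8 characters)"
    classes = [
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(c in string.punctuation for c in candidate),
    ]
    if sum(classes) < 3:
        return False, "use at least three of: lower case, upper case, digits, punctuation"
    # Strip digits and punctuation so "Password1!" is still caught as "password".
    core = "".join(c for c in candidate if c.isalpha()).lower()
    if candidate.lower() in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        return False, "based on an obviously guessable word"
    new_hash = history_hash(candidate)
    if any(hmac.compare_digest(new_hash, h) for h in previous_hashes):
        return False, "previously used password; choose a new one"
    return True, "accepted"


if __name__ == "__main__":
    old = [history_hash("Winter2019!")]  # constructed previous password
    for pw in ["j^P1-oqs", "password", "Password1!", "Winter2019!", "short1!"]:
        print(pw, check_password(pw, old))
```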

Password sharing or caching

It is generally recommended that you use different passwords for different systems (e.g. one for your departmental computer account and a separate one for, say, your Gmail account). By doing this you ensure that if one password is compromised, or someone gains access by some other means (e.g. you leave yourself logged in with the screen unlocked), the security breach is limited to the single system that uses it. As more and more organisations converge on single sign-on systems for their services, the value of a single password increases: in the past you may have used separate passwords for each service provided by an organisation, whereas now you may use a single password, so if it is compromised, access to all those services is compromised.

It is also now commonplace for certain applications (e.g. email clients, web browsers, messaging systems) to offer to cache or store your password for the service they are used to access. It is up to the individual to consider whether to allow their password to be cached. If you use an application to access a remote service, e.g. a remote email or messaging system, and you allow the application to cache that separate password, then if your account password is compromised the account can be used to access the remote service without the need to compromise its password as well. There are of course ease-of-use benefits to caching and storing passwords, and the individual needs to weigh the risks of extending the network of trust associated with an account against the possible benefits.

Physical Security

You must also be aware that our buildings contain a large number of computers. Always be careful to close and lock the doors marked to be closed, and never let in anyone who does not have a key. Anyone who should have access to a room will have a key. You must be very careful about letting anyone into a room. It is not uncommon for a thief to let their face become known in a building for a long while, then to gain access to restricted areas and steal equipment. The same rule holds for giving people access to the buildings outside office hours or at weekends.

In addition, be careful about disclosing information about our computers to other people; computers are often stolen to order.