This page provides a summary of recommended security practices for managing your SHARCNET account authentication credentials.
How to choose a password
It's important to make sure your password is secure, in order to prevent others from using your account. The first part of this is choosing a good password. A "good" password is one that you can remember yourself, but which others cannot guess. You need to guard not only against people who try to log into your account by guessing based on what they know about you, but also against people who use programs to automate their attempts: an online guessing tool can try many passwords per second, and someone who has obtained a copy of a password hash can test millions or billions of candidates per second offline.
Here are a few simple guidelines to follow to make sure that your password is good:
- Make sure your password is long enough -- at least 8 characters, and longer is better. Every extra character multiplies the number of guesses an attacker has to make; short passwords can be exhausted quickly.
- Do not use dictionary words as a password. Many automated password cracking attempts start by running through a dictionary (and lists of previously leaked passwords) and trying each entry as the password. The passwords most vulnerable to this type of attack are:
  - Normal words that appear in the dictionary (e.g. password, dictionary, alphabet, ...)
  - Combinations of two shorter dictionary words, with or without a number between them (e.g. whatwhen, sing4you, ...)
  - Passwords composed entirely of numbers (e.g. 192837465, 987654321, ...)
  - Passwords that are too short (anything with six characters or less)
- Do not use names either. One common practice was to use the name of a pet or a child as your password, but anyone who knows that information about you would be able to use it to guess your password.
- Try using combinations of multiple words, or "initializations" of phrases, for example the phrase "The Rain In Spain Falls Mainly On The Plain" would become "Trisfmotp"
- Your password should include a mix of upper and lower case letters, numbers, and even symbols (such as @, ! and &). One common way is to replace letters or syllables with numbers or symbols that are pronounced the same, replacing "at" with "@", or replacing "i" with a one or "o" with a zero, as in "Go0dG1rl" or "$ing4m3". Another way is to use multiple words and put numbers or symbols between them, like "not4h4ing". Applying this to the previous point's example to make "Tr1$fm0tP" would make it even better. Bear in mind that cracking tools know these substitutions too, so they add less than they appear to; length does more for you than clever spelling. Even so, you shouldn't use all numbers, all symbols or all letters in your password -- again, that makes it easier for someone else to guess.
- Don't use "famous" passwords -- any password that is used on television, in a movie, a book, or a "how to choose a password" document, is a password that everyone has seen, and will be one of the first things that is tried by someone trying to break into an account. Thus, the password "trustno1" which was used by agent Mulder in the X-Files, while technically good by the rest of these guidelines, is still bad because millions of people know about it. Similarly, "$ing4m3" and "not4h4ing" are bad because most if not all of the other people using the same system as you have seen them as a password suggestion.
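The guidelines above can be turned into a mechanical check. The following script is an added example and not part of the original SHARCNET page; its word list and "famous password" list are small constructed stand-ins (a real check would read /usr/share/dict/words and a leaked-password list), and the requirement of three of the four character classes is this example's choice.

```sh
#!/bin/sh
# Added example, not from the SHARCNET page. Checks a candidate password against the
# guidelines above and prints the first rule it breaks, or "ok".
# WORDS and FAMOUS are constructed stand-ins for a real dictionary / leak list.
WORDS="password dictionary alphabet what when sing you rain spain plain"
FAMOUS='trustno1 $ing4m3 not4h4ing Tr1$fm0tP Go0dG1rl'

# True if $1 (compared case-insensitively) is in the constructed word list.
is_word() {
    w=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    for d in $WORDS; do
        [ "$w" = "$d" ] && return 0
    done
    return 1
}

check_password() {
    pw=$1
    len=${#pw}
    [ "$len" -lt 8 ] && { echo "too short ($len chars, need 8+)"; return 1; }
    # all digits: the pattern *[!0-9]* matches only if some non-digit is present
    case $pw in
        *[!0-9]*) ;;
        *) echo "all digits"; return 1 ;;
    esac
    is_word "$pw" && { echo "dictionary word"; return 1; }
    # exact match against passwords everybody has already seen
    for f in $FAMOUS; do
        [ "$pw" = "$f" ] && { echo "well-known password"; return 1; }
    done
    # two dictionary words, optionally joined by a single digit (e.g. sing4you)
    i=1
    while [ "$i" -lt "$len" ]; do
        left=$(printf '%s' "$pw" | cut -c1-"$i")
        rest=$(printf '%s' "$pw" | cut -c$((i+1))-)
        right=$(printf '%s' "$rest" | sed 's/^[0-9]//')
        if is_word "$left" && is_word "$right"; then
            echo "two dictionary words"; return 1
        fi
        i=$((i+1))
    done
    # mix of character classes: require at least three of lower/upper/digit/symbol
    classes=0
    case $pw in *[a-z]*) classes=$((classes+1));; esac
    case $pw in *[A-Z]*) classes=$((classes+1));; esac
    case $pw in *[0-9]*) classes=$((classes+1));; esac
    case $pw in *[!a-zA-Z0-9]*) classes=$((classes+1));; esac
    [ "$classes" -lt 3 ] && { echo "needs a mix of upper, lower, digits and symbols"; return 1; }
    echo "ok"
    return 0
}
```

Call it as `check_password 'candidate'`; a non-zero exit status means the candidate broke one of the rules, and the message says which. The two-word check deliberately tries every split point, which is exactly what a cracker's "combinator" mode does.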
Your account contains all of your data, and all of your work. Having access to your account on SHARCNET's systems (or indeed any other system) means that anything that person is doing is being done in your name. If someone else has access to your account, that person is able to act in your name, and you would then be responsible for any action taken by that person with your account. Not only do you want to protect your own data from tampering and theft, you also need to make sure that your account is not used for any illicit activities.
Use SSH Keys Instead!
With an SSH key and an SSH key agent set up, you type your passphrase once when you sit down at the computer, and the unlocked key stays in the agent for as long as you are there, instead of you having to provide your password every time you transfer a file or open another login shell. Note that this also means anyone who can use your unlocked session can use the key, so lock the screen when you step away.
It is also possible to set up an SSH Key with no passphrase, however it is strongly recommended against, since that would mean that anyone who found your USB stick lying around would be able to use it to access your account.
Choosing Good SSH Key Passphrases
Just like with choosing good passwords, passphrases do need to be selected with some care. If you have some personal catchphrase that everyone you know associates you with, it would be a bad choice to use as a passphrase for your SSH key, since, as with having no passphrase, anyone who finds your USB stick can try that and use your account. On the other hand, passphrases that are too complex, like "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn", are also bad, since they are close to impossible to remember and type reliably. The best way to pick a passphrase is to choose a sentence that is easy for you to remember, like "The rain in Spain falls mainly on the plain", or the first sentence from a book or story you like. If you want to make it more secure, you can also use the same kinds of letter replacement rules as with passwords, but to a much lesser degree, since the length of the passphrase already does most of the work: "Th3 rain in Spain falls mainly on the plain" would be at least as effective as "Tr1$fm0tP", but much easier to remember.
How to Create an SSH Key
To use PuTTYgen to create an SSH key for your SHARCNET account, download and run the program, choose the key type and click on the "Generate" button, then follow the given instructions. Choose Ed25519 if your version of PuTTYgen offers it; otherwise choose RSA with at least 2048 bits (3072 is better). Do not choose SSH-2 DSA: it is limited to 1024 bits, and OpenSSH has refused DSA keys by default since version 7.0, so a DSA key will simply not work against current servers. Once the key is finished, add a passphrase to it, and then save your private key file -- this will need to be loaded into your SSH program (preferably using a key agent such as Pageant, the PuTTY key agent). The "public" key can be either saved and transferred, or cut-and-pasted directly from the box in the program into the .ssh/authorized_keys file in your home directory on your SHARCNET account. Take care to paste the one-line OpenSSH format shown in the box, not the multi-line "Save public key" file format, which sshd does not accept.
On Linux or Mac OS X, open a terminal and run:

ssh-keygen -t ed25519

(If you need RSA for an older server, use "ssh-keygen -t rsa -b 3072" instead. Do not use "-t dsa": DSA is disabled by default in OpenSSH.) You will be prompted to give the program a file name to store your key in (the program will suggest ~/.ssh/id_ed25519, which is a good choice), and to type your passphrase in twice. After that, the program will create two files: one with the name you chose, and the other with ".pub" added to the end of it. The private file (without .pub) stays in your .ssh directory on your local workstation, with permissions 600, and must never be copied to the server. The id_ed25519.pub file belongs in your account on the server: log in and append its single line to a file named "authorized_keys" in the .ssh directory of your account on the SHARCNET clusters. The .ssh directory must be mode 700 and authorized_keys mode 600 (or 644); sshd ignores the file if it, or the directory, is writable by anyone other than you.
For Windows users, the same two files are created, and the .pub file (or "public key", depending on which program you use) is the one whose contents are appended to the .ssh/authorized_keys file on the server, while the private key file is the one your SSH client is pointed at as the SSH key to be used.
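The following functions carry the procedure above through as working shell code. They are an added example, not part of the original SHARCNET page; the key comment, the 3072-bit RSA fallback and the paths are this example's assumptions. generate_key is run on your local workstation, install_public_key on the server side (your SHARCNET home), and the second function can be exercised against a scratch directory because the home directory is a parameter.

```sh
#!/bin/sh
# Added example, not from the SHARCNET page.

# LOCAL workstation: create a passphrase-protected key pair. Ed25519 is preferred;
# fall back to "ssh-keygen -t rsa -b 3072" only for servers too old to accept it.
generate_key() {
    keyfile=${1:-"$HOME/.ssh/id_ed25519"}
    mkdir -p "$(dirname "$keyfile")" && chmod 700 "$(dirname "$keyfile")"
    # ssh-keygen prompts for the passphrase twice; do not leave it empty.
    ssh-keygen -t ed25519 -f "$keyfile" -C "$(whoami)@$(hostname) for SHARCNET"
    chmod 600 "$keyfile"
}

# SERVER: append one public key line to ~/.ssh/authorized_keys, but only if it is
# not already there, then set the permissions sshd insists on (700 on .ssh, 600 on
# the file). Refuses anything that does not look like a public key line, which
# catches the classic mistake of pasting the private key by accident.
install_public_key() {
    pubkey=$1          # one line: "<type> <base64> [comment]"
    home=${2:-$HOME}   # overridable so the function can be tested in a scratch dir
    sshdir="$home/.ssh"
    auth="$sshdir/authorized_keys"
    case $pubkey in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not an OpenSSH public key line" >&2; return 1 ;;
    esac
    mkdir -p "$sshdir"
    touch "$auth"
    if ! grep -qxF -- "$pubkey" "$auth"; then
        printf '%s\n' "$pubkey" >> "$auth"
    fi
    chmod 700 "$sshdir"
    chmod 600 "$auth"
}

# SERVER: how many keys are currently authorised. Worth running after installing,
# and occasionally afterwards, to spot keys you did not put there yourself.
count_authorized_keys() {
    home=${1:-$HOME}
    grep -c '^[a-z]' "$home/.ssh/authorized_keys" 2>/dev/null || true
}
```

Typical use is `generate_key` on the workstation, then `ssh user@host` with your password once, paste the contents of id_ed25519.pub into `install_public_key '<that line>'` on the server, and log out; the next `ssh` should ask for the key passphrase (or nothing, if the agent already holds it) rather than the account password.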
SSH Key Agents
Mac OS X systems have an SSH key agent built in, which will automatically be used if you have an id_ed25519, id_rsa or id_dsa file in your .ssh/ directory. The first time you attempt to log into the server with your key in place, a dialog will ask you for your SSH passphrase, and will have a checkbox that can be turned on to store your passphrase in the keychain so that the agent can unlock the key for you.
Linux systems also come with one built in. Start it with eval "$(ssh-agent -s)" rather than by typing "ssh-agent" on its own: the program only prints the SSH_AUTH_SOCK and SSH_AGENT_PID settings that your shell needs, and the eval is what actually applies them to your shell. (Many desktop environments start an agent for you at login, in which case this step is unnecessary.) To activate your SSH private key, as long as you put it in your .ssh directory and named it id_ed25519, id_rsa or id_dsa, you can simply run the command "ssh-add", type in your passphrase, and the unlocked key will remain stored in the agent; "ssh-add -l" lists what is currently loaded. To kill the SSH key agent on Linux, use the command eval "$(ssh-agent -k)".
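The agent workflow above as a set of small helper functions. This is an added example and not part of the original SHARCNET page; the eight-hour default lifetime and the id_ed25519 default path are this example's assumptions.

```sh
#!/bin/sh
# Added example, not from the SHARCNET page.

# True if this shell can reach a running agent: SSH_AUTH_SOCK must be set and
# must point at a Unix socket (a stale variable pointing at nothing is common
# after a reboot or a reattached terminal).
agent_reachable() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# Start an agent only if this shell cannot already reach one. The eval is what
# makes the SSH_AUTH_SOCK/SSH_AGENT_PID assignments land in *this* shell; a bare
# "ssh-agent" just prints them and leaves the shell no better off.
ensure_agent() {
    if ! agent_reachable; then
        eval "$(ssh-agent -s)" >/dev/null
    fi
}

# Unlock a key into the agent with a lifetime (-t), so a session you forgot to
# close is not usable all night. Assumed default: 8 hours, ~/.ssh/id_ed25519.
add_key() {
    ensure_agent
    ssh-add -t "${2:-8h}" "${1:-$HOME/.ssh/id_ed25519}"
}

# What is currently unlocked; exits 1 and says so if the agent holds nothing.
list_keys() { ssh-add -l; }

# Forget every unlocked key but keep the agent (before stepping away), or shut
# the agent down entirely when you are done for the day.
lock_keys() { ssh-add -D; }
stop_agent() { eval "$(ssh-agent -k)" >/dev/null; }
```

After `add_key`, an `ssh` or `scp` to the cluster should no longer prompt for anything; if it asks for the passphrase again, `agent_reachable` is the first thing to check, because the usual cause is a shell that never saw the agent's environment variables.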
Being Careful with SSH Keys
Be careful not to leave the private key anywhere in your home directory on the SHARCNET clusters, and especially not in the .ssh directory there; only the public key (the .pub file or authorized_keys line) belongs on the server. If an attacker manages to guess your password and collect a copy of your private key, they will be able to connect to your account again and again, even after the account password is changed, until you remove the matching line from authorized_keys. Keep the private key on a system that only you will use, such as your laptop or a USB key, protected by a passphrase and with permissions that let only you read it (chmod 600), and if you ever suspect it has been copied, delete its public key from authorized_keys on every server and generate a new pair.