Security guidance for Melbourne Bioinformatics (formerly VLSCI) users

Background

For any shared facility, the security of all its users' data rests on the choices and actions of the people who use it day to day. To keep your data secure against attackers, it's important that all Melbourne Bioinformatics users choose good passwords and passphrases and never share them with others, not even with members of their own project or Melbourne Bioinformatics staff.

Choosing a good password

Internet-connected sites like Melbourne Bioinformatics are under constant attack from hackers trying to guess your password. Picking a strong password is a vital part of keeping your account, and everyone else's, safe here at Melbourne Bioinformatics, so knowing what makes a good password is really important. In short, we advise:

  • Use as long a password as you can remember (at least 8 characters long)
  • Use a mixture of upper and lower case characters, numbers and special characters like !@#$%
  • Don't use a single dictionary word, even if you replace characters with numbers
  • Don't use your Melbourne Bioinformatics password anywhere else, especially other HPC centres or supercomputers.

One possible recipe is to pick a few words and glue them together with some numbers and special characters. For instance:

Stage             Text
Initial words     Do Not Use This Text
Final Password    Do2Not4Use6This8Text!

There's a lot of good guidance on picking passwords, including this Google page, this AUSCERT page and this US-CERT page.

Protecting your SSH private keys

SSH keys can be used to authenticate ssh connections instead of passwords. If done correctly they can be convenient and more secure, but if done badly they can seriously compromise your security and that of the systems you use. If you need to use SSH keys to access Melbourne Bioinformatics you need to be very careful with them. We suggest, as a minimum:

  • When you generate SSH keys ALWAYS use a long, complex passphrase.
  • Only use SSH keys that had a strong passphrase set when they were first generated. Never use a private key that has ever been unprotected.
  • Never copy an SSH private key generated at Melbourne Bioinformatics to anywhere else. SSH keys are generated in two parts, public and private; it's fine, and often necessary, to make your public key 'public', but you must always keep the private key under your own control.
  • Never put an SSH private key on a shared system
  • If you don't protect your keys you could find that someone could break into a system you have put them on, steal them, and then use them from another system to login to other machines you have access to. Sadly this is a fairly common attack.
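The two checks that catch the problems described above (a private key stored without a passphrase, or a key file readable by other users on a shared system) can be automated. The following is an added example written for this page, not a tool provided by Melbourne Bioinformatics: it parses the OpenSSH private key formats to see whether the key is encrypted, checks the file mode, and uses a constructed key stub (the function make_openssh_key_stub, which carries no real key material) for demonstration. All function names are this example's own.

```python
import base64
import stat
import struct
from pathlib import Path

# Magic bytes that open every openssh-key-v1 private key body.
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(data):
    """Encode bytes as an SSH string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob, offset):
    """Decode one SSH string from blob at offset; return (bytes, next_offset)."""
    (length,) = struct.unpack_from(">I", blob, offset)
    start = offset + 4
    return blob[start:start + length], start + length


def private_key_is_encrypted(key_text):
    """True if the private key text is passphrase-protected, False if it is stored in the clear.

    Handles the OpenSSH native format (the cipher name inside the base64 body is "none"
    for an unprotected key) and the older PEM formats, where protection shows up either
    as a "Proc-Type: 4,ENCRYPTED" header or as a BEGIN ENCRYPTED PRIVATE KEY block.
    """
    lines = [line.strip() for line in key_text.strip().splitlines()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-style private key")
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("missing openssh-key-v1 magic")
        cipher, _ = _read_ssh_string(body, len(OPENSSH_MAGIC))
        return cipher != b"none"
    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return True
    return any(line.startswith("Proc-Type:") and "ENCRYPTED" in line for line in lines[1:])


def audit_private_key(path):
    """Return a list of findings for one key file: cleartext storage and/or permissive file mode."""
    path = Path(path)
    findings = []
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & 0o077:
        findings.append(f"{path}: mode {mode:04o} is readable by group/others (expected 0600)")
    if not private_key_is_encrypted(path.read_text()):
        findings.append(f"{path}: stored without a passphrase")
    return findings


def make_openssh_key_stub(cipher):
    """Constructed test data: the header of an openssh-key-v1 file with the given cipher name.

    It carries no real key material, only enough structure for private_key_is_encrypted to parse.
    """
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    body = OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"") + struct.pack(">I", 1)
    encoded = base64.b64encode(body).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{encoded}\n-----END OPENSSH PRIVATE KEY-----\n"


if __name__ == "__main__":
    # Audit the usual key files in the current user's ~/.ssh directory.
    ssh_dir = Path.home() / ".ssh"
    for key_file in sorted(ssh_dir.glob("id_*")):
        if key_file.suffix == ".pub":
            continue
        try:
            for finding in audit_private_key(key_file):
                print(finding)
        except ValueError as err:
            print(f"{key_file}: skipped ({err})")
```

Run it on the machine where your keys live; any "stored without a passphrase" finding means that key has been unprotected and, following the rules above, should be replaced rather than have a passphrase added after the fact.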

Choosing a good passphrase for SSH private keys

SSH is more forgiving about spaces in passphrases than UNIX passwords are, so you can happily pick a longer sentence and use that, with the same mixture of upper and lower case, numbers and special characters recommended for passwords above. So this could be a good passphrase (but don't use it!):

This could be a good SSH passphrase for 3 months!
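The password rules in the "Choosing a good password" section, the glue-words recipe from its table, and the SSH passphrase example just above can all be checked with one small script. The following is an added example written for this page, not a tool from Melbourne Bioinformatics: the word list SMALL_DICTIONARY is a constructed stand-in for a real dictionary file, the substitution map reflects the letter-for-symbol swaps that cracking rule sets undo, and the function names are this example's own.

```python
import string

# Constructed stand-in for a real word list such as /usr/share/dict/words.
SMALL_DICTIONARY = {
    "password", "welcome", "dragon", "monkey", "letmein",
    "summer", "melbourne", "bioinformatics",
}

# Symbol-for-letter swaps that password-cracking rule sets undo automatically,
# so "P@ssw0rd" is no stronger than "password".
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def is_single_dictionary_word(candidate, dictionary=SMALL_DICTIONARY):
    """True if the candidate is one dictionary word with digits/symbols swapped in or tacked on the ends."""
    core = candidate.lower().strip(string.digits + string.punctuation)
    return core.translate(LEET_MAP) in dictionary


def check_password(candidate, dictionary=SMALL_DICTIONARY):
    """Apply the guidance rules to a candidate; return the list of rules it fails (empty list = acceptable)."""
    problems = []
    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    classes = {
        "lower": any(c.islower() for c in candidate),
        "upper": any(c.isupper() for c in candidate),
        "digit": any(c.isdigit() for c in candidate),
        "symbol": any(c in string.punctuation for c in candidate),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    if is_single_dictionary_word(candidate, dictionary):
        problems.append("a single dictionary word with simple substitutions")
    return problems


def glue_words(words, fillers="2468", suffix="!"):
    """The recipe from the guidance: interleave the chosen words with numbers, then add a symbol."""
    parts = []
    for i, word in enumerate(words):
        parts.append(word)
        if i < len(words) - 1:
            parts.append(fillers[i % len(fillers)])
    return "".join(parts) + suffix


if __name__ == "__main__":
    samples = [
        glue_words(["Do", "Not", "Use", "This", "Text"]),      # the table's recipe
        "This could be a good SSH passphrase for 3 months!",  # the passphrase above
        "P@ssw0rd1",                                          # substitutions do not help
        "Summer2024",                                         # dictionary word plus a year
        "Ab1!",                                               # too short
    ]
    for candidate in samples:
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
```

The spaces in the SSH passphrase are simply ignored by the class checks, which is why the same function serves for both passwords and passphrases; the dictionary check is deliberately applied after stripping leading and trailing digits and symbols, since "Summer2024" is the kind of construction an attacker's wordlist rules generate first.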