CERN - European Organization for Nuclear Research

01/27/2026 | News release | Distributed by Public on 01/28/2026 04:20

Computer Security: A final dash to protect your account

The past two years have brought a lot of new computer-security deployments at CERN. Spurred on by the 2023 cybersecurity audit, a lot has already been achieved and 2026 should see the successful implementation of all remaining work packages. We already discussed mandatory requirements for IT service managers in a past issue of the Bulletin. This time we present upcoming changes to passwords and improvements to two-factor authentication, while the focus will be on networking in a future article.

Very early 2026 should bring an evolution of CERN's password policy. The audit deemed that eight characters, even as a combination of lower-case and capital letters, symbols and numbers, are too few. Following best practice, like that of the NIST SP 800-63B standard, the CERN Computing Rules require a minimum length of 15 characters, making passwords "passphrases". That is a lot to memorise. But it is also a lot more secure and harder to crack. And since the need for letter/number/symbol complexity has been dropped, any kind of sentence - the passphrase - would do. Gone are the days of "B055man69", "Joshua", "SamFox99" or "a^2+b**2=sqr(c)". "Last Christmas", "Strangers in the night" or "Boom Boom Pow" are the new way to go.
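To make the two rules concrete, here is an added example (not CERN's own code or policy checker) that applies the old and the new rule to the passwords quoted above and prints a naive exhaustive-search estimate for each. The rules are paraphrased from the article; the assumptions are that the old rule is modelled as "at least 8 characters using at least three of the four character classes" (the article gives no exact class count) and that the symbol alphabet is the 33 printable ASCII non-alphanumerics including space.

```python
"""Compare CERN's old and new password rules on the article's own examples.

Added example, not CERN's own code. Rules paraphrased from the article:
old, eight characters combining lower-case, upper-case, digits and symbols;
new, at least 15 characters with no class requirement (NIST SP 800-63B style).
Assumptions: the old rule is modelled as '8+ characters and at least three of
the four classes', and symbols are the 33 printable ASCII non-alphanumerics.
"""
import math
import string

OLD_MIN_LENGTH = 8
OLD_MIN_CLASSES = 3          # assumption, see module docstring
NEW_MIN_LENGTH = 15          # from the article

# Alphabet size contributed by each character class (symbol count is an assumption)
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def character_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")   # space, punctuation, anything else
    return classes


def old_policy_ok(password):
    """Old rule (assumed model): length >= 8 and at least three classes."""
    return (len(password) >= OLD_MIN_LENGTH
            and len(character_classes(password)) >= OLD_MIN_CLASSES)


def new_policy_ok(password):
    """New rule from the article: length only, 15 characters or more."""
    return len(password) >= NEW_MIN_LENGTH


def brute_force_bits(password):
    """Naive exhaustive-search estimate: length * log2(alphabet size), where
    the alphabet is the union of the classes actually used.  It ignores
    dictionary and phrase attacks, so it overstates strength for well-known
    song titles; its only purpose is to show what length does versus class mixing."""
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(password))
    return len(password) * math.log2(alphabet)


def report(password):
    """Summarise one password under both rules."""
    return {
        "length": len(password),
        "classes": sorted(character_classes(password)),
        "old_policy": old_policy_ok(password),
        "new_policy": new_policy_ok(password),
        "bits": round(brute_force_bits(password), 1),
    }


if __name__ == "__main__":
    # The passwords and passphrases quoted in the article
    for pw in ["B055man69", "Joshua", "SamFox99", "a^2+b**2=sqr(c)",
               "Last Christmas", "Strangers in the night", "Boom Boom Pow"]:
        print(f"{pw!r:26} {report(pw)}")
```

Running it shows the length rule applied literally: "Boom Boom Pow" (13 characters) and "Last Christmas" (14) fall just short of 15, so a real passphrase needs a word or two more, while "Strangers in the night" (22 characters) has roughly three times the naive search space of "SamFox99". The estimate says nothing about phrase-dictionary guessing, which is the realistic threat against famous titles; the defensive point is that length, not class mixing, is what drives the number.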

At the same time, and still linked to "accounts", the Computer Security Office will conclude a penetration test conducted by an external company against CERN's Active Directory (AD) - the holy grail of all computer knowledge at CERN and the usual and obvious target for any ransomware attack. With the AD lost, CERN's IT systems would be considered fully, deeply and entirely compromised, at tremendous cost. Thus, it is imperative to review the current AD settings, poke for any possible weaknesses, identify potential vulnerabilities and get them swiftly fixed before they can be exploited.

The first quarter of 2026 should also see the completion of the roll-out of two-factor authentication (2FA) to the Organization. While 2FA was deployed to the CERN Single Sign-On in 2023 and 2024, it was activated on the CERN Windows Terminal Services and the LXPLUS interactive Linux service for remote desktop (RDP) and SSH access only last September. While this process went generally smoothly, the non-persistence of RDP and SSH connections, i.e. the loss of the RDP/SSH session once the Wi-Fi connection is lost or the laptop is put in sleep mode, is still an issue requiring further improvement. But for that we need your feedback. On our side, however, the game changer should arrive before Easter 2026 with the establishment of a new VPN service. CERN's VPN service was terminated in 2007 because CERN's brilliant internet connectivity then also channelled all private/home traffic through CERN, posing a risk to the end users' privacy and CERN's reputation. It will be resurrected with better functionality* and, this time, a split tunnel configuration so that only traffic towards CERN passes through it.
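The split-tunnel property described above is, for the WireGuard protocol the footnote mentions, decided by the peer's AllowedIPs entries: a default route (0.0.0.0/0, ::/0, or a pair of /1 halves) sends everything through the tunnel, while a list of the organisation's own prefixes sends only that traffic. The following is an added example, not CERN's configuration or code: it parses a WireGuard client configuration and reports whether it is full- or split-tunnel and whether every routed prefix lies inside an expected set. The sample configurations, the key placeholders, the endpoint name and the "organisation prefixes" (RFC 5737 documentation ranges standing in for CERN's real ranges, which the article does not give) are all constructed.

```python
"""Classify a WireGuard client configuration as full- or split-tunnel.

Added example, not CERN's own code or configuration.  In WireGuard the
peer's AllowedIPs list is both the cryptokey routing table and the set of
routes wg-quick installs, so it determines what traffic enters the tunnel.
Sample configs, keys, endpoint and 'organisation' prefixes are constructed.
"""
import ipaddress

# Constructed placeholder prefixes standing in for an organisation's ranges
ORG_PREFIXES = ["10.99.0.0/24", "192.0.2.0/24", "198.51.100.0/24"]

# Constructed split-tunnel config: only the organisation's prefixes are routed
SPLIT_TUNNEL = """
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.99.0.2/32
DNS = 10.99.0.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
Endpoint = vpn.example.invalid:51820
# only traffic towards the organisation enters the tunnel
AllowedIPs = 10.99.0.0/24, 192.0.2.0/24, 198.51.100.0/24
PersistentKeepalive = 25
"""

# Constructed full-tunnel config: everything, including private traffic, is routed
FULL_TUNNEL = SPLIT_TUNNEL.replace(
    "AllowedIPs = 10.99.0.0/24, 192.0.2.0/24, 198.51.100.0/24",
    "AllowedIPs = 0.0.0.0/0, ::/0")

# Constructed variant: two /1 halves cover all of IPv4 just like 0.0.0.0/0
HALVES_TUNNEL = SPLIT_TUNNEL.replace(
    "AllowedIPs = 10.99.0.0/24, 192.0.2.0/24, 198.51.100.0/24",
    "AllowedIPs = 0.0.0.0/1, 128.0.0.0/1")


def parse_allowed_ips(config_text):
    """Collect every AllowedIPs network from all [Peer] sections."""
    networks = []
    section = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # strip comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "peer" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() == "allowedips":
            for cidr in value.split(","):
                cidr = cidr.strip()
                if cidr:
                    networks.append(ipaddress.ip_network(cidr, strict=False))
    return networks


def _covered(networks):
    """Number of addresses covered after merging overlapping/adjacent nets."""
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(networks))


def tunnel_kind(config_text):
    """Return 'full' if AllowedIPs covers all of IPv4 or IPv6, else 'split'."""
    nets = parse_allowed_ips(config_text)
    if not nets:
        return "no-routes"
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    if (v4 and _covered(v4) == 2 ** 32) or (v6 and _covered(v6) == 2 ** 128):
        return "full"
    return "split"


def routes_only_to(config_text, org_prefixes):
    """True if every AllowedIPs network lies inside one of the given prefixes."""
    prefixes = [ipaddress.ip_network(p) for p in org_prefixes]
    return all(any(n.version == p.version and n.subnet_of(p) for p in prefixes)
               for n in parse_allowed_ips(config_text))


if __name__ == "__main__":
    for name, cfg in [("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL),
                      ("halves", HALVES_TUNNEL)]:
        print(name, tunnel_kind(cfg), routes_only_to(cfg, ORG_PREFIXES))
```

The coverage check is done on the merged address count rather than by string-matching "0.0.0.0/0", because wg-quick users commonly write the two /1 halves to override an existing default route; a check that only looks for the literal default route would report that configuration as split-tunnel. The second function is the one to use for a compliance check: a client whose AllowedIPs escapes the expected prefixes is routing something other than traffic towards the organisation through the tunnel.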

Stay tuned for these changes, hopefully to your benefit and making your (remote) life easier. And check out the next article on sprinting to the networking finish line.

*Linux, macOS and Windows clients are supported, as is the "WireGuard UDP" protocol. Android and iOS users should also be able to connect but, due to the cacophony of possible clients, they cannot be supported centrally.

_______

Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at [email protected].

CERN - European Organization for Nuclear Research published this content on January 27, 2026, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on January 28, 2026 at 10:20 UTC. If you believe the information included in the content is inaccurate or outdated and requires editing or removal, please contact us at [email protected]