Safety note


System security requires that every account in the system is protected as well as possible against unauthorised use. Each user must feel responsible for the security of his or her account, because once an intrusion into a poorly secured account has succeeded, not only can system resources be misused in this user's name, but all other users are also threatened by the intruder's new possibilities.

General rules

  • Report recognised security deficiencies and do not exploit them.
  • Do not allow a "good friend" to use your account.
  • Log out at the end of the session (log off).
  • Lock the computer or lock the room even if you are absent for a short time.

Rules for passwords

  • at least 8 characters long
  • not a word with meaning and/or from a dictionary
  • not derived from personal data
  • not formed from known abbreviations
  • the password should contain characters from all of the following groups:
    • Upper case letters
    • Lower case letters
    • Numbers
    • Special characters
      Be careful with characters such as ' (apostrophe), because some keyboard drivers turn 'a' into á.
      Be careful with non-ASCII characters such as §, ä, ß, ², ... whose encoding may not be uniform across system boundaries.
      Unproblematic are: !#$%&()*+,-./:;<=>?@[]_{|}
  • the password must be kept secret
  • change the password regularly (approx. every 3 months)
  • choose different passwords on different systems
  • Do not store passwords in plain text on the computer (in scripts, etc.).

A useful technique for good passwords:
Choose a sentence with a meaning that you can remember. Take the first letter of each word in turn (including upper/lower case) and the punctuation marks as your password.

Rules for Unix users

  • no world-write access to the home directory and all own files
  • no world access to dot files such as .login, .cshrc, .profile, etc.
  • no world-exec access to own programmes (risk for the caller)
  • world-read access to own files only in exceptional cases
  • no set-UID programmes with world-exec access
  • no set-UID or set-GID scripts
  • set umask to value 077
  • check own files for plausibility (name, owner, access protection, date) from time to time using "ls -alc"
  • include only secure directories in the definition of the command search path (CSH variable path, SH variable PATH, environment variable PATH).
  • do not enter the current directory (".") at all or only as the last directory in PATH or path.
  • no "+" in the .rhosts file
  • no hosts or users from another security cluster in the .rhosts file
  • no entry without user in the .rhosts file
  • no "old" entries (hosts, users) in the .rhosts file
  • in .netrc file only entries for access to anonymous FTP, no passwords
  • be careful when executing programmes from other user directories (unwanted side effect, Trojan horse)
  • do not give the command "xhost +" or "xhost +computer name".
  • enter passwords via xterm only in secure mode (option secure-keyboard or secureonpwd)
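
The permission, PATH and .rhosts rules above can be checked mechanically. The following script is an added example, not part of the original page; the function names and finding labels are made up for illustration, and treating relative PATH entries like "." and flagging world-writable PATH directories are assumptions about what "secure directories" means.

```sh
#!/bin/sh
# Added example, not part of the original page.
# Usage: sh audit.sh "$HOME"   (prints one line per finding)

audit_perms() {   # $1 = directory to audit
    # world-writable files and directories (symlinks always show rwxrwxrwx)
    find "$1" ! -type l -perm -002 -exec printf 'world-write: %s\n' {} \;
    # dot files directly in $1 with any read/write/exec bit for "other"
    find "$1" -maxdepth 1 -type f -name '.*' \
        \( -perm -004 -o -perm -002 -o -perm -001 \) \
        -exec printf 'dotfile-world-access: %s\n' {} \;
    # set-UID programmes that everyone may execute
    find "$1" -type f -perm -4001 -exec printf 'setuid-world-exec: %s\n' {} \;
    # set-UID or set-GID files that start with "#!" are scripts
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | while IFS= read -r f; do
        if [ "$(head -c 2 "$f")" = '#!' ]; then printf 'setid-script: %s\n' "$f"; fi
    done
}

audit_path() {    # $1 = PATH value
    p=$1:         # sentinel colon so the last entry is terminated too
    while [ -n "$p" ]; do
        entry=${p%%:*}; p=${p#*:}
        case $entry in
            ''|.) # an empty entry also means the current directory
                if [ -n "$p" ]; then echo 'path-dot-not-last'; fi ;;
            /*) # absolute entry: must not be world-writable
                if [ -n "$(find "$entry/." -maxdepth 0 -perm -002 2>/dev/null)" ]
                then echo "path-world-write: $entry"; fi ;;
            *)  echo "path-relative: $entry" ;;   # assumption: treated like "."
        esac
    done
}

audit_rhosts() {  # $1 = .rhosts file, one "host [user]" entry per line
    [ -f "$1" ] || return 0
    awk 'NF == 0 || $1 ~ /^#/ { next }
         /\+/    { print "rhosts-plus: line " NR; next }
         NF < 2  { print "rhosts-no-user: line " NR }' "$1"
}

if [ $# -gt 0 ]; then
    audit_perms "$1"; audit_path "$PATH"; audit_rhosts "$1/.rhosts"
fi
```

Entries from another security cluster and outdated .rhosts entries cannot be recognised automatically and still need a manual review.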

Contact

Service group IT

University of Ulm

Universität Ulm
James Franck-Ring
89069 Ulm
Room: Building O27, Room 245