NERSC - Powering Scientific Discovery for 50 Years

2004 User Survey Results

Security and One Time Passwords

Have any NERSC security procedures affected the way you work at NERSC?

Answer      Responses   Percent
Yes         27          13.4%
No          154         76.2%
Not Sure    21          10.4%

If so, how?

[Read all 27 responses]


10   Comments about passwords
4   Comments about access to HPSS
4   Need for shared accounts
4   Comments about network access / file transfers
5   Other comments

Do you have any experience accessing other sites using one-time passwords?

Answer      Responses   Percent
Yes         74          36.6%
No          104         51.5%
Not Sure    24          11.9%

Please make any comments that you think may be helpful to NERSC regarding one-time password authentication.

[Read all 52 responses]


20   Please don't use them / very inconvenient
9   If you have to, only one key for multiple sites
7   You should do this / works at our site
6   If it is implemented in a convenient way
5   OK / only a minor nuisance
5   Don't know / other


Have any NERSC security procedures affected the way you work at NERSC? If so, how?   27 responses

Comments about passwords:   10 responses

Choosing a valid password is close to impossible, the procedure is close to ridiculous and doesn't add security anyway. I use ssh keys to log in, that's far better. Unfortunately I have to change the regular password from time to time and that is most annoying. I always have to write down the new password if I manage to find one that the machine accepts.

I am always forgetting this awful password that I used on no other machines than this one. But that's fine if this is the way it has to be.

... Also, changing passwords under the tight controls is very difficult. Worse thing is that in the end, I almost always need to write it down somewhere because nearly anything memorable is not acceptable. But writing down passwords is almost always a bad idea. It seems ridiculous that the security folks pretend that this is not a problem.

In the past, the requirement to continually come up with new passwords has made accessing NERSC difficult.

Password updates are inconveniently frequent.

I often have problems with expired password

NIM, HPSS, and Seaborg etc. have different passwords as well as different mandatory update periods, which are difficult to keep track of and manage.

Why can't I have one password for NERSC: nim, seaborg, etc.?

Too much of the NERSC web info requires NIM password. Password should not be required except to manage accounts.

I don't know whether this is the right place to make the following comment. I forgot my seaborg password every now and then. I called NERSC and they gave me a temporary password [after verifying the caller's identity]. I am glad the procedure is so simple.

Comments about access to HPSS:   4 responses

Access to HPSS from offsite was somewhat awkward, until I used it often enough for it to become routine.

They have made external access to HPSS less convenient.

In the way to remotely access HPSS, having to use proxy passwords. It also affected the way we could use Globus-based applications, such as gridftp. But this was mainly due to the learning process of running Globus on such a big system. It works well by now.

Continued existence of secure authenticated FTP into HPSS from remote sites is vital to our high speed data transfer.

Need for shared accounts:   4 responses

The inability to create a second account for the same user, à la group account, causes some problems. Some of that could be eased by having a possibility to set different access defaults for the project directories: e.g. all users in the group to have write permission for all content of the project directory. [PDSF user]

The concept of a project account, while an anathema to NERSC policies, maps very well to the actual project work done. Unfortunately, as we transition through people's coming and goings it is difficult to have to transition the processing to each pipeline. [PDSF user]

The fact that you can only have one account per user. I would like to have a production account and other accounts for various tasks that people do and share responsibility. I understand that this is however what DOE no longer allows. [PDSF user]

Since we share data with several different collaborations, it would be very useful for us to have a group account for managing the data which is accessible by more than one (authorized) person. This is, of course, against the rules, and so for the past month or two we've been trying to find a way to get our data where it needs to go and accessible to the people who need to be able to access it. The NERSC support staff has been obliging, but it's still a problem which seems needlessly complicated, even though we understand the reasons underlying the rules. [PDSF user]

Comments about network access / file transfers:   4 responses

Difficulty in transferring data from seaborg to local machines.

The move over to SSH and SFTP required new software for my Mac.

After the supercomputer breakins 6 months ago, we are no longer able to move data back to NCAR automatically. We understand the necessity for closing this hole since it was exploited by the hacker. I do want to say that the security personnel who helped deal with the breakins including Steve Lau were all very understanding and helpful.

The transfer of data between sites can be frustrating. NERSC is probably the best compromise between a secure site and ease of data transfer (ease of use).

Other comments:   5 responses

The requirement that the security banner flash on every file transfer and login is utterly ridiculous, whether or not it is a DOE policy. A person may read this once, but afterwards it is just a waste of bandwidth. ...

I get logged out too readily and have to keep logging back in. It is distracting. [Seaborg user]

New procedures always entail some startup effort, but so far there has not been any long-lasting impact that is significant.

Setting up accounts with the current Grid3 limited user model is often hard/time consuming, and potentially dissuades some use. Hopeful new Grid3 user/VO models will help. [PDSF/HPSS user]

One of my students who is from Iran cannot use NERSC. I understand that this is a DoE policy but wish it were changed.


Please make any comments that you think may be helpful to NERSC regarding one-time password authentication:   52 responses

Please don't use them / very inconvenient:   20 responses

One time password authentication will effectively halt all progress we have made in automating our scientific workflow in conjunction with the SciDAC Scientific Data Management ISIC Team. Continued automatic authentication within workflow automation scripts is vital to our efforts. Having to utilize cryptocards for one time authentication is a complete show-stopper for us!

From my understanding of how they work, one-time passwords would have a major negative impact on the way we are trying to automate our workflow. Presently, much of our data handling is manual; we are actively working to automate it. One-time passwords would seem to inhibit automation by setting up numerous roadblocks that require explicit human intervention. Productivity would thus suffer greatly.

Usually a pain and the increase in security is marginal. If we were doing classified work I could see it but not when we're just doing research and we're supposed to back up our stuff.

This was a long time ago using a device which delivered a new number to be added to a 4-digit password each time one accessed the frontend system. Because one had to access the compute system by first logging in to the frontend server, file transfers were a problem. In addition there was the problem that one had to have the device in order to login. I don't think one time passwords are desirable. I favor simpler methods of improving security such as removing the 8 character limit on passwords, using higher levels of encryption and using systems where the password file is itself encrypted, etc.

Relative to the current procedure, going to one-time passwords would not be desirable. It becomes cumbersome to access the machine.

It's a pain!!!!

I think it makes life difficult; I do not like it.

Time consuming and inconvenient.

I have used this type of access at my current place of work (LANL) and, while it adds to security it might be very inconvenient for users accessing from all across the country. I think the current access procedures seem fine - unless there have been many hacking attempts?

Why use that?

Currently using a keytag random number generator and web authentication for one system. Inconvenient; have to logon several times a day; number generator has failed once.

I would encourage NERSC to avoid the use of one-time passwords if at all possible.

I found it quite cumbersome, I don't like carrying things around when I want to quickly login somewhere. I am an avid user of SSH keys and a long passphrase, I think that this really should be offered as an alternative to the one-time passwords.

It sounds like a pain in the neck.

Not very enthused about the possibility.

Don't know much about this but it seems like a pain to have one-time passwords. I'd give it a try though.

Please no.

It's obviously more secure - but also obviously more of a pain.

I'm not a big fan of this. It should only be considered if there is a pressing need.

Is it really necessary?

If you have to, only one key for multiple sites:   9 responses

It's a pain in the butt. Crypto cards/keys, etc. are never where you need them. They get munged, seem to need to be reset about every 6 weeks, are not made for fat fingered people; on and on. A universal one-time password authentication system for use at all DOE sites would be the best of a bad thing. Let's face it: multiple passwords for multiple sites requiring frequent change just invite Post-Its on displays, or a pocket note book page...

I detest one time passwords, but I think that they may be necessary to keep hackers off our very expensive resources. It would be a great help to me if NERSC, LANL, NCAR, and ORNL all used the same CryptoCARD access so that my single CryptoCARD could be used for all the computers I work on.

If you're going to use RSA SecurID tags, please find a way to make them distinctive. I already have one, and having two is just a pain if they look identical. I suspect I'm not the only user in that situation.

I already have two OTP keys to carry around, for LLNL and PNNL. I do not want a third one! If the DOE sites can get together and use a single OTP key for all sites, that would be progress.

One-time password tokens are used at LLNL and work fine. Having multiple one-time password tokens to keep track of might be a hassle.

OTPs complicate access for me since I have to carry the token to wherever I'm working. Also, if I had more than one token, as some people in my group do, there might be some minor problem confusing one for the other.

Important to try to coordinate with "trusted" sites, e.g. other national labs, to accept their OTP tokens - a nuisance to carry around a stack of devices. Note that it might be a one-way agreement; they need not accept NERSC-issued tokens for this to be a big help.

There is only one disadvantage: one more secure card to carry !

If this refers to kerberos/SecurID based authentication, I use this to access DoD accounts. It works fine, but since I do a great deal of work at home and in the office, I must remember to carry the ID card back and forth. If I had to carry more than one of these, this would be annoying, and the chances increase tremendously that I couldn't do my job because my card is elsewhere.

You should do this / works at our site:   7 responses

I have no problem using the RSA SecurID for Livermore. If you were to implement it, I would be happy to do it if it makes Seaborg safer.

One-time password authentication provides more secure connection to NERSC, it is very critical and important.

Increases security at LLNL

I think it is very secure

works fine for me

Connect to fnal.

The PNL SecurID method works ok.

If it is implemented in a convenient way:   6 responses

Getting a key that would last for a good fraction of a day seems to work for me. However, some sites give you a password that expires in a few mins, but that's extremely counter-productive.

Simply to make sure that change is managed in a timely fashion with regard to academic researchers sometimes being away or being more or less active at certain times.

It is very important to have some way for users to log in if they lose their password generator. The machine operators should have some way of helping such users since they are the only group that has someone available around the clock.

It will need to be integrated with single sign-on for grid services.

One time password will only be useful if they are well integrated into Grid usage.

1. Minimize the number of passwords that need to be entered to access the site.
2. Have some procedure that allows code and data to be migrated from other sites to NERSC without requiring use of a OTP

OK / only a minor nuisance:   5 responses

They are only a minor nuisance.

It will not change the way I work if NERSC introduces one-time password authentication to improve security, it is just a small nuisance.

SecurID tokens work fine but you do have to carry them with you at all times...

Sure, it is a bit onerous, but I think using one-time passwords at NERSC would be a completely understandable step in improving security.

It has been working for my case. There are some inconveniences, namely to constantly keep in mind to put it in a safe place; I do not dare to take it with me while I travel.

Don't know / other:   5 responses

I don't know how this works, nor how much of a nuisance it'll be.

Don't know what one-time password means. I think constant forced change of password is of little value.

Not sure what one-time password is about.

No comment as no prior experience.

I think NERSC is doing a superb job in this area.