User credentials (e.g. passwords) in the MPI/CBS
Permanent Link:
Overview
You'll come into contact with several different credentials related to your employment at the institute. "Credentials" refer to any type of secret that you have to prove that you're actually you. All the relevant secrets are mentioned here. All you need to know in some sentences: (Legend:
an account/username, 
a secret (password or token), 
a service)
When you visit the departments upon first arrival at the institute, you'll receive your institute user account name and the associated institute password . As soon as your account is active (happens automatically when administration enters your contract data into a database), you'll be able to graphically log into all Linux computers at the institute network. You should then change your password to something memorable at https://userportal.cbs.mpg.de .
Your mail access should be ready by now. Go to https://mail.cbs.mpg.de and log in. Your address is your institute account name plus the institute domain @cbs.mpg.de . The mail server will insist that you (install and) open the "Google Authenticator" app on your phone and create a 2FA entry there. The app will serve as a TAN generator for logging into the web mail system.
You might want to access the institute remotely . Drop by IT (no appointment needed), bring your phone and a government issued ID. You'll receive the second "Google Authenticator" entry there.
There's a service facility which unfortunately requires its own set of credentials. You'll get an invitation for a GWDG account incl. an initial password via eMail. Make sure to process this ASAP - it's time sensitive! You'll need the GWDG account to access you pay stubs , MAX , the vacation request service , Eduroam , Cloud storage and a ton of other services. This account will get you the third entry in "Google Authenticator" . Make sure, not to choose their recommended app as 2FA method!
When trying to access MAX, the pay stub server or the vacation request service, you might encounter an "employeeNumber is missing" error. This means, administration didn't fully enter your contract details, yet. Use the mpgcheck command on a Linux command line to check.
Relevant credentials, how to change and how to reset them
Permanent Link:| Credentials | What's that? | Managed where | How to get it? | Credentials forgotten or broken? | Where to change it? Requirements? |
|---|---|---|---|---|---|
| Institut account password | Password for in-house login, RemoteLinux, Groupware(Mail) and ProxyLibrary | MPI CBS in-house | Initial password will be given to you on a sheet. Change it to something, you can remember immediately. | Forgot your password? Visit IT in Leipzig, bring your ID | Userportal  You have to be physically at the institute or have RemoteLinux / RemoteWindows access. You have to know the old password. |
| Institute Remote access 2FA | 2nd factor for RemoteLinux and RemoteWindows | Visit IT in Leipzig, bring your ID | Phone broken, lost or otherwise inaccessible? Visit IT in Leipzig, bring your ID | No self-service possible. | |
| Institute *Mail 2FA | 2nd factor just for MPI/CBS mail | Upon first logon at the Mail server Web-GUI | Request a 2FA-Reset at the Userportal You have to be physically in the institute or have RemoteLinux / RemoteWindows access. You have to know the institute account password for that! Processing the request takes a while, notification upon completion to a non-institute mail account is possible. |
||
| GWDG account password | MPS central services (e.g. MAX or SAP) | GWDG | Upon institute account creation, an initial password will be sent via email automatically. | You have access to the institute via RemoteLinux? Write a ticket, we'll send a new initial password via mail. No Remotelinux access? Visit IT in Leipzig, bring your ID |
GWDG-Account self service You have to know the GWDG account password for that! It takes a while for the new PW to sync e.g. to SAP . |
| GWDG 2FA | For MPI central services (e.g. MAX or SAP) | Self-service here. Make sure to write down the recovery code. | Visit https://id.academiccloud.de/mfareset , Use the recovery code, you received during 2FA setup. If you do not have access to this code anymore, please write a ticket. |
Self-service here You still have to have access to your 2FA device! |
|
FAQ
Expand all Collapse allWhich password/credential to use for which service?
Permanent Link:
If you have trouble, logging into one of these service, you might want to have a look at the specific ways of changing/resetting credentials #matrix.
| Service | Credentials to use |
|---|---|
| Groupware | Institute account password + Mail2FA |
| Linux workstations | Institute account password |
| Windows workstations | Institute account password |
| Apple workstations | Local password on the respective workstation |
| RemoteLinux | Institute account password + Remote access 2FA |
| RemoteWindows | Institute account password + Remote access 2FA |
| CentralWindows | Institute account password |
| ProxyLibrary | Institute account password |
| TicketSystem | Institute account password |
| Owncloud ("Max-Planck-Dropbox") | GWDG account password + GWDG 2FA |
| data.cbs.mpg.de | Institute account password |
| Eduroam | GWDG account password |
| Max | GWDG account password + GWDG 2FA |
| SAP | GWDG account password + GWDG 2FA |
| SoSci | GWDG account password + GWDG 2FA |
| MinervaMessenger | Independent user management. Find out more at MinervaMessenger |
| Confluence | Institute account password |
Back to FAQ start
Which rules apply for institute passwords
Permanent Link:
These are the rules
- Use at least a 12 character password (the more, the better but no more than 40)!
- Allowed characters are: A-Z, a-z, 0-9, ,.;:_/(){}[]@%&!+-*~=#?^
- The following rules apply to short passwords:
- Do not use or embed English or German words with more than 3 characters!
- Use at least 3 of the four character classes (minor, capital, numbers, "special")!
- Use 20 characters or more to void rules 1 and 2.
Back to FAQ start
Should I change my password on a regular basis?
You do not need to change your institute password on a regular basis.
Back to FAQ start
How to ensure security of my institute password?
Permanent Link:
There's only one rule: Never ever share your institute password with other people, services or organisations. Here is what that means (although these are only consequences of this sole rule):
- Never enter your institute password on a website that doesn't end with
cbs.mpg.de.- Examples for safe addresses
- Examples of attacks
- https://some.server.com/
- https://cbs.mpg.de.google.com/ (
cbs.mpg.denot at the end of the server name) - https://some.server.com/cbs.mpg.de (
cbs.mpg.deis not even part of the server name)
- You are obviously not allowed to give your password to a colleague. If you need a colleague to have access to some data, use permission delegation. If you don't know how to do that, please contact IT.
- Storing your password in an encrypting password management tool is OK.
- If you receive an email, pressuring you to enter your password on website with a shady URL, fight the urge to do so!
- Those are Phishing attacks.
- Be very careful, not to fall victim to such an attack because the institute will automatically lock your account in this case.
- You are not allowed to use your institute password as a password of another service (Google, GWDG, Live.Com, Facebook) - no matter how trustworthy this service is or seems to be.
- You may safely store your password in a piece of software on your computer to e.g. fetch mail in a mail client software. The same goes for apps on a phone
- However, you have to make sure, no software or app synchronizes this password to the cloud.
- You have to make sure that you understand the app, you're using. It is your responsibility!
- Example: Outlook for Android sends email passwords to Microsoft which then fetches emails in your name. Your are not allowed to do that!
- You are not allowed to let a service fetch email from your account (Google Mail, Live.Com, ...).
- You may use a mail forward on the institute's mail server to send emails somewhere else.
- Side note: You're not allowed to send personal data of other people outside the scope of EU law which makes forwarding emails a bit of a risk for you. It's your responsibility to only forward emails in compliance with GDPR.
- You may use a mail forward on the institute's mail server to send emails somewhere else.
Back to FAQ start
How does the password sync with GWDG work?
Back to FAQ start
I can not login at MAX or the SAP portal as external guest?
Unfortunately, this services are not available for you as an external guest.
Copyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding Foswiki? Send feedback