Different Admin Password for ACP

https://www.phpbb.com/ideas/
david63
Registered User
Posts: 20646
Joined: Thu Dec 19, 2002 8:08 am

Different Admin Password for ACP

Post by david63 »

Currently an Admin only has one password that will allow access to both the "front end" and the ACP. If that password is compromised in any way (possibly by a rogue extension) then the "hacker" could have access to the ACP.

By having a separate password for the ACP then the level of security would be increased for the board.

There would need to be checks in place that the two passwords were different and also that they were not similar - "admin" and "admin1" for example should not be allowed.
David
Remember: You only know what you know and - you don't know what you don't know!

I now no longer support any of my extensions but they will start to become available here
tojag
Registered User
Posts: 422
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: Different Admin Password for ACP

Post by tojag »

And... enforcing password change for the admin or group only, not for all users.
AmigoJack
Registered User
Posts: 6108
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: Different Admin Password for ACP

Post by AmigoJack »

david63 wrote:the level of security would be increased for the board
No: having two passwords for one account would cut the security in half, as then only one of both has to be found. Why not use an administrator account just for that and a separate account for being a board member?
david63 wrote:also that they were not similar - "admin" and "admin1"
This is not possible, as only password hashes are stored - and comparing hashes won't show how similar their source is.
  • "The problem is probably not my English but you do not want to understand correctly. ... We will not come anybody anyway, nevertheless, it's best to shit this." Affin, 2018-11-20
  • "But this shit is not here for you. You can follow with your. Maybe the question, instead, was for you, who know, so you shoved us how you are." axe70, 2020-10-10
  • "My reaction is not to everyone, especially to you." Raptiye, 2021-02-28
david63
Registered User
Posts: 20646
Joined: Thu Dec 19, 2002 8:08 am

Re: Different Admin Password for ACP

Post by david63 »

AmigoJack wrote: Tue Oct 17, 2017 7:45 am having two passwords for one account would cut the security in half, as then only one of both has to be found
Incorrect - if you have a different password for the ACP to the one you are using to logon with then you are doubling the security as both passwords would have to be found.
AmigoJack wrote: Tue Oct 17, 2017 7:45 am This is not possible, as only password hashes are stored - and comparing hashes won't show how similar their source is.
But it would be possible if it was checked on install and if you were changing the ACP password you also had to enter them both.
AmigoJack
Registered User
Posts: 6108
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: Different Admin Password for ACP

Post by AmigoJack »

This implies that changing the "normal" password would also need me to enter the "ACP" password in order to see if it's not too similar. But this time it's outside the ACP, which in turn exposes them both to the same danger of being captured.
Highgirl
Registered User
Posts: 7
Joined: Sat Dec 09, 2017 6:05 pm
Location: Amsterdam

Re: Different Admin Password for ACP

Post by Highgirl »

I don't really understand the benefits; it makes management more complicated.
david63
Registered User
Posts: 20646
Joined: Thu Dec 19, 2002 8:08 am

Re: Different Admin Password for ACP

Post by david63 »

Highgirl wrote: Sat Dec 09, 2017 6:22 pm I don't really understand the benefits; it makes management more complicated.
It does not make management any different - you have to enter a password to get to the ACP, it will just be a different password.

The advantage is that if your "front end" password is compromised then you will still have security to the "back end"
warmweer
Jr. Extension Validator
Posts: 11234
Joined: Fri Jul 04, 2003 6:34 am
Location: Van Allen Bel ... gium

Re: Different Admin Password for ACP

Post by warmweer »

david63 wrote: Sat Dec 09, 2017 6:52 pm ...
The advantage is that if your "front end" password is compromised then you will still have security to the "back end"
I'm not convinced.
If your login password is compromised then the "hacker" can change the email and thus lock you out. And unless the second password can't be changed without first logging into the ACP, that second password can be changed by the "hacker", in which case ACP access is doomed (luckily you still have database access, so all is not lost).
That would be a NO from me, unless I'm missing (a lot of) things.
Spelling is freeware, which means you can use it for free.
On the other hand, it is not open source, which means you cannot change it or publish it in a modified form.


Time flies like an arrow, but fruit flies like a banana.
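As an added example, not code from the thread or from phpBB itself, the following PHP sketches the two points argued above: AmigoJack's that stored hashes reveal nothing about how similar two passwords are, so david63's similarity rule can only be enforced while both plaintexts are in hand (at install, or at a change made from inside the ACP), and warmweer's that the ACP password must not be changeable by someone holding only the login password. Function and array-key names are hypothetical; the passwords are constructed test values.

```php
<?php
declare(strict_types=1);

// Added example (not phpBB core code). Function and field names are hypothetical.
// Requires PHP 7.1+ for password_hash()/password_verify() and scalar type hints.

/** Lower-case and strip trailing digits/symbols so "Admin1!" compares as "admin". */
function normalise_for_similarity(string $pw): string
{
    return rtrim(strtolower($pw), '0123456789!@#$%^&*()_+-=.,;:?');
}

/**
 * Plaintext similarity check. It can only run while both plaintexts are available
 * (at install or at a password change); two bcrypt hashes reveal nothing about
 * how close their inputs were.
 */
function passwords_too_similar(string $a, string $b, int $minDistance = 4): bool
{
    $na = normalise_for_similarity($a);
    $nb = normalise_for_similarity($b);
    if ($na === '' || $nb === '' || $na === $nb) {
        return true;
    }
    if (strpos($na, $nb) !== false || strpos($nb, $na) !== false) {
        return true;                                   // one is a substring of the other
    }
    // Edit distance on the lower-cased originals (levenshtein() is capped at 255 bytes before PHP 8).
    $distance = levenshtein(substr(strtolower($a), 0, 255), substr(strtolower($b), 0, 255));
    return $distance < $minDistance;
}

/** Install time: both plaintexts are present, so the similarity rule is enforceable here. */
function create_admin_account(string $loginPw, string $acpPw): array
{
    if (passwords_too_similar($loginPw, $acpPw)) {
        throw new InvalidArgumentException('ACP password must differ substantially from the login password');
    }
    return [
        'login_hash' => password_hash($loginPw, PASSWORD_DEFAULT),
        'acp_hash'   => password_hash($acpPw, PASSWORD_DEFAULT),
    ];
}

/**
 * ACP password change, reachable only from inside the ACP. It demands the current
 * ACP password, so a stolen login password or a hijacked front-end session alone
 * cannot rotate the back-end secret and lock the real admin out.
 */
function change_acp_password(array $account, string $currentLoginPw, string $currentAcpPw, string $newAcpPw): array
{
    if (!password_verify($currentAcpPw, $account['acp_hash'])) {
        throw new RuntimeException('current ACP password is wrong');
    }
    if (!password_verify($currentLoginPw, $account['login_hash'])) {
        throw new RuntimeException('current login password is wrong');
    }
    if (passwords_too_similar($currentLoginPw, $newAcpPw)) {
        throw new InvalidArgumentException('new ACP password is too similar to the login password');
    }
    $account['acp_hash'] = password_hash($newAcpPw, PASSWORD_DEFAULT);
    return $account;
}

// --- demonstration with constructed values ---

// Hashes do not expose similarity: "admin" and "admin1" give unrelated bcrypt strings.
$h1 = password_hash('admin', PASSWORD_DEFAULT);
$h2 = password_hash('admin1', PASSWORD_DEFAULT);
printf("edit distance between the two hashes: %d of %d characters\n", levenshtein($h1, $h2), strlen($h1));

// The plaintext check catches the pair the original post uses as its example.
printf("admin / admin1 too similar: %s\n", passwords_too_similar('admin', 'admin1') ? 'yes' : 'no');

$account = create_admin_account('correct horse battery staple', 'vZ8#kq!Lm2wR');

try {
    change_acp_password($account, 'correct horse battery staple', 'wrong-acp-password', 'Nq4$pLx7!uTb');
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
$account = change_acp_password($account, 'correct horse battery staple', 'vZ8#kq!Lm2wR', 'Nq4$pLx7!uTb');
echo "ACP password rotated\n";
```

Putting both change forms behind the ACP (rather than asking for the ACP password on a front-end page) is what avoids AmigoJack's objection below that the second password would otherwise be typed where the first one was already captured. The similarity check is a heuristic; Ger's point further down still stands, since a rogue extension running inside an ACP request sees every plaintext this code sees.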
Ger
Registered User
Posts: 2108
Joined: Wed Jan 02, 2008 7:35 pm
Location: 192.168.1.100

Re: Different Admin Password for ACP

Post by Ger »

david63 wrote: Sat Dec 09, 2017 6:52 pm It does not make management any different - you have to enter a password to get to the ACP, it will just be a different password.

The advantage is that if your "front end" password is compromised then you will still have security to the "back end"
Wouldn't it be better to use a two-factor approach, like sending an SMS?

A rogue extension would as easily compromise a second (ACP) password as a regular one, I'd say. The principle would be the same, just the event would be different.

The best security comes from the combination of needing some secret you know (password) and something unique you have (like a phone).
My extensions:
Simple CMS, Feed post bot, Avatar Resize, Modbreak, Magic OGP, Live topic update, Modern Quote, Quoted Where (GDPR) and Autoresponder.
Newest: FAQ manager for 3.2

Like my work? Buy me a coffee to keep it coming. :ugeek:

-Don't PM me for support-
Bermudez
Registered User
Posts: 171
Joined: Mon Aug 15, 2011 11:56 pm
Location: Spain
Name: Juan Antonio

Re: Different Admin Password for ACP

Post by Bermudez »

Ger wrote: Wed Feb 07, 2018 12:50 pm
david63 wrote: Sat Dec 09, 2017 6:52 pm It does not make management any different - you have to enter a password to get to the ACP, it will just be a different password.

The advantage is that if your "front end" password is compromised then you will still have security to the "back end"
Wouldn't it be better to use a two-factor approach, like sending an SMS?

A rogue extension would as easily compromise a second (ACP) password as a regular one, I'd say. The principle would be the same, just the event would be different.

The best security comes from the combination of needing some secret you know (password) and something unique you have (like a phone).
+1
tojag
Registered User
Posts: 422
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: Different Admin Password for ACP

Post by tojag »

Gentlemen, vote for my idea of introducing 2FA. This solution is really needed nowadays.
viewtopic.php?f=436&t=2438306
Thanks!
warmweer
Jr. Extension Validator
Posts: 11234
Joined: Fri Jul 04, 2003 6:34 am
Location: Van Allen Bel ... gium

Re: Different Admin Password for ACP

Post by warmweer »

tojag wrote: Sun Feb 18, 2018 6:52 pm Gentlemen, vote for my idea of introducing 2FA. This solution is really needed nowadays.
viewtopic.php?f=436&t=2438306
Thanks!
Care to expand on what 2FA involves?
If it implies a verification code being necessary and sent by SMS ... a NO GO from me.
And whatever method is used, I second that it should be optional and not enforced.
tojag
Registered User
Posts: 422
Joined: Thu Aug 07, 2014 8:00 am
Location: Warsaw, Poland, EU
Name: Gregory

Re: Different Admin Password for ACP

Post by tojag »

It should be an option in the UCP, and a global on/off in the ACP. Google Authenticator would be enough.
Of course it can be an extension, but built into the core would be better, because it ensures that it will always work in new versions of phpBB.
Paul developed an extension but it has bugs and probably crashes on 3.2.2: viewtopic.php?f=456&t=2341856
If it were a good, official extension, it would be OK.
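What a Google Authenticator style second factor for the ACP login involves, as an added example that is not code from the thread, from phpBB or from the extension mentioned above: a minimal RFC 6238 TOTP verifier in PHP. The secret is the RFC's own test key, shown here base32-encoded as an authenticator app would import it; the per-account "last accepted counter" field is an assumption about how the board would persist state.

```php
<?php
declare(strict_types=1);

// Added example (not phpBB core and not any existing extension): an RFC 6238 TOTP
// verifier compatible with Google Authenticator. Requires PHP 7.1+ (pack('J'), intdiv, hash_equals).

/** Decode RFC 4648 base32, the alphabet authenticator apps accept when enrolling a secret. */
function base32_decode_rfc4648(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32 = strtoupper(rtrim($b32, '='));
    if ($b32 === '') {
        throw new InvalidArgumentException('empty secret');
    }
    $bits = '';
    foreach (str_split($b32) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) {
            throw new InvalidArgumentException("invalid base32 character '$c'");
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {                 // drop the trailing partial group
            $out .= chr(bindec($byte));
        }
    }
    return $out;
}

/** HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation. */
function hotp(string $key, int $counter, int $digits = 6): string
{
    $hmac   = hash_hmac('sha1', pack('J', $counter), $key, true);
    $offset = ord($hmac[19]) & 0x0f;
    $binary = ((ord($hmac[$offset]) & 0x7f) << 24)
            | (ord($hmac[$offset + 1]) << 16)
            | (ord($hmac[$offset + 2]) << 8)
            |  ord($hmac[$offset + 3]);
    return str_pad((string) ($binary % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/** TOTP (RFC 6238): HOTP over the number of 30-second steps since the Unix epoch. */
function totp(string $key, int $unixTime, int $step = 30, int $digits = 6): string
{
    return hotp($key, intdiv($unixTime, $step), $digits);
}

/**
 * Check a submitted code. Accepts one step of clock skew either way and refuses any
 * counter at or below the last one accepted for this account, so a code captured by
 * a rogue extension or a shoulder-surfer cannot be replayed inside its window.
 * Returns the counter to persist on success, null on failure.
 */
function verify_totp(string $key, string $submitted, int $now, int $lastCounter, int $skew = 1): ?int
{
    $current = intdiv($now, 30);
    for ($i = -$skew; $i <= $skew; $i++) {
        $counter = $current + $i;
        if ($counter <= $lastCounter) {
            continue;                                  // already used (or older): replay
        }
        if (hash_equals(hotp($key, $counter), $submitted)) {
            return $counter;
        }
    }
    return null;
}

// Self-checks against RFC 6238 Appendix B: secret "12345678901234567890", T=59, SHA1, 8 digits -> 94287082.
if (totp('12345678901234567890', 59, 30, 8) !== '94287082') {
    throw new RuntimeException('TOTP self-check against RFC 6238 failed');
}
$secretB32 = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';        // base32 of that same 20-byte secret
$key       = base32_decode_rfc4648($secretB32);
if ($key !== '12345678901234567890') {
    throw new RuntimeException('base32 self-check failed');
}

// Login: the code the app shows now, accepted once, then the same code replayed.
$now         = time();
$code        = totp($key, $now);
$lastCounter = 0;                                      // stored per account; 0 = never used

$accepted = verify_totp($key, $code, $now, $lastCounter);
echo $accepted === null ? "first use: rejected\n" : "first use: accepted, store counter $accepted\n";

$replayed = verify_totp($key, $code, $now + 10, $accepted ?? $lastCounter);
echo $replayed === null ? "replay: rejected\n" : "replay: accepted (bug)\n";
```

The per-account counter is the part most toy implementations skip: without it, a code that leaks is valid for up to about 90 seconds given the skew window. It also covers Ger's SMS suggestion only partly, since a TOTP app never leaves the phone, whereas an SMS code transits the carrier network.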
Mick
Support Team Member
Posts: 26508
Joined: Fri Aug 29, 2008 9:49 am

Re: Different Admin Password for ACP

Post by Mick »

tojag wrote: Sun Feb 18, 2018 6:52 pm vote for my idea of introducing 2FA
Please stay on topic, keep to your own idea(s) unless you’ve got something positive to add. Campaigning for your own idea(s) in someone else’s is frowned upon.
  • "The more connected we get the more alone we become" - Kyle Broflovski©
  • "The good news is hell is just the product of a morbid human imagination. The bad news is, whatever humans can imagine, they can usually create." - Harmony Cobel
Scanialady
Registered User
Posts: 421
Joined: Thu Jan 17, 2013 7:09 pm
Location: Germany
Name: Annette

Re: Different Admin Password for ACP

Post by Scanialady »

It is easy to create an entry in .htaccess and a password file .htpasswd outside public_html for basic authentication, to get a second password for the ACP. Maybe you can do it with your provider's management console.
My 2 cents: Whether an extension is in the CDB says nothing about its quality. It is more important to read the support topics for it. Better to avoid authors who do not answer support questions themselves, who do not update their stuff, and who do not fix bugs for years.
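The .htaccess approach above, written out as an added example (not phpBB's own configuration): phpBB's ACP lives in the adm/ directory, so the file goes there, and the password file sits outside the document root so the web server can never serve it. The paths and the user name are assumptions.

```apache
# Added example, not phpBB configuration. Paths are assumptions.
# Save as <docroot>/adm/.htaccess; the server config needs "AllowOverride AuthConfig"
# for this directory, or Apache silently ignores the file.
AuthType Basic
AuthName "Board administration"
# Outside the web root: never reachable by URL.
AuthUserFile /home/example/private/.htpasswd-acp
Require valid-user
```

Create the password file with bcrypt hashes rather than the weak default digest: `htpasswd -B -c /home/example/private/.htpasswd-acp acpadmin` (Apache 2.4's htpasswd; add later users without `-c`). Two caveats a practitioner would want: Basic credentials ride on every request, so this is only acceptable over HTTPS; and it does not address the rogue-extension case from the first post, because under mod_php the credentials Apache accepted are still visible to PHP code in that request via $_SERVER['PHP_AUTH_PW']. It does add a real second secret against an attacker who only has the front-end login password, which is the scenario david63 raised.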