Different Admin Password for ACP

https://www.phpbb.com/ideas/
Ideas Bot
Registered User
Posts: 309
Joined: Sat Oct 13, 2012 10:06 am

Different Admin Password for ACP

Post by Ideas Bot » Sat Sep 23, 2017 7:18 am

Currently an Admin only has one password that will allow access to both the "front end" and the ACP. If that password is compromised in any way (possibly by a rogue extension) then the "hacker" could have access to the ACP.

By having a separate password for the ACP, the level of security would be increased for the board.

There would need to be checks in place that the two passwords were different and also that they were not similar - "admin" and "admin1" for example should not be allowed.

tojag
Registered User
Posts: 54
Joined: Thu Aug 07, 2014 8:00 am

Re: Different Admin Password for ACP

Post by tojag » Sat Sep 23, 2017 3:46 pm

And... enforcing password change for the admin or group only, not for all users.

AmigoJack
Registered User
Posts: 4884
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: Different Admin Password for ACP

Post by AmigoJack » Tue Oct 17, 2017 7:45 am

david63 wrote:
the level of security would be increased for the board
No: having two passwords for one account would cut the security in half, as then only one of both has to be found. Why not use an administrator account just for that and a separate account for being a board member?
david63 wrote:
also that they were not similar - "admin" and "admin1"
This is not possible, as only password hashes are stored - and comparing hashes won't show how similar their source is.
The worst thing about censorship is ███████████

david63
Jr. Extension Validator
Posts: 12814
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Name: David Wood

Re: Different Admin Password for ACP

Post by david63 » Tue Oct 17, 2017 9:15 am

AmigoJack wrote:
Tue Oct 17, 2017 7:45 am
having two passwords for one account would cut the security in half, as then only one of both has to be found
Incorrect - if you have a different password for the ACP to the one you are using to log on with, then you are doubling the security, as both passwords would have to be found.
AmigoJack wrote:
Tue Oct 17, 2017 7:45 am
This is not possible, as only passwords hashes are stored - and comparing hashes won't show how similar their source is.
But it would be possible if it was checked on install and if you were changing the ACP password you also had to enter them both.
David
Remember: You only know what you know and - you don't know what you don't know!
My CDB Contributions | How to install an extension
I will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.
No support requests via PM or email as they will be ignored
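The two posts above disagree on whether an "ACP password must not resemble the login password" rule can be enforced. The following is an added example (Python, not phpBB's own code) that shows both halves of the argument: the stored hashes of "admin" and "admin1" share nothing useful, so a similarity check is only possible on the plaintexts submitted together in the change-password form. The salt, the edit-distance threshold and the function names are assumptions for illustration.

```python
import hashlib


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def too_similar(login_pw: str, acp_pw: str, min_distance: int = 3) -> bool:
    """Plaintext check run when both passwords are present in the same form.

    Rejects an ACP password that equals, contains, or is contained in the
    login password (case-insensitive), or that is within a few edits of it.
    min_distance=3 is an assumed policy value, not a phpBB setting.
    """
    a, b = login_pw.lower(), acp_pw.lower()
    if a == b or a in b or b in a:
        return True
    return edit_distance(a, b) < min_distance


def hash_similarity(pw1: str, pw2: str) -> float:
    """Fraction of matching hex digits between the stored hashes of two
    passwords derived with the same (constructed, fixed) salt.

    For any two distinct inputs this sits near 1/16, whatever the plaintexts
    have in common, which is why a hash-only comparison cannot flag "admin1"
    as a near-copy of "admin".
    """
    salt = b"constructed-fixed-salt-for-demo"
    h1 = hashlib.pbkdf2_hmac("sha256", pw1.encode(), salt, 10_000).hex()
    h2 = hashlib.pbkdf2_hmac("sha256", pw2.encode(), salt, 10_000).hex()
    return sum(x == y for x, y in zip(h1, h2)) / len(h1)


if __name__ == "__main__":
    print("admin vs admin1 too similar:", too_similar("admin", "admin1"))
    print("hash digit overlap:", round(hash_similarity("admin", "admin1"), 2))
```

The plaintext check also illustrates AmigoJack's follow-up concern: it can only run where both passwords are typed into one form, so that form is where both are exposed.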

AmigoJack
Registered User
Posts: 4884
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: Different Admin Password for ACP

Post by AmigoJack » Tue Oct 17, 2017 2:11 pm

This implies that changing the "normal" password would also need me to enter the "ACP" password in order to see if it's not too similar. But this time it's outside the ACP, which in turn exposes them both to the same danger of being captured.
The worst thing about censorship is ███████████
