david63 wrote: the level of security would be increased for the board
No: having two passwords for one account would cut the security in half, as then only one of the two has to be found. Why not use an administrator account just for that and use a separate account for being a board member?
david63 wrote: also that they were not similar - "admin" and "admin1"
This is not possible, as only password hashes are stored - and comparing hashes won't show how similar their source is.
Incorrect - if you have a different password for the ACP to the one you are using to log on with then you are doubling the security as both passwords would have to be found.
But it would be possible if it was checked on install and if you were changing the ACP password you also had to enter them both.
It does not make management any different - you have to enter a password to get to the ACP, it will just be a different password.
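The "admin" / "admin1" exchange above, as an added example that is not code from any poster or from phpBB: stored hashes of similar passwords look unrelated, while a change form that receives both plaintexts can compare them before hashing. The function names, the PBKDF2 stand-in for the board's real hashing, the 0.7 threshold and the sample passwords are all assumptions made for this illustration.

```python
import hashlib
import hmac
import os
from difflib import SequenceMatcher


def hash_password(password: str, salt: bytes) -> bytes:
    # Stand-in KDF for this example only (assumption, not phpBB's scheme).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def bit_agreement(h1: bytes, h2: bytes) -> float:
    """Fraction of identical bits; about 0.5 for unrelated hashes."""
    differing = sum(bin(x ^ y).count("1") for x, y in zip(h1, h2))
    return 1 - differing / (8 * len(h1))


def similarity(a: str, b: str) -> float:
    """Plaintext similarity in [0, 1], case-insensitive."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def set_acp_password(stored_login_hash: bytes, login_salt: bytes,
                     login_password: str, new_acp_password: str,
                     threshold: float = 0.7):
    """Hypothetical handler: the user submits both passwords in one form."""
    supplied = hash_password(login_password, login_salt)
    # Verify the login password against the stored hash in constant time.
    if not hmac.compare_digest(supplied, stored_login_hash):
        raise PermissionError("login password incorrect")
    # Both plaintexts exist only for this request, so the similarity
    # check has to happen here, before anything is hashed and stored.
    if similarity(login_password, new_acp_password) >= threshold:
        raise ValueError("ACP password too similar to login password")
    acp_salt = os.urandom(16)
    return acp_salt, hash_password(new_acp_password, acp_salt)


if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed sample value
    login_hash = hash_password("admin", salt)
    print("plaintext similarity:", round(similarity("admin", "admin1"), 2))
    print("hash bit agreement:",
          round(bit_agreement(login_hash, hash_password("admin1", salt)), 2))
    try:
        set_acp_password(login_hash, salt, "admin", "admin1")
    except ValueError as err:
        print("rejected:", err)
```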
I'm not convinced.
Wouldn't it be better to use a two-factor approach, like sending an SMS?
Ger wrote: Wed Feb 07, 2018 12:50 pm
Wouldn't it be better to use a two-factor approach, like sending an SMS?
+1
A rogue extension would as easily compromise a second (ACP) password as a regular one I'd say. Principle would be the same, just the event would be different.
The best security comes from the combination of needing some secret you know (password) and something unique you have (like a phone).
Care to expand on what 2FA involves?
Please stay on topic, keep to your own idea(s) unless you’ve got something positive to add. Campaigning for your own idea(s) in someone else’s is frowned upon.