[SUGGESTION] Different password/PIN to ACP

[MNA]

Hi!

I use phpBB for many years and I would like to give you, phpBB developers, a security-related suggestion that you could implement in next phpBB releases.

As we all know, the Administrator of the board has one account for administration and discussion pruposes. It's not good, because when someone steal password while admin is logging in, he can destroy entire forum (I assume that admin is logging only to discuss, not to manage forum).

Of course, there are workarounds of this problem, like using two accounts (one for administering and one for discussion), deny access to /acp/ folder for foregin IPs etc.


But I would like to suggest something new:
- differrent password to ACP
OR
- PIN code for administrator

1) Different password
It would work like this: after admin has successfully been logged into forum, he can post new messages, create new topics etc. (like normal user). But when he will try to get into ACP, he will be requested to login again, but with different, earlier set (I mean: while he was creating forum) password.

2) PIN code
Like as above, but password would remain the same. However, there will be another text box to enter his PIN code (for ex. 8 digits, generated automatically while he registered) without which he will be unable to access ACP.


Please consider my proposition, I believe that it could be a good security echancement.


Greetings
MNA

[nuckfan15]

I have read your post. While your suggestions may very well make things secure by a small margin. Don't you think one secure password would do the same?

One password such as WagUca89 would be more secure then two passwords such as password and 1989. No administrator should have an easy to guess ( or hash ) password. It is also typically better to use multiple passwords with alot of characters rather then one universal password for your accounts. One difficult password on an admin account in phpBB is all you need.

It's up to you in the end; however.

BTW if your really interested in securing your board more....

http://www.phpbb.com/customise/db/mod/s ... user_name/

[Oleg]

when someone steal password while admin is logging in

What would prevent that person from stealing password and pin or another password while admin is logging in to admincp?

[tbackoff]

I would like to chime in too. phpBB has been through a paid security audit. If an administrator (as stated above) is using an insecure password, he or she shouldn't be an administratior at all.

By the way, a secure password (at least in my mind) is something along the lines of i!H0nd@&#U

[nuckfan15]

I would like to chime in too. phpBB has been through a paid security audit. If an administrator (as stated above) is using an insecure password, he or she shouldn't be an administratior at all.

By the way, a secure password (at least in my mind) is something along the lines of i!H0nd@&#U

http://strongpasswordgenerator.com/ Plenty of websites that make it easy enough to have a decent password. I don't like using symbols either, some websites prefer that you don't.

[Desdenova]

I believe that having the option to set an "admin password" would be a great feature, so long as it is kept an option and not the default.

I have read your post. While your suggestions may very well make things secure by a small margin. Don't you think one secure password would do the same?

This is actually a debate that goes on in the Linux world all the time, normally known as "sudo versus su". Here's an article on it, there's a bunch of comments on the pros and cons of each.
http://www.tuxmagazine.com/node/1000148




For the record, I have both sudo and su set up on my Linux installation, however sudo is setup to ask for root's password.

[Marshalrusty]

I believe that having the option to set an "admin password" would be a great feature, so long as it is kept an option and not the default.

I have read your post. While your suggestions may very well make things secure by a small margin. Don't you think one secure password would do the same?

This is actually a debate that goes on in the Linux world all the time, normally known as "sudo versus su". Here's an article on it, there's a bunch of comments on the pros and cons of each.
http://www.tuxmagazine.com/node/1000148

While the article's content is valid (for maximum safety, using sudo is better than logging in as root), it is not at all the same thing being brought up here.

What nn- is pointing out (and he is quite correct, of course) is that the real problem in the scenario is that someone managed to get the administrator's password. How did they do that? Is there a vulnerability in the software that allows them to intercept passwords? Is there malware on the admin's PC? Has the network connection been compromised? All of these cases would result in the attacker stealing the separate admin password as well. So how would it protect you anymore than the standard password?

As the root user, anything you run can seriously damage the system. That's why you don't want to run things as root; it has nothing to do with someone stealing your password. If someone can intercept your *nix user's password, the same question applies: how did they do it and what would prevent them from getting the password when you enter it (whether it's due to su or sudo).

[MNA]

Hi guys, thank you for your interests.


You did not understand me at all. I know that admin should have strong password etc etc etc.


BUT I'm talking about situation when Administrator would login only for discussion pruposes, without access to ACP (for example: on public computer). In my case, I have restricted access to /acp/ folder only to some IPs on my HTTP server, so I can safely login to forum from foregin computer.

Again: I'm talking only about additional admin authentication only when he is trying to access ACP. You have to admit, that when Admin would only talk or check some posts on forum, access to ACP is completly unnecessary. So, if someone steal his password in such situation, he will be only able to post or delete admin posts without possibility to damage forum, so admin can feel safer while he logging in.


I believe now it's clear



PS nuckfan15, thank you for that link!

[bantu]

If you need another layer of authentication, why not use something another layer already provides - like .htaccess/.htpasswd?

[MNA]

Yes, I have something like this.


But I am in good situation, because I've got access to server's shell, not everyone has that possibility, so let's help them.

[tbackoff]

Plenty of websites that make it easy enough to have a decent password

The "password" I posted is something random (actually, its a makes-no-sense sentence). It's substituting numbers / symbols for letters.

I don't like using symbols either, some websites prefer that you don't.

May I inquire as to why you dont like usnig them? Also, can you provide a few of those sites? I'd like to read their FAQ or some other document that states why they prefer you don't.

Let me make one thing clear; I have no problem with features that make a system or peice of software secure. As Marshalrusty pointed out, there are numerous scenarios in which an attacker can gain access to that second password. Could this second password feature be useful for some? Sure, but again, the website is only as secure as the administrator makes it (going backto my "if they are using an insecure password" arguement).

[Marshalrusty]

May I inquire as to why you dont like usnig them? Also, can you provide a few of those sites? I'd like to read their FAQ or some other document that states why they prefer you don't.

American Express's website limits you to 8 alphanumeric characters. I've asked them before what they could possibly be thinking, but received no response.

BUT I'm talking about situation when Administrator would login only for discussion pruposes, without access to ACP (for example: on public computer). In my case, I have restricted access to /acp/ folder only to some IPs on my HTTP server, so I can safely login to forum from foregin computer.

Again: I'm talking only about additional admin authentication only when he is trying to access ACP. You have to admit, that when Admin would only talk or check some posts on forum, access to ACP is completly unnecessary. So, if someone steal his password in such situation, he will be only able to post or delete admin posts without possibility to damage forum, so admin can feel safer while he logging in.

Keep in mind that even without access to the ACP, someone can delete every post on the board through the MCP. The only argument left is that it would prevent someone from getting a backup of the database.

Don't get me wrong, I'm all for added security, just not necessarily via adding a bunch of authentication layers.

[MNA]

Keep in mind that even without access to the ACP, someone can delete every post on the board through the MCP.

But he must be in 'Global moderators' group first

[tbackoff]

OK, then to gain access to the ACP, that person must be in the 'Administrators' group first.

[Desdenova]

While the article's content is valid (for maximum safety, using sudo is better than logging in as root), it is not at all the same thing being brought up here.

Bzzzt, wrong.

The similarities between both are quite obvious (and also, you shouldn't be presenting your opinion as die-hard fact).