Best practices -- ACP Security settings

P_I
Community Team Member
Posts: 2400
Joined: Tue Mar 01, 2011 8:35 pm
Location: Western Canada 🇨🇦

Best practices -- ACP Security settings

Post by P_I »

I am trying to crowdsource some best practices for some of phpBB's General settings.

In particular, I have been reviewing the default settings in ACP-->Security settings, and a few of the default settings leave me pondering whether or not they are current best practices for smooth operation of a phpBB board. So I thought it might be worthwhile to ask about them.

For example the "Remember Me" login key expiration length (in days): defaults to 0, or disabled. Is this wise? Since these are related to security, shouldn't there be a finite expiration length, say 365 days? Or lower?

I suspect that most end-users are aware of this functionality and that in their User Control Panel they have the ability to manage them via ucp.php?i=ucp_profile&mode=autologin_keys. This UCP page describes them
Manage “Remember Me” login keys wrote:
The "Remember Me" login keys automatically log you in when you visit the board. If you logout, the remember me login key is deleted only on the computer you are using to logout. Here you can see remember login keys created on other computers you used to access this site.
Do any board admins change this setting? To what value and why?

Next up, the Password length: defaults to 6 characters. This seems quite outdated. For example NIST Special Publication 800-63B says
NIST wrote:
Password length has been found to be a primary factor in characterizing password strength [Strength] [Composition]. Passwords that are too short yield to brute force attacks as well as to dictionary attacks using words and commonly chosen passwords.
Their minimum recommendation
NIST wrote:
Verifiers SHALL require subscriber-chosen memorized secrets to be at least 8 characters in length.
Again do any board admins change this setting and follow the NIST guidelines for at least 8 characters in length?

Are there any other default settings in ACP-->Security settings that, as part of your best practices, you always change? If so, what setting and what value do you recommend, and why?
Normal people… believe that if it ain’t broke, don’t fix it. Engineers believe that if it ain’t broke, it doesn’t have enough features yet. – Scott Adams
Kailey
Community Team Leader
Posts: 3777
Joined: Mon Sep 01, 2014 1:00 am
Location: sudo rm -rf /
Name: Kailey Snay

Re: Best practices -- ACP Security settings

Post by Kailey »

I keep most of them the same except for password:
P_I wrote: Tue Nov 14, 2023 4:10 pm
Next up, the Password length: defaults to 6 characters. This seems quite outdated. For example NIST Special Publication 800-63B says
NIST wrote:
Password length has been found to be a primary factor in characterizing password strength [Strength] [Composition]. Passwords that are too short yield to brute force attacks as well as to dictionary attacks using words and commonly chosen passwords.
Their minimum recommendation
NIST wrote:
Verifiers SHALL require subscriber-chosen memorized secrets to be at least 8 characters in length.
Again do any board admins change this setting and follow the NIST guidelines for at least 8 characters in length?
I change this to 10 and make the requirements symbols.

For team members, the requirement is 13 (managed through an extension).
Kailey Snay - Community Team Leader
Knowledge Base | Documentation | Community rules
If you have any questions about the rules/customs of this website, feel free to send me a PM.

My little corner of the world | Administrator @ phpBB Modders
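Pulling together the two settings discussed in this thread, the following is an added example (not phpBB's own code, and not posted by either participant) that audits a snapshot of the ACP security values the way a board admin might before changing them. It assumes the setting names match the keys phpBB stores in its config table (min_pass_chars, pass_complex, max_autologin_time) and that phpBB prunes a "Remember Me" key once its last_login is older than max_autologin_time days when that value is non-zero; both are assumptions, and the two sample snapshots (phpBB defaults, and the values suggested above) are constructed.

```python
"""Audit phpBB ACP -> Security settings against the recommendations in this thread.

Added example, not phpBB code. Assumed: setting names match phpBB's config table
keys, and "Remember Me" keys are purged when last_login < now - 86400 * days.
"""
from __future__ import annotations

import time
from dataclasses import dataclass

# NIST SP 800-63B: verifiers SHALL require at least 8 characters.
NIST_MIN_PASSWORD_LENGTH = 8


@dataclass(frozen=True)
class Finding:
    setting: str
    value: str
    message: str


def audit_security_settings(config: dict[str, str]) -> list[Finding]:
    """Return one Finding per setting that is weaker than the thread's recommendations."""
    findings: list[Finding] = []

    # Password length: phpBB ships with 6; NIST's floor is 8.
    min_len = int(config.get("min_pass_chars", "0"))
    if min_len < NIST_MIN_PASSWORD_LENGTH:
        findings.append(Finding(
            "min_pass_chars", str(min_len),
            f"below the NIST SP 800-63B minimum of {NIST_MIN_PASSWORD_LENGTH} characters",
        ))

    # "Remember Me" expiry: 0 means disabled, i.e. login keys never expire.
    autologin_days = int(config.get("max_autologin_time", "0"))
    if autologin_days == 0:
        findings.append(Finding(
            "max_autologin_time", "0",
            '"Remember Me" login keys never expire; set a finite number of days',
        ))

    return findings


def autologin_key_expired(last_login: int, max_autologin_time: int, now: int | None = None) -> bool:
    """Mirror the assumed purge rule for a single sessions_keys row.

    A key is stale when last_login is older than max_autologin_time days;
    with the default of 0 the check is skipped and keys are kept indefinitely.
    """
    if max_autologin_time <= 0:
        return False
    now = int(time.time()) if now is None else now
    return last_login < now - 86400 * max_autologin_time


# Constructed snapshots: phpBB defaults vs. the values suggested in the thread
# (10 characters with symbols required, keys expiring after 365 days).
DEFAULT_SETTINGS = {
    "min_pass_chars": "6",
    "pass_complex": "PASS_TYPE_ANY",     # assumed default complexity value
    "max_autologin_time": "0",
}
HARDENED_SETTINGS = {
    "min_pass_chars": "10",
    "pass_complex": "PASS_TYPE_SYMBOL",  # "Must contain symbols" in the ACP
    "max_autologin_time": "365",
}

if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        results = audit_security_settings(cfg)
        print(f"{label}: {len(results)} finding(s)")
        for f in results:
            print(f"  {f.setting}={f.value}: {f.message}")
    # A key last used 400 days ago survives under the default but not under 365-day expiry.
    stale = int(time.time()) - 400 * 86400
    print("expired with default:", autologin_key_expired(stale, 0))
    print("expired with 365 days:", autologin_key_expired(stale, 365))
```

Run it against a dump of your own config table (for example the rows for the three keys above) to see which of the two settings from this thread still sit at their defaults; the complexity value is carried along for context but is not counted as a finding.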
