Score:0

Securing admin account, silly "solution" found

ng flag

Hello fellow Drupalers,

I've been given the task of securing our admin account on our websites (Drupal 7) from outsiders.

My first thought was 2FA, and I looked at some of the modules (tfa, google auth, etc.); they seem to be doing the job okay.

But as I was fiddling around I accidentally deleted the admin password.

Now I cannot log in through the website with the admin account, but I can via `drush uli`.

Do you guys consider this to be an okay solution for securing the admin account? I personally have my doubts about it, because it seems so simple...

No Sssweat avatar
ua flag
How exactly did you delete the password?
ng flag
Via the database, just fiddling around.
ng flag
It was on my local dev version...
No Sssweat avatar
ua flag
Curious: if you inspect element on the password field, remove the `required="required"` and leave the password empty, does it log you in?
ng flag
That was a good question. I've tested it, and I still cannot log in even though `required` has been removed.
Score:0
cn flag

Definitely not a solution I would rely on. "Securing admin account" is a wide topic that needs to be handled carefully, but to answer your question specifically: if what you want is to "protect" the password, you can run a cron job that changes the password string to a random SHA value every X time. I've seen that at some clients.

Talking about MFA (2FA): yes, this adds a pretty solid and common layer of security. I've also implemented it for some clients.

ng flag
I think I've found part of the solution here: https://www.drupal.org/project/restrict_by_ip. I've also found this page: https://www.drupal.org/node/947312. It has some good tips for securing the admin user. Thank you for your answer.
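The cron-based rotation suggested in the answer above, as an added example that is not part of the thread: it sets the admin password to 32 random bytes in hex (random data rather than an actual SHA digest) that nobody stores, so admin access goes through `drush uli` only. The site root, account name, script path and the use of Drush 8's `user-password` command are assumptions.

```shell
#!/bin/sh
# Added example: rotate the Drupal 7 admin password to an unknown random value.
# Assumed crontab entry (hypothetical path):
#   0 * * * * /usr/local/sbin/rotate-admin.sh --rotate

SITE_ROOT="${SITE_ROOT:-/var/www/drupal}"   # assumed docroot
ADMIN_NAME="${ADMIN_NAME:-admin}"           # assumed name of the uid 1 account
DRUSH="${DRUSH:-drush}"                     # Drush 8 or earlier (Drupal 7)

# 32 bytes from the kernel CSPRNG, hex-encoded to 64 characters.
random_password() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

rotate_admin_password() {
    pw=$(random_password)
    # Fail closed: never set a short or empty password if generation broke.
    if [ "${#pw}" -ne 64 ]; then
        echo "password generation failed" >&2
        return 1
    fi
    # Caveat: --password is briefly visible in the process list to local
    # users; the value is never reused and is replaced on the next run.
    # Drush hashes the value itself, unlike a direct edit of users.pass.
    if ! "$DRUSH" --root="$SITE_ROOT" user-password "$ADMIN_NAME" \
            --password="$pw" >/dev/null; then
        echo "drush user-password failed for $ADMIN_NAME" >&2
        unset pw
        return 1
    fi
    unset pw
}

# Only act when invoked explicitly, e.g. from cron.
if [ "${1:-}" = "--rotate" ]; then
    rotate_admin_password
fi
```

Rotation narrows exposure of a guessed or leaked password but does not replace 2FA or IP restriction on the login path, both of which are raised in the thread.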