Securing admin account, silly "solution" found

Lars Hansen

11/7/22, 9:31 AM

Hello fellow Drupalers,

I've been given the task of securing our admin account, on our websites (drupal 7) from outsiders.

My first thought was 2FA and I looked at some of the modules (tfa, google auth, etc) and they seem to be doing the job okay.

But as I was fiddling around I accidentally deleted the admin password.

Now I cannot login through the website with the admin account, but I can via drush uli.

Do you guys consider this to be an okay solution for securing the admin account? I personally have my doubts about it, because it seems so simple...

1 + 5

authentication-authorization

No Sssweat

11/7/22, 9:54 AM

How exactly did you delete the password?

Lars Hansen

11/7/22, 9:58 AM

Via the database, just fiddling around.

Lars Hansen

11/7/22, 10:06 AM

It was on my local dev version...

No Sssweat

11/7/22, 10:13 AM

Curious, if you inspect element on password field and remove the `required="required"` and leave password empty does it log you in?

Lars Hansen

11/7/22, 10:24 AM

That was a good question. I've tested it, and I still cannot login even though the required has been removed.

Score:0

Drupal

jbarrio

11/7/22, 10:45 AM

Definitely not a solution I would rely on. "Securing admin account" is a wide topic that needs to be handled carefully, but answering specifically to your question, if what you want is to "protect" the password, you can run a cronjob that changes the password string to a random, SHA value, every X time. I've seen that in some clients.

Talking about MFA (2FA), yes, this adds a pretty solid and common layer of security. Also implemented it for some clients.

0 + 1

Lars Hansen

11/7/22, 11:13 AM

I think I've found part of the solution here: https://www.drupal.org/project/restrict_by_ip I've also found this page: https://www.drupal.org/node/947312 It has some good tips for securing the admin user. Thank you for your answer.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Securing admin account, silly "solution" found

TH: การรักษาความปลอดภัยบัญชีผู้ดูแลระบบพบ "วิธีแก้ปัญหา" ที่โง่เขลา

RO: Securizarea contului de administrator, s-a găsit o „soluție” proastă

RU: Защита учетной записи администратора, глупое «решение» найдено

VI: Bảo mật tài khoản quản trị, tìm ra "giải pháp" ngớ ngẩn

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.