MyBB Community Forums

Full Version: ACP access control
Hello,
As I have seen in other forum software, when an administrator is logged in to the Administration Control Panel and wants to change important settings that affect the website's performance, that administrator must enter his password in order to validate the changes he wants to make.
If this was added to Mybb 2.0 ACP it would be good as it would increase security.

Thank you,
Pmx.pt
It wouldn't, actually.

Let's look at this logically for a moment. If you know an admin's password, you gain access to the ACP in the first place; by asking for it every time a change is made, you're asking for a known variable, and so it doesn't actually increase anything. Except headaches.

Website "hacks", particularly MyBB hacks, are because the Admin uses a password that is insecure.
(2016-08-25, 02:14 AM)Ben Cousins Wrote: It wouldn't, actually.

Let's look at this logically for a moment. If you know an admin's password, you gain access to the ACP in the first place; by asking for it every time a change is made, you're asking for a known variable, and so it doesn't actually increase anything. Except headaches.

Website "hacks", particularly MyBB hacks, are because the Admin uses a password that is insecure.
Exactly, 2-Factor Authentication is really good in most cases.
(2016-08-25, 02:38 AM)WallBB Wrote: Exactly, 2-Factor Authentication is really good in most cases.

If we're fighting for 2FA, you shouldn't need to be asked for your password for every change either. The end still doesn't justify the means!
Yes, but imagine that an administrator with a strong password leaves the panel open for some time and someone who has access to his computer starts changing settings. This would prevent that.
(2016-08-25, 08:28 AM)pmx.pt Wrote: Yes, but imagine that an administrator with a strong password leaves the panel open for some time and someone who has access to his computer starts changing settings. This would prevent that.

Lock your computer. Good habit to get into.
(2016-08-25, 08:28 AM)pmx.pt Wrote: Yes, but imagine that an administrator with a strong password leaves the panel open for some time and someone who has access to his computer starts changing settings. This would prevent that.

You're automatically logged out of the ACP after 2 hours. Also, if I have physical access to your computer for even 30 seconds you have much, much more to be worried about.
(2016-08-25, 01:06 PM)Nathan Malcolm Wrote:
(2016-08-25, 08:28 AM)pmx.pt Wrote: Yes, but imagine that an administrator with a strong password leaves the panel open for some time and someone who has access to his computer starts changing settings. This would prevent that.

You're automatically logged out of the ACP after 2 hours. Also, if I have physical access to your computer for even 30 seconds you have much, much more to be worried about.

How about a new password?

You currently have the following options:

Your account password
Secret PIN

What if there was an option to enable "Require Unique Passcode to submit change"

So now you have:

Your account password
Secret PIN
AND a different passcode to make the changes

(And make this option configurable via the config file so no one can mess with it)
(2016-10-02, 07:21 PM)Josh H. Wrote: Your threat model is so far from reality that I don't know how we can get this through to you.

If you want more security:

1) Full HTTPS - if you aren't already running full HTTPS (and your signature suggests you aren't), you have far bigger problems to worry about than another 2FA PIN in the ACP.
2) HTTP Basic Auth (aka: htpasswd/"Password Protect Directories")

That, on top of having to log in with the correct credentials, will make your MyBB install pretty darn secure.

If someone gets access to your computer for enough time to run a cookie stealer, you're hosed no matter what. Keep your machine secure - encrypt your drive, set it to auto-lock after a short period of time, and have a secure user account password guarding the data on your drive.

https://docs.mybb.com/1.8/administration...rotection/ <-- if you follow this completely, you will never have any problems.

I'm not worried about my forum, I will bet $1,200 USD that no one can even guess where my ACP is at.

It was just a suggestion, and please note, I am not the OP of the thread.
Or maybe just different passwords for specific parts of the Admin CP, plus the default login.
Disadvantage: if you forget one, RIP.
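As an added illustration (not MyBB's code, nor any poster's), here is a minimal model of the "re-enter your password before a sensitive change" scheme the thread argues about: ordinary settings need only a live ACP session, sensitive ones also need the password re-entered within a short window. The 2-hour session lifetime is the one Nathan Malcolm cites; the 5-minute window, the list of sensitive settings and the setting names are assumptions. It makes both sides' points concrete: someone at an unlocked machine (pmx.pt's case) can still flip ordinary settings but is stopped at sensitive ones once the window lapses, while someone who already knows the password (Ben Cousins' case) is not stopped at all.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

ACP_SESSION_LIFETIME = 2 * 60 * 60      # seconds; the 2-hour ACP logout stated in the thread
REAUTH_WINDOW = 5 * 60                  # assumed: a password re-entry covers sensitive changes this long
SENSITIVE_SETTINGS = {"board_url", "admin_email", "allow_uploads"}  # constructed, not MyBB's list

def hash_password(password: str, salt: Optional[bytes] = None):
    # PBKDF2-HMAC-SHA256; returns (salt, digest) so a check can re-derive with the stored salt.
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class AcpSession:
    salt: bytes
    digest: bytes
    started_at: float                   # timestamps are passed in, so the model is deterministic
    last_reauth_at: Optional[float] = None
    settings: dict = field(default_factory=dict)

    def alive(self, now: float) -> bool:
        return now - self.started_at < ACP_SESSION_LIFETIME

    def reauthenticate(self, password: str, now: float) -> bool:
        # Re-entering the password (step-up auth) opens a short window for sensitive changes.
        _, candidate = hash_password(password, self.salt)
        if self.alive(now) and hmac.compare_digest(candidate, self.digest):
            self.last_reauth_at = now
            return True
        return False

    def change_setting(self, name: str, value, now: float) -> bool:
        # Ordinary settings need only a live session; sensitive ones also need a recent re-auth.
        if not self.alive(now):
            return False
        stale = self.last_reauth_at is None or now - self.last_reauth_at > REAUTH_WINDOW
        if name in SENSITIVE_SETTINGS and stale:
            return False
        self.settings[name] = value
        return True

def login(password: str, salt: bytes, digest: bytes, now: float) -> Optional[AcpSession]:
    # Initial ACP login: constant-time compare of the derived digest against the stored one.
    _, candidate = hash_password(password, salt)
    if not hmac.compare_digest(candidate, digest):
        return None
    return AcpSession(salt, digest, started_at=now)
```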