Hey
As a followup on the password scheme... I'm looking for something like this (as much as everyone else here I have a dozen passwords to remember) but I'm a little concerned about one thing. I'm sorry if this sounds newbish, I'm not so much of an admin.
LVL2: basically anything from mail accounts to administrative services goes here, including sensitive access to the configuration of your web hosting provider, registrar and ISP... My problem is: if, say, your web client software is transmitting your credentials in plaintext, isn't that a problem? If any of the services you fit in this category doesn't make use of SSL for authenticating users, isn't it a problem to submit your all-critical password onto the network in plain text?
LVL3: Admin access to the system... Very fine, but again... I assume your admin password to Joomla goes here. Isn't it a problem to transmit the password you use to ssh and sudo into the server in plain text over the network?
Otherwise it's pretty neat, I'm definitely going for something like this.

Asphyx wrote:
I may get flamed for this and maybe I deserve it....LOL
I am not a big fan of telling people to have 10 different passwords they use...
Neither am I a fan of changing these passwords often. Changing on a monthly basis is not really effective as any brute forcing of the password won't take that long. Unless you were changing it on a weekly basis its effectiveness is limited.
I tell users that they should have no more than 3 levels of Passwords and webmasters no more than 5! And each level must be completely unrelated to the others in terms of what is used.
Level 5 - is the password you use on public sites. It is not imperative that you use a different password on every site. In fact it's more effective to use a different username on every site than it is to use a different password, truth be told! Knowing the username allows easy hacking... half the work is done! Knowing the password is useless unless you know what account it goes to!
Level 4 (Webmaster) - Reserved for SQL only. This is a password that would only be used by SQL and limited to a specific database in SQL. The best way to protect SQL is by limiting each account to just being able to do the minimum that DB requires. In some cases it is even wise to have a read-only account for display and a separate write account that the backend write functions use. But that doesn't apply to J! at all... for J! the best practice is to set up an individual account (not root for sure) that only has read and write access to the J! DB, nothing else.
Level 3 (Webmaster) - FTP and Server Access. These can be the same user:pass combo since both, if compromised, can do the most damage. It doesn't matter if the backend or cPanel is safe if the FTP is not, and the same goes the other way!
Level 2 - Personal Data Access. This password should be used for any sites or locations that contain personal data with the exception of Banking (see level 1). These sites are often used for social engineering data such as medical records, service accounts and any financial records not directly related to banking! You want these to be secure but also different from the real threat of security... your money!
Level 1 - Banking! This needs to be the most secure; in fact if you have two different banks it actually pays to have a different user:pass for each just to be sure!
Ok that was a bit off topic but it does explain a bit about how webmasters should compartmentalize their security.
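The Level 4 advice above (a dedicated, non-root SQL account limited to the one J! database, optionally split into a read-only display account and a write account) as an added MySQL/MariaDB example; this is not code from the thread or from Joomla. The database name `joomla_site`, the account names and the passwords are constructed placeholders, and the privilege split assumes the site's runtime only needs DML (schema changes being granted only while installing or upgrading).

```sql
-- Added example: least-privilege accounts for a single Joomla database.
-- Assumed names: joomla_site (DB), j_web / j_ro (accounts), placeholder passwords.

-- Runtime account: may read and modify rows in joomla_site only, nothing else.
-- It deliberately has no CREATE/DROP/ALTER and no privileges on other schemas
-- (no mysql.*, no GRANT OPTION), so a compromised site cannot reach other DBs.
CREATE USER 'j_web'@'localhost' IDENTIFIED BY 'CHANGE-ME-runtime-password';
GRANT SELECT, INSERT, UPDATE, DELETE
    ON joomla_site.* TO 'j_web'@'localhost';

-- Optional read-only account for display/reporting, as suggested in the post.
CREATE USER 'j_ro'@'localhost' IDENTIFIED BY 'CHANGE-ME-readonly-password';
GRANT SELECT ON joomla_site.* TO 'j_ro'@'localhost';

-- Schema changes (installs/upgrades) are granted temporarily and revoked after:
GRANT CREATE, ALTER, DROP, INDEX ON joomla_site.* TO 'j_web'@'localhost';
-- ... run the installer/upgrade, then:
REVOKE CREATE, ALTER, DROP, INDEX ON joomla_site.* FROM 'j_web'@'localhost';

FLUSH PRIVILEGES;

-- Check: each account should list only the grants above and nothing on *.*
SHOW GRANTS FOR 'j_web'@'localhost';
SHOW GRANTS FOR 'j_ro'@'localhost';
```

Point Joomla's configuration at `j_web` rather than root; the `SHOW GRANTS` output is the thing to review after any hosting-panel change, since control panels sometimes re-grant `ALL PRIVILEGES`.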