What is the best practice for restricting access to the site administration system?

3

I wanted to create an administration system for the site. I made it so that users have a level field associated with them, and if it has a given value they can access the admin control; otherwise, if they try, they are redirected to the index. I do not know if this is an efficient way.

I noticed another system for creating protected directories.

Can you tell me which way is more efficient, and whether there is any vulnerability in the way I decided to implement it?

asked by anonymous 14.05.2015 / 23:43

1 answer

3

There are many practices that can raise the security level of a system. I'll list some of the more common and important ones.

Password Strength

A highly recommended practice is to recommend or oblige users (especially those with access to the administration system) to choose a fairly strong password, containing lowercase letters, uppercase letters, numbers and perhaps even symbols, for example 3sSa.e.Minh4$3nH4. This makes it very hard to break.

Make Passwords Expire

The practice of expiring passwords is very common nowadays, especially in corporate environments. This keeps the environment constantly updated, and it may even be possible to update the security hashes from time to time. For example, checking the 3sSa.e.Minh4$3nH4 password on the How Secure is my Password site shows that breaking it on a typical computer can take 39 billion years; but let's say the hacker has a number of zombie computers, so that number can be reduced considerably. If, however, you have a security routine that requires passwords to be updated every 6 months, you extend the time needed to breach your security up to an infinite time.

Do not encrypt with MD5 only

Using the MD5 Decrypt app from the Hash Killer site, it is possible to break simple hashes containing only numbers or letters, such as 123456 or carlos12. Therefore it is encouraged to use at least a salt in the password before encrypting it.

I will not rewrite the theory of relativity, so here is a question and answer about security hashes.

Avoid the name Admin

Using the address meusite.com/admin or admin.meusite.com is very obvious; give preference to alternative names like mspanel (an abbreviation of MeuSitePanel) or something similar: a name that is easy to remember and has no inbound links, but is also not so obvious. Also, if possible, restrict access by IP.

SSL

If possible, invest in digital certificates, but for an internal system you can generate your own security keys yourself. So consider what is worth more for your type of system.

15.08.2015 / 14:19
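The following is an added example, not code from the question or the answer above. It shows, in Python, the two points the answer makes about passwords (an unsalted MD5 of a common password is reversed by a simple lookup table, while a salted PBKDF2 hash of the same password is not; a length-and-character-class strength check; a six-month expiry check) together with a deny-by-default version of the level-field check the question describes. The user record layout (a dict with a `level` field), the `ADMIN_LEVEL` value, the wordlist standing in for a hash-lookup site and the storage format string are all assumptions made for the demo.

```python
"""Password storage and admin-level checks for a small site admin panel.

Added example; not code from the original question or answer. The user
record layout (dict with 'level'), ADMIN_LEVEL, the storage format and
the wordlist are assumptions made for this demo.
"""
import hashlib
import hmac
import os
from datetime import date, timedelta
from typing import Optional

ADMIN_LEVEL = 9          # assumed: the 'level' value that grants admin access
PBKDF2_ROUNDS = 200_000  # work factor; raise it as hardware gets faster

# Constructed wordlist standing in for a hash-lookup site such as Hash Killer.
COMMON_PASSWORDS = ["123456", "password", "carlos12", "qwerty", "admin"]


def md5_hex(password: str) -> str:
    """Unsalted MD5, the scheme the answer warns against."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted_md5(target_hex: str) -> Optional[str]:
    """Reverse an unsalted MD5 with a precomputed table of common passwords.

    Without a salt, every user (on every site) who picks 'carlos12' gets the
    same hash, so one table built once works against all of them.
    """
    table = {md5_hex(word): word for word in COMMON_PASSWORDS}
    return table.get(target_hex)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt per user.

    Stored as 'pbkdf2_sha256$rounds$salt_hex$hash_hex' (assumed format) so
    the salt and work factor travel with the hash and can be upgraded later.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    algo, rounds, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(dk.hex(), hash_hex)


def is_strong_password(password: str, min_len: int = 12) -> bool:
    """Minimum length plus the classes the answer lists: lower, upper, digit, symbol."""
    classes = [
        str.islower,
        str.isupper,
        str.isdigit,
        lambda c: not c.isalnum() and not c.isspace(),
    ]
    return len(password) >= min_len and all(
        any(test(c) for c in password) for test in classes
    )


def password_expired(changed_on: date, today: date, max_age_days: int = 180) -> bool:
    """Six-month expiry, as the answer suggests for admin accounts."""
    return today - changed_on > timedelta(days=max_age_days)


def can_access_admin(user: Optional[dict]) -> bool:
    """Deny by default: anonymous users, a missing level field and any level
    other than ADMIN_LEVEL are all refused.

    Run this on the server for every admin request, not only on the page
    that links to the panel; the redirect to the index is the response to a
    failed check, not the protection itself.
    """
    if not user:
        return False
    return user.get("level") == ADMIN_LEVEL and not user.get("disabled", False)


if __name__ == "__main__":
    print("md5 lookup:", crack_unsalted_md5(md5_hex("carlos12")))
    stored = hash_password("3sSa.e.Minh4$3nH4")
    print("stored:", stored)
    print("verify ok/bad:", verify_password("3sSa.e.Minh4$3nH4", stored),
          verify_password("carlos12", stored))
    print("strong:", is_strong_password("3sSa.e.Minh4$3nH4"), is_strong_password("carlos12"))
    print("admin:", can_access_admin({"level": 9}), can_access_admin({"level": 1}),
          can_access_admin(None))
```

Two points the code makes that the prose only hints at: the salt does not make a single guess slower (the work factor does that), it makes a precomputed table useless because the same password hashes differently for every user; and the admin check belongs on every server-side request, returning false for anything that is not explicitly an enabled admin, so a missing or tampered field falls on the safe side.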