There are many practices that can raise the security level of a system. I'll be listing some more common and important ones.
Password Strength
A highly recommended practice is to recommend / oblige the user (especially those with access to the administration system) to choose a reasonably strong password, containing lowercase letters, uppercase letters, numbers and perhaps even symbols, for example 3sSa.e.Minh4$3nH4. This makes it very difficult to break.
Make Passwords Expire
The practice of expiring the password is very common nowadays, especially in corporate environments. This keeps the environment constantly updated, and it may even be possible to update the security hashes from time to time. For example, by searching the 3sSa.e.Minh4$3nH4 password on the How Secure is my Password site, it shows that for a typical computer breaking this password can take 39 billion years; but let's say the hacker has a number of zombie computers, so that number can be reduced considerably. However, if you have a security routine that requires passwords to be updated every 6 months, you will extend your security breach time by up to an infinite time.
Do not encrypt with MD5 only
Using the MD5 Decrypt app from the Hash Killer site it is possible to break simple hashes, with only numbers or letters, such as 123456 or carlos12. Therefore it is encouraged to use at least one salt in the password before encrypting it.
I will not be rewriting the theory of relativity, so here is a question and answer about security hashes.
Avoid the name Admin
Using the address meusite.com/admin or admin.meusite.com is very obvious; give preference to alternative names like mspanel (abbreviation for MeuSitePanel) or something like that, a name that is easy to remember and has no inbound links, but that is also not so obvious. Also, if possible, restrict access by IP.
SSL
If possible, invest in Digital Certificates, but for a built-in system you can generate your own security keys yourself. So it depends on what is worth more for the type of system.
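Added example (not part of the answer above, and not from any project it mentions): a small Python module that puts three of the listed practices into working code. It checks a password against the character-class rule from the "Password Strength" section, shows why a bare MD5 is weak (identical passwords give identical digests) and replaces it with a per-user random salt plus PBKDF2, and implements the "restrict IP access" suggestion for the admin area as a network allow-list. The minimum length, iteration count, allowed networks and all function names are the example's own assumptions, not values from the answer.

```python
"""Added example, not from the original answer: password policy check,
salted password hashing instead of bare MD5, and an IP allow-list for
an admin area. Thresholds and names below are assumptions."""
import hashlib
import hmac
import ipaddress
import os
import string
from typing import Optional

MIN_LENGTH = 12  # assumed policy threshold, not stated in the answer
PBKDF2_ITERATIONS = 200_000  # assumed work factor


def password_meets_policy(password: str, min_length: int = MIN_LENGTH) -> bool:
    """True if the password is long enough and mixes lowercase, uppercase,
    digits and at least one symbol (the rule the answer recommends)."""
    if len(password) < min_length:
        return False
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in string.punctuation for c in password)
    return has_lower and has_upper and has_digit and has_symbol


def md5_only(password: str) -> str:
    """The weak scheme the answer warns against: no salt, so every user with
    the same password gets the same digest and a precomputed table finds it."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Random 16-byte salt per user + PBKDF2-HMAC-SHA256.
    Returns a storable string 'pbkdf2_sha256$iterations$salt_hex$digest_hex'."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iters, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed allow-list for the admin panel (example values only).
ADMIN_ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]


def admin_ip_allowed(client_ip: str, allowed=ADMIN_ALLOWED_NETWORKS) -> bool:
    """True only when the client address lies inside one of the allowed networks;
    malformed addresses are rejected rather than raising."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in allowed)


if __name__ == "__main__":
    strong = "3sSa.e.Minh4$3nH4"  # the password quoted in the answer
    print("policy:", password_meets_policy(strong), password_meets_policy("carlos12"))
    # Same weak password for two users: MD5 collides, the salted scheme does not.
    print("md5 identical:", md5_only("123456") == md5_only("123456"))
    a, b = hash_password("123456"), hash_password("123456")
    print("salted differ:", a != b, "verify:", verify_password("123456", a),
          verify_password("123457", a))
    print("admin ip:", admin_ip_allowed("192.168.1.42"), admin_ip_allowed("203.0.113.5"))
```

The stored string carries its own salt and iteration count, so the work factor can be raised later and old records re-hashed at the user's next login, which is the "update the security hashes from time to time" idea from the expiry section made concrete.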