Admin Security Policy

From Hexwiki
Jump to navigation Jump to search

This document is an attempt to formalize security policy for administrators and moderators of my forums.

Admin/Mod Account Security

These policies apply to members with global moderator and administrative access. They do not apply to mentors or welcoming committee members.

  • Your password should get at least 36 bits in an entropy test.
  • Any 'secret question' account recovery options should be unusable. A good way to do this is to just make a huge string of gibberish and make that your answer.
  • You should have my phone number and I should have yours. The same goes for Skype or other major IMs (though I'm only really using Skype at the moment). I know this is already true for the vast majority of you but there are a few I am missing.


  • If you do not actually use the notification features on your e-mail, you can instead set it to something useless and have an admin reactivate your account.
  • If you do, your e-mail account itself should be appropriately secure. It should:
  1. Have a suitably tough password. At least 36 bits in the test above, preferably at least 60 if this password holds the keys to your entire on-line life.
  2. If this seems difficult, consider passphrases. These are much easier to use.
  3. Not have that password shared with anything else, anywhere else.
  4. Likewise have impossible-to-guess 'recovery questions' where applicable.

I highly recommend using a password manager. Macs have one built in (the keychain), while for Windows I use Password Safe. With this, you only need to remember a few passwords - the ones you need most regularly, and your keychain/manager password.