Difference between revisions of "Admin Security Policy"

This document is an attempt to formalize security policy for administrators and moderators of my forums.

Admin/Mod Account Security

These policies apply to members with global moderator and administrative access. They do not apply to mentors or welcoming committee members.

• Your password should get at least 36 bits in an entropy test.
• Any 'secret question' account recovery options should be unusable.
• You should have my phone number and I should have yours. The same goes for Skype or other major IMs (though I'm only really using Skype at the moment). I know this is already true for the vast majority of you but there are a few I am missing.
• If you do not actually use the notification features on your e-mail, you can instead set it to something useless and have an admin reactivate your account.

• If you do, your e-mail account itself should be appropriately secure. It should:

1. Have a suitably tough password. At least 36 bits in the test above, preferably at least 60 if this password holds the keys to your entire on-line life.
2. If this seems difficult, consider passphrases. These are much easier to use.
3. Not have that password shared with anything else, anywhere else.
4. Likewise have impossible-to-guess 'recovery questions' where applicable.

I highly recommend using a password manager. Macs have one built in (the keychain), while for Windows I use Password Safe. With this, you only need to remember a few passwords - the ones you need most regularly, and your keychain/manager password.