Difference between revisions of "Admin Security Policy"

From Hexwiki
Latest revision as of 19:52, 26 September 2015

This document is an attempt to formalize security policy for administrators and moderators of my forums.

Admin/Mod Account Security

These policies apply to members with global moderator and administrative access. They do not apply to mentors or welcoming committee members.

  • Your password should get at least 36 bits in an entropy test (e.g. http://rumkin.com/tools/password/passchk.php).
  • Any 'secret question' account recovery options should be unusable. A good way to do this is to make the answer a long string of random gibberish; keep a copy of it in your password manager so the answer is unguessable but not lost.
  • You should have my phone number and I should have yours. The same goes for Skype or other major IMs (though I'm only really using Skype at the moment). I know this is already true for the vast majority of you, but there are a few I am missing.


  • If you do not actually use the forum's e-mail notification features, you can instead set your account's e-mail address to something useless (so it cannot be used for password recovery) and have an admin reactivate your account if you are ever locked out.
  • If you do use them, your e-mail account itself should be appropriately secure. It should:
  1. Have a suitably tough password: at least 36 bits in the test above, and preferably at least 60 if this password holds the keys to your entire on-line life.
  2. If this seems difficult, consider a passphrase (several randomly chosen words). These are much easier to remember and type.
  3. Not have that password shared with anything else, anywhere else.
  4. Likewise have impossible-to-guess 'recovery questions' where applicable.
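What "36 bits" and "60 bits" mean in practice, as an added example (not part of the original policy, and not a reproduction of the rumkin.com checker's scoring, which the page does not document): a passphrase of k words chosen uniformly at random from a list of N words has log2(N) * k bits of entropy, and the same formula covers random character passwords when the character set plays the role of the word list. The 7776-word list size is the standard diceware list; the short word list in the code is a constructed stand-in, and the entropy figures are computed from whichever list is actually used.

```python
"""Estimate passphrase strength in bits and generate one of a target strength.

Added example, not from the original policy page. Entropy model: a passphrase
of k words drawn uniformly at random from N words has log2(N) * k bits. This
only holds when the choice really is random (dice or a CSPRNG); a memorable
phrase picked by a person has far less entropy than this formula reports.
"""
import math
import secrets

# Constructed stand-in for a real word list (e.g. the 7776-word diceware list).
# Entropy is computed from the list actually used, so this short list gives
# a correspondingly low per-word figure (4 bits per word instead of ~12.9).
SAMPLE_WORDS = [
    "anchor", "basil", "cobalt", "dune", "ember", "falcon", "garnet", "harbor",
    "ivory", "juniper", "kestrel", "lumen", "marble", "nectar", "orbit", "pistol",
]

DICEWARE_LIST_SIZE = 7776   # 6^5, the size of the standard diceware list
PRINTABLE_ASCII = 94        # size of the printable ASCII set minus space


def bits_per_word(list_size: int) -> float:
    """Entropy contributed by one word chosen uniformly from list_size words."""
    if list_size < 2:
        raise ValueError("a word list needs at least two entries")
    return math.log2(list_size)


def passphrase_entropy_bits(word_count: int, list_size: int) -> float:
    """Entropy of a passphrase of word_count uniformly random words."""
    return word_count * bits_per_word(list_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest number of words (or characters) whose entropy reaches target_bits."""
    return math.ceil(target_bits / bits_per_word(list_size))


def generate_passphrase(target_bits: float, words=SAMPLE_WORDS,
                        separator: str = " ") -> tuple[str, float]:
    """Return (passphrase, entropy_bits) meeting target_bits, chosen with a CSPRNG.

    secrets.choice is used rather than random.choice because the random
    module is not suitable for security-sensitive values.
    """
    count = words_needed(target_bits, len(words))
    chosen = [secrets.choice(words) for _ in range(count)]
    return separator.join(chosen), passphrase_entropy_bits(count, len(words))


if __name__ == "__main__":
    for target in (36, 60):
        n = words_needed(target, DICEWARE_LIST_SIZE)
        c = words_needed(target, PRINTABLE_ASCII)
        print(f"{target} bits: {n} diceware words "
              f"({passphrase_entropy_bits(n, DICEWARE_LIST_SIZE):.1f} bits) "
              f"or {c} random printable ASCII characters")
    phrase, bits = generate_passphrase(36)
    print(f"from the {len(SAMPLE_WORDS)}-word sample list: {phrase!r} ({bits:.0f} bits)")
```

With the diceware list, the 36-bit floor is three random words and the 60-bit target is five; the same targets need six and ten uniformly random printable ASCII characters. The sixteen-word sample list needs nine words to reach 36 bits, which is the point of item 2: a larger list gets you more entropy per word, but only if the words are actually chosen at random.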

I highly recommend using a password manager. Macs have one built in (the keychain), while for Windows I use Password Safe. With this, you only need to remember a few passwords - the ones you need most regularly, and your keychain/manager password.