Admin Security Policy
This document is an attempt to formalize security policy for administrators and moderators of my forums.
Admin/Mod Account Security
These policies apply to members with global moderator and administrative access. They do not apply to mentors or welcoming committee members.
- Your password should get at least 36 bits in an entropy test.
- Any 'secret question' account recovery options should be unusable.
- You should have my phone number and I should have yours. The same goes for Skype or other major IMs (though I'm only really using Skype at the moment). I know this is already true for the vast majority of you but there are a few I am missing.
- If you do not actually use the notification features on your e-mail, you can instead set it to something useless and have an admin reactivate your account.
- If you do, your e-mail account itself should be appropriately secure. It should:
- Have a suitably tough password. At least 36 bits in the test above, preferably at least 60 if this password holds the keys to your entire on-line life.
- If this seems difficult, consider passphrases. These are much easier to use.
- Not have that password shared with anything else, anywhere else.
- Likewise have impossible-to-guess 'recovery questions' where applicable.
I highly recommend using a password manager. Macs have one built in (the keychain), while for Windows I use Password Safe. With this, you only need to remember a few passwords - the ones you need most regularly, and your keychain/manager password.