Admin Security Policy
Jump to navigation
Jump to search
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.
This document is an attempt to formalize security policy for administrators and moderators of my forums.
Admin/Mod Account Security
These policies apply to members with global moderator and administrative access. They do not apply to mentors or welcoming committee members.
- Your password should get at least 36 bits in an entropy test.
- Any 'secret question' account recovery options should be unusable.
- You should have my phone number and I should have yours. The same goes for Skype or other major IMs (though I'm only really using Skype at the moment). I know this is already true for the vast majority of you but there are a few I am missing.
- If you do not actually use the notification features on your e-mail, you can instead set it to something useless and have an admin reactivate your account.
- If you do, your e-mail account itself should be appropriately secure. It should:
- Have a suitably tough password. At least 36 bits in the test above, preferably at least 60 if this password holds the keys to your entire on-line life.
- If this seems difficult, consider passphrases. These are much easier to use.
- Not have that password shared with anything else, anywhere else.
- Likewise have impossible-to-guess 'recovery questions' where applicable.
I highly recommend using a password manager. Macs have one built in (the keychain), while for Windows I use Password Safe. With this, you only need to remember a few passwords - the ones you need most regularly, and your keychain/manager password.