Website security and user accounts
Website security is often an afterthought for site owners.
Once a username and password have been chosen, some may consider the security box ticked, but in reality, once the site is live on the internet, the website's security journey has only begun. In this series, we will explore security from many angles, looking at what can go wrong and what you can do about it.
Let’s talk passwords
A password is like the key to your house. You wouldn't want a key with an easy-to-pick lock, and yet, quite often, people do not give their passwords the respect they deserve. Passwords can be hard or easy to guess (by humans), and hard or easy to crack (by machines). Some systems administrators enforce arcane and esoteric password rules, such as "it must be 8 characters, use a letter, a number, an uppercase letter and a special character." The reason for these rules is to increase the 'entropy' of a password, that is, the number of possible combinations an attacker would have to try.
The problem with such simplistic rules is that they often result in easy-to-guess examples like P@ssw0rd or L3tM3in!. Equally, rules which enforce regular changes can result in people writing their passwords down on paper, which obviously brings its own security challenges.
When you consider that an overly simple administrator password could grant a bad actor unfettered access to your web presence, including financial or customer data, the lax attitude with which passwords are often treated is astonishing.
We can discuss the semantics of passwords versus the use of pass phrases, but in truth, the best password is the one you cannot remember.
This is where password manager tools come in. There are many: LastPass, Passpack, 1Password, to name a few. A password manager will:
- Store your passwords.
- Suggest strong passwords, tailored to your requirements.
- In some cases, auto-fill your login forms, in the same way a web browser does.
Multi-factor authentication can be a very effective addition to your security arsenal. Although it sounds technical, it operates on the principle that a door which needs more than one key to open is more secure.
In a multi-factor authentication scenario, you have two things: your password (the thing you know), and a gadget (the thing you have). The gadget might be a bank card reader, or an app on your phone such as Google Authenticator, or even a separate web application. Often the second factor uses Time-based One-Time Passwords (TOTP): a number which is only valid for, say, 30 seconds before it is replaced by a new one.
In this way, even if a bad actor manages to steal your password, they remain unable to access your accounts without your second authentication method.
Web applications built with Drupal allow the creation of user accounts. Users might be editors, content creators, reviewers, customers, managers; the list goes on, and will be specific to each individual web application. Drupal has the concept of 'roles': a role is a collection of permissions which can be applied to a user account. Thus, a given user can have one or more roles, granting them permissions within the application.
Permissions control what a user is allowed to do on the web application. A permission might allow a user to view content, or create a bookmark list, or it might allow access to administer the very functions of the system itself. Permissions warrant care and attention, as a misallocation can leave gaping holes in your security. Particularly sensitive permissions are marked as such; however, it is worth periodically reviewing all granted permissions to ensure that user account roles are granted only just enough to fulfil their use cases. The fewer permissions granted, the fewer potential attack vectors.
Quite often, once a site is out in the wild, a site admin or user manager will create user accounts for new staff. These new users will often ask "can I create content?" or "why can't I view unpublished content?", or other such questions related to the normal operation of a site. Site administrators may be tempted, when faced with a dizzying array of permissions and roles, to grant the 'administrator' role, with its associated superset of privileges, because it is easy. In this way, the number of godlike administrator accounts grows, meaning that an increasing number of users, who may not be trained in the use of their new powers, can do far more than their jobs require.
Minimising the Risk
The best way to minimise your risk footprint from user accounts and permissions is to:
- Keep the number of administrator users to an absolute minimum.
- Use roles wisely, to separate out disparate groups of permissions.
- Grant roles carefully, according to business reasons.
- Think very carefully before granting elevated permissions which can come with security implications.
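The periodic review recommended above can be scripted. This added example (not the post's or Drupal's own code) computes each account's effective permissions from its roles and flags administrator accounts and anyone holding sensitive permissions; the roles, users and the list of sensitive permissions are constructed sample data shaped like a Drupal config export, and the real list should come from your own site.

```python
# Constructed sample mirroring a Drupal config export (user.role.*.yml):
# role id, whether it is the site's admin role, and its granted permissions.
ROLES = {
    "administrator": {"is_admin": True, "permissions": []},
    "editor": {"is_admin": False, "permissions": [
        "access content", "create article content",
        "edit any article content", "view own unpublished content"]},
    "content_manager": {"is_admin": False, "permissions": [
        "access content", "administer nodes", "administer users"]},
}

# Constructed sample of accounts and the roles granted to each.
USERS = {
    "alice": ["administrator"],
    "bob": ["editor"],
    "carol": ["administrator", "editor"],
    "dave": ["content_manager"],
}

# Permissions Drupal core marks "restrict access" (trusted roles only).
# Constructed subset for the demo; take the full list from your own site.
SENSITIVE = {"administer users", "administer permissions", "administer nodes",
             "administer modules", "administer site configuration",
             "bypass node access"}


def effective_permissions(role_ids, roles):
    """Union of permissions across a user's roles. The admin role implicitly
    holds every permission, which is reported as the single entry '*'."""
    perms = set()
    for rid in role_ids:
        if roles[rid]["is_admin"]:
            return {"*"}
        perms.update(roles[rid]["permissions"])
    return perms


def audit(users, roles, sensitive=SENSITIVE):
    """Findings for a periodic review: administrator accounts, and non-admin
    accounts whose roles grant them sensitive permissions."""
    findings = {"admins": [], "sensitive": {}}
    for name, role_ids in sorted(users.items()):
        perms = effective_permissions(role_ids, roles)
        if perms == {"*"}:
            findings["admins"].append(name)
        elif perms & sensitive:
            findings["sensitive"][name] = sorted(perms & sensitive)
    return findings
```

On the sample data, audit(USERS, ROLES) reports alice and carol as administrators and dave as holding "administer nodes" and "administer users" through the content_manager role, which is exactly the kind of grant worth questioning against a business reason.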
Following on from logins and accounts is something else with which all users unknowingly interact: the code base, and with it, the need to stay up to date with the latest security patches.
Next episode: security updates.
Are you concerned about the security of your Drupal site?
Talk to us about conducting an in-depth website security audit.
Anthony Lindsay, Director of Managed Services
With decades of experience, Anthony leads the Annertech Managed Services Team, delivering top-quality design, development and, ultimately, peace-of-mind services to all of Annertech's wonderful clients.