2

I have a dispute with my father about the following ...

I want to make a website (with MySql database) and use the root/index - page for BOTH the log in entry for normal visitors AND log in for admins.

My father does not agree as he said the following ...

You should NEVER use the same page for both visitors and admins as (I repeat his words) "you want to keep the door for admins secret which is not possible if you use the same page for both".

He prefers to place the admin log-in page in a separate directory which also enables him to protect it from normal user interfacing (using the HTTP server's authentication abilities), so that the user has to authenticate himself first on the HTTP server and then secondly on the log-in panel for the admin-user. He also says that if you give this sub directory some obscure name as u7Vf% instead of admin - having directory listing off - you make this admin-door almost invisible for almost everyone. Which may enhance the safety of the system.

I however say that security through obscurity is not a better way of guaranteeing the integrity of the website. I would prefer one log-in panel and focus all my attention toward securing that.

Jori
  • 125
  • 5

3 Answers3

4

If you protect the log-in page with HTTP authentication or hide it behind a “secret” URL, really all you're doing is add extra passwords. Instead of one admin password, there are effectively three: The “secret” part of the URL, the HTTP authentication password and finally the admin password itself.

While this may sound like a good idea (more is better?), it's nonsensical. Managing three different passwords is a lot of trouble and has little benefit over a single good password. In fact, if a security procedure is very annoying, people tend to take shortcuts. No sane person is willing to write down three very long strings on each log-in, so you'll probably end up making each password relatively weak, save them in the browser or whatever. In the worst case, you'll be less secure than before.

I'd rather choose one strong password per account and leave out the theatre. If you make it strong enough, you can stop worrying about brute-force attacks.

Just to clarify: It can make sense to separate the admin content from the standard user content, but not in the case described above.

Fleche
  • 4,024
  • 1
  • 17
  • 20
  • I totally agree with you, however, the point my father is trying to make is that in case of a malleability in my code, the damage would be minimized, because they couldn't access the admin panel in the first place. Although I think if your normal user interface security is really broke, it shouldn't be so hard to inject something making yourself admin from the normal user interface. What do you think about that? – Jori Jun 27 '14 at 17:30
1

Most web applications use a single login page to handle all logins. Having two login pages implemented differently just doubles your attack surface, and provides two opportunities to get it wrong.

What threat are you protecting against by separating the login pages? There's better ways to protect against threats:

  • Don't have SQLi (always use an ORM or parameterized queries)
  • Rate limit login attempts to protect against brute force
  • Require admins to have strong passwords
David
  • 15,939
  • 3
  • 50
  • 73
0

Suggestion:

www.example.com -> visitors
admin.example.com with basic-auth -> admins

I leave it up to you to figure out why exposing admin-backend-logins to the public is always a bad idea (hint: think about what happens when an exploit is possible).

By the way, there is some nice explanation on this site when and why security through obscurity is a valid path to follow and when it is not.

TildalWave
  • 10,801
  • 11
  • 46
  • 85
  • I agree. While you shouldn't rely solely on obscurity, it can most certainly help provide a first line of defense. A private URL is similar to a password in this sense, it is a piece of information that only the admins have. It can make it harder to brute force, etc. I think both are correct in their own regards.` – David Houde Jun 27 '14 at 11:44
  • I was thinking that if you have to resort to secret admin backdoors for a sense of security, something is wrong with your design. If your database is vulnerable to injection, it isn't that hard to upgrade your account to an admin account. Rendering the backdoor useless. Just my 2 cts. Could you provide that link where you were talking about? I'll wait for more opinions, before accepting an answer, but thanks anyway :) – Jori Jun 27 '14 at 16:27
  • dont know what you mean by backdoor, maybe youmean backend? limiting access to backends isnt obscurity, but an additional layer of security, since backends usually have more rights. when obscurity is valid: http://security.stackexchange.com/a/2431/27702 – that guy from over there Jun 27 '14 at 19:48