Firstly, I will update the Security Recommendations for 2023.
A password should be at least 12 characters in length.
It should ideally consist of upper case, lower case and numbers, and best practice suggests including a symbol.
I have always recommended passphrases - two or more unrelated words with numbers in between!
MFA - one that is not phishable, e.g. FIDO2, 1Kosmos and AuthN by IEEE, to name a couple - especially for the customer portal, but also for standard users.
If possible, further restrict access by IP Restrictions.
I don’t agree with your argument @lubos about the administrator name not being a security risk. Because Linux has a default username of root, it is at significant risk of brute-forcing by password, and this has resulted in every cyber security expert saying do not allow external admin access using username and password. Many Linux systems that have SSH exposed to the Internet have been breached precisely because hackers know that the username is root.
Instead, best practice dictates that admin authentication is done using a public/private key. For my own Linux systems, ssh access is only possible via VPN and login using a key with a passphrase. Logging in with admin username/password is explicitly disabled in the sshd_config with the setting PermitRootLogin prohibit-password and my ssh port is not exposed to the Internet.
So the comparison with Linux root is not correct, as admin for Manager is obviously very exposed to the Internet. I would highly recommend that Manager either supports MFA (for all users, or at the bare minimum for administrators), or supports disabling remote root login (like Linux does), requiring a private key with passphrase. At the very least, being able to rename the administrator username is by far the simplest software upgrade to Manager and would at least make it much harder for hackers to get in, because they would have to know both the username and password. Currently they just need to brute force the password.
If I was designing security for Manager, I would have this security setup:
MFA for the Customer Portal and standard users - because users are terrible with passwords. As long as the MFA solution is not phishable.
Password Complexity Requirements to force a min password length of 12 characters, with upper and lower case letters and numbers at a minimum. I am not really keen on adding symbols because they make it much harder to remember the password so people end up re-using passwords.
Disable Root Login - requiring a public/private key for Admin access.
Rename Administrator account.
Use IP Restrictions for admin access at the very least.
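The sshd_config settings mentioned above (PermitRootLogin prohibit-password, no password login for admin) are easy to get wrong because sshd honours the first value it finds for a keyword and silently ignores later repeats. The following is an added example, not code from the original post or from Manager, that audits an sshd_config text against the recommendation in this thread. The two sample config files are constructed for the example, and the defaults assumed for absent keywords are taken from the sshd_config(5) man page for current OpenSSH releases (ChallengeResponseAuthentication is the older name for KbdInteractiveAuthentication).

```python
"""Audit an OpenSSH sshd_config for root-by-password and password auth.

sshd uses the FIRST value it reads for a keyword and ignores later
duplicates, so appending 'PermitRootLogin prohibit-password' to a file
that already says 'PermitRootLogin yes' changes nothing.  Directives
after a 'Match' line are conditional, so global parsing stops there.
"""
import re

# Assumed OpenSSH defaults when a keyword is absent (sshd_config(5)).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}
# Old spelling of the same keyword in pre-8.7 OpenSSH releases.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_global(config_text):
    """Return {keyword: value} for the global section, first match wins."""
    effective = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key val' or 'Key=val'
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break                                 # conditional block begins
        if key not in effective and len(parts) == 2:
            effective[key] = parts[1].strip().lower()
    return effective


def audit(config_text):
    """Return findings; an empty list means root only by key, no passwords."""
    eff = {**DEFAULTS, **parse_global(config_text)}
    findings = []
    if eff["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root can log in with a password")
    if eff["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication not 'no': every account "
                        "can be brute-forced by password")
    if eff["kbdinteractiveauthentication"] != "no":
        findings.append("KbdInteractiveAuthentication not 'no': PAM can "
                        "still prompt for a password")
    if eff["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication disabled: key login impossible")
    return findings


# Constructed sample: the late 'prohibit-password' line is ignored by sshd.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin prohibit-password   # duplicate, has no effect
"""

# Constructed sample: what the post describes.
HARDENED_CONFIG = """
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
Match Address 10.8.0.0/24
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit(cfg) or "OK")
```

Run it against a real file with `audit(open("/etc/ssh/sshd_config").read())`; for the authoritative effective configuration, including Match blocks and include files, compare with the output of `sshd -T` on the host.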
@dalacor the screenshot you’ve posted is not accurate. Manager is using bcrypt, which is computationally slow to brute force. It’s not possible to brute force an 8-character password with upper and lowercase letters in just 2 minutes unless you have tens of thousands of computers. And that’s just an 8-character password. The time grows exponentially from there.
Also, the screenshot makes the assumption that the attacker can see the hashed password. That is a big assumption to make too.
This is why it’s rare these days to have your password brute forced. Hackers do not have access to hashed passwords and even if they do, it will take a lot longer than the screenshot implies. When hackers gain access to your system, it’s usually because they tricked you to reveal your password (perhaps by phishing).
This is where MFA helps and I agree it needs to be added sooner than later.
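To put numbers on the two claims in this thread (12 characters or a passphrase is the recommended minimum; bcrypt makes exhaustive guessing slow), here is an added worked example. It is not code from the original posts or from Manager, and its guessing rates are assumed order-of-magnitude figures for a single GPU, not measurements: roughly 1e10 guesses per second for an unsalted fast hash and roughly 1e4 per second for bcrypt at cost factor 12. The keyspace figures are the attacker's worst case (every combination tried); a password taken from a breached list or a dictionary falls far faster regardless of the hash.

```python
"""Exhaustive-guessing cost for the policies discussed in the thread."""
import math

LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33   # printable ASCII symbols

# ASSUMED guesses/second for one GPU; replace with your own benchmarks.
RATES = {"fast_hash": 1e10, "bcrypt_cost12": 1e4}
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length, alphabet_size):
    """Number of candidates an attacker must try in the worst case."""
    return alphabet_size ** length


def seconds_to_exhaust(length, alphabet_size, rate):
    return keyspace(length, alphabet_size) / rate


def years_to_exhaust(length, alphabet_size, rate):
    return seconds_to_exhaust(length, alphabet_size, rate) / SECONDS_PER_YEAR


def gpus_needed(length, alphabet_size, rate, deadline_seconds):
    """How many GPUs at `rate` it takes to finish within the deadline."""
    return math.ceil(keyspace(length, alphabet_size) / (rate * deadline_seconds))


def bcrypt_slowdown(cost_from, cost_to):
    """bcrypt work doubles per cost unit: cost 14 is 4x slower than 12."""
    return 2 ** (cost_to - cost_from)


def passphrase_keyspace(words, wordlist_size=7776, trailing_digits=1):
    """Unrelated words drawn from a list (7776 = a Diceware-style list),
    with a digit between/after them, as the passphrase posts suggest."""
    return keyspace(words, wordlist_size) * keyspace(trailing_digits, DIGITS)


if __name__ == "__main__":
    cases = [
        ("8 chars, letters only", 8, LOWER + UPPER),
        ("12 chars, letters+digits", 12, LOWER + UPPER + DIGITS),
        ("12 chars, letters+digits+symbols", 12, LOWER + UPPER + DIGITS + SYMBOLS),
    ]
    for label, n, a in cases:
        for hash_name, rate in RATES.items():
            print(f"{label:36s} {hash_name:14s} "
                  f"{years_to_exhaust(n, a, rate):.3g} years on one GPU")
    print("GPUs to exhaust 8 letters under bcrypt in 2 minutes:",
          gpus_needed(8, LOWER + UPPER, RATES["bcrypt_cost12"], 120))
    print("4-word passphrase keyspace vs 8 random letters:",
          passphrase_keyspace(4), "vs", keyspace(8, LOWER + UPPER))
```

The exponential growth the reply describes shows up directly: adding four characters to a 52-letter password multiplies the work by 52^4 (about 7.3 million), and each bcrypt cost step doubles it again. A four-word passphrase from a 7776-word list has a larger keyspace than eight random letters while being far easier to remember.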
I will admit that I don’t know how accurate that chart is, but I will agree that most breaches are down to hackers getting the password, either via a phishing attempt or by buying a database of breached passwords uploaded to a server on the darknet somewhere. Criminals know that most people re-use passwords, so they try the same password on various different websites using common usernames such as admin, administrator, root and the user’s email address. So I still recommend being able to change the admin username regardless. I have gone with a requirement of 12 characters because it encourages people to use passphrases.
My preference for admin (and possibly end users depending on how many users have a login) would be to require a private/public key for authentication. It is so much more secure and I would prefer private key authentication over MFA for admin access. MFA can be and is being phished or breached in other ways. For end users, I would agree that MFA is essential for both standard users in the program and the customer portal.
I hope that MFA will be introduced sooner rather than later, as I suspect that Manager is probably losing potential new users who require an accounting program that uses MFA, which is pretty much every platform now. I will admit that if I was looking for a new accounting program this year, I would only be considering platforms that support MFA, as there is no good reason not to support MFA.