Do Not Use "admin" as a Username

Perhaps the most critical component of a Drupal site's security is the user login. For a login attack to be successful, the attacker must guess both the username and its password -- usually an impossible feat. But if the username can be easily guessed, that reduces the potency of this key security barrier. Far too many Drupal sites have "admin" as a username. Even worse, this is typically not a username assigned to a user who only has permissions for relatively innocuous capabilities, such as commenting on articles. Instead, that username is oftentimes chosen by the site developer for use by the site administrator working within the organization that owns the site. Worst of all is when "admin" is chosen as the name for the site's superuser (user/1).

An advisable security practice is to never use "admin" or any other easily guessable username, particularly for the superuser and any other users that have powerful administrative permissions. You can -- and in most cases should -- create a role named "admin", and then create a user account for the site administrator, apart from the superuser, and assign that new account to the admin role. This allows for multiple administrator accounts, each with a unique name.

Attackers use all sorts of clues to try to guess valid username/password combinations. Don't make it easy for them!

Thanks to Michael J. Ross for today's DrupalEasy Quicktip!


Thanks for pointing this out. I constantly advise some of my clients to use some available Pass generators in order to set up decent and secure credentials. Unfortunately many have read how secure is Drupal....

Submitted by securie (not verified) on Sun, 12/22/2019 - 23:48

Sign up to receive email notifications of whenever we publish a new blog post or quicktip!