Change admin username
It should be possible for the admin user to change his user login name. The name "admin" is not very secure, because it's easiert to hack via brute force. The hackers know, the name is "admin". If the user would be able to change his login name, it would increase the security of Plesk Panel.
We have serious doubts this function can really increase server security:
1) Plesk has built-in protection against brute-force on login – it will lock the login form. So no one can try multiple attempts
2) Arbitrary login name adds very little guess-complexity to a proper password. If you have concerns for your login brute-forced – add another 5-7 characters into your password and feel safe.
As changed login name is still very likely to be some sort of vocabulary word or derived from your other account name – this function would only give a false sense of better security. Your security strength is in complex password, not in a complex login name. If you have one good password, you don’t need to treat login as your “second password” – one good password is enough.
As for concerns that default password requirement is set in “weak”, that fail2ban module is not enabled by default or may consume extra resources, etc – they are much irrelevant here. If someone is not willing investing some time into setting better password, into changing password policy or into installing/enabling server protection – changed admin name will again be only a false sense of security. If a password is “1234567”, then login doesn’t really matter.
Perhaps Plesk can make it that you can login by e-mailadres instead of a username. After all, the e-mailadress is already required.
Please @Pleskteam consider this feature as a top-priority request, it is obvious that in 2020 we should totally be able to customize the 'admin' username in order to make it more difficult for any badly-intentioned person to access to the admin panel.
Adrian Finschow commented
Well the Problem is, even if Plesk has a brute-force protection when someone really want to get in the Account he will do everything till he is in the account :/
Fabio Perri commented
I disagree with the considerations of "Sergey L" and let me explain better:
1) Anyone know that Plesk's Administrator default username is "admin";
2) Use a complex and long (or even longer) password like this one for example LK "45VXwe1WC, uH2 $ I =] @ 0 & _y'0O3 \ Iz it is good practice;
3) So considering points 1 and 2 above change and disable the default Plesk Administrator user name "admin" that everyone knows with a username like this (or even loger and complex) for example jZ.5JUH)ftR8P7Jc;c~b<0%Rb/q9/2aa in this specific case it would greatly improve and increase security.
Having more security is always better than having less.
Thanks in advance for the support.
Tania Sánchez commented
I'm dissappointed of the fact that this feature is not yet implemented.
I just upgraded from web admin edition to web pro edition and re-assigned some of the domains (now subscriptions) to a client who used to have access via admin account. Now I need to keep the "admin" username for this client while changing the admin account name and password so it's not longer accesible by them.
I hope to see this feature in the near future.
Pl introduce it.. Good for security of account.
Leonardo Gandini commented
I know Mikhail, but that doesn't solve the problem. The admin user will always be a valid user in the system.
Leonardo, these days you can add additional administrator accounts so you don't have to use admin login any longer. I am in process of switching to Google based authentication and it works reasonably well in such setup.
Adam Hern commented
I think Sergey L has a point to be made.
But I also don't see the harm in having this feature as an option and if the server admin feels the need to change the default 'admin' to another username, that is their choice to make.
I see this feature as a nice to have (if wanted) but not priority.
Michael Rossberg commented
It's a must have !!! too
Leonardo Gandini commented
have serious doubts this function can really increase server security..... and yet this is one of the most voted and requested feature! Can't you just do it and move on? Is it really that difficult? Also is not just a matter of security, we want to login with OUR name.
Fabio Perri commented
+1 for me !
It's a very, very important function for security and it's needed for PCI compliance please imlement it.
It's a must have !!!
It's a very important function, please imlement it.
Team Plesk, please... For PCI compliance a unique/user-definable username is a requirement. This is a very reasonable request from users.
The usual suspect admin user names (admin/sa/root etc) are a common attack vector (especially for distributed attacks) and every half competent admin ought to restrict, disable or delete them. Even better, they present a wonderful opportunity to flag malicious people and direct them to some separate functionality that acts like a black hole to let them spin their wheels without endangering the server in any way.
i wanna change my login name from some random sh*t to a real name
MAKE ADMIN USERNAME CHANGEABLE!!! commented
@Sergey L, в вашей компании всё в порядке с клиентоориентированностью? Вам КЛИЕНТ говорит, хочу иметь возможность сменить юзернейм по умолчанию, а вы ему - "We have serious doubts.."? Серьёзно? Нет уж, если введение этой фичи потребует чересчур больших ресурсов, то так и скажите, чего булки мять-то? А если не требует - так почему бы не запланировать в релиз. 328 голосов вам мало? Ну тогда я перестаю думать, что Плеск панель подходящий выбор для хостеров и вебмастеров.
Но это не имеет никакого значения, ведь Plesk International GmbH не волнует мнение даже 328-ми КЛИЕНТОВ, не то что какого-то одного юзера. :)
P.S. Интересно, что бы сделали в подобном случае в CPanel?
Dear Plesk staff,
Here's one angle to look at it from. When we secure our servers - I hope - we all disabled root login and password login, and instead give root privilege to specific users which are further secured with private/public keypairs.
When you spin up a server on the internet, almost immediately you will see bruteforce attempts on root in your fail2ban logs/alerts. As soon as you disable 'root' login, these go away. Some of us will take an extra step by changing the SSH port.
Most of the above steps are 'security by obscurity' in a sense, but they work to thwart a high number of automated attacks running through the internet.
We should enforce passphrases/longer passwords on Plesk by default before worrying about obscuring the admin login username, however the change will most definitely help. It will not be possible for bruteforcers to find the new username unless someone discovers an exploit which allows enumeration of usernames.
totally agree that people should have a strong password, but i also think just the peace of mind you can give to your customers who dont necessarily know all of the risks as Sergey L has stated are arbitrary to having an "admin" user name. i think the "peace of mind" philosophy goes further than a simple technicality.
Two-Factor, strong password, and making sure every application you are installing on your server has its own security on top of it. leave no risks and you shouldnt have a problem. But again, not everyone follows these practices and would feel better if they were able to customize their own admin names. or at least be able to disable the admin after they have added an additional administrator.
That's actually very good point about distinguishing blind brute force attack from a targeted one. Much appreciated!