I suggest you ...

Change admin username

It should be possible for the admin user to change his user login name. The name "admin" is not very secure, because it's easiert to hack via brute force. The hackers know, the name is "admin". If the user would be able to change his login name, it would increase the security of Plesk Panel.

309 votes
Sign in
Check!
(thinking…)
Reset
or sign in with
  • facebook
  • google
    Password icon
    Signed in as (Sign out)

    We’ll send you updates on this idea

    TIIUNDER shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

    We have serious doubts this function can really increase server security:
    1) Plesk has built-in protection against brute-force on login – it will lock the login form. So no one can try multiple attempts
    2) Arbitrary login name adds very little guess-complexity to a proper password. If you have concerns for your login brute-forced – add another 5-7 characters into your password and feel safe.

    As changed login name is still very likely to be some sort of vocabulary word or derived from your other account name – this function would only give a false sense of better security. Your security strength is in complex password, not in a complex login name. If you have one good password, you don’t need to treat login as your “second password” – one good password is enough.

    As for concerns that default password requirement is set in “weak”, that fail2ban module is not enabled by default or may consume extra resources, etc – they are much irrelevant here. If someone is not willing investing some time into setting better password, into changing password policy or into installing/enabling server protection – changed admin name will again be only a false sense of security. If a password is “1234567”, then login doesn’t really matter.

    35 comments

    Sign in
    Check!
    (thinking…)
    Reset
    or sign in with
    • facebook
    • google
      Password icon
      Signed in as (Sign out)
      Submitting...
      • AdminSergey L (Director of Program Management, Plesk International GmbH) commented  ·   ·  Flag as inappropriate

        Andrea, you have to watch your language here.

        It cannot be really critical whether hacker has as login as a starting point or not - anyway they know your server IP. If your password is secure, you are safe. Add dp12kln88d as a prefix to your password and you will have those extra "497....eee..." combinations. No difference. You can add much more into your password actually.

        Security is obtained via password, not via login.

        For those concerned for brutefocring - just enable fail2ban in Plesk and an intruder will be blocked after first few attempts.

      • HawaiianHope.org commented  ·   ·  Flag as inappropriate

        Andrea, i agree.. a more secure username is "not important." ???

        Or if i wanted to piss off a web admin if i am having an argument with them.. then i go to their control panel and just toss random junk at their "admin" account so that it locks them out on purpose. that is the point right ? cant brute force it so it locks you out ? and what if that is my intent ? to lock out the real admin ? i would be happy to do that all day, keep someone locked out of their own system. all i need to know is their admin account login is named "admin"

      • ProSeriesNewb commented  ·   ·  Flag as inappropriate

        Increasing server security is not the only reason to allow an alternate administrative username. How about auditing. If you have multiple people using a system you have multiple usernames to keep track of them.We are assuming there is always one administrator?

      • Andrew Cranson commented  ·   ·  Flag as inappropriate

        Which service are you talking about? Plesk itself locks you out for a while by default after a small number of incorrect logins as admin or root (both work by default btw). Other services managed by Plesk prohibit using admin as a username, e.g FTP. You could use admin@domain as an email login if you setup admin@ as a mailbox but it wouldn't be logical any other way.

        I'm unsure if the Plesk API locks you out after a few incorrect attempts but the API is disabled by default and needs enabling by command line so when enabling it you have a great opportunity to check the admin password is strong, and the API is restricted to certain IP's. Where you have to leave it open simply enable fail2ban.

        I still don't see any significant advantage to having this feature and think it's time best spent on other improvements.

      • Böf commented  ·   ·  Flag as inappropriate

        Just have a look at the logs that show how the lower life forms are tying to enter your server: Username "admin" (or root depending on the service) is their way to go. I wonder why "admin" is even allowed by Plesk? Now "all there is to it" is finding a password for "admin". Not allowing "admin" will reduce the chance of entering the server with brute force by a zillion times.

        I would agree that "real" system admins would tackle this themselves. But Plesk could help educate people when needed, right? Why is the default password strength set to "weak"? Let me guess: "admin" + "1234567"? (I sure hope those despicable life forms don't read this comment :-) )

        Fail2Ban is not installed by default (and even if installed later it is not activated by default). And in a way this feature is an indispensable but costly/active substitute for a password-like username.

        Not using "Admin" is a great free/passive safety improvement and a giant leap backwards for those pesky brute-force life forms.

        O, and on the help page of this new feature ;-) you might as well add that it is best not to use your real name, your domainname, or "root" either. Even better: Treat it as a second password.

      • Andrew Cranson commented  ·   ·  Flag as inappropriate

        The risk can be mostly mitigated by using Fail2ban. I'm not sure how important this really is - and think it would add to confusion both for customers and support.

      • Anonymous commented  ·   ·  Flag as inappropriate

        seems we cannot yet change the log in which is for all users on plesk a standard log in . This is very regrettable as we believe programming this is easy and would increase security

      • Frank commented  ·   ·  Flag as inappropriate

        Any update on this important feature? Nine months have passed...

      • ProSeriesNewb commented  ·   ·  Flag as inappropriate

        Not only should this be an option, new admins should be prompted to use an alternate admin username. This will help in security.

      • Marc commented  ·   ·  Flag as inappropriate

        Yes, this is an important security feature. I once messed up my server trying to change the admin username.

      • Stéphan S commented  ·   ·  Flag as inappropriate

        Again,

        very good idea!

        Is the id of admin also 0 ?
        Or is there no id used to login (webgui / API)?

        Anything to make it harder on them is a great win on our side.

      2 Next →

      Feedback and Knowledge Base