admin Is Not a Secure Drupal Username


This article was published in the print magazine Drupal Watchdog, Volume 2 Issue 2, 2012-08, on page 8, by Tag1 Publishing. The magazine was distributed at DrupalCon Munich, 2012-08-20.

If an attacker obtains a valid username or password utilized within your Drupal-based website, then he is that much closer to breaking in and potentially wreaking havoc. Thus, it is bad security practice to ever use an obvious username — and the most obvious one of all is "admin". Even worse, it is most commonly chosen for administrator accounts, and even for the superuser (user/1). "admin" is fine as the name of a role, but not as the name of a user.

Figure 1. Creating a user

Copyright © 2012 Michael J. Ross. All rights reserved.