Do Not Use admin as a Drupal Username
By Michael Ross
This article was published by DrupalEasy as a Quicktip, 2009-08-03.
Perhaps the most critical component of a Drupal site's security is the user login. For a login attack to be successful, the attacker must guess both the username and its password — usually an impossible feat. But if the username can be easily guessed, that reduces the potency of this key security barrier. Far too many Drupal sites have "admin" as a username. Even worse, this is typically not a username assigned to a user who only has permissions for relatively innocuous capabilities, such as commenting on articles. Instead, that username is oftentimes chosen by the site developer for use by the site administrator working within the organization that owns the site. Worst of all is when "admin" is chosen as the name for the site's superuser (user/1).
An advisable security practice is to never use "admin" or any other easily guessable username, particularly for the superuser and any other users that have powerful administrative permissions. You can — and in most cases should — create a role named "admin", and then create a user account for the site administrator, apart from the superuser, and assign that new account to the admin role. This allows for multiple administrator accounts, each with a unique name.
Attackers use all sorts of clues to try to guess valid username/password combinations. Don't make it easy for them!
Copyright © 2009 Michael J. Ross. All rights reserved.