[Vtigercrm-developers] Security?

Alan Lord alanslists at gmail.com
Tue Jul 1 08:12:15 GMT 2014


On 01/07/14 08:43, Zebra Hosting wrote:
> Since the CRM is used to store a lot of personal data, I was wondering
> how secure vTiger is and if there are any extra options we could discuss.
>
> Let me start with a few points:
> 1. At the login I don’t see something as simple as brute-force protection.

+1

> 2. The standard admin user cannot be changed, it needs another account
> and then needs to be deleted. Using standard admin usernames is bad
> practice.

In 5.4.0 as long as you had another admin user configured and you logged 
in with the new admin users credentials you could remove the default 
"admin" user. Does this not work in 6?

> 3. Having the vTiger name and even the version number at the login
> screen makes it very easy for hackers.

I don't think this makes much difference frankly.

> 4. It would be nice to have a black/whitelist to restrict access by IP.
> (yes I know htaccess could be used but I'm talking about average users)

This should be done at the network level not at the application layer.

> 5. Use the http://www.projecthoneypot.org/ project to ban access at the
> gate for spammers. (Works so very well in Joomla, I don’t need to use
> captchas anymore )

vtiger doesn't really have a public "form" as such so I don't see the 
need for this? Maybe for the Customer Portal yes?

> 6. Big warning in the installer to use https:// to encrypt the
> loginscreen pw.

This would only really be required if the CRM is visible from the 
Internet without going through a VPN surely?

> 7. Minimum password length/complexity

+1

Al
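Points 1 and 7 of the list above (brute-force protection at the login and a minimum password length/complexity) are the two that live in application code. The following is an added example, written for this page rather than taken from vtiger CRM, of what such a control looks like: consecutive failed logins are counted per (username, source IP) and, from the fifth failure on, trigger a lockout that doubles on every further failure up to a cap; passwords are stored as salted PBKDF2 hashes and compared in constant time; a policy check rejects short, single-class, username-containing or well-known passwords. The in-memory store, the thresholds, the tiny common-password list and the function names are all assumptions made for the example; a real deployment would keep the counters in the database or a cache shared by every web node.

```python
"""Login brute-force throttling and password policy check.

Added example, not vtiger code. The in-memory counters, thresholds and
the COMMON_PASSWORDS list are assumptions made for illustration only.
"""
import hashlib
import hmac
import math
import os
import re
import time

MAX_FAILURES = 5               # failures before the first lockout
BASE_LOCKOUT_SECONDS = 30      # first lockout; doubles on each further failure
MAX_LOCKOUT_SECONDS = 15 * 60  # cap so a typo-prone user is not locked out for hours
MIN_PASSWORD_LENGTH = 12
PBKDF2_ITERATIONS = 100_000

# Constructed deny list for the example; a real one would be far larger.
COMMON_PASSWORDS = {"password", "password123", "admin", "vtiger", "welcome1"}


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, derived_key) using PBKDF2-HMAC-SHA256 with a random salt."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, dk


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, dk = hash_password(password, salt)
    return hmac.compare_digest(dk, expected)  # constant-time comparison


# Dummy credential so unknown usernames cost the same hashing time as real ones.
DUMMY_SALT, DUMMY_HASH = hash_password(os.urandom(16).hex())


def password_policy_errors(password: str, username: str) -> list:
    """Return a list of policy violations; an empty list means the password is acceptable."""
    errors = []
    if len(password) < MIN_PASSWORD_LENGTH:
        errors.append("shorter than %d characters" % MIN_PASSWORD_LENGTH)
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        errors.append("needs at least three of: lower, upper, digit, symbol")
    if username.lower() in password.lower():
        errors.append("contains the username")
    if password.lower() in COMMON_PASSWORDS:
        errors.append("is a commonly used password")
    return errors


class LoginGuard:
    """Tracks consecutive failed logins per (username, client IP) with exponential lockout.

    Keying on the pair means an attacker hammering 'admin' from one address cannot
    lock the real administrator out from another, while guessing is still slowed.
    """

    def __init__(self, clock=time.time):
        self._clock = clock       # injectable for testing
        self._failures = {}       # key -> consecutive failure count
        self._locked_until = {}   # key -> unix time at which the lock expires

    @staticmethod
    def _key(username: str, client_ip: str) -> tuple:
        return (username.lower(), client_ip)

    def retry_after(self, username: str, client_ip: str) -> int:
        """Seconds the caller must wait, or 0 if the login may proceed."""
        remaining = self._locked_until.get(self._key(username, client_ip), 0.0) - self._clock()
        return math.ceil(remaining) if remaining > 0 else 0

    def record_failure(self, username: str, client_ip: str) -> int:
        """Count a failure; return the lockout length applied (0 if none yet)."""
        key = self._key(username, client_ip)
        n = self._failures.get(key, 0) + 1
        self._failures[key] = n
        if n >= MAX_FAILURES:
            lock = min(BASE_LOCKOUT_SECONDS * 2 ** (n - MAX_FAILURES), MAX_LOCKOUT_SECONDS)
            self._locked_until[key] = self._clock() + lock
            return lock
        return 0

    def record_success(self, username: str, client_ip: str) -> None:
        key = self._key(username, client_ip)
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def attempt_login(guard: LoginGuard, users: dict, username: str, client_ip: str, password: str) -> str:
    """Return 'ok', 'bad-credentials' or 'locked:<seconds>'.

    The lock is checked before the password, so a locked account rejects even the
    correct password; the same generic answer is given for unknown users and wrong
    passwords so the login page does not reveal which usernames exist.
    """
    wait = guard.retry_after(username, client_ip)
    if wait:
        return "locked:%d" % wait
    salt, expected = users.get(username, (DUMMY_SALT, DUMMY_HASH))
    if verify_password(password, salt, expected) and username in users:
        guard.record_success(username, client_ip)
        return "ok"
    guard.record_failure(username, client_ip)
    wait = guard.retry_after(username, client_ip)
    return "locked:%d" % wait if wait else "bad-credentials"
```

The lockout is deliberately applied to the (username, IP) pair rather than to the username alone: locking the account itself would let anyone who knows the default "admin" username (point 2 of the list) deny the real administrator access at will. For an Internet-facing install the counters must be shared across all web nodes, and point 6 still applies: none of this helps if the password crosses the wire in clear text.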
