
Invision Community Blog


Our take on managing successful online communities

Rikki
 

How to lock down and keep your community secure

Making security considerations a key part of your community setup and maintenance can save you from many future headaches.

You've worked hard to get your community moving. Don't make yourself an easy target and undo that work.

Here’s our current advice to our customers.

 

1. Enable HTTPS
HTTPS is fast becoming the standard way to serve websites. In 2016, more than 50% of web requests were served under HTTPS for the first time. Chrome and Firefox now explicitly warn users on login forms that aren’t sending data over HTTPS, and it’s not hard to imagine that in the near future all insecure pages will receive the warning.

HTTPS simply means that website data is served over an encrypted connection, so it can’t be read or tampered with by a ‘man in the middle’ sitting between the visitor and your server. You can identify a site using HTTPS because the address in your browser will show ‘https://’ (instead of http://), and normally a lock icon or the word ‘secure’.

Invision Community supports HTTPS out of the box: simply change your base URL configuration to use https://. Your web host will need to support it as well; our Invision Community Cloud services support it by default. Contact support if you have any questions.

Recommendation: Set up HTTPS for your entire community to prevent ‘man in the middle’ attacks.


2. Set up Two Factor Authentication
Invision Community supports Two Factor Authentication (2FA for short), and we highly recommend making use of this feature for your users, but especially for your administrator staff.

2FA is a system that requires both a user’s password and a special code (displayed by a phone app) that changes every few seconds. The idea is simple: if a user’s password is somehow compromised, a hacker still wouldn’t be able to log in to the account because they would not have the current code.

You may already be familiar with 2FA from other services you use. Apple’s iCloud, Facebook and Google all offer it, as do thousands of banks and other security-conscious businesses.

Invision Community supports 2FA via the Google Authenticator app (available for iOS and Android) or the Authy service, which is able to send codes to users via text message or phone call. You can also fall back to security questions instead of codes.

You can configure which member groups can use 2FA, as well as requiring certain groups to use it.

Recommendation: Require any staff with access to the Admin Control Panel or moderation functions to use 2FA, to ensure that no damage can be done should their account passwords be discovered. Allow members to use 2FA at their discretion.
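How the code shown by a 2FA app is produced and checked, as an added example that is not Invision Community’s implementation: Google Authenticator, named above, implements the time-based one-time password scheme of RFC 6238 (HOTP from RFC 4226 driven by the clock). The parameters here (HMAC-SHA1, a 30-second step, 6 digits) are the standard defaults and are assumed; the secret used in the demo is the RFC’s published test key, not a real one.

```python
import base64
import hashlib
import hmac
import struct

# Assumed defaults matching Google Authenticator: HMAC-SHA1, 30 s steps, 6 digits.
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC the big-endian counter, then dynamically truncate."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of steps since the epoch."""
    return hotp(secret, unix_time // step)


def secret_from_base32(encoded: str) -> bytes:
    """Apps are provisioned with a base32 secret (the QR-code payload); decode it."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding some apps omit
    return base64.b32decode(cleaned)


def verify(secret: bytes, submitted: str, unix_time: int,
           last_counter: int = -1, window: int = 1):
    """Server-side check. Returns the accepted counter, or None if rejected.

    - `window` tolerates +/- one step of clock skew between phone and server.
    - Any counter at or below `last_counter` (the last one this account used)
      is refused, so a code that was already used cannot be replayed.
    - compare_digest keeps the comparison constant-time.
    """
    current = unix_time // STEP_SECONDS
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return candidate
    return None


if __name__ == "__main__":
    # RFC 6238 test key (ASCII "12345678901234567890"), base32-encoded as an app would store it.
    key = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    code = totp(key, 59)                       # RFC vector: 287082
    print("code at t=59:", code)
    print("accepted counter:", verify(key, code, 59))
    print("replay refused:", verify(key, code, 59, last_counter=1) is None)
```

The interesting part for an administrator is `verify`: the phone and server never talk to each other, so both must agree on the secret and, within a step or so, the time; the `last_counter` bookkeeping is what stops a code that was already entered once from being accepted a second time.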

 

3. Configure password requirements
The password strength feature displays a strength meter to users as they type a new password, showing them approximately how secure it is, as well as some tips for choosing a good password.

While you can leave this feature as a simple recommendation for users, it’s also possible to require them to choose a password that reaches a certain strength on the meter.

Recommendation: Require users to choose at least a ‘Strong’ password.

 

4. Use Admin restrictions
It’s very common that many different staff members need access to the Admin Control Panel depending on their role. You may have design staff, billing staff, community managers, and so on, all with particular tasks they need to carry out.

Invision Community can help improve the security of your Admin Control Panel by allowing you to restrict the functions available to each administrator, granting them access to only the tools needed to do their job. 

Recommendation: Audit your community’s administrator accounts and apply restrictions where it makes sense to do so.

 

5. Stay up to date
It’s important to ensure you’re always running the latest release of Invision Community. With each release, we add new security features, audit code and fix any issues reported through responsible disclosure. Falling behind can therefore make your community a tempting target for potential hackers.

Your Invision Community Admin Control Panel will let you know when a new release is available, and you can also check out our Release page to track releases.

For our Enterprise customers, we’ll automatically apply updates for you shortly after release as part of your plan. For our self-hosted and Cloud customers, you can easily apply new updates via the Admin Control Panel with a couple of clicks.

Our Invision Community Cloud follows all best practices for security. However, if you are self-hosted, be sure to work with your web host to ensure your server is set up properly. Keeping server software patched and having firewalls and access controls in place is very important, as an insecure server can be your worst enemy.

Recommendation: Aim to install the latest updates as soon as feasible.

 

6. IP address restrictions
For organizations where staff are centrally based in one location, or are required to use a VPN, you can improve your community security by restricting access to the Admin Control Panel to the IP addresses your staff will be using. This is a server-level feature, so contact your IT team to have this facility set up on your installation. Enterprise customers who wish to utilize IP restrictions should contact our Managed Support team, while Cloud customers can submit a support ticket to have this set up.

Recommendation: Where staff all access the community from a small number of IP addresses, restrict Admin Control Panel access to those IPs. 


Summary
Don’t leave security as an afterthought. Invision Community includes a range of tools to help you ensure your data and members are protected, as well as industry-standard protections ‘under the hood’. Make use of these features, and they’ll help ensure the wellbeing of your site.

As always, if you have any questions or need advice, our support team are on hand to assist you.


Comments


@bfarber That's the issue: it doesn't. The strength meter shows the second example as 'very weak' and still recommends to users that their passwords should be in the first format:

Quote

Choosing a Password

A good password consists of:

  • 8 or more characters
  • Mixture of letters and numbers
  • Mixture of upper and lowercase
  • Special characters
  • Non-dictionary words

Exactly the type of easily crackable passwords people should be avoiding.

 

On 11/29/2017 at 7:45 PM, asigno said:

@bfarber That's the issue: it doesn't. The strength meter shows the second example as 'very weak' and still recommends to users that their passwords should be in the first format:

Exactly the type of easily crackable passwords people should be avoiding.

 

That's not what I'm seeing. I'm seeing "very strong" for "correct horse batter staple".


Something interesting happens here. I'm running v4.2.6 and if I manually enter "correct horse battery stable" I get very weak. But if I copy and paste the same phrase I get very strong.

(screenshot attachment: Capture.JPG)

On 30.11.2017 at 1:45 AM, asigno said:

Exactly the type of easily crackable passwords people should be avoiding.

How so? Long, non-standard words which mix all types of characters. How is that easily crackable, and what on earth should be the alternative?

5 minutes ago, asigno said:

Something interesting happens here. I'm running v4.2.6 and if I manually enter "correct horse battery stable" I get very weak. But if I copy and paste the same phrase I get very strong.

There might be something wrong with the JavaScript on your site. 
If I type that in it STARTS with showing weak, but it gets updated and eventually it becomes very strong when enough characters were entered. 

8 minutes ago, opentype said:

How so? Long, non-standard words which mix all types of characters. How is that easily crackable, and what on earth should be the alternative?

There might be something wrong with the JavaScript on your site. 
If I type that in it STARTS with showing weak, but it gets updated and eventually it becomes very strong when enough characters were entered. 

Complexity does not equal high entropy; the https://xkcd.com/936/ comic is a good example.

https://blogs.technet.microsoft.com/msftcam/2015/05/19/password-complexity-versus-password-entropy/ 

1.  Mathematically, the LENGTH of the password is exponentially more important than the complexity of the character-set used.  
2.  ANY complexity rule, to include defining a required number of numbers, letters, specials, etc., actually increases a password's ability to be cracked.

 

 

9 minutes ago, asigno said:

Complexity does not equal high entropy

True, but that is no answer. You made the claim that following the listed rules would make such a password “easy to crack”. How so? It doesn’t tell you to take a base word, replace O with zero, add a figure at the end or anything that comic makes fun of. So you haven’t answered the question. Here is a password 1Password just generated for me: “4]7c7saP8WGNcT6Was”. It follows IPS’ recommendations. How do you crack that? 

Quote

Mathematically, the LENGTH of the password is exponentially more important than the complexity of the character-set used.  

And that is exactly why it says “8 or more characters” among other things. It’s a list of things not “one or the other”. No one said go for complexity only and ignore the length. 

9 minutes ago, asigno said:

ANY complexity rule, to include defining a required number of numbers, letters, specials, etc., actually increases a password's ability to be cracked.

Yet another argument that fails, because there are no such requirements by default. It’s a list of things the user could do. 
And the rules are still valid, by the way. “password” as a password is terrible, of course. Adding a number (“passw8ord”) makes it slightly more secure, not less secure. Adding a symbol (“pa§ssw8ord”) makes it more secure, and so on and so forth. That’s all the list of recommendations says, and it is correct.

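Added example, not part of the thread and not Invision Community’s strength meter (whose algorithm the post does not describe): a toy estimator that scores a password under the cheapest of several attacker models, plus a one-line calculation for the keyspace effect of a “must contain a digit” rule, so that the passwords mentioned in section 3 and in this discussion can be compared on the same scale. The word list, the assumed dictionary size (2048 words, the figure the xkcd comic uses), the symbol count and the rating thresholds are all assumptions.

```python
import math
import re

# Constructed toy word list standing in for an attacker's dictionary. The
# assumed size below, not the toy set's length, drives the entropy arithmetic.
TOY_WORDS = {"correct", "horse", "battery", "staple", "stable", "password", "welcome"}
ASSUMED_DICT_SIZE = 2048   # 11 bits per word; assumption borrowed from xkcd 936
SYMBOL_COUNT = 33          # printable ASCII that is neither letter nor digit


def charset_size(pw: str) -> int:
    """Alphabet an attacker must cover if all they know is which classes appear."""
    size = 0
    if re.search(r"[a-z]", pw): size += 26
    if re.search(r"[A-Z]", pw): size += 26
    if re.search(r"[0-9]", pw): size += 10
    if re.search(r"[^A-Za-z0-9]", pw): size += SYMBOL_COUNT
    return size


def brute_force_bits(pw: str) -> float:
    """Model 1: enumerate every string over the observed character classes."""
    return len(pw) * math.log2(charset_size(pw))


def passphrase_bits(pw: str):
    """Model 2: the password is N dictionary words joined by separators."""
    words = re.split(r"[\s\-_]+", pw.strip().lower())
    if len(words) < 2 or not all(w in TOY_WORDS for w in words):
        return None
    return len(words) * math.log2(ASSUMED_DICT_SIZE)


def decorated_word_bits(pw: str):
    """Model 3: one dictionary word with k non-letters inserted somewhere.
    Cost = choosing the word + for each extra character its position and value."""
    letters = re.sub(r"[^A-Za-z]", "", pw)
    if letters.lower() not in TOY_WORDS:
        return None
    extras = len(pw) - len(letters)
    per_extra = math.log2(len(letters) + 1) + math.log2(10 + SYMBOL_COUNT)
    return math.log2(ASSUMED_DICT_SIZE) + extras * per_extra


def estimate_bits(pw: str) -> float:
    """Strength is the entropy under the cheapest model that applies."""
    if not pw:
        return 0.0
    candidates = [brute_force_bits(pw)]
    for model in (passphrase_bits, decorated_word_bits):
        bits = model(pw)
        if bits is not None:
            candidates.append(bits)
    return min(candidates)


def rating(bits: float) -> str:
    """Coarse meter labels; the thresholds are assumed for illustration."""
    for limit, label in ((28, "very weak"), (36, "weak"), (60, "strong")):
        if bits < limit:
            return label
    return "very strong"


def keyspace_fraction_removed(length: int, alphabet: int = 95, required_class: int = 10) -> float:
    """Share of all `length`-character strings that a rule 'at least one character
    from a class of size required_class' removes from the attacker's search space."""
    return (1 - required_class / alphabet) ** length


if __name__ == "__main__":
    for pw in ("password", "passw8ord", "pa§ssw8ord",
               "correct horse battery staple", "4]7c7saP8WGNcT6Was"):
        bits = estimate_bits(pw)
        print(f"{pw!r:32} {bits:6.1f} bits  {rating(bits)}")
    print(f"8-char policy requiring a digit removes "
          f"{keyspace_fraction_removed(8):.0%} of the keyspace")
```

Two things the numbers make visible: a strength meter is only as good as the attacker models it knows about (a meter that only applies model 1 rates “passw8ord” far higher than model 3 does), and a rule that forces a class shrinks the search space slightly (about 41% fewer 8-character strings, well under one bit) while the length term dominates everything else.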
