this post was submitted on 10 Jul 2023

A little off topic for most of us here on RBlind, but still worth posting for our instance's Admins/Mods if no one else.

My very basic account security advice for Lemmy Admins

Have separate accounts for the things you do on an instance:

  1. Only use Admin accounts for things requiring no less than an Admin to do.
  2. Only use Mod accounts for things requiring no less than a Mod to do.
  3. Use standard user accounts for everything else.

Be sure to log off of an account and close all apps, browser tabs and windows that were open while you used that account before trying to log in with a different account.

While there are a lot more things that can and should be done, using separate accounts is a good minimal place to start. It should help mitigate against UI exploits targeting admin accounts for compromise, like we have seen with a few other instances recently.

Things can and probably will still go wrong, but diligently using accounts of least privilege can help reduce the risk of Admins getting caught up in some of the more simple traps.
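An added example (not part of the original post) of how an instance admin could check the "admin accounts only for admin work" advice in practice: it reads the admins list from a Lemmy /api/v3/site response and flags admin accounts with a lot of ordinary posting activity. The field names follow Lemmy's GetSiteResponse as I understand it and the sample data is constructed; treat both as assumptions.

```python
import json
import urllib.request

# Constructed sample shaped like the "admins" list of Lemmy's
# GET /api/v3/site response. Field names are assumed from the Lemmy API
# (PersonView: "person" + "counts"); check them against your instance version.
SAMPLE_SITE_RESPONSE = json.dumps({
    "admins": [
        {"person": {"name": "admin_alice", "local": True},
         "counts": {"post_count": 2, "comment_count": 5}},
        {"person": {"name": "admin_bob", "local": True},
         "counts": {"post_count": 140, "comment_count": 912}},
    ]
})


def fetch_site(base_url: str, timeout: float = 10.0) -> str:
    """Fetch the public site info (including the admin list) from a live instance."""
    url = base_url.rstrip("/") + "/api/v3/site"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def audit_admin_activity(site_json: str, max_posts: int = 20,
                         max_comments: int = 50) -> list[dict]:
    """Return admin accounts whose public activity exceeds the thresholds.

    Heavy ordinary posting from an admin account suggests it is being used
    for everyday participation instead of only for admin tasks, so it is
    exposed to anything aimed at logged-in users far more often than needed.
    """
    data = json.loads(site_json)
    flagged = []
    for view in data.get("admins", []):
        counts = view.get("counts", {})
        posts = counts.get("post_count", 0)
        comments = counts.get("comment_count", 0)
        if posts > max_posts or comments > max_comments:
            flagged.append({"name": view["person"]["name"],
                            "posts": posts, "comments": comments})
    return flagged


if __name__ == "__main__":
    # Offline run on the constructed sample; swap in fetch_site("https://your.instance")
    # (hypothetical URL) to audit a real instance.
    for entry in audit_admin_activity(SAMPLE_SITE_RESPONSE):
        print(f"{entry['name']}: {entry['posts']} posts, {entry['comments']} comments "
              "-> move everyday use to a standard account")
```

The thresholds are arbitrary starting points; what counts as "too much" activity for an admin account depends on how small the instance is and how the admins actually work.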

fastfinge@rblind.com (1 year ago):

The issue with this is that Lemmy doesn't allow accounts with duplicate emails. So if I want three accounts, I need three email addresses. As Lemmy doesn't currently support push notifications, email is the only way to get notified about anything. Checking three different addresses is impractical.

I agree that this is best practice, but until Lemmy allows admins to remove the uniqueness requirement for email addresses, or sets up a decent push notifications API, it's not going to happen on most instances.

Fortunately, we were in no danger around the recent issues. Not only did we not use the feature in question, we have cross-site scripting policies set up correctly so scripts from other domains won't run.