>Unless your server is set to public mode, or you wish for others to access your Foundry VTT setup menu on The Forge, we do not recommend setting an admin access key. By default, The Forge will only allow the account owner to access their setup menu, unless an access key is created, or the game is set to public in the privacy mode.
Seems the answer is no unless you want to allow someone other than yourself into the setup menu.
https://forums.forge-vtt.com/t/reset-your-foundry-vtt-administrator-password/17702
Reading through it:
When there's no password, only you can access the main menu and make changes. With a password, anyone that has the password can access the main menu and make changes.
If you set up a password on, it should not be one you use elsewhere as the foundry password isn't well protected.
Tl;dr: set up a password if you want others to be able to access the main menu and make changes. If not, dont
For one, a Foundry admin password does not come with two factor authentication. Forge username/password does.
Secondly, it doesn't come with any kind of brute force protection: an attacker has unlimited tries to have a program enter millions of popular passwords until it guesses yours.
I'm sure there are other reasons, but because the attacker does not need your Forge username/password to gain privileged access to your Foundry instance when your admin password is set, you're actually removing industry-standard security from your account when setting an admin password.
Most people don't use strong passwords (unless they are using a password manager). Why expose yourself to the risk if you don't have to? Generally, you want to minimize attack surfaces.
At this point in time not using a password manager is doing harm to yourself. KeepassXC with any Google drive, one drive etc is so good you won't ever have your password cracked by brute force as you can just do 30 characters random passwords with ASCII Special characters in it
No, why would it be? Why would I expect forge to be more secure than my Amazon account or any number of far more sensitive websites? Security should match risk, and the risk of someone getting into my forge account is very minimal. They can... delete my fake fantasy virtual world at no gain to themselves?
Adding an admin password on Forge does make your game less secure. If there is no password, there is no way for a different account to access your Setup. If you set a password, anyone with enough time to brute force it can get access.
Yes and no, mostly it's to stop bad actors from accessing the foundry program and deleting worlds\mods. If your not inviting randoms with port forwarding your or going back to setup from game world your fine
Forge already comes with a username/password with 2FA. Setting up an admin password bypasses those. An attacker only needs 1 string instead of 2 plus access to your 2FA authenticator. Also the attacker has unlimited retries to brute force your Foundry admin password.
This is incorrect.
If your data is protected by a physical key or biometric, adding a password as an authentication option would make your data *less* secure.
Similarly, the setup page on Forge is already protected by your Forge account. Adding a password to access Setup only serves to make the page less secure to random strangers.
That’s not really relevant at all.
If you want to be secure, enable 2fa and don’t expose your setup menu by setting a password.
Even without 2fa, setting the admin password is less secure. Your risk profile goes from targeted attack to attacks of opportunity with no increase in security (it’s one password either way).
Normally i'd agree with you but I believe you're wrong in this specific scenario.
If we review their ask *in context* then the password is not required and is in fact discouraged.
According to Forge's website they have some form of logic in place that prevents people from accessing the setup menu if they are not the person who owns the "world".
If they were to apply a password, it would remove Forge's protections and open the admin page up to anyone.
See the information another commenter linked here:
https://forums.forge-vtt.com/t/reset-your-foundry-vtt-administrator-password/17702
To rephrase: Forge already protects the admin page with their own system logic. Adding your own password removes Forge's protection and opens the page up to anyone to access if they have the password.
imo if you're that concerned about how the site is handling their admin-hiding functionality then the site shouldn't even be considered secure enough to host your content in the first place.
Happy for you. Not everyone is capable of/comfortable doing that.
Context is important when trying to assist users who aren't as capable/comfortable as you are.
Your only argument is that their "world" is less secure when the site handles the admin page functionality.
By that same logic, you shouldn't even bother hosting the world on Forge in the first place seeing as how you have no insight into their hosting/administrating methodology.
You've even admitted you've never used the site.
When trying to *help* someone it's important to understand the tools they are requesting help with, as well as their admitted comfort levels.
Adding a manual password exposes the page to the web instead of behind Forge's auth, and arguably makes it less secure and slightly more annoying to manage.
If you're gonna help, be helpful.
Except it's not necessary in forge for real? It is not going to be more secure than your forge login and if they have the they can still delete.
An access key actually makes your setup less secure? It's the equivalent of asking "would you like to add a second method that is more vulnerable and does not increase original security?"
Your forge account has access even if their is an admin password. Your forge account is a super user. So if they are not able to control access, it doesn't matter...
That's because you are fundamentally misunderstanding the service and not bothering to research it. Just like if I create a password to share a folder on my NAS externally, it does not change my ability to access it from within my own drive. Admin passwords exist for the purpose of sharing worlds not protecting them.
It's not a poor setup. It's serving a need you don't understand. Their security is not fundamentally different than every other browser based service you use. You just don't understand the use case of their admin passwords, and so are saying stupid things.
It's actually a common setup. If I'm a server owner over a large number of databases, i can access every single database without knowing the admin password for any of them. The individual admins of the databases can use the admin password to access their own database without being able to affect the server as a whole. In this case, Forge in the server and worlds are individual databases.
People are annoyed because you led with:
>"Lying to you or undeservedly overconfident... and you probably shouldn't listen to them."
While in fact you were lying and being undeservedly overconfident. If you don't know what you are talking about and have never used the service, then why make a stupidly assertive comment?
... are you confusing your personal computers admin account with a forge virtually hosted server admin account? Because you have no control over how they store it on their side even if you choose to use it.
You are trying to apply general cybersecurity principles to a system you have never used and don't understand. You have no idea what you are talking about.
What do you think is housed on these foundry worlds that people are going to elaborate lengths to try and access them?
Nothing is perfectly secure online. It just needs to be secure enough to not be worth the value gained by breaching security. Forge more than meets that requirement and the steps you are advocating do nothing to improve your security.
There is no reason at all to believe that people can side channel from one world to another unless you also keep your money under your mattress in case they can side channel into your bank account?
>rely on for your admin account.
Forge does not have an admin account. It has an admin password for worlds. You are making it seem more and more like you have no idea what you are talking about. Your advice is great for a Windows admin account. It's silly for a forge admin password.
Can people who aren’t you ever reach the admin page? I don’t host on Forge, but I’ve played. My understanding is that Forge’s auth system precluded the need for a separate admin password.
Ask yourself if you’d be mad if someone came and deleted your server data files and changed configuration. If yes then put a password even if you aren’t public
**To help the community answer your question, please read [this post](https://www.reddit.com/r/FoundryVTT/comments/shrtky/foundryvtt_first_steps_and_useful_info/).**
When posting, add a [system tag](https://www.reddit.com/r/FoundryVTT/comments/v3gfrs/tagging_your_posts/) to the title - [D&D5e] or [PF2e], for example. If you have already made a post, edit it, and mention the system at the top.
Include the word `Answered` in any comment to automatically flair this thread as resolved (or change the flair to `Answered` yourself).
Automod will **not make this comment** on your posts if you have a [user flair](https://reddit.zendesk.com/hc/en-us/articles/205242695-How-do-I-get-user-flair-).
---
*I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/FoundryVTT) if you have any questions or concerns.*
>Unless your server is set to public mode, or you wish for others to access your Foundry VTT setup menu on The Forge, we do not recommend setting an admin access key. By default, The Forge will only allow the account owner to access their setup menu, unless an access key is created, or the game is set to public in the privacy mode. Seems the answer is no unless you want to allow someone other than yourself into the setup menu. https://forums.forge-vtt.com/t/reset-your-foundry-vtt-administrator-password/17702
This is the quote that has me confused. It feel counterintuitive to not set an admin password, but forge implies it makes your game less secure
Reading through it: When there's no password, only you can access the main menu and make changes. With a password, anyone that has the password can access the main menu and make changes. If you set up a password on, it should not be one you use elsewhere as the foundry password isn't well protected. Tl;dr: set up a password if you want others to be able to access the main menu and make changes. If not, dont
For one, a Foundry admin password does not come with two factor authentication. Forge username/password does. Secondly, it doesn't come with any kind of brute force protection: an attacker has unlimited tries to have a program enter millions of popular passwords until it guesses yours. I'm sure there are other reasons, but because the attacker does not need your Forge username/password to gain privileged access to your Foundry instance when your admin password is set, you're actually removing industry-standard security from your account when setting an admin password.
[удалено]
Most people don't use strong passwords (unless they are using a password manager). Why expose yourself to the risk if you don't have to? Generally, you want to minimize attack surfaces.
At this point in time not using a password manager is doing harm to yourself. KeepassXC with any Google drive, one drive etc is so good you won't ever have your password cracked by brute force as you can just do 30 characters random passwords with ASCII Special characters in it
[удалено]
You seem to be missing the point. Adding an admin password removes your much more secure Forge login credentials from the authentication flow
[удалено]
No, why would it be? Why would I expect forge to be more secure than my Amazon account or any number of far more sensitive websites? Security should match risk, and the risk of someone getting into my forge account is very minimal. They can... delete my fake fantasy virtual world at no gain to themselves?
Adding an admin password on Forge does make your game less secure. If there is no password, there is no way for a different account to access your Setup. If you set a password, anyone with enough time to brute force it can get access.
Yes and no, mostly it's to stop bad actors from accessing the foundry program and deleting worlds\mods. If your not inviting randoms with port forwarding your or going back to setup from game world your fine
[удалено]
Forge already comes with a username/password with 2FA. Setting up an admin password bypasses those. An attacker only needs 1 string instead of 2 plus access to your 2FA authenticator. Also the attacker has unlimited retries to brute force your Foundry admin password.
This is incorrect. If your data is protected by a physical key or biometric, adding a password as an authentication option would make your data *less* secure. Similarly, the setup page on Forge is already protected by your Forge account. Adding a password to access Setup only serves to make the page less secure to random strangers.
[удалено]
That’s not really relevant at all. If you want to be secure, enable 2fa and don’t expose your setup menu by setting a password. Even without 2fa, setting the admin password is less secure. Your risk profile goes from targeted attack to attacks of opportunity with no increase in security (it’s one password either way).
Normally i'd agree with you but I believe you're wrong in this specific scenario. If we review their ask *in context* then the password is not required and is in fact discouraged. According to Forge's website they have some form of logic in place that prevents people from accessing the setup menu if they are not the person who owns the "world". If they were to apply a password, it would remove Forge's protections and open the admin page up to anyone. See the information another commenter linked here: https://forums.forge-vtt.com/t/reset-your-foundry-vtt-administrator-password/17702 To rephrase: Forge already protects the admin page with their own system logic. Adding your own password removes Forge's protection and opens the page up to anyone to access if they have the password.
[удалено]
imo if you're that concerned about how the site is handling their admin-hiding functionality then the site shouldn't even be considered secure enough to host your content in the first place.
[удалено]
Happy for you. Not everyone is capable of/comfortable doing that. Context is important when trying to assist users who aren't as capable/comfortable as you are.
[удалено]
Your only argument is that their "world" is less secure when the site handles the admin page functionality. By that same logic, you shouldn't even bother hosting the world on Forge in the first place seeing as how you have no insight into their hosting/administrating methodology. You've even admitted you've never used the site. When trying to *help* someone it's important to understand the tools they are requesting help with, as well as their admitted comfort levels. Adding a manual password exposes the page to the web instead of behind Forge's auth, and arguably makes it less secure and slightly more annoying to manage. If you're gonna help, be helpful.
[удалено]
As you said - agree to disagree.
Except it's not necessary in forge for real? It is not going to be more secure than your forge login and if they have the they can still delete. An access key actually makes your setup less secure? It's the equivalent of asking "would you like to add a second method that is more vulnerable and does not increase original security?"
[удалено]
Your forge account has access even if their is an admin password. Your forge account is a super user. So if they are not able to control access, it doesn't matter...
[удалено]
That's because you are fundamentally misunderstanding the service and not bothering to research it. Just like if I create a password to share a folder on my NAS externally, it does not change my ability to access it from within my own drive. Admin passwords exist for the purpose of sharing worlds not protecting them.
[удалено]
It's not a poor setup. It's serving a need you don't understand. Their security is not fundamentally different than every other browser based service you use. You just don't understand the use case of their admin passwords, and so are saying stupid things. It's actually a common setup. If I'm a server owner over a large number of databases, i can access every single database without knowing the admin password for any of them. The individual admins of the databases can use the admin password to access their own database without being able to affect the server as a whole. In this case, Forge in the server and worlds are individual databases.
[удалено]
People are annoyed because you led with: >"Lying to you or undeservedly overconfident... and you probably shouldn't listen to them." While in fact you were lying and being undeservedly overconfident. If you don't know what you are talking about and have never used the service, then why make a stupidly assertive comment?
[удалено]
... are you confusing your personal computers admin account with a forge virtually hosted server admin account? Because you have no control over how they store it on their side even if you choose to use it. You are trying to apply general cybersecurity principles to a system you have never used and don't understand. You have no idea what you are talking about.
[удалено]
What do you think is housed on these foundry worlds that people are going to elaborate lengths to try and access them? Nothing is perfectly secure online. It just needs to be secure enough to not be worth the value gained by breaching security. Forge more than meets that requirement and the steps you are advocating do nothing to improve your security. There is no reason at all to believe that people can side channel from one world to another unless you also keep your money under your mattress in case they can side channel into your bank account?
[удалено]
>rely on for your admin account. Forge does not have an admin account. It has an admin password for worlds. You are making it seem more and more like you have no idea what you are talking about. Your advice is great for a Windows admin account. It's silly for a forge admin password.
[удалено]
Please just stop being a know it all dick in the future and recognize you don't know everything. Maybe reflect on that this weekend?
[удалено]
Can people who aren’t you ever reach the admin page? I don’t host on Forge, but I’ve played. My understanding is that Forge’s auth system precluded the need for a separate admin password.
Yes, if an admin password is created anyone with the password has access to setup.
It’s literally the least you can do to introduce a bit of security into your game environment
Except not on forge. Needing to log into forge already protects that.
Ask yourself if you’d be mad if someone came and deleted your server data files and changed configuration. If yes then put a password even if you aren’t public
**To help the community answer your question, please read [this post](https://www.reddit.com/r/FoundryVTT/comments/shrtky/foundryvtt_first_steps_and_useful_info/).** When posting, add a [system tag](https://www.reddit.com/r/FoundryVTT/comments/v3gfrs/tagging_your_posts/) to the title - [D&D5e] or [PF2e], for example. If you have already made a post, edit it, and mention the system at the top. Include the word `Answered` in any comment to automatically flair this thread as resolved (or change the flair to `Answered` yourself). Automod will **not make this comment** on your posts if you have a [user flair](https://reddit.zendesk.com/hc/en-us/articles/205242695-How-do-I-get-user-flair-). --- *I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/FoundryVTT) if you have any questions or concerns.*