Joomla authenticates users with a username and a password. When you create a user account on your site, it is crucial to choose a strong username and a strong password to protect your Joomla website.
Any Joomla website that employs usernames and passwords must be administered with dedicated attention to ensuring that good security practices are followed by all users. If you as site administrator, or your users, are careless about how you choose usernames and passwords or store credentials, then a "hacker" or a "botnet" may find it relatively easy to break your site's security.
You should develop methods, and provide guidance to the (potential) users of your site, for the selection of usernames and passwords, so that registration results in strong, unguessable username/password combinations that are difficult to break.
Would you believe that the most used password in the world (and on Facebook) is actually (YES!) 'password', followed by '123456', '12345678', 'abc123' and 'qwerty'? (source: SplashData)
Hilarious, isn't it? Uhhhh... How many of you are actually still using the Super Admin name 'admin' or 'admin123'? Ouch... Do you know that most bots search for a Joomla site where the super admin name starts with something like 'admin', and when they find one they bombard the administrator login with hundreds of thousands of passwords? Result in 99% of the cases: hacked!
So it is essential that you create a good username.
How do you create a good username?
- Use at least 6 alphanumeric characters, combined with capitals and symbols
- Use only . (dot), - (dash) or _ (underscore) when using symbols
- Create one you can remember but which is very difficult to guess
Let me give you an example:
Choose usernames and passwords that use uppercase letters, numerals, lowercase letters and symbols in non-obvious arrangements.
My name, for instance, is Leonard. Obviously that is bad to use, since hackers will use names and/or name combinations to discover the username.
So I choose the name Leon, which is easy to remember but still easy to discover, since it is plain and only 5 characters. So we modify that and it will still be easy to remember: 'l_3.0n' is a good reproduction and an easy to remember username. (e = 3 and o = 0, add 2 symbols and we are done!)
Now the more important one is the password! What is a good password?
Rule 1 – Password Length: Stick with passwords that are at least 15 characters in length. The more characters, the better, since longer passwords are more difficult to crack. (20 characters is the maximum in cPanel, for instance, by the way.)
Rule 2 – Password Complexity: Use a combination of
- Upper case letters
- Lower case letters
A very good password generator will help you create a good password. However, such a password is probably difficult to remember, so another way of generating a password which you will easily remember is to take a familiar sentence and translate it into your very own, easy to remember password. Here is the example of my text phrase:
"I am married and have two daughters of fourteen and twenty one years old".
Now I keep only the first letter of each word and I have a possible password: "Iamahtdofatoyo".
This, though, needs a little modification to make it super strong while I will still be able to remember my password, so when we look at the characters we get: 'iaM+h2do4t&t1yo'.
Now THAT is super strong and even I can remember that!
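To see the post's username and password rules applied together, here is an added example in Python (not code from the original post or from Joomla): it checks a candidate against the rules given above and reproduces the first-letter mnemonic. The rule messages and the list of common passwords are constructed from the text of this post.

```python
import re

# Constructed list of the most used passwords the post cites (source: SplashData).
COMMON_PASSWORDS = {"password", "123456", "12345678", "abc123", "qwerty"}

# Only letters, digits and the three symbols the post allows: '.', '-', '_'.
USERNAME_ALLOWED = re.compile(r"^[A-Za-z0-9._-]+$")


def initials(phrase: str) -> str:
    """Mnemonic step from the post: keep the first letter of every word."""
    return "".join(word[0] for word in phrase.split())


def check_username(username: str) -> list:
    """Return the rules a username breaks; an empty list means it is acceptable."""
    problems = []
    if len(username) < 6:
        problems.append("shorter than 6 characters")
    if not USERNAME_ALLOWED.match(username):
        problems.append("uses symbols other than '.', '-' or '_'")
    if username.isalpha():
        problems.append("letters only: mix in digits and symbols")
    if username.lower().startswith("admin"):
        problems.append("starts with 'admin', which bots look for")
    return problems


def check_password(password: str) -> list:
    """Return the rules a password breaks; an empty list means it is acceptable."""
    problems = []
    if len(password) < 15:
        problems.append("shorter than 15 characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper case letters")
    if not any(c.islower() for c in password):
        problems.append("no lower case letters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("one of the most used passwords in the world")
    return problems


if __name__ == "__main__":
    phrase = "I am married and have two daughters of fourteen and twenty one years old"
    for name in ("admin", "Leonard", "l_3.0n"):
        print(name, check_username(name) or "OK")
    for pw in ("password", initials(phrase), "iaM+h2do4t&t1yo"):
        print(pw, check_password(pw) or "OK")
```

The raw initials "Iamahtdofatoyo" fail only on length (14 characters), while the post's modified 'iaM+h2do4t&t1yo' passes every rule.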
Now that we have strong usernames and strong passwords, it is time to spend a moment on how to practice good password security in daily life:
- Never store usernames and passwords on paper or in an unencrypted computer file. A very popular FTP client, FileZilla, does exactly that: it stores passwords in plain text! Use an open source program such as KeePass to store your usernames and passwords fully encrypted; it also generates passwords that are practically unbreakable (unless you have a Cray supercomputer!)
- Never disclose usernames and passwords to any other person. If you need (remote) site support, create specific usernames and passwords for the support team helping you! (This allows you to retrieve and review through the logs what they have been doing on your site, for instance.)
- Do not use passwords that have been used in the past
- Do not use the same password for any other sites or programs (email, for instance, your social security access, online tax offices, banking accounts, etc.). If one is cracked, they might have access to them all!
- Never provide credentials when requested through email. Trusted companies such as FedEx, PayPal, DHL and banks will never ask you for your credentials by email.
- Keep the number of Super Admins and other people who can access the system files in your backend to a minimum, and do not share your password.
- When you have given (unknown) third parties access with their own specifically created passwords, delete those accounts after they have finished their work, and check in cPanel that they have not enabled anonymous FTP login.
- Virus-scan any USB stick when you insert it into your computer, or use a program such as Panda USB Vaccine, which is free to download. Highly recommended, since malware is often hidden on the USB stick your kids bring home from school or from the library, etc.!
Recognize this? Do something about it now!