Usernames & Passwords

UNIQUE Usernames

Are you using the username ADMIN when logging into your Joomla! control panel?

If YES CHANGE IT to something totally unconnected with you and your interests.

Are you using your name?

If YES then DON'T.

Use something UNIQUE and which is totally unconnected with you and your interests.

Are you using your email address?

If YES, then is it one that includes your name and which is publicly available on the web?

Oops, create a new email account using a word that is totally unconnected with you and your interests.

By now you have probably got the message!


UNIQUE COMPLEX Passwords

If you want to protect your Joomla! CMS from a brute force attack then you MUST use a UNIQUE COMPLEX password for every application and website you use, including:

  1. Joomla! CMS Control Panel login,
  2. Hosting Control Panel login,
  3. FTP login (when separate credentials are supported by your hosting company),
  4. email account, and
  5. every other application you can think of.

By COMPLEX we mean:

  1. 16+ characters,
  2. no repetition, usernames, dictionary words, letter or number sequences,
  3. not using relative or pet names, likes, dislikes, romantic links (current or past), or biographical information (e.g., ID numbers, ancestors' names or dates) - or anything you publish in your social media profile!
  4. numbers and special characters as well as letters (Example: . - _ ! " £ $ % ),
  5. upper-case and lower-case letters,
  6. random, and
  7. unmemorable.


Some Password Tips

NEVER let your web browser or FTP client remember your usernames or passwords when you are logging in.

DO NOT store passwords in an unencrypted file, for example, a TXT file.

USE a Random Password Generator to create genuinely unique random passwords - see below.

USE a Password Manager application to securely store passwords on your computer or mobile storage device (example: pen drive) in encrypted form - see below.

DO NOT share your username and password for any of these resources with anyone.

IF a website offers two-factor authentication, use it.

Read more: Two Factor Authentication.

The best passwords are those which are randomly generated.

Password Manager applications usually include a password generator.

Alternatively, use an online random password generator, for example:

Password Generator by whatismyip.org.

A Password Manager is like a safe deposit box.

It is a place where you can store your growing set of unique complex passwords in one place.

Stored passwords are of course encrypted, and accessible to you alone using one (hopefully very strong!) password.

Perhaps the best known open source Password Manager is called: KeePass Password Safe.

Read more: KeePass Password Safe.

Warning

The weakest link in your security chain is YOU.

Use a weak password and your Password Manager could be hacked just like any other application.

Write down your password and clearly label what it is for and you might as well leave the thing unlocked.

Some login credentials are so precious you might like to keep them in your head.

Example: your bank account.

Essential reading, but not just before bedtime:

Read more: How I'd hack your weak passwords.

Read more: How big is your haystack?


An Experiment

We used the superb utility provided at the following website to test some passwords for how long it might take a hacker to crack:

https://howsecureismypassword.net/

Password = PASSWORD

The above website states that the password PASSWORD could be cracked ...

Instantly!

Password = BAABAABLACKSHEEP

A better password?

It would apparently take 35000 years to crack.

But the website adds the following proviso:

"Your password looks like it could be a dictionary word or a name. If it's a name with personal significance it might be easy to guess. If it's a dictionary word it could be cracked very quickly."

And recommends using randomized passwords.

Password = 4Du3{e#XzqLKbY(p

We followed the advice and used a password generator to come up with the above password.

How long would it take to crack this password?

41 trillion years! But it's not very easy to remember, is it?

Password = 4Du3BANANAbY(p

We tried sticking a BANANA in the middle of our randomly generated password to make it easier to remember.

Result:

Not as strong as (3) above, but it would still apparently take rather a long time to crack:

204 million years!
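As an added example (not from the original page and not the tool at howsecureismypassword.net), the following Python estimates the worst-case search space for the four passwords tried above, the way the "haystack" argument frames it, and flags embedded dictionary words; the guess rate and the tiny word list are assumptions, so the year figures will not match the website's, but the ordering and the proviso do.

```python
# Constructed character classes; the symbol set is printable ASCII punctuation.
CHAR_CLASSES = {
    "lower": "abcdefghijklmnopqrstuvwxyz",
    "upper": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "digit": "0123456789",
    "symbol": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}
# Assumed guessing rate (1e11 guesses/s). The real rate depends entirely on the
# hash algorithm and the attacker's hardware, so the years below are illustrative.
GUESSES_PER_SECOND = 100_000_000_000
SECONDS_PER_YEAR = 365 * 24 * 3600
# Tiny constructed word list standing in for the dictionaries a cracker carries.
WORDS = {"password", "black", "sheep", "banana", "market", "piggy"}

def alphabet_size(password: str) -> int:
    """Size of the union of every character class the password touches."""
    return sum(len(chars) for chars in CHAR_CLASSES.values()
               if any(c in chars for c in password))

def search_space(password: str) -> int:
    """Candidates an exhaustive search tries for every length up to len(password)."""
    a = alphabet_size(password)
    return sum(a ** k for k in range(1, len(password) + 1))

def worst_case_years(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Years to exhaust the search space, assuming the password is truly random."""
    return search_space(password) / rate / SECONDS_PER_YEAR

def dictionary_hits(password: str) -> list:
    """Dictionary words embedded in the password. Any hit means the random-search
    estimate above is far too optimistic, which is exactly the website's proviso."""
    return sorted(w for w in WORDS if w in password.lower())

def report(password: str) -> str:
    years = worst_case_years(password)
    hits = dictionary_hits(password)
    note = f" (contains {', '.join(hits)}: treat as much weaker)" if hits else ""
    return f"{password}: alphabet {alphabet_size(password)}, ~{years:.3g} years{note}"

if __name__ == "__main__":
    for pw in ["PASSWORD", "BAABAABLACKSHEEP", "4Du3{e#XzqLKbY(p", "4Du3BANANAbY(p"]:
        print(report(pw))
```

Note how BAABAABLACKSHEEP scores well on raw search space yet is flagged for dictionary words, while the generated password is both large and clean.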

Renowned security technologist, Bruce Schneier, says that "pretty much anything that can be remembered can be cracked." Source: Bruce Schneier.

He does however put forward some ideas for creating hard to guess passwords that may also be easy for users to remember.

This involves combining

  • a personally memorable sentence with
  • some personally memorable tricks

which when used modify the sentence to create a lengthy password.

For example:

"This little piggy went to market"

might become

"tlpWENT2m".

He goes on to state that you should avoid using words that are listed in dictionaries, or ones previously published on the web or in your social media profile.

So don't use the above example!

Instead, if using the above approach, create a sentence that is personal to you and you alone.

But better still, use a Random Password Generator + a Password Manager.

Brute force attacks have reached epidemic level across the internet.

Such attacks involve bots visiting your website and trying to log in as administrator.

A Brute Force Attack will not occur if the hacker has already obtained your login credentials.

Brute Force occurs when they don't have them but work on the basis that your credentials are weak.

Running complex algorithms on powerful computers, the hackers will run through millions of permutations of what your password could be.

Some useful reading:

Wikipedia Definition.

Case Study: Brute Force attack against WordPress sites in 2014.
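As an added example, not part of the original page, here is a small Python detector for the behaviour described above: it counts POSTs to the Joomla control-panel login per source address in constructed Apache-style access-log lines and flags any source exceeding a threshold inside a sliding time window; the log lines, threshold and window size are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache-style access log lines (not real traffic): one source
# hammers the Joomla control-panel login, another logs in once.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2014:10:00:00 +0000] "GET /administrator/index.php HTTP/1.1" 200 4021
203.0.113.7 - - [10/Mar/2014:10:00:01 +0000] "POST /administrator/index.php HTTP/1.1" 303 512
203.0.113.7 - - [10/Mar/2014:10:00:03 +0000] "POST /administrator/index.php HTTP/1.1" 303 512
203.0.113.7 - - [10/Mar/2014:10:00:06 +0000] "POST /administrator/index.php HTTP/1.1" 303 512
203.0.113.7 - - [10/Mar/2014:10:00:09 +0000] "POST /administrator/index.php HTTP/1.1" 303 512
203.0.113.7 - - [10/Mar/2014:10:00:12 +0000] "POST /administrator/index.php HTTP/1.1" 303 512
203.0.113.7 - - [10/Mar/2014:10:00:15 +0000] "POST /administrator/index.php HTTP/1.1" 303 512
203.0.113.7 - - [10/Mar/2014:10:00:20 +0000] "POST /administrator/index.php HTTP/1.1" 303 512
198.51.100.2 - - [10/Mar/2014:10:05:00 +0000] "POST /administrator/index.php HTTP/1.1" 303 512
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/administrator/index.php"  # Joomla control-panel login target

def login_posts(log_text: str):
    """Yield (ip, timestamp) for every POST aimed at the control-panel login."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, path = m.groups()
        if method == "POST" and path.split("?", 1)[0] == LOGIN_PATH:
            yield ip, datetime.strptime(ts, TIME_FMT)

def flag_bruteforce(log_text: str, limit: int = 5, window_seconds: int = 60) -> dict:
    """Map each source IP that made more than `limit` login POSTs inside any
    sliding window of `window_seconds` to its total number of login POSTs."""
    by_ip = defaultdict(list)
    for ip, ts in login_posts(log_text):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > limit:
                flagged[ip] = len(times)
                break
    return flagged

if __name__ == "__main__":
    print(flag_bruteforce(SAMPLE_LOG))  # {'203.0.113.7': 7}
```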

Should you change your password often?

This is often recommended.

However, some experts say there is no need to keep changing your passwords providing you:

  • create complex unique passwords, and
  • store them in a secure place, i.e., using a Password Manager.

Of course if you suspect a password has been compromised then you should change it immediately.