The Importance of Using a Strong Username & Strong Password

Discussion regarding Joomla! 3.x security issues.

leolam
Joomla! Master

The Importance of Using a Strong Username & Strong Password

Post by leolam » Wed Apr 17, 2013 7:45 am

In Joomla we are using usernames and passwords. It is crucial that you create a strong username and strong password to protect your Joomla website when creating a user account in your site.

Any Joomla web site that employs usernames and passwords must be administered with dedicated attention to ensuring that good security practices are followed by all users. If you as site administrator or your users are careless about how they choose usernames and passwords or store credentials, then a "hacker" or a "botnet" may find it relatively easy to break your site's security.

You should develop methods and provide information to the (potential) user of your site for the selection of usernames and passwords so registration results in strong and unguessable username/password combinations which are difficult to break.

Would you believe that the most used password in the world (and on Facebook) is actually (YES!) 'password', followed by '123456', '12345678', 'abc123' and 'qwerty'? (source: Splashdata)

Hilarious, isn't it? Uhhhh... How many of you are actually still using the Super Admin name 'admin' or 'admin123'? Ouch... You know that most bots are searching for a Joomla site where the super admin name starts with something like 'admin', and then bomb the administrator login with hundreds of thousands of passwords when they find one? Result in 99% of the cases: hacked!

So it is essential that you create a good username.

How do you create a good user name?
  • Use at least 6 alphanumeric digits combined with Caps and Symbols
  • Use only .(dot), -(dash) or _(underscore) when using symbols
  • Create one you can remember but which is very difficult to guess
Let me give you an example:
Choose usernames and passwords that use uppercase letters, numerals, and lowercase letters and symbols in non-obvious arrangements.

My name for instance is Leonard. Obviously that is bad to use, since hackers will use names and/or name combinations to discover the username.

So I choose the name Leon, which is easy to remember but still easy to discover since it is plain and only 5 digits. So we modify that and it will still be easy to remember: 'l_3.0n', which is a good reproduction and an easy to remember username. (e = 3 and o = 0, add 2 symbols and we are done!)

Now the more important one is the password! What is a good password?

Rule 1 – Password Length: Stick with passwords that are at least 15 characters in length. The more characters the better since difficult to crack. (20 digits are the max in cPanel for instance btw).

Rule 2 – Password Complexity: Use a combination of
  • Upper case letters
  • Lower case letters
  • Numbers
  • Symbols
A very good password generator will help you create a good password. However, it will probably be difficult to remember, so another way of generating a password which you will easily remember is to use a familiar sentence and translate that into your very own, easy to remember password. Here is the example of my text phrase:

"I am married and have two daughters of fourteen and twenty one years old" .

Now I keep only the first digit of each word and I have a possible password: "Iamahtdofatoyo".

This though needs a little modification to make it super strong while I will still be able to remember my password, so when we look at the digits we get: 'iaM+h2do4t&t1yo'.

Now THAT is super strong and even I can remember that!

Now we have strong user names and strong passwords it is the moment to spend some time on the issue of how to practice good password security in daily life:
  • Never store usernames and passwords on paper or in an unencrypted computer file such as a very popular FTP-client named Filezilla! Filezilla stores passwords in plain text. Use an Open Source program such as Keepass to store your usernames & passwords all encrypted and it also creates unbreakable passwords (unless you have a Cray Supercomputer!)
  • Never disclose usernames and passwords to any other persons. If you need (remote) site support, create specific usernames and passwords for the support team helping you! (This allows you to retrieve and review through the logs what they have been doing on your site, for instance.)
  • Do not use passwords that have been used in the past
  • Do not use the same password for any other sites or programs (email for instance, your social security access, tax offices online, banking accounts, etc). If one is cracked they might have access to them all!
  • Never provide credentials when requested through email. Trusted companies such as Fedex, Paypal, DHL, Banks will never ask you for your credentials per email
  • Keep the number of Super Admins and other folks that can access the system files in your backend to a minimum and do not share your password
  • When you have given access to (unknown) 3rd parties with their own specifically created passwords, delete them after they have finished their work and check in cPanel that they have not enabled anonymous FTP login
  • Virus scan your USB when inserting in your computer or use a program such as USBvaccine from Panda which is free to download : Highly recommended since phishing bots are often hidden in the USB your kids bring home from school or from your library etc etc!
Recognize this? Do something about it now!

Leo 8)
Last edited by leolam on Tue Apr 23, 2013 10:44 am, edited 1 time in total.
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
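The rules in the post above, written out as a small checker. This is an added example, not code from the post or from Joomla. The constants are the post's own (a username of at least 6 characters using only . - _ as symbols and not starting with 'admin'; a password of at least 15 characters with upper, lower, digit and symbol; the five common passwords it cites); the function names and the use of Python's punctuation set as the symbol class are my assumptions.

```python
"""Username/password policy checker for the rules in the post above.

Added example, not code from the post or from Joomla. The rules are the
post's; function names and the symbol class are assumptions.
"""
import re
import string

# The common passwords named in the post (Splashdata list excerpt).
COMMON_PASSWORDS = {"password", "123456", "12345678", "abc123", "qwerty"}

# Username stems the post says bots probe for.
WEAK_USERNAME_STEMS = ("admin",)

# Letters, digits and only the three symbols the post allows.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def check_username(name: str) -> list:
    """Return a list of rule violations; an empty list means the name passes."""
    problems = []
    if len(name) < 6:
        problems.append("shorter than 6 characters")
    if not USERNAME_RE.match(name):
        problems.append("contains symbols other than . - _")
    if name.lower().startswith(WEAK_USERNAME_STEMS):
        problems.append("starts with a stem bots search for ('admin')")
    return problems


def check_password(pw: str, min_len: int = 15) -> list:
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = {
        "upper": any(c.isupper() for c in pw),
        "lower": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }
    for cls, present in classes.items():
        if not present:
            problems.append(f"no {cls} character")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("is on the common-password list")
    return problems


def first_letters(phrase: str) -> str:
    """The post's passphrase trick: keep the first character of every word."""
    return "".join(word[0] for word in phrase.split())


if __name__ == "__main__":
    for name in ("admin", "admin123", "Leon", "l_3.0n"):
        print(f"username {name!r}: {check_username(name) or 'ok'}")

    phrase = "I am married and have two daughters of fourteen and twenty one years old"
    raw = first_letters(phrase)        # the post's intermediate "Iamahtdofatoyo"
    crafted = "iaM+h2do4t&t1yo"        # the post's final version
    for pw in ("password", raw, crafted):
        print(f"password {pw!r}: {check_password(pw) or 'ok'}")
```

Running it shows why the post does not stop at the first-letter step: "Iamahtdofatoyo" is 14 characters with no digit and no symbol and fails three rules, while the reworked 'iaM+h2do4t&t1yo' passes all of them, and 'admin' fails both the length and the stem check.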
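The post describes bots that find a site with an 'admin' super user and then throw hundreds of thousands of passwords at the administrator login. As an added example, not from the post or from Joomla, here is detection logic for that pattern run over constructed web server log lines. It assumes the Apache/nginx "combined" log format and that the Joomla 3 administrator login form POSTs to /administrator/index.php; the threshold of 20 login POSTs inside any 60-second window is an illustrative choice, and the IP addresses and timestamps are made up.

```python
"""Spot password guessing against the Joomla administrator login in web server logs.

Added example, not from the post. Assumes the combined log format and that
the Joomla 3 administrator login POSTs to /administrator/index.php. Sample
lines are constructed; the 20-in-60s threshold is an illustrative choice.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOGIN_PATH = "/administrator/index.php"
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Combined log: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line: str):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop the query string
        "status": int(m["status"]),
    }


def find_bruteforcers(lines, threshold: int = 20,
                      window: timedelta = timedelta(seconds=60)) -> dict:
    """Return {ip: peak count} for IPs with >= threshold login POSTs in any sliding window.

    Login POSTs are counted regardless of status code: Joomla answers a failed
    login with a redirect back to the form, much like a successful one, so the
    rate of attempts is the signal rather than the status.
    """
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == LOGIN_PATH:
            posts[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def sample_log() -> list:
    """Constructed log: one bot hammering the login, one admin logging in hourly."""
    base = datetime(2013, 4, 17, 7, 45, 0, tzinfo=timezone.utc)

    def line(ip, t, method, path, status):
        return (f'{ip} - - [{t.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" '
                f'{status} 512 "-" "Mozilla/5.0"')

    lines = [line("203.0.113.7", base, "GET", LOGIN_PATH, 200)]
    # bot: 30 guesses, one per second
    lines += [line("203.0.113.7", base + timedelta(seconds=i), "POST", LOGIN_PATH, 303)
              for i in range(30)]
    # admin: three logins an hour apart, each followed by the control panel page
    lines += [line("198.51.100.5", base + timedelta(hours=i), "POST", LOGIN_PATH, 303)
              for i in range(3)]
    lines += [line("198.51.100.5", base + timedelta(hours=i, seconds=2), "GET",
                   "/administrator/index.php?option=com_cpanel", 200) for i in range(3)]
    return lines


if __name__ == "__main__":
    for ip, peak in find_bruteforcers(sample_log()).items():
        print(f"{ip}: {peak} login POSTs within 60 s")
```

On the constructed log only 203.0.113.7 is reported; the admin's three logins an hour apart never reach the threshold. In practice feed this the real access log and pair it with a lockout or rate limit in front of /administrator, since a strong super user name only stops the bots that guess the username, not the ones that already know it.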

Ankit Mathur
Joomla! Ace

Re: The Importance of Using a Strong Username & Strong Password

Post by Ankit Mathur » Wed Apr 17, 2013 7:55 am

One can also use a password generator which can generate a combination of letters, digits, symbols and other characters. Surely it will be difficult to crack and guess. Yes, the person won't be able to remember the password, but he/she can save it somewhere else, in a more trustworthy vault.
Most people use browsers to store such encrypted passwords, so it works for them too.
With Kind Regards,
Ready Bytes Software Labs
Joomla Shopping Cart: http://www.readybytes.net/paycart.html

ahmad
Joomla! Guru

Re: The Importance of Using a Strong Username & Strong Password

Post by ahmad » Wed Apr 17, 2013 8:00 am

Thank you for sharing your thoughts. I like the approach you explained for picking a good/strong username, but when it comes to passwords I kinda like to follow XKCD's approach:

[image: XKCD's password strength comic]

leolam
Joomla! Master

Re: The Importance of Using a Strong Username & Strong Password

Post by leolam » Wed Apr 17, 2013 8:12 am

Ankit Mathur wrote:One can also use a password generator
The link to a good password generator is in my post!

Leo 8)
Last edited by leolam on Tue Apr 23, 2013 10:56 am, edited 1 time in total.

Ankit Mathur
Joomla! Ace

Re: The Importance of Using a Strong Username & Strong Password

Post by Ankit Mathur » Wed Apr 17, 2013 8:41 am

leolam wrote:
Ankit Mathur wrote:One can also use a password generator
The link to a very good password generator is in my post!

Leo 8)
Indeed it is a good password generator. And if one doesn't want to go to a website to generate passwords, then he/she can use add-ons in the browser itself. Like in Chrome, lots of add-ons are available for the browser itself. One can search for password generators in the Chrome store.

Nothing special, it just becomes easier to generate and use passwords quickly, a time-saving sort of thing.

PhilD
Joomla! Hero

Re: The Importance of Using a Strong Username & Strong Password

Post by PhilD » Wed Apr 17, 2013 4:35 pm

Personally and as Leo also mentioned, I use the free KeePass http://keepass.info/ for both storage of sensitive data such as login credentials and for generating new passwords. It is also portable running from a usb stick if desired. KeePass is also recommended by the Security_Checklist/You_have_been_hacked_or_defaced (formerly checklist 7) http://docs.joomla.org/Security_Checkli ... l_Security
KeePass uses AES / Rijndael 256 bit key to encrypt the database itself, and KeePass is resistant to most key loggers. For those interested, more info on the security offered can be found here: http://keepass.info/help/base/security.html

Keeping passwords in any Browser or any FTP program is a very bad idea.
Most keep the passwords in plain text or under some easily broken encryption. All major malware knows how to get these passwords (as well as your Windows login credentials) and break any encryption applied to them by the program.

I don't know if the browser add-ons also offer to store the passwords, but if they do then I think they are a bad idea if the offer is taken up. People are credential lazy, and if a browser or add-on offers to store the password, that is a bad idea.

I have also never liked online password generator sites. Maybe it is just me, but I am always suspicious that they may be secretly recording the information to add to attack lists. It is/has been known that there are sites that look very legitimate which do just that and are run by the people you want to keep out.

I can't find the supporting documentation right now, but using a phrase for a password can be just as effective as using a generated password or crafting a password.

iaM+h2do4t&t1yo = 92 bit strong (Leo's crafted one meets most business requirements)

correct horse battery staple = 107 bits (but does not meet most common business password requirements of: letters with at least one upper, at least one number and at least 1 symbol)

Z+xSg%*PbfE$!f64 = 99 bit strong (random generated one - very hard to remember, meets most business requirements)

I am Happy! 04-14/2013 = 114 bit strong ( phrase; easy to remember, meets most business requirements).

Joomla will accept any of the above including the last one as a password. The last one is easy to remember, easy to create, meets most business requirements, and is easy to remember when you last changed it. Could it be improved upon? Of course, but as is it is easy to remember and just as difficult for a computer to crack as the other harder to remember ones. I have dozens of passwords for both work and private and it can be a chore to remember all of them especially since most of the computers are locked down at work with no usb access.

Leo is correct about the most common passwords. I have a list of them I kept that was pulled from a hack script from a site I worked on recently.
PhilD
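PhilD's post compares four passwords by bit strength. The figures there came from an unnamed checker and are not reproduced here; the following added example (not from the post, KeePass or Joomla) shows the two models such numbers are usually built on, so the reader can see why the same string scores very differently depending on what the attacker is assumed to know: brute force over every string using the character classes present (length times log2 of the alphabet size), and the XKCD passphrase model (number of words times log2 of the word list size). The 33-symbol alphabet (ASCII punctuation plus space) and the rate of 10^9 guesses per second are my assumptions for illustration.

```python
"""Two estimates of password strength, following the comparison in the post above.

Added example, not from the post. The post's bit figures came from an unnamed
checker and are not reproduced. SYMBOLS and the 1e9 guesses/s rate are
assumptions chosen for illustration.
"""
import math

SYMBOLS = 33  # printable ASCII punctuation (32) plus space (assumption)


def charset_size(pw: str) -> int:
    """Size of the alphabet a brute-forcer must cover, given the classes in use."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += SYMBOLS
    return size


def brute_force_bits(pw: str) -> float:
    """Entropy if the attacker tries every string over the alphabet in use."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def passphrase_bits(words: int, dictionary_size: int) -> float:
    """Entropy when the attacker knows the scheme: random words from a known list."""
    return words * math.log2(dictionary_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e9) -> float:
    """Years needed to try the whole space at the given guess rate."""
    return 2.0 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare(passwords) -> dict:
    """Map each password to (alphabet size, brute-force bits rounded to 0.1)."""
    return {pw: (charset_size(pw), round(brute_force_bits(pw), 1)) for pw in passwords}


if __name__ == "__main__":
    for pw, (n, bits) in compare([
        "iaM+h2do4t&t1yo",
        "correct horse battery staple",
        "Z+xSg%*PbfE$!f64",
        "I am Happy! 04-14/2013",
    ]).items():
        print(f"{pw!r}: alphabet {n}, {bits} bits by brute force, "
              f"{years_to_exhaust(bits):.2e} years at 1e9 guesses/s")
    # The XKCD phrase under the attacker model it was designed for:
    bits = passphrase_bits(4, 2048)
    print(f"4 random words from a 2048-word list: {bits} bits, "
          f"{years_to_exhaust(bits):.2e} years at 1e9 guesses/s")
```

The two models disagree by more than a hundred bits for "correct horse battery staple" (about 165 bits if every string over 59 characters must be tried, 44 bits if the attacker knows it is four words from a 2048-word list), which is the whole argument behind the XKCD comic. The character-class figure is an upper bound for any human-derived password: first-letters-of-a-sentence and letter-for-digit substitutions are standard rules in password-cracking tools, so a string like 'iaM+h2do4t&t1yo' is weaker against such a rule set than its brute-force number suggests. For the output of a random generator such as KeePass's, the brute-force estimate is the right one.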

leolam
Joomla! Master

Re: The Importance of Using a Strong Username & Strong Password

Post by leolam » Tue Apr 23, 2013 11:03 am

I would never, ever advise using a browser based FTP-client. This is one of the most confirmed vulnerabilities, especially where one's PC security is not up-to-date or insufficiently protected.

Many hacks come through vulnerable browsers, and then using that same browser to load data to your Joomla site? Guess how many sites we restore per month that were hacked through utilizing FireFTP or similar browser add-ons?

(Note I am not stating that these extensions themselves are vulnerable: I state that a combination of these extensions and insufficiently protected PCs with outdated (browser) software, for instance, is at risk.)

Leo 8)

Ankit Mathur
Joomla! Ace

Re: The Importance of Using a Strong Username & Strong Password

Post by Ankit Mathur » Wed Apr 24, 2013 6:33 am

Quite true Leo. One should use one's wits about storing or not storing super confidential passwords in the browser itself.
