Joomla Beat #47 - Passwords

Joomla Beat is a weekly podcast that has now been on air for over a year. Last week I joined host Peter Bui, of Sydney-based PB WebDev, to share some thoughts regarding passwords. You'll find the episode below along with a summary of the major points.


Use Strong Administrator Credentials

Administrator (the Joomla back end) is protected by both a username and a password. An attacker has to guess two pieces of data to get in, and if your username is a predictable one such as admin, they're already half-way there. Earlier versions of Joomla automatically assigned the username admin to the main account during installation, so if you are still using it, edit that account in the Users manager and change it today. Bear in mind that the username is only a minor obstacle; it is the password that has to carry the real strength.

It should go without saying that you need to use a strong password too. But many people can't be bothered. Weak passwords are one of the most common causes of website compromises, so I can't emphasise enough the importance of taking this seriously. Here is a list of the worst passwords for 2013. If you're using one of these, well you know what to do this weekend.

Choosing a Secure Password

Peter recommended NOT using the popular approach of taking a common word such as password and replacing the vowels with symbols, e.g. do NOT use p@ssw0rd. Password-cracking tools apply exactly these substitutions to their dictionaries as a matter of routine, so such a password is barely stronger than the plain word it was made from.

The software we discussed is called 1Password. It stores passwords across multiple devices and includes a password generator.

Unique Password for Each Item

Your Administrator login has a password, so does your database user, so does your FTP account (which, incidentally, sends that password in the clear; use SFTP where your host offers it). You might have multiple websites. So although it is a pain, it's important to use a unique password for every item. If you use the same password for everything and it is discovered in a breach of any one of them, attackers will try it against the rest, and your whole Internet life can come to ruin.

Of course it's not such a pain if you use password storage software such as 1Password.

Unique Joomla Logins

Joomla has a complex user system that can be intimidating. However its most basic function, adding users in Administrator, is easy. There is no need to share logins. Each user should have their own login: it makes it easy to remove their website access when they leave without resetting a password everyone else relies on, and it means you can tell who made a given change. Better still, take the time to learn how the Joomla ACL works and give each team member only the permissions their job needs; an editor who only publishes articles should not be a Super User. If you do have complex needs, consider an inexpensive extension called ACL Manager which helps visualise the current settings.

How do you deal with passwords? Got any horror stories? Please comment below.