How To Create a Strong Password for Joomla!
Like many other Joomla template developers, I often have to think up new passwords for accounts. While services such as Lastpass allow you to generate a random password and save it linked to a user name, many people still use the good old human memory for their passwords. In most cases, this will create the weakest link in a security chain. A quick test should reveal a lot about your own password habits.
Have you ever (had) a password that was based on, or included:
- Your own first and / or last name
- Your date of birth or marriage
- The name of your pet or spouse
- The name of any of your family members
- Any significant date or place in your life
- The word ‘password’ or a synonym of that word
- A common (keyboard) sequence or pattern such as 123456 or ‘qwerty’
- A word found in a dictionary of any language
- Less than 6 characters in total
Chances are huge you have, and hackers know this. In order to create the strongest possible passwords, you should consider some of the ways in which your account can be accessed without your permission:
Here the attacker launches an attack using one or more computers (a ‘botnet’) that try as many password combinations as fast as possible. For example: the brute forcer could make the script start with the password ‘001’, then try ‘ab’, then ‘d28d’, then ‘2j4dh3D’ or any other sequence of characters. Protecting your website from this type of ‘dumb’ attack requires you to make the chance of the computer guessing your password as small as possible. This can be done by increasing the length of the password, using mixed case and special characters. Rapid increases in computing power, high-end graphics processors and the development of specialized software have unfortunately made brute forcing a relatively simple task for computers compared to a couple of years ago.
The Electronic Authentication Guideline states that: “A user-selected eight-character password with numbers, mixed case, and symbols […] would take an average of 16 minutes to crack.”. This is why researchers from the Georgia Tech Research Institute state that: “[…] your confidential information is probably not safe unless you use a 12-digit randomized password”.
Unfortunately, neither Joomla 1.5 nor Joomla 1.6 seem to feature any protection against brute forcing (such as requiring a CAPTCHA after a certain amount failed login attempts).
Use as many characters as possible (12 or more is advised) and include mixed case, numbers and special characters in your password
Rainbow tables / Dictionary attacks
Assuming you probably aren’t going to use a 12-digit+ randomized password for every single Joomla Administrator login (despite the advice above), I’ll proceed with further explanations on common pitfalls in choosing a password that you can actually remember.
Because hackers know most people will use passwords based on the list described above (dates of any kind, words in the dictionary, names, etc.), they will usually try a so called ‘rainbow table attack’, prior to launching a full-on brute force attack. Rainbow tables are enormous lists (some up to several terabytes in size) containing common words and passwords. These rainbow tables often include entire dictionaries in several languages, hence the related term ‘dictionary attack’. The attacker will loop through the strings listed in the rainbow table in an attempt to match the strings with the password you’ve entered. Considering the vast amount of passwords listed in such a rainbow table, adding a simple ‘1’ (password1) or ‘!’ (password!) probably won’t keep you safe.
Don’t include any logical or common sequence of characters or numbers in your password
With this type of attack the attacker will attempt to capitalize on the knowledge that many people use personal data in their passwords. They will extract information from your Facebook profile, look for sticky notes on your desk (which hopefully don’t contain any passwords) or may even try to call your co-workers pretending to be you and asking to give out your password.
Don’t include any personal information in your passwords or tell your passwords to anyone
- Using Leet speak won’t keep you safe because rainbow tables will include strings like ‘p4ssw0rd’
- Many users have passwords that are 8 characters long, try using 9 (or 13) to lower the chance of attackers guessing it
- Don’t use related passwords like ‘passwordFacebook’ and ‘passwordGmail’ because a hacker might make the link and crack your other accounts
The Warcraft II account of one of my friends was recently hacked. His password? The number 1; nothing more, nothing less. He has had this password for over 8 years, and despite the fact that it broke pretty much every rule I’ve outlined above, his account hadn’t been cracked before, most likely simply because nobody had ever tried to. Perhaps this teaches us one of the best lessons of all:
Don’t make people want to hack your account in the first place