Joomla community powered logo

Site Slogan


← 2FA Overview | Why Two Factor Authentication →


What is Two Factor Authentication

In order to put your security on a higher level, the addition of a security layer with a completely different processto authenticate can deliver a tremendous effect. A general idea is that

  1. You know something
  2. You have something

You know something

The default setup procedure for a new Joomla site (or even more in general - every default login process for whatever kind of site) takes care of this part: you have to define a username to login with and you have to provide a password which belongs to the username. If you know both, you will be able to log in after a standard Joomla installation setup.

Default Login Screen Administrator

There is a long list of easy to guess usernames in general and in our case specifically for Joomla to log in as a Super User, including (but not at all limited to)

  • admin
  • administrator
  • JoomlaAdmin
  • TheBoss
  • SuperUser

The same trick goes on for passwords, where the list beneath is compiled from a couple of online sources who published an overview of the worst passwords (or easiest to guess passwords) as found out by hackers.

  • password
  • 123456
  • LetMeIn
  • secret
  • qwerty
  • admin

So please look for some inspiration, do yourself a favor and take a username and password that you don't find in the lists of common usernames and passwords.

To make sure you will not be victim of a brute force attack or dictionary hack a couple of minutes after you start working with your neatly installed site, you have to come up with a password which is long (e.g. 30 or more characters) and complex, preferably including upper and lower case, digits and special characters without being a word which can be found in a dictionary. If your password is not that long AND complex, current computer systems are capable of cracking your password in a couple of seconds or minutes: a fast processor and a good password guess program are able to generate thousands of password guesses per second. By adding extra characters (no digits or lower/uppercase characters), it will take far longer for these programs to crack a password.

Nobody can invent AND remember a couple of different passwords which comply to these requirements, so an electronic password safe is a real must have for the current website administrators. When you look around on the web, you certainly will find a couple of good candidates.

I personally prefer to use KeePass (of course, it's up to you to pick yours), mainly because it's open source so the security algorithm can be audited by everyone who knows anything about encryption. This way backdoors can and will be found sooner than later. An additional advantage on KeePass is the availability on Windows, Android and Linux (there it has to be downgraded to V1) so you can use your password file on whatever device you work. I'm not paranoid, but in an era where NSA and PRISM (no, I didn't find the explanation of this one on the site of NSA itself so I had to link to Wikipedia instead :)) seem to remain impunished, I get more and more indications that Open Source and the community around it is just the only right choice to make sure we can keep our data in our own hands.

This way, you can use complex enough passwords to resist the first line of dictionary brute force attacks.

You have something

This is the second part of what your standard security setup should be: you need to have something in your hands or you must be able to get it in your hands right now in order to be able to log in to your site.

Right now, there are a couple of solutions for this. Joomla has included 2 off the shelf methods in its default installation

  • Two factor authentication - Yubikey
  • Two factor authentication - Google Authenticator

2 Factor Authentication - Default Joomla Plugins


When activiting these possibilities, the login screen for everybody is changed and gets an extra field with the possibility to fill your extra security token - no matter the exact methodology of your second factor.

 2FA   Login screen frontend

 2FA   Login screen administrator

{tag}link rel="author" href="" /{/tag}

NOTE! This site uses cookies.

If you do not change browser settings, you agree to it. Learn more

I understand


To make this site work properly, we sometimes place small data files called cookies on your device. Most big websites do this too.

What are cookies?

A cookie is a small text file that a website saves on your computer or mobile device when you visit the site. It enables the website to remember your actions and preferences (such as login, language, font size and other display preferences) over a period of time, so you don’t have to keep re-entering them whenever you come back to the site or browse from one page to another.

How do we use cookies?

A number of our pages use cookies to remember:

Also, some videos embedded in our pages use a cookie to anonymously gather statistics on how you got there and what videos you visited.

Enabling these cookies is not strictly necessary for the website to work but it will provide you with a better browsing experience. You can delete or block these cookies, but if you do that some features of this site may not work as intended.

The cookie-related information is not used to identify you personally and the pattern data is fully under our control. These cookies are not used for any purpose other than those described here.

How to control cookies

You can control and/or delete cookies as you wish – for details, see You can delete all cookies that are already on your computer and you can set most browsers to prevent them from being placed. If you do this, however, you may have to manually adjust some preferences every time you visit a site and some services and functionalities may not work.

You can find the full EU privacy guideline by clicking on this link