What is Two Factor Authentication
To raise your security to a higher level, adding a security layer that uses a completely different process to authenticate can have a tremendous effect. The general idea is that you combine two factors:
You know something
The default setup procedure for a new Joomla site (and, more generally, every default login process for whatever kind of site) takes care of this part: you have to define a username to log in with and you have to provide a password that belongs to that username. If you know both, you will be able to log in after a standard Joomla installation.
There is a long list of easy-to-guess usernames in general, and in our case specifically for Joomla, to log in as a Super User, including (but not at all limited to)
- admin
- administrator
- JoomlaAdmin
- TheBoss
- SuperUser
The same trick goes for passwords; the list below is compiled from a couple of online sources that published overviews of the worst (or easiest-to-guess) passwords as discovered by hackers.
- password
- 123456
- LetMeIn
- secret
- qwerty
- admin
So please look for some inspiration, do yourself a favor and choose a username and password that you don't find in the lists of common usernames and passwords.
To make sure you will not be the victim of a brute force or dictionary attack a couple of minutes after you start working with your freshly installed site, you have to come up with a password that is long (e.g. 30 or more characters) and complex, preferably including upper and lower case letters, digits and special characters, without being a word that can be found in a dictionary. If your password is not that long AND complex, current computer systems are capable of cracking it in a couple of seconds or minutes: a fast processor and a good password guessing program can generate thousands of guesses per second. Adding extra characters (beyond just digits and lower/upper case letters) makes it take far longer for these programs to crack a password.
Nobody can invent AND remember a couple of different passwords that comply with these requirements, so an electronic password safe is a real must-have for today's website administrators. When you look around on the web, you will certainly find a couple of good candidates.
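The reasoning above (check against the known-bad lists, then estimate how long an exhaustive brute-force search would take at a given guess rate) can be carried through in a few lines. This is an added example, not code from the page or from Joomla; the two word lists are constructed from the lists above and are deliberately tiny, and the guess rates used at the bottom are assumptions for illustration. It goes slightly beyond the text by comparing a long all-lowercase password with a short mixed-class one, to show that length dominates the search space.

```python
import math
import string

# Constructed from the page's examples; a real check would use a much larger list
# (and compare case-insensitively, as done here).
COMMON_USERNAMES = {"admin", "administrator", "joomlaadmin", "theboss", "superuser"}
COMMON_PASSWORDS = {"password", "123456", "letmein", "secret", "qwerty", "admin"}

OTHER_PRINTABLE_ALLOWANCE = 100  # assumption: rough size for non-ASCII printable characters


def is_common(value: str, wordlist: set) -> bool:
    """True if the value (case-insensitively) appears in the given known-bad list."""
    return value.strip().lower() in wordlist


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must assume, based on the classes actually used."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII special characters
    ascii_printable = string.ascii_letters + string.digits + string.punctuation
    if any(c not in ascii_printable for c in password):
        size += OTHER_PRINTABLE_ALLOWANCE
    return size


def keyspace(password: str) -> int:
    """Number of candidates an exhaustive search over that alphabet and length must try."""
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the keyspace: the usual 'bits of strength' figure for a random password."""
    return len(password) * math.log2(charset_size(password))


def years_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time for a blind brute-force search at the given rate, in years."""
    return keyspace(password) / guesses_per_second / (365 * 24 * 3600)


def assess(username: str, password: str, guesses_per_second: float) -> dict:
    """Combine the list check and the search-space estimate into one verdict."""
    return {
        "username_common": is_common(username, COMMON_USERNAMES),
        "password_common": is_common(password, COMMON_PASSWORDS),
        "bits": round(entropy_bits(password), 1),
        "years": years_to_exhaust(password, guesses_per_second),
    }


if __name__ == "__main__":
    # Assumed rates: the page's "thousands per second" and a modern offline GPU rig.
    for rate in (1e4, 1e9):
        for user, pw in (("admin", "password"), ("webmaster", "Tr0ub4dor&3"), ("webmaster", "a" * 30)):
            print(rate, user, repr(pw), assess(user, pw, rate))
```

Note that the estimate models only a blind search over the character set; a password built from dictionary words or common substitutions falls far sooner to a dictionary attack, which is exactly why the text insists on a non-dictionary password and a password safe.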
I personally prefer to use KeePass (of course, it's up to you to pick yours), mainly because it's open source, so the security algorithm can be audited by everyone who knows anything about encryption. This way backdoors can and will be found sooner rather than later. An additional advantage of KeePass is its availability on Windows, Android and Linux (there it has to be downgraded to V1), so you can use your password file on whatever device you work on. I'm not paranoid, but in an era where NSA and PRISM (no, I didn't find the explanation of this one on the site of NSA itself, so I had to link to Wikipedia instead :)) seem to remain unpunished, I get more and more indications that Open Source and the community around it is just the only right choice to make sure we can keep our data in our own hands.
This way, you can use passwords complex enough to resist the first line of dictionary and brute force attacks.
You have something
This is the second part of what your standard security setup should be: you need to have something in your hands, or you must be able to get it into your hands right now, in order to be able to log in to your site.
Right now, there are a couple of solutions for this. Joomla includes two off-the-shelf methods in its default installation:
- Two factor authentication - Yubikey
- Two factor authentication - Google Authenticator
When activating one of these options, the login screen changes for everybody and gets an extra field in which to fill in your extra security token, whatever the exact mechanism behind your second factor.