User Registration in Joomla - improve your user security dramatically with limited effort

Default user registration settings in Joomla

By default, user registration is disabled in Joomla (since Joomla 3.4), so a standard installation poses no direct danger. Many sites nevertheless enable registration because they want to communicate with their users and build a community around the site. But look at Joomla's default registration settings from a security perspective and be prepared for quite a shock.

[Image: UserRegistrationSettingsDefault (the default user registration settings, indications 1 and 2)]

Problem 1: E-mail with password included in plain text

After registration the system mails the newly registered user their password in plain text (see indication 1 on the image). Mail is routinely relayed without encryption and then sits in the user's mailbox, on the sending server and in mail logs indefinitely, so anyone who can read it later (a compromised mailbox, a careless forward, an administrator of either mail server) has a working username and password for your site; the hashing Joomla applies when storing the password protects nothing once the clear text is in a mailbox. For a plain community site this may be acceptable, but as more and more sites handle purchases and keep personal details (including payment data) in user profiles, it is easy to see how the same mail can lead to the loss of quite sensitive customer information.

Problem 2: Password requirements are not strict enough

Next (see indication 2 on the image), the default password rules are very slack, to say the least: a minimum length of 4 characters and no other restrictions. A four-character password drawn from lower-case letters alone has fewer than half a million possibilities (26^4 = 456,976), so an attacker who obtains the password hashes can try all of them in a very short time, and even guessing against the login form needs only a limited number of attempts. Such passwords fall to a plain brute-force attack because the number of combinations is simply too small.

Conclusion: if you want to enable user registration, the default Joomla settings need to be changed; otherwise you leave your users' accounts open to takeover, because the protection they get is far too weak.

Adapted registration settings in Joomla

To fix the problems described above with Joomla's default user registration settings, here is a configuration that strikes a compromise between security and usability.

Solution 1: Allow user registration

First of all, enable registration (see indication 1 on the image below).

Solution 2: Disable the "Send Password" option

Next, disable the "Send Password" option so the password is no longer mailed to the user after registering (see indication 2 on the image below). It is a little less convenient for users, but if you adapt the welcome mail sent after registration you can include a link to the password-reset page, so users who forget their password can reset it themselves without waiting for an administrator. It also means that nobody but the user ever handles the password.

[Image: UserRegistrationSettingsAdapted (the adapted user registration settings, indications 1 to 3)]

Solution 3: Limit the maximum number of resets in a specific time interval

See indication 3 on the image above: a user who enters a valid e-mail address receives a mail with the reset link and instructions, and may repeat the request a few times before further requests are blocked. These two options, a reset count and a time window in hours, limit how many reset requests a single account can trigger within the window. A legitimate user rarely needs more than 3 reset requests in an hour; a higher number usually means someone is hammering the reset form, flooding the account with reset mails or probing which accounts exist. I suggest setting the count to 3, or 5 at most if you expect less experienced users to struggle. Note that this limit applies only to reset requests; it does not throttle failed login attempts.
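As an added example (not Joomla code, and not part of the original article), here is the kind of per-account throttle those two options describe, written in Python. It assumes the article's values of 3 requests per 1 hour and uses a sliding window; that is a design choice of this example, not a description of Joomla's own counter. The request log is constructed for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example for this article (not Joomla code): throttle password-reset
# requests per account. The two values mirror the article's suggested
# settings: at most RESET_COUNT requests per RESET_TIME_HOURS.
RESET_COUNT = 3
RESET_TIME_HOURS = 1


class ResetThrottle:
    """Allow at most `count` reset requests per account in any `hours`-long window.

    A sliding window is used here; that is a choice for this example, not a
    description of how Joomla implements its counter.
    """

    def __init__(self, count=RESET_COUNT, hours=RESET_TIME_HOURS):
        self.count = count
        self.window = timedelta(hours=hours)
        # Timestamps of the recent reset requests, per account.
        self._requests = defaultdict(deque)

    def allow(self, account, now):
        """Record the request and return True if it is within the limit.

        Blocked requests are not recorded, so hammering the form while blocked
        does not push the account's unblock time further into the future.
        """
        history = self._requests[account]
        # Forget requests that have aged out of the window.
        while history and now - history[0] >= self.window:
            history.popleft()
        if len(history) >= self.count:
            return False
        history.append(now)
        return True


# Constructed reference time and request log (account, minutes after BASE).
BASE = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_REQUESTS = [
    ("alice", 0),
    ("alice", 10),
    ("alice", 20),
    ("alice", 30),   # fourth request within the hour: blocked
    ("bob", 30),     # other accounts have their own counter
    ("alice", 61),   # alice's first request has aged out: allowed again
]


def run_sample(requests=SAMPLE_REQUESTS, count=RESET_COUNT, hours=RESET_TIME_HOURS):
    """Return the allow/block decision for each request, in order."""
    throttle = ResetThrottle(count, hours)
    return [throttle.allow(account, BASE + timedelta(minutes=minute))
            for account, minute in requests]


if __name__ == "__main__":
    for (account, minute), allowed in zip(SAMPLE_REQUESTS, run_sample()):
        action = "send reset mail" if allowed else "blocked"
        print(f"{account:6} +{minute:3d} min -> {action}")
```

Running the sample shows alice's fourth request inside the hour being blocked while bob's is not, and alice being served again once her oldest request is older than the window; raising the count to 5, as the article allows for less experienced users, lets every request in the sample through.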

Solution 4: Set balanced password complexity

Set the password length and complexity to a compromise between security and usability. In all cases, state your password requirements on the registration form so users know up front what a password must contain; if you give them no clue about what you require, they get frustrated and abandon the registration.
The opposite problem: if you set the rules too tight (a really complex password), most users will struggle to find a password the system accepts, and many will give up before completing registration because they cannot construct a password that both satisfies your rules and is memorable.

Password strength sites ask for a length of at least 12 to 14 characters before they call a password somewhat secure, so as a compromise with usability I use 12 as the default minimum length. Requiring at least 1 digit, 1 symbol and 1 upper-case character on top of that gives adequate complexity for most applications while keeping passwords simple enough for most users to remember (I have no illusions: many users will write their passwords down on paper, but since the threat discussed here comes from the network, a note on the desk does not add to the risk of interception by remote attackers).
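As an added example (not Joomla's own validator, and not part of the original article), the following Python check models the two policies discussed: Joomla's default of a 4-character minimum with no further requirements, and the adapted rules of 12 characters with at least 1 digit, 1 symbol and 1 upper-case letter. It returns the list of unmet requirements so the registration form can tell the user exactly what is missing, and describe() produces the requirement text the article says must be shown up front. Treating any non-alphanumeric character as a symbol is an assumption of this example, and the sample passwords are constructed.

```python
# Added example for this article (not Joomla's validator): check a candidate
# password against a policy and report exactly which requirements it misses.

# Joomla's default rules and the article's adapted rules, as stated above.
DEFAULT_POLICY = {
    "minimum_length": 4,
    "minimum_integers": 0,
    "minimum_symbols": 0,
    "minimum_uppercase": 0,
}
ADAPTED_POLICY = {
    "minimum_length": 12,
    "minimum_integers": 1,
    "minimum_symbols": 1,
    "minimum_uppercase": 1,
}


def _plural(n, word):
    return f"{n} {word}" + ("" if n == 1 else "s")


def check_password(password, policy):
    """Return the unmet requirements as a list of messages; empty means accepted."""
    # Assumption of this example: a symbol is any non-alphanumeric character.
    digits = sum(c.isdigit() for c in password)
    upper = sum(c.isupper() for c in password)
    symbols = sum(not c.isalnum() for c in password)
    checks = [
        ("minimum_length", len(password), "character"),
        ("minimum_integers", digits, "digit"),
        ("minimum_symbols", symbols, "symbol"),
        ("minimum_uppercase", upper, "upper-case letter"),
    ]
    problems = []
    for key, have, word in checks:
        need = policy[key]
        if have < need:
            problems.append(f"at least {_plural(need, word)} (got {have})")
    return problems


def describe(policy):
    """Requirement text to show on the registration form before the user types."""
    parts = [_plural(policy["minimum_length"], "character")]
    for key, word in (("minimum_integers", "digit"),
                      ("minimum_symbols", "symbol"),
                      ("minimum_uppercase", "upper-case letter")):
        if policy[key] > 0:
            parts.append(_plural(policy[key], word))
    if len(parts) == 1:
        requirement = parts[0]
    else:
        requirement = ", ".join(parts[:-1]) + " and " + parts[-1]
    return f"Passwords must contain at least {requirement}."


# Constructed sample passwords.
SAMPLES = ["abcd", "correcthorsebattery", "Correct-horse7battery"]

if __name__ == "__main__":
    for name, policy in (("default", DEFAULT_POLICY), ("adapted", ADAPTED_POLICY)):
        print(f"[{name}] {describe(policy)}")
        for pw in SAMPLES:
            problems = check_password(pw, policy)
            verdict = "accepted" if not problems else "; ".join(problems)
            print(f"  {pw!r}: {verdict}")
```

Under the default policy "abcd" is accepted; under the adapted policy it fails every rule, a long all-lower-case passphrase fails only the three character-class rules, and a passphrase with one capital, one hyphen and one digit passes. Returning the full list of failures, rather than a bare yes/no, is what lets the form avoid the guessing game the text warns about.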

Conclusions on Joomla user registration settings

As explained above, with very little effort you can dramatically raise the security of your Joomla site when you allow users to register. If you want visitors to register and log in to your website, spend those 5 minutes on the settings. Even on a site that keeps no sensitive user data, it gives your users a more comfortable and confident feeling, and your reputation will profit from this small effort.
