Once upon a time, passwords could be relatively simple. You could swap an "e" for a "3", or add a number on the end of a word or name, and it was all pretty easy. I remember a place I worked in the 90's where password changes were forced every 3 months, and one lady had "summer1", "autumn1" and so on, so she could remember it easily!
But nowadays, password attacking scripts specifically target common habits like this. And if you're using the same password for your website as you use for internet banking... well... obviously this can end very badly!
Using strong and unique passwords can be one of the key differences between being hacked, and not.
Fact: Predictable words, sequential numbers, and personal information create weak passwords.
In 2017, SplashData identified the top 25 most common passwords. If you're using one of these anywhere online, the chances of that password being cracked is extremely high.
BetterBuys, showing how long it takes to crack a password:Take a look at this infographic from
Ideally, a strong password is at least 12 characters long, and a mix of numbers, uppercase, lowercase, and symbols.
And it should only be used ONCE.
Why? Because there are databases around that collect compromised email address/password combinations, and use them to try to hack into other websites.
This is where a password manager comes in. A password manager allows you to generate random, strong passwords, and store them in a secure database which is protected by a password. This means you only need to remember ONE password (and yes it should be a very strong one!).
Some well-known password managers include:
Consider your needs before choosing a password manager. For instance, if you need to access your passwords on a desktop browser and a phone, choose a password manager that works with all the software and hardware you use.
I've always used KeePass, but that's mostly because it was one of the first, and it's open-source, and simple, and free. The downside is that it is probably less user-friendly than many of the newer options.
Two-factor authentication adds a second level to a login, which provides a stronger defence for that account. It combines something you know (your password) with something you have (your phone). In simple terms, you login using a password, and then verify that via a code sent to your phone or app. If it's enabled and somebody gets hold of your password, they still need that 2nd factor to get in.
2FA can be enabled on many different accounts, including Gmail, social media accounts like Facebook & Twitter, eBay - AND your Joomla website.
By default, we don't automatically enable 2FA unless a client requests it, as it adds a layer of complexity to the login process which may be confusing for clients who are unfamiliar with it. However, if you are interested in adding it to your site, please log a support ticket to have it set up.
An Australian security researched has created a free online tool where you can check your email address. Click here to access it. If your email address comes up in this tool, it means your email address/password combination has been compromised and you should change your password(s) for that site immediately.
This is obviously much easier to do, if you have used a different password every time in the first place! If you've used the same email address/password on multiple sites, then you should consider changing all of those passwords.
If you have any queries regarding passwords, password changes, password managers or 2FA, please contact us.