How do you setup a powerful password scheme?

From Joomla! Documentation
(Difference between revisions)
(needed updating)
Line 1: Line 1:
 
'''Overview'''
 
'''Overview'''
  
: Most users may not need more than 3 levels of passwords and webmasters no more than 5. Each level must be completely unrelated to the others in terms of which ids and passwords are used.
+
: Password security is not something you can practice simply with respect to Joomla or any other software. If you use the same "secure" password everywhere you need a password, you are not secure. Passwords should be strong: preferably random strings of 8-10 or more characters including upper and lowercase letters, numbers, and non-alphanumeric characters. Ideally, a password should not be used for multiple accounts. You need to make unique passwords and consider how they relate carefully across multiple accounts and platforms. You also need to be able to remember your passwords but not by sacrificing security by repeating the same passwords all the time.
  
'''Directions'''
+
But let's not focus too much on the password, which is usually only half of a pair of login credentials becaue a username or ID will also be required. It's more effective for security to use a different username on every site than it is to use a different password. Knowing you always use the same username can be used against you effectively by someone who wants to break into your accounts. Even if they know a password, it will be useless unless they know what account it goes to and what the corresponding username is.
  
* '''Level 5 (Public)''' - is the password you use on public sites. It is not imperative that you use a different password on every site. In fact it's more effective to use a different username on every site than it is to use a different password truth be told! Knowing the username allows easy hacking...half the work is done! knowing the password is useless unless you know what account it goes to!
+
Here is one way to try to balance security with your ability to remember different passwords.  
  
* '''Level 4 (Webmaster)''' - Reserved for SQL Only. this is a password that would only be used by SQL and limited to a specific database in SQL. The best way to protect SQL is by limiting each account to just being able to do the minimum that DB requires. In some cases it is even wise to have a read only account for display and a separate write account that the backend write functions use. But that doesn't apply to J! at all... for J! the best practice is to set up an individual account (not root for sure) that only has read and write access to the J! DB nothing else.
+
It is not imperative that you use a different password on *every* site that requires you to have one if you won't be harmed by someone else accessing the account. Instead, think of your online accounts in terms of levels of importance. Each level must be completely unrelated to the others in terms of which IDs/usernames and passwords are used, but within the same level, you can compromise security somewhat on less sensitive accounts by repeating passwords or by basing them on a pattern. For example, make a password from the first 3 characters of the site's primary domain followed by a memorable keyword, or something similar.  
  
* '''Level 3 (Webmaster)''' - FTP and Server Access. these can be the same user:pass combo since both if compromised can do the most damage. doesn't matter if the backend or Cpanel is safe if the FTP is not and the same goes the other way!
+
Many people may not need more than three levels of passwords and webmasters not more than five: 
  
* '''Level 2 (Personal Data Access)''' - This password should be used for any sites or locations that contain personal data with the exception of Banking (see level 1). these sites are often used for social engineering data such as medical records, service accounts and any financial records not directly related to banking! You want these to be secure but also different from the real threat of security...your money!
+
* '''Level 5 (Public)''' - is the password you use on sites that require a user account that won't carry any sensitive information. It's wise to use a bogus or throwaway email address for these accounts to avoid spam and phishing directed at your primary email address.
  
* '''Level 1 (Banking!)''' - this needs to be the most secure in fact if you have two different banks it actually pays to have a different user:pass for each just to be sure!
+
* '''Level 4 (Webmaster)''' - is reserved for one database user that should only have access to one database for one installation of Joomla. This is not a user and password combination you will need to remember unless you plan to use a remote access SQL client. You can write it down and keep it in a safe place.
 +
 
 +
* '''Level 3 (Webmaster)''' - is for one FTP user. Many low-end Linux hosts make the FTP user credentials the same as the login credentials for the server control interface and remote command line access via SSH. If possible, make these all separate usernames and passwords. If you configure Joomla to use FTP, give it an FTP user that only has access to the folder Joomla is installed in. Turn off SSH access if you don't use it. These too are passwords you can write down and save or just forget and reset them when you need them.
 +
 
 +
* '''Level 2 (Personal Data Access)''' - is for any accounts that contain personal data with the exception of financial (e.g. banking) sites (see level 1). Sites that carry medical records, insurance and other service accounts, or and any financial records not directly related to banking may contain information that can be used to steal your identity or do other mischief. Your login credentials for these accounts should be strong and unique to the extent that you value the information in them and do not want it stolen.
 +
 
 +
* '''Level 1 (Banking and Primary Email)''' - is the most important, high-value level. It needs to be the most secure, and it is wise to NOT use the same credentials for multiple banking accounts. Your primary email address/es are also critical because they can be used to impersonate you or create new passwords for accounts they are attached to. Do not keep passwords and login credentials in emails someone else might find if they accessed your account. Do not share an email account with anyone else.
 +
 
 +
Finally, think about your practices on your personal devices: you browsers and mail clients, among other things, probably store a lot of passwords and other sensitive information. Be very careful to use good passwords and physical security options, especially on laptops and mobile devices.
  
 
[[Category:FAQ]]
 
[[Category:FAQ]]
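Review bot: the revised Level 4 item (the line beginning "Level 4 (Webmaster) - is reserved for one database user") drops the concrete least-privilege guidance that the old text carried: that the account must not be root and should have only read and write access to the Joomla database and nothing else. The new wording says "only have access to one database" without saying which privileges, so suggest restoring that point, e.g. "a non-root database user that has only the read and write privileges it needs on the one Joomla database".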

Revision as of 13:54, 12 January 2011

Overview

Password security is not something you can practice simply with respect to Joomla or any other software. If you use the same "secure" password everywhere you need a password, you are not secure. Passwords should be strong: preferably random strings of 8-10 or more characters including upper and lowercase letters, numbers, and non-alphanumeric characters. Ideally, a password should not be used for multiple accounts. You need to make unique passwords and consider how they relate carefully across multiple accounts and platforms. You also need to be able to remember your passwords but not by sacrificing security by repeating the same passwords all the time.

But let's not focus too much on the password, which is usually only half of a pair of login credentials because a username or ID will also be required. It's more effective for security to use a different username on every site than it is to use a different password. Knowing you always use the same username can be used against you effectively by someone who wants to break into your accounts. Even if they know a password, it will be useless unless they know what account it goes to and what the corresponding username is.

Here is one way to try to balance security with your ability to remember different passwords.

It is not imperative that you use a different password on *every* site that requires you to have one if you won't be harmed by someone else accessing the account. Instead, think of your online accounts in terms of levels of importance. Each level must be completely unrelated to the others in terms of which IDs/usernames and passwords are used, but within the same level, you can compromise security somewhat on less sensitive accounts by repeating passwords or by basing them on a pattern. For example, make a password from the first 3 characters of the site's primary domain followed by a memorable keyword, or something similar.

Many people may not need more than three levels of passwords and webmasters not more than five:

  • Level 5 (Public) - is the password you use on sites that require a user account that won't carry any sensitive information. It's wise to use a bogus or throwaway email address for these accounts to avoid spam and phishing directed at your primary email address.
  • Level 4 (Webmaster) - is reserved for one database user that should only have access to one database for one installation of Joomla. This is not a user and password combination you will need to remember unless you plan to use a remote access SQL client. You can write it down and keep it in a safe place.
  • Level 3 (Webmaster) - is for one FTP user. Many low-end Linux hosts make the FTP user credentials the same as the login credentials for the server control interface and remote command line access via SSH. If possible, make these all separate usernames and passwords. If you configure Joomla to use FTP, give it an FTP user that only has access to the folder Joomla is installed in. Turn off SSH access if you don't use it. These too are passwords you can write down and save or just forget and reset them when you need them.
  • Level 2 (Personal Data Access) - is for any accounts that contain personal data with the exception of financial (e.g. banking) sites (see level 1). Sites that carry medical records, insurance and other service accounts, and any financial records not directly related to banking may contain information that can be used to steal your identity or do other mischief. Your login credentials for these accounts should be strong and unique to the extent that you value the information in them and do not want it stolen.
  • Level 1 (Banking and Primary Email) - is the most important, high-value level. It needs to be the most secure, and it is wise to NOT use the same credentials for multiple banking accounts. Your primary email address/es are also critical because they can be used to impersonate you or create new passwords for accounts they are attached to. Do not keep passwords and login credentials in emails someone else might find if they accessed your account. Do not share an email account with anyone else.
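The two rules above that are easy to state and easy to break in practice are the strength guidance from the Overview (random strings with upper and lowercase letters, numbers and non-alphanumeric characters) and the level rule (no username or password shared between levels, and no shared credentials between banks at level 1). The following script is an added example, not part of the Joomla documentation: it generates passwords that satisfy the strength policy from the operating system's CSPRNG and audits a small inventory of accounts for cross-level reuse. The minimum length of 10, the symbol set, the account inventory and the site names are all constructed for the example; the audit never echoes a password in its findings.

```python
import secrets
import string
from collections import defaultdict

# Character classes from the page's strength guidance; the symbol set itself is an assumption.
SYMBOLS = "!@#$%^&*()-_=+[]{}:;,.?"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def is_strong(password, min_len=10):
    """True if the password meets the page's policy: at least min_len characters
    with at least one lowercase, one uppercase, one digit and one non-alphanumeric."""
    return (len(password) >= min_len
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def generate_password(length=14):
    """Draw from the OS CSPRNG (secrets) until a candidate satisfies is_strong.
    Rejection sampling keeps the result uniform over all qualifying strings."""
    if length < 4:
        raise ValueError("need room for one character of each class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if is_strong(candidate, min_len=length):
            return candidate


def audit_levels(accounts):
    """accounts: iterable of dicts {site, level, username, password}.
    Returns a sorted list of findings. Passwords are compared but never printed."""
    findings = []
    user_levels = defaultdict(set)      # username -> levels it appears in
    pw_levels = defaultdict(set)        # password -> levels it appears in
    level1_pw_sites = defaultdict(list)  # password -> level 1 sites using it
    for a in accounts:
        user_levels[a["username"]].add(a["level"])
        pw_levels[a["password"]].add(a["level"])
        if a["level"] == 1:
            level1_pw_sites[a["password"]].append(a["site"])
        # Levels 1 and 2 hold the high-value accounts: strength is mandatory there.
        if a["level"] <= 2 and not is_strong(a["password"]):
            findings.append(f"{a['site']}: level {a['level']} password fails strength policy")
    for user, levels in user_levels.items():
        if len(levels) > 1:
            findings.append(f"username {user!r} shared across levels {sorted(levels)}")
    for levels in pw_levels.values():
        if len(levels) > 1:
            findings.append(f"a password is shared across levels {sorted(levels)}")
    for sites in level1_pw_sites.values():
        if len(sites) > 1:
            findings.append(f"level 1 password shared between {sorted(sites)}")
    return sorted(findings)


# Constructed sample inventory (not real credentials). The level 5 passwords follow the
# page's "first 3 characters of the domain + keyword" pattern, which is tolerated there,
# but the clinic account reuses both the username and that pattern at level 2.
SAMPLE_ACCOUNTS = [
    {"site": "forum.example", "level": 5, "username": "casual42", "password": "forkeyword"},
    {"site": "shop.example", "level": 5, "username": "casual42", "password": "shokeyword"},
    {"site": "joomla-db", "level": 4, "username": "jml_site1", "password": "Q7#vLm2!pR9xWz"},
    {"site": "clinic.example", "level": 2, "username": "casual42", "password": "forkeyword"},
    {"site": "bank-a.example", "level": 1, "username": "b.alpha", "password": "N4$kTq8@wZ1eYm"},
    {"site": "bank-b.example", "level": 1, "username": "b.beta", "password": "N4$kTq8@wZ1eYm"},
]

if __name__ == "__main__":
    print("fresh level 1 password:", generate_password())
    for finding in audit_levels(SAMPLE_ACCOUNTS):
        print("FINDING:", finding)
```

Running the script on the sample inventory reports four findings: the clinic account fails the strength policy, its username and password both bridge levels 5 and 2, and the two banks share one password. The level 5 pattern passwords and the level 4 database user produce nothing, which matches the page's tolerance for repetition on low-value accounts.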

Finally, think about your practices on your personal devices: your browsers and mail clients, among other things, probably store a lot of passwords and other sensitive information. Be very careful to use good passwords and physical security options, especially on laptops and mobile devices.
