A Very Long Password in Joomla Does Not Mean Better Security

A new client of ours called us very early in the morning and told us that his website was hacked and he wanted our help to clean it. He told us over the phone that he had no idea how he got hacked despite the fact that he had a very long and complex password for his super user login. He then sent us the password… It was literally 60 characters long with every almost every single allowed character in it. It was the first time we saw something like this. The longest we’ve seen so far was around 32 characters, but 60 characters? So we told the client (he was still talking to us over the phone) that having a very long and very complex password will not make his website unhackable – in fact, it has nothing to do with website protection. The best that such a password can do is protect the website against dictionary attacks, which is a malicious method to login to a website using dictionary words (note: dictionary attacks are never used by serious attackers because they are inefficient).

As expected, he asked us: “Then how did they get in into my Joomla website?” So we pointed him to our famous “10 Reasons Why Your Joomla Website Got Hacked” article, while at the same time explaining to him that they got in most likely by exploiting a vulnerable extension on his website (his website was using the most recent Joomla version, but many of its extensions were outdated).

So, is having a very long Joomla super user password a bad thing?

It’s not a bad thing, but it’s not a good thing either. We have been supporting Joomla for a decade now, and this is how much we’ve seen a Joomla website got hacked because of a simple password: 1 – yes, one time, just one, and it turned out that the person who hacked that particular website was a previous disgruntled company employee.

An attack on a Joomla website is done nearly all the times by exploiting a server vulnerability, or an application vulnerability, or a combination of both. It’s almost never done by using tools that just “guess” what the password is.

If your Joomla website got hacked and you cleaned it up, then using a very long password for your super user will not protect it and will not make it harder for malicious users to compromise your website. If you need real protection on your Joomla website, then follow our Joomla security tips. If you need super advanced (enterprise level) protection for your Joomla website, then please contact us. Our fees are right, our security expertise in Joomla is undisputed, and we always welcome new clients (and new friends)!

No comments yet.

Leave a comment