With the impending release of Joomla 3.3, the Joomla Core development team has taken the decision of increasing its minimum PHP requirements to version 5.3.10 due to security reasons – as the team explains, it was due to “a significant change made in the PHP 5.3.x series leading up to PHP version 5.3.10 that substantially enhances the level of cryptography that can be used for securing passwords.” Given the number of revelations concerning the “Big Brother”-like global electronic surveillance systems run by various national intelligence services, this is definitely a step in the right direction. But much remains to be done, and now is the time to get ready for the (post-Snowden) brave new World Wide Web.
The past 2 years have been horrid, in terms of security news. Various user information databases have been hacked and cracked, some of which belong to giant names including LinkedIn, Yahoo! and the latest one, Adobe. Dropbox, one of the most popular cloud storage services, has been cracked numerous times. And of course, the granddaddy of all security news, the Big Bad NSA. While it is unlikely that most of us really have sensitive data in need of being secured from the government (nobody here’s using Joomla to serve up a bomb-making forum, right?), there are still valid reasons to ensure our websites are secure (EU regulations being just a part of it). So here are some things to consider when upgrading to Joomla 3.3 – not very difficult to do, but it may require you to spend some money on security.
SSL Here, TLS There, HSTS Everywhere
More and more, websites are beginning to use encrypted connections not only during user authentication, but for every individual user session. With open wireless hotspots becoming very popular, not only the major email players such as Google, Yahoo!, and Hotmail are doing this, but most social media and cloud storage providers have started as well. Firefox has an extension called HTTPS Everywhere, which attempts to enforce the use of encrypted connections wherever sites support them. If your Joomla website stores user details (including passwords and financial information), then you need to consider enabling HTTP Strict Transport Security, which means getting an SSL certificate (or even an Extended Validation certificate). We at Digital Peak take security very serious and have enabled HTTPS for every logged in user or purchase.
Gentlemen, Prepare Your Passwords
Stronger cryptography or not, storing passwords directly is a recipe for disaster. Your Joomla website, if it requires user authentication, needs to be storing and comparing password hashes, optionally (and preferably) individually and randomly salted. You can also help your users choose strong passwords by enforcing certain password requirements (minimum length, require alphanumeric + special characters, password expiry etc.) which can be automated by the use of Joomla password extensions.
Two Factor Authentication
Many financial institutions and other companies who provide high-value services have dispensed with the simple username/password combination, requiring in addition a one-time code/token as well. This token is usually generated on-the-fly by a hardware device (or software equivalent installed on a mobile device); alternatively, it may be sent via SMS. In either case, it required both something you know (password) and something you have (your mobile phone or hardware device) to log in; hence the name 2-factor. Joomla 3.3 natively supports the use of the software-only Google Authenticator as well as Yubico’s YubiKey (this feature was added in version 3.2), and several extensions add the ability to earlier versions of Joomla. You may also consider using services such as Duo Security to do the same thing.
We have enabled two factor authentication on our site as well, means you can enable your preferred method in your account settings. On our login page you can see the secret key to input. No need to wait to make your account even more secure at joomla.digital-peak.com!