User Registration in Joomla - improve your user security dramatically with limited effort
Default user registration settings in Joomla
By default, the user registration feature is disabled in Joomla (at least since Joomla version 3.4). So after a standard installation there is no direct danger for your website. However, a lot of sites want to enable user registration because they would like to communicate with their users and build a community, for whatever reason. But when you take a look at the default registration settings of Joomla from a security perspective, be prepared for quite a shock.
Problem 1: E-mail with password included in plain text
We see that after registration the system sends an e-mail to the newly registered user with the password in plain text inside the mail (see indication 1 on the image). E-mail is not a confidential channel: a message may pass through several relays, not all of them over TLS, and it stays readable in the recipient's mailbox (and in any backups of it) for as long as it is kept. Intercepting it is not a script-kiddie exercise, but a motivated attacker, or anyone who later gains access to the mailbox, obtains the username and password and can impersonate the user with those credentials. For many sites this is not a showstopper, but as the number of e-commerce sites grows every day (with credit card details stored alongside the personal profile), it is easy to see that this can lead to the loss of quite sensitive customer information.
Problem 2: Password requirements are not strict enough
Next (see indication 2 on the image), the default password settings are very slack to say the least: a minimum length of 4, with no other restrictions at all. A 4-character password drawn from the 95 printable ASCII characters has at most 95^4, roughly 81 million, combinations, a search space that a modern computer exhausts offline in a fraction of a second once it has the password hash, and that is small enough that even a plain online brute-force attack against the login form has a realistic chance of success.
Conclusion: the default Joomla settings need to be adapted if you want to enable user registration; otherwise you leave your site open to all kinds of account takeover, because the protection is simply not strong enough.
Adapted registration settings in Joomla
In order to fix the problems described above with the Joomla default settings for user registration, here is one configuration that strikes a compromise between security and usability.
Solution 1: Allow user registration
First of all, we enable user registration (see indication 1 on the image below).
Solution 2: Disable the "Send Password" option
Next, we disable the "Send Password" option (see indication 2 on the image below), so the password is no longer mailed to the user after registering. I know it's less user friendly for a lot of users, but if you adapt your welcome mail after registration, you can include a link to the password reset page, so that users who have forgotten their password can reset it themselves without having to wait for administrator intervention. Furthermore, nobody other than the user is involved in handling the password.
Solution 3: Limit the maximum number of resets in a specific time interval
See indication 3 on the image above: when the user has given a correct mail address, (s)he will receive a mail with the correct links and instructions for resetting the password, and (s)he is even allowed a couple of attempts before further requests are refused for the configured time interval. In most cases, when a user needs more than 3 reset requests within an hour, it is not a genuine user but someone abusing the reset function (to flood a user with reset mails, for example). So I suggest setting this counter to 3, or, if you expect problems because your users are not experienced enough, 5 seems to me the maximum to keep it safe. Keep in mind that this counter only throttles password reset requests; it does not limit failed login attempts, which need a separate control.
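To make the behaviour of that counter concrete, here is a small Python model, written for this article and not Joomla's own code, of a "maximum N reset requests per T hours" throttle: the window starts at an account's first request, requests beyond the limit are refused until the window has expired, and every account is counted separately. The request times and account names are constructed.

```python
from datetime import datetime, timedelta


class ResetThrottle:
    """Model of a per-account "max_count reset requests per window_hours" counter.

    This mirrors the semantics of Joomla's "Maximum Reset Count" / "Reset Time"
    options as described above; it is an illustration, not Joomla's implementation.
    """

    def __init__(self, max_count=3, window_hours=1):
        self.max_count = max_count
        self.window = timedelta(hours=window_hours)
        self._state = {}  # account -> (requests in current window, window start)

    def request(self, account, now):
        """Return True if a reset mail may be sent for `account` at time `now`."""
        count, started = self._state.get(account, (0, None))
        if started is None or now - started >= self.window:
            # First request, or the previous window has expired: start a new one.
            self._state[account] = (1, now)
            return True
        if count >= self.max_count:
            # Limit reached inside the window: refuse, and do not extend the window.
            return False
        self._state[account] = (count + 1, started)
        return True


# Constructed request log: (minutes after 09:00, account) pairs.
EVENTS = [(0, "alice"), (5, "alice"), (10, "alice"), (15, "alice"),
          (15, "bob"), (30, "alice"), (61, "alice"), (62, "alice")]


def simulate(max_count=3, window_hours=1, events=EVENTS):
    """Replay the constructed log; returns [(minute, account, allowed), ...]."""
    throttle = ResetThrottle(max_count, window_hours)
    t0 = datetime(2024, 1, 1, 9, 0)
    return [(minute, account, throttle.request(account, t0 + timedelta(minutes=minute)))
            for minute, account in events]


if __name__ == "__main__":
    for minute, account, allowed in simulate():
        print(f"+{minute:3d} min  {account:6s} {'sent' if allowed else 'REFUSED'}")
```

With the recommended limit of 3 per hour, alice's fourth and fifth requests (at 15 and 30 minutes) are refused while bob's request at 15 minutes goes through, and alice's counter starts afresh once the hour has passed; raising the limit to 5 lets every request in this log through.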
Solution 4: Set balanced password complexity
Set the password length and complexity and find a compromise between security and usability. Remember that in all cases you need to state your password requirements in the registration form, so users know up front what their password must contain at minimum. If you don't give them a clue about what you require, they will get frustrated and abandon their registration.
The opposite problem: if you set your restrictions too tight (a really complex password), it becomes a real challenge for most of your users to find a password the system accepts. Many of them will abandon their registration before completion because they cannot construct a password that they can remember and that also complies with your rules.
If you look at the password strength sites, they require a length of at least 12 to 14 characters to make a password reasonably secure. So as a compromise with usability, I use 12 as the minimum password length by default. Furthermore, by requiring at least 1 digit, 1 symbol and 1 uppercase character, the minimum complexity is adequate for most applications while keeping passwords "simple" enough for most users to remember (well, I have no illusions: I know a lot of users will write their passwords down on paper, but since we are talking about the online environment here, that does not add to the risk of the password being intercepted by hackers). One caveat: current guidance such as NIST SP 800-63B favours length and screening against lists of known-breached passwords over mandatory composition rules, so keep the composition requirements as minimal as they are here rather than piling on more.
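To check an existing site against these four settings without clicking through the back end, the following Python script, written for this article and not part of Joomla, audits the com_users parameters and checks candidate passwords against the configured minimums. It assumes the settings are stored as JSON in the params column of the extensions table (fetched with something like SELECT params FROM jos_extensions WHERE type='component' AND element='com_users', where jos_ stands for your installation's table prefix) and that the key names match those in com_users' config.xml; the sample JSON embedded below is constructed to mirror a stock install, and the symbol counting in the password check is an approximation of Joomla's own rule.

```python
import json

# Constructed sample of the com_users params JSON that a stock Joomla 3 install
# stores in the #__extensions table (Joomla serialises form params as strings).
# Key names follow com_users' config.xml; verify them against your version.
DEFAULT_PARAMS_JSON = json.dumps({
    "allowUserRegistration": "0",
    "sendpassword": "1",
    "reset_count": "10",
    "reset_time": "1",
    "minimum_length": "4",
    "minimum_integers": "0",
    "minimum_symbols": "0",
    "minimum_uppercase": "0",
})

# The values recommended in this article (reset_count is per reset_time hour).
RECOMMENDED = {
    "sendpassword": 0,
    "reset_count": 3,
    "minimum_length": 12,
    "minimum_integers": 1,
    "minimum_symbols": 1,
    "minimum_uppercase": 1,
}


def load_params(params_json):
    """Parse the params JSON; numeric strings become ints so they compare properly."""
    params = {}
    for key, value in json.loads(params_json).items():
        params[key] = int(value) if isinstance(value, str) and value.isdigit() else value
    return params


def audit(params):
    """Return (setting, current, recommended) for every setting weaker than RECOMMENDED."""
    findings = []
    sendpassword = params.get("sendpassword", 1)
    if sendpassword != 0:
        findings.append(("sendpassword", sendpassword, 0))
    # Assumption: a reset count of 0 means "no limit" in Joomla, so it is weaker
    # than any positive count. Check the field's description in your version.
    reset_count = params.get("reset_count", 10)
    if reset_count == 0 or reset_count > RECOMMENDED["reset_count"]:
        findings.append(("reset_count", reset_count, RECOMMENDED["reset_count"]))
    for key in ("minimum_length", "minimum_integers", "minimum_symbols", "minimum_uppercase"):
        current = params.get(key, 0)
        if current < RECOMMENDED[key]:
            findings.append((key, current, RECOMMENDED[key]))
    return findings


def password_violations(password, params):
    """Names of the configured minimums that `password` does not meet.

    Symbols are approximated as any non-alphanumeric character; Joomla's own
    rule may classify some characters differently.
    """
    have = {
        "minimum_length": len(password),
        "minimum_integers": sum(c.isdigit() for c in password),
        "minimum_symbols": sum(not c.isalnum() for c in password),
        "minimum_uppercase": sum(c.isupper() for c in password),
    }
    return [key for key, n in have.items() if n < params.get(key, 0)]


def hardened(params):
    """Copy of `params` with the recommended values applied and registration enabled."""
    return {**params, **RECOMMENDED, "allowUserRegistration": 1}


if __name__ == "__main__":
    current = load_params(DEFAULT_PARAMS_JSON)
    for setting, value, wanted in audit(current):
        print(f"{setting}: {value} (recommended {wanted})")
    print("after hardening:", audit(hardened(current)) or "no findings")
    for pw in ("abcd", "password", "Summer2024!abcd"):
        print(pw, "->", password_violations(pw, hardened(current)) or "ok")
```

Against the stock parameters the audit flags all six settings; after applying the recommended values it reports nothing, and "abcd", which the defaults accept, fails every minimum while a 15-character password with a digit, a symbol and a capital passes.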
Conclusions on Joomla user registration settings
As explained above, you can dramatically increase your security level when allowing users to register on your Joomla site, with very limited effort. If you want to allow your visitors to register and log in to your website, invest those 5 minutes in configuring these settings. Even if your site keeps no sensitive user data, it gives your users a more comfortable and confident feeling, and your reputation will profit from this small effort.