
Admin Password protection


barakas


The admin login for OScommerce doesn't appear to have any sort of protection against password cracking, as in you can attempt to login with incorrect information as many times as you want.

 

Is there a contribution that adds a square delay to incorrect login attempts, as in a 2 second delay on the 1st false attempt, a 4 second delay on the 2nd false attempt, a 16 second delay on the 3rd false attempt, etc.?

 

Considering it's relatively easy to tell if a site uses OScommerce or not, it would seem like the admin system is extremely open to abuse,

 

unless of course there is some sort of password blocking that I didn't see.


First step is to rename the admin directory (then post asking why you can't log in to your admin pages) and then use a long password that includes capitals, special characters and numbers.

Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

 

Virus Threat Scanner

My Contributions

Basic install answers.

Click here for Contributions / Add Ons.

UK your site.

Site Move.

Basic design info.

 

For links mentioned in old answers that are no longer here follow this link Useful Threads.

 

If this post was useful, click the Like This button over there ======>>>>>.


First step is to rename the admin directory (then post asking why you can't log in to your admin pages) and then use a long password that includes capitals, special characters and numbers.

 

Is there no protection available against password cracking?

 

Even if I change the directory of my admin, isn't there a way potential hackers could just look through the file directory and find whatever directory is now being used for admin?

 

It would seem to be a fairly large security flaw if there wasn't a solution against unlimited password entry.

 

What's to stop potential hackers simply surfing the web for OScommerce based stores, cracking the admin password and causing all sorts of mayhem?

 

Surely it isn't too hard to code an exponential delay for false entries, and it would do a whole bunch to increase the security of OScommerce stores?


Even if I change the directory of my admin, isn't there a way potential hackers could just look through the file directory and find whatever directory is now being used for admin?

No they can't just "browse" through your files. They have to guess what the admin folder is named.

 

If you just use 52 upper/lower case letters and 10 digits for a name, and make the name 8 characters long, that gives 62^8 possible combinations (218340105584896 in simple terms).

 

Surely it isn't too hard to code an exponential delay for false entries, and it would do a whole bunch to increase the security of OScommerce stores?

The browser times out after 30 seconds.

:blush:

 

Then making your admin password 8 characters long, out of 95 characters, is 95^8 combinations (6634204312890625 in simple terms).

 

And what are you going to do after X number of bad guesses?

:unsure:

 

Ban the IP address?

:unsure:

 

So what, they just get another one and try again.

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >
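The post above makes two points that shape any throttle for failed admin logins: a server-side sleep of more than about 30 seconds just makes the browser time out, and banning by IP address is weak because the attacker simply moves to another one. The sketch below is an added example, not osCommerce code: it keys the backoff on the account rather than the IP, stores a "locked until" timestamp instead of sleeping on the request, doubles the wait per consecutive failure (a simpler schedule than the squaring one asked for), caps it so a legitimate admin is never locked out for hours, and hooks in an alert callback for the "email me on bad password" idea. All names, the base delay and the cap are assumptions for the example.

```python
"""Per-account exponential-backoff login throttle (constructed example)."""
import time
from dataclasses import dataclass

BASE_DELAY = 2      # assumption: seconds of lockout after the first failure, doubled each time
MAX_LOCKOUT = 900   # assumption: cap so an admin who mistypes is never locked out for hours


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0  # wall-clock time before which attempts are rejected


class LoginThrottle:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so the logic can be tested offline
        self._accounts = {}      # username -> AccountState (a real store would persist this)

    def delay_for(self, failures: int) -> int:
        """Lockout length after the n-th consecutive failure: 2, 4, 8, ... capped."""
        return min(BASE_DELAY ** failures, MAX_LOCKOUT)

    def seconds_remaining(self, username: str) -> float:
        """0 if an attempt may proceed, otherwise how long the caller still has to wait."""
        st = self._accounts.get(username)
        return 0.0 if st is None else max(0.0, st.locked_until - self._now())

    def record_failure(self, username: str) -> int:
        st = self._accounts.setdefault(username, AccountState())
        st.failures += 1
        delay = self.delay_for(st.failures)
        st.locked_until = self._now() + delay   # store a deadline; never time.sleep() here
        return delay

    def record_success(self, username: str) -> None:
        self._accounts.pop(username, None)      # a good login resets the schedule


def attempt_login(throttle, username, password, verify, alert=None):
    """Returns (status, seconds): 'locked' / 'bad' with the wait, or 'ok' with 0."""
    wait = throttle.seconds_remaining(username)
    if wait > 0:
        return ("locked", wait)   # reject instantly and uniformly, right or wrong password
    if verify(username, password):
        throttle.record_success(username)
        return ("ok", 0.0)
    delay = throttle.record_failure(username)
    if alert is not None:
        alert(username, delay)    # e.g. the "email me on a bad password" hook from the thread
    return ("bad", delay)
```

Because the check happens before the password is verified, an attacker who is locked out learns nothing from a correct guess during the window, and the response time stays the same for existing and non-existing accounts.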


And if you're on a UNIX server, protect the renamed admin folder with a .htaccess file as well.

 

That adds another layer.

 

The simplest thing to do if you're worried would be to add a line of code that emails you when an improper username/password is entered.

 

SO THEN:

 

1. If they do guess the admin folder name AND

 

2. They crack the .htaccess password

 

You start getting emails about bad password attempts.

 

Realistically, that probably won't ever happen.

 

You have a better chance of getting struck by lightning.

:blush:

 

Do you stay indoors constantly to avoid that?

:unsure:

 

Probably not...

:lol:


Archived

This topic is now archived and is closed to further replies.
