barakas, posted February 7, 2009

The admin login for osCommerce doesn't appear to have any sort of protection against password cracking, as in you can attempt to log in with incorrect information as many times as you want. Is there a contribution that adds a square delay to incorrect login attempts, as in a 2 second delay on the 1st false attempt, a 4 second delay on the 2nd false attempt, a 16 second delay on the 3rd false attempt, etc.? Considering it's relatively easy to tell if a site uses osCommerce or not, it would seem like the admin system is extremely open to abuse, unless of course there is some sort of password blocking that I didn't see.
geoffreywalton, posted February 7, 2009

First step is to rename the admin directory (then post asking why you can't log in to your admin pages) and then use a long password that includes capitals, special characters and numbers.
barakas (author), posted February 7, 2009

> First step is to rename the admin directory (then post asking why you can't log in to your admin pages) and then use a long password that includes capitals, special characters and numbers.

Is there no protection available against password cracking? Even if I change the directory of my admin, isn't there a way potential hackers could just look through the file directory and find whatever directory is now being used for admin? It would seem to be a fairly large security flaw if there wasn't a solution against unlimited password entry. What's to stop potential hackers simply surfing the web for osCommerce based stores, cracking the admin password and causing all sorts of mayhem? Surely it isn't too hard to code an exponential delay for false entries, and it would do a whole bunch to increase the security of osCommerce stores?
FIMBLE, posted February 7, 2009

I look forward to your contribution Jim :-)
germ, posted February 7, 2009

> Even if I change the directory of my admin, isn't there a way potential hackers could just look through the file directory and find whatever directory is now being used for admin?

No, they can't just "browse" through your files. They have to guess what the admin folder is named. If you just use 52 upper/lower case letters and 10 digits for a name, and make the name 8 characters long, that gives 62^8 possible combinations (218340105584896 in simple terms).

> Surely it isn't too hard to code an exponential delay for false entries, and it would do a whole bunch to increase the security of osCommerce stores?

The browser times out after 30 seconds. :blush:

Then making your admin password 8 characters long, out of 95 characters, is 95^8 combinations (6634204312890625 in simple terms).

And what are you going to do after X number of bad guesses? :unsure: Ban the IP address? :unsure: So what, they just get another one and try again.

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.
germ, posted February 7, 2009

And if you're on a UNIX server, protect the renamed admin folder with a .htaccess file as well. That adds another layer.

The simplest thing to do if you're worried would be to add a line of code that emails you when an improper username/password is entered. SO THEN:

1. If they do guess the admin folder name AND
2. They crack the .htaccess password

You start getting emails about bad password attempts.

Realistically, that probably won't ever happen. You have a better chance of getting struck by lightning. :blush: Do you stay indoors constantly to avoid that? :unsure: Probably not... :lol:
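Worked example of the two application-level ideas raised in this thread (barakas's growing delay on failed admin logins, and germ's "email me on a bad password" line of code), as added example code that is not part of osCommerce or of any contribution. It assumes a hypothetical `admin_login_state` table kept beside the real administrators table, a password check supplied by the host application (here `password_verify()` over a constructed admin record), and a notification callback standing in for the site's mail call. Rather than `sleep()`ing for 2, 4, 8 seconds, which ties up a PHP worker and runs into the 30-second browser timeout germ mentions, it records a lock-until timestamp and rejects attempts instantly until it expires; the lock doubles per failure and is capped so an attacker cannot keep an account locked indefinitely. It is keyed by account rather than by IP, since, as germ notes, an attacker can simply change IP.

```php
<?php
// Added example (not osCommerce code): per-account exponential lockout for an
// admin login plus a notification hook on each failed attempt.
// Assumptions, all hypothetical: table admin_login_state(username, failures,
// locked_until), SQLite used only to keep the example self-contained, and a
// $verify callback provided by the host app.
declare(strict_types=1);

const BASE_DELAY_SECONDS = 2;     // 2, 4, 8, 16 ... seconds, doubling per failure
const MAX_LOCKOUT_SECONDS = 3600; // cap: a flood of bad guesses cannot lock an admin out forever

function lockout_seconds(int $failures): int
{
    if ($failures <= 0) {
        return 0;
    }
    $exp = min($failures, 30);                  // keep the shift well inside integer range
    return min(BASE_DELAY_SECONDS << ($exp - 1), MAX_LOCKOUT_SECONDS);
}

final class AdminLoginThrottle
{
    public function __construct(private PDO $db, private Closure $notify) {}

    public static function withSqliteSchema(PDO $db, Closure $notify): self
    {
        $db->exec('CREATE TABLE IF NOT EXISTS admin_login_state (
            username TEXT PRIMARY KEY,
            failures INTEGER NOT NULL DEFAULT 0,
            locked_until INTEGER NOT NULL DEFAULT 0)');
        return new self($db, $notify);
    }

    private function state(string $user): array
    {
        $st = $this->db->prepare('SELECT failures, locked_until FROM admin_login_state WHERE username = ?');
        $st->execute([$user]);
        return $st->fetch(PDO::FETCH_ASSOC) ?: ['failures' => 0, 'locked_until' => 0];
    }

    /** Returns ['ok' => bool, 'reason' => string, 'retry_after' => int]. */
    public function attempt(string $user, string $password, string $ip, callable $verify, ?int $now = null): array
    {
        $now ??= time();
        $s = $this->state($user);
        if ((int) $s['locked_until'] > $now) {
            // Reject immediately: no sleep(), so no worker is tied up and the browser never times out.
            return ['ok' => false, 'reason' => 'locked', 'retry_after' => (int) $s['locked_until'] - $now];
        }
        if ($verify($user, $password)) {
            $this->db->prepare('DELETE FROM admin_login_state WHERE username = ?')->execute([$user]);
            return ['ok' => true, 'reason' => 'authenticated', 'retry_after' => 0];
        }
        $failures = (int) $s['failures'] + 1;
        $wait = lockout_seconds($failures);
        // INSERT OR REPLACE is SQLite syntax; MySQL would use ON DUPLICATE KEY UPDATE.
        $this->db->prepare('INSERT OR REPLACE INTO admin_login_state (username, failures, locked_until) VALUES (?, ?, ?)')
                 ->execute([$user, $failures, $now + $wait]);
        // Notification hook: a real site would call mail() here; the example hands the text to a callback.
        ($this->notify)(sprintf('Failed admin login for "%s" from %s (failure #%d, locked for %ds)',
                                $user, $ip, $failures, $wait));
        return ['ok' => false, 'reason' => 'bad_credentials', 'retry_after' => $wait];
    }
}

// Demo with constructed data: in-memory SQLite, one admin with a hashed password, fixed clock.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$admins = ['admin' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
$verify = fn(string $u, string $p): bool => isset($admins[$u]) && password_verify($p, $admins[$u]);
$throttle = AdminLoginThrottle::withSqliteSchema($db, fn(string $msg) => print("NOTIFY: $msg\n"));

$t = 1_000_000;
foreach ([[$t, 'wrong1'], [$t + 2, 'wrong2'], [$t + 6, 'wrong3']] as [$when, $guess]) {
    $r = $throttle->attempt('admin', $guess, '203.0.113.5', $verify, $when);
    printf("t+%d %s -> %s, retry after %ds\n", $when - $t, $guess, $r['reason'], $r['retry_after']);
}
// After three failures (2, 4, 8 s locks) the correct password is refused until the 8 s lock expires.
$r = $throttle->attempt('admin', 'correct horse battery staple', '203.0.113.5', $verify, $t + 6);
printf("t+6 correct password -> %s (%ds left)\n", $r['reason'], $r['retry_after']);
$r = $throttle->attempt('admin', 'correct horse battery staple', '203.0.113.5', $verify, $t + 14);
printf("t+14 correct password -> %s\n", $r['reason']);
```

Run with `php throttle.php` on PHP 8 with the pdo_sqlite extension. Two caveats a practitioner would weigh before wiring this into an admin page: keying on the account means anyone who knows the admin username can keep it locked, so the cap matters and a separate per-IP counter is a sensible companion; and the lock state must live in the database, not in the PHP session, because an attacker simply drops the session cookie. Both sit behind, not instead of, the renamed folder and the `.htaccess` password germ describes.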
This topic is now archived and is closed to further replies.