Hmm... I need to find out myself. I don't know what the answer to that question is. I'll do some poking around and get back to you if I find anything. You should email the people at Verisign as they probably could help you.
Is there no protection available against password cracking?
Even if I change the directory of my admin, isn't there a way potential hackers could just look through the file directory and find whatever directory is now being used for admin?
It would seem to be a fairly large security flaw if there wasn't a solution against unlimited password entry.
What's to stop potential hackers simply surfing the web for osCommerce based stores, cracking the admin password and causing all sorts of mayhem?
Surely it isn't too hard to code an exponential delay for false entries, and it would do a whole bunch to increase the security of osCommerce stores?
This post has been edited: 07 February 2009, 14:40.
No, they can't just "browse" through your files. They have to guess what the admin folder is named.
If you just use 52 upper/lower case letters and 10 digits for a name, and make the name 8 characters long, that gives 62^8 possible combinations (218340105584896 in simple terms).
The browser times out after 30 seconds.
Then making your admin password 8 characters long, out of 95 characters, is 95^8 combinations (6634204312890625 in simple terms).
And what are you going to do after X number of bad guesses?
Ban the IP address?
So what, they just get another one and try again.
And if you're on a UNIX server, protect the renamed admin folder with a .htaccess file as well.
That adds another layer.
The simplest thing to do if you're worried would be to add a line of code that emails you when an improper username/password is entered.
1. If they do guess the admin folder name AND
2. They crack the .htaccess password
You start getting emails about bad password attempts.
Realistically, that probably won't ever happen.
You have a better chance of getting struck by lightning.
Do you stay indoors constantly to avoid that?
The admin login for osCommerce doesn't appear to have any sort of protection against password cracking, as in you can attempt to login with incorrect information as many times as you want.
Is there a contribution that adds a square delay to incorrect login attempts, as in 2 second delay on 1 false attempt, 4 second delay on 2nd false attempt, 16 second delay on 3rd false attempt etc.?
Considering it's relatively easy to tell if a Verisign site uses osCommerce or not, it would seem like the admin system is extremely open to abuse.
Unless of course there is some sort of password blocking that I didn't see.
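The growing delay on failed admin logins asked about above, together with the "email me on bad attempts" idea from the reply, sketched as a small server-side throttle. This is an added example, not osCommerce code or a contribution from the thread; the class name, the doubling schedule (2, 4, 8 s), the 300 s cap and the alert threshold are assumptions chosen for illustration.

```python
MAX_DELAY = 300   # seconds; the cap bounds how long a flood of fake failures can lock the real admin out
ALERT_AFTER = 3   # consecutive failures before the "email me" hook fires (assumed threshold)


class LoginThrottle:
    """Per-username throttle: the wait doubles after each consecutive failure and resets on success.
    Keying on the username rather than the client IP is deliberate: as the thread notes, an
    attacker can simply change IP address, but every guess still has to name the same account."""

    def __init__(self, max_delay=MAX_DELAY, alert_after=ALERT_AFTER):
        self.max_delay = max_delay
        self.alert_after = alert_after
        self._state = {}   # username -> (consecutive_failures, earliest_next_attempt)
        self.alerts = []   # stand-in for the email hook; a real deployment would send mail here

    def delay_for(self, failures):
        """Delay imposed after the Nth consecutive failure: 2, 4, 8, ... seconds, capped."""
        return min(2 ** failures, self.max_delay) if failures > 0 else 0

    def seconds_until_allowed(self, user, now):
        """How long this username must still wait; 0 means an attempt may be made now."""
        _, next_ok = self._state.get(user, (0, 0.0))
        return max(0.0, next_ok - now)

    def login(self, user, verify, now):
        """verify() performs the real credential comparison. Returns 'throttled', 'ok' or 'failed'.
        Throttled attempts are rejected before verify() runs, so nothing about the password is
        learned (not even timing) while the wait is in force."""
        if self.seconds_until_allowed(user, now) > 0:
            return "throttled"
        if verify():
            self._state.pop(user, None)          # a successful login clears the penalty
            return "ok"
        failures, _ = self._state.get(user, (0, 0.0))
        failures += 1
        self._state[user] = (failures, now + self.delay_for(failures))
        if failures >= self.alert_after:
            self.alerts.append((user, failures, now))
        return "failed"


if __name__ == "__main__":
    # Constructed sequence: four wrong guesses at t=0,1,2,6, then the right password at t=14.
    throttle = LoginThrottle()
    for t, ok in [(0.0, False), (1.0, False), (2.0, False), (6.0, False), (14.0, True)]:
        result = throttle.login("admin", lambda ok=ok: ok, t)
        wait = throttle.seconds_until_allowed("admin", t)
        print(f"t={t:5.1f}s  {result:9s}  next attempt allowed in {wait:.0f}s")
    print("alerts raised:", throttle.alerts)
```

The demo shows the second guess at t=1 being refused outright, the waits climbing 2, 4, 8 seconds, and one alert once the third failure lands.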
First step is to rename the admin directory (then post asking why you can't login to your admin pages) and then use a long password that includes capitals, special characters and numbers.