  1. #1

    encrypt admin password

    Hi,

    I'm sure you know this already, but the admin password is passed in plain text to the server unless you're using SSL.

    I'm wondering if there is any add-on I can get, or something I can do to encrypt the admin password before it is sent to the server (currently sent in plain text) - short of buying an SSL certificate. I do have an SSL certificate for another store on the same server, but I'm not sure if it will let me use that certificate for this new domain. I wouldn't care if I got pop-up warnings, as long as it was secure.

    My thought was, for people who just want to be able to run the admin area semi-securely without SSL, perhaps you could use a challenge-response system to authenticate the admin area instead of passing a plaintext password? I suppose another option would be to use AuthDigest authentication on the whole admin directory. Would that secure everything that needs to be secured as far as being able to change store settings and data, etc?

    -Joe

  2. #2

    Re: encrypt admin password

    You can't encrypt it browser-side before sending. You'll need SSL to do that.

    If you wanted to custom-code a challenge-response system, you're welcome to do so. The /admin/login.php file is where you'd do it.

    Some folks double protect the folder via .htaccess. However, this again is not encrypted unless the area is secured via SSL.

    At $18 I'm not sure why SSL would be much of a problem ... esp since most hosts offer shared SSL for no cost. Shared SSL doesn't make the URL pretty, but as you said, it's functionality you're after.

  3. #3

    Re: encrypt admin password

    Perhaps a shared SSL certificate would be the way to go. Although, for me it would be easier to set up htaccess.

    .htaccess would be encrypted if it was using digest authentication with a browser that supports it (which the newest Firefox and IE both do). It wouldn't encrypt the information being sent back and forth, but at least the authentication would be encrypted (not the admin login, but that login would just be a red herring then). I'm just wondering if adding that to the admin directory would be enough to secure the store management side. It seems to me that it might... but is there anything malicious that could be done using HTTP to access files that are anywhere other than inside the admin directory?
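    An added example (not code from this thread or from Zen Cart) showing what HTTP Digest authentication, the scheme an .htaccess digest setup uses, actually puts on the wire: the server keeps MD5(user:realm:password) as in an htdigest file, the client sends a nonce-bound hash instead of the password, and the admin form body still travels in clear. The realm, user, password, nonces and request body are constructed values.

```python
# Added example, not from the thread or Zen Cart: HTTP Digest auth (RFC 2617, qop=auth)
# as a challenge-response. Shows the password never crosses the wire, a captured
# response cannot be replayed against a fresh nonce, and the POST body is still clear.
import hashlib
import secrets

def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def ha1(user: str, realm: str, password: str) -> str:
    """Server-side secret as Apache's htdigest stores it: MD5(user:realm:password)."""
    return _md5(f"{user}:{realm}:{password}")

def client_response(user, password, realm, method, uri, nonce, cnonce, nc="00000001"):
    """Client side: the 'response' field placed in the Authorization header."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1(user, realm, password)}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def server_verify(stored_ha1, method, uri, nonce, cnonce, nc, response):
    """Server side: recompute from the stored HA1; the clear password is never needed."""
    ha2 = _md5(f"{method}:{uri}")
    expected = _md5(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return secrets.compare_digest(expected, response)

def demo(password="s3cret-admin"):
    """Constructed login to a digest-protected admin URI; returns what an observer sees."""
    realm, user, uri = "Zen Cart Admin", "admin", "/admin/index.php"   # assumed values
    nonce = secrets.token_hex(16)      # server challenge, fresh for every request
    cnonce = secrets.token_hex(8)      # client-chosen nonce
    resp = client_response(user, password, realm, "POST", uri, nonce, cnonce)
    header = (f'Authorization: Digest username="{user}", realm="{realm}", '
              f'nonce="{nonce}", uri="{uri}", qop=auth, nc=00000001, '
              f'cnonce="{cnonce}", response="{resp}"')
    body = "configuration_value=new-store-email%40example.com"   # constructed form data
    wire = header + "\r\n\r\n" + body
    stored = ha1(user, realm, password)
    return {
        "verified": server_verify(stored, "POST", uri, nonce, cnonce, "00000001", resp),
        # same captured response presented against a new server nonce: must fail
        "replay_with_new_nonce": server_verify(
            stored, "POST", uri, secrets.token_hex(16), cnonce, "00000001", resp),
        "password_on_wire": password in wire,   # the credential itself is never sent
        "body_on_wire": body in wire,           # but the data being changed is
    }
```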

  4. #4

    Re: encrypt admin password

    You are going to be running an ecommerce site and the Admin is not your only worry - you need SSL, either shared or dedicated, for the CATALOG. Your customers will be inputting their private information during the checkout, and it should be protected.