02-14-2013, 07:39 AM
vladimir.gritsenko
X-Cart team
Join Date: Aug 2005
Posts: 202

Re: X-Cart 4.5.5 released

Quote:
Originally Posted by carpeperdiem
Vladimir,

There is a basic flaw in your argument:

- the admin password shouldn't even MATTER to an xcart admin. It may as well be "password" - why? Because any store that actually wants to have a secure admin is also going to use at least 2 other modes of admin security:

1. https password
2. IP restriction

Once you have #1 and #2 in place, the admin password is kinda irrelevant.

Let me reply to you here. I am Vladimir also.

You mentioned HTTPS, but it's not about protecting weak passwords, it's about protecting any password that may be sniffed if sent in plain text via HTTP. So it's recommended to use it in any case.

As for IP restriction, it's a good idea (and it's already implemented at many levels in X-Cart; search for "user access control", "protected mode" at help.x-cart.com), but it won't work in some cases (e.g. a frequently changing IP address for the very same user/connection), so there is a high probability that a merchant will disable this feature and will give a hacker a good chance of accessing his store admin back-end if a weak password is used.

Overall, when speaking about security, especially in ecommerce where there is a real chance of being fined by VISA or even sued, nothing is superfluous. And since X-Cart is an ecommerce platform with thousands of clients, we lawfully supposed it's a good idea to be a little bit paranoid.

By the way, for now X-Cart is one of the most secure carts on the market.



Quote:
Originally Posted by carpeperdiem
Was there a sudden demand from xcart customers for this change?
Was there a need for this because weak passwords were compromising xcart stores?

Absolutely.



Quote:
Originally Posted by carpeperdiem
My daughter does this kind of stuff when she doesn't want to clean her room. She'll do every possible thing except clean her freaking room.

We need x-cart engineering to squash bugs. We do not need new features. Please?

I understand your frustration, and there may be a separate thread for this in Rants and Raves, but when it comes to security we treat it very seriously. And it's not about doing things we like to do, it's about doing things we must do with the highest priority.
__________________
Sincerely yours,
Vladimir Gritsenko
VP Marketing @ X-Cart
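The exchange above turns on three separate controls for an admin back-end: HTTPS (so the password is not readable on the wire), an IP allowlist (which a merchant on a changing address may switch off), and password strength (the only control left once the allowlist is disabled). The following is an added illustration written for this page; it is not X-Cart code and does not reflect how X-Cart implements "user access control" or "protected mode". The allowlist networks, the minimum length of 12, the three-character-class rule and the `AdminLoginAttempt` shape are all constructed assumptions.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed allowlist and policy values for illustration only; a real store
# would load these from its own configuration.
ADMIN_IP_ALLOWLIST = [
    ipaddress.ip_network("203.0.113.0/24"),   # office range (constructed)
    ipaddress.ip_network("198.51.100.7/32"),  # merchant's fixed home address (constructed)
]
MIN_PASSWORD_LENGTH = 12        # assumed policy value
MIN_CHARACTER_CLASSES = 3       # assumed policy value

CHARACTER_CLASSES = (
    re.compile(r"[a-z]"),
    re.compile(r"[A-Z]"),
    re.compile(r"[0-9]"),
    re.compile(r"[^A-Za-z0-9]"),
)


@dataclass
class AdminLoginAttempt:
    scheme: str        # "http" or "https", as seen by the application
    client_ip: str     # remote address of the request
    password: str      # candidate password; only its strength is evaluated here


def password_is_strong(password: str) -> bool:
    """Minimum length plus character-class diversity (deliberately simple)."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    classes = sum(1 for pattern in CHARACTER_CLASSES if pattern.search(password))
    return classes >= MIN_CHARACTER_CLASSES


def ip_is_allowed(client_ip: str) -> bool:
    """True when the client address falls inside any allowlisted network."""
    try:
        address = ipaddress.ip_address(client_ip)
    except ValueError:
        # Malformed or spoofed header value: fail closed.
        return False
    return any(address in network for network in ADMIN_IP_ALLOWLIST)


def evaluate_admin_login(attempt: AdminLoginAttempt,
                         ip_restriction_enabled: bool = True) -> list[str]:
    """Return every policy reason to refuse the attempt; an empty list means it passes.

    Each control covers a distinct risk: HTTPS stops the password being read off
    the wire, the allowlist stops logins from unexpected networks, and password
    strength is what remains when the merchant has switched the allowlist off.
    """
    reasons: list[str] = []
    if attempt.scheme.lower() != "https":
        reasons.append("plaintext transport: password would be sent unencrypted")
    if ip_restriction_enabled and not ip_is_allowed(attempt.client_ip):
        reasons.append(f"client address {attempt.client_ip} not in admin allowlist")
    if not password_is_strong(attempt.password):
        reasons.append("password does not meet strength policy")
    return reasons


if __name__ == "__main__":
    # A merchant roaming on a changing address (constructed) with a weak password:
    # blocked by two controls while the allowlist is on, and by only one once the
    # allowlist has been disabled, which is the situation the post describes.
    roaming = AdminLoginAttempt("https", "192.0.2.10", "password")
    print(evaluate_admin_login(roaming))
    print(evaluate_admin_login(roaming, ip_restriction_enabled=False))
```

The design point is that `evaluate_admin_login` reports every failing control rather than stopping at the first one, so a log of refused attempts shows which layer actually did the work; when the `ip_restriction_enabled` flag is false, the password check is the only thing separating an unexpected network from the back-end.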