So, after several hours of running numerous scans on all 6,000+ pages to find any other rat-links that had been inserted (there were none), I started thinking about how to stop this sort of thing in the future.
Question:
How easy is it really to crack the user name / password combo on a site if the max number of password characters allowed is 8?
How easy is it really to crack the user name / password combo on a site if the max number of password characters allowed is 8?
With the speed of personal computers these days, it would be pretty easy to crack a username / password combo, especially if a dictionary word has been used for the password.
This, I believe, would be unlikely though. If someone has gained unauthorized access to your webspace and changed the HTML, it is much more likely they obtained the password through other means. What could these be?
Social engineering or
Packet sniffing.
To deal with the packet sniffing first, you should ensure that you connect to your server using an encrypted client if you are going to be using your main password. For FTP I would recommend setting up a separate FTP account just for transferring files. I would never use telnet any more; a good SSH client like PuTTY is by far the better choice.
Social engineering is a difficult one. It could even go as far as someone borrowing your personal computer while you go to the kitchen to put a pot of coffee on, or someone managing to install a keylogger on your machine using a trojan. You may want to get those spybot busters out and do a scan.
Obviously the first thing I would do is to change all passwords, but you may want to also contact the hosting provider and see how far their log files, particularly FTP and Shell access go.
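One way to triage the FTP logs mentioned above once the host supplies them, as an added example that is not part of the original thread: it flags completed uploads of web files from addresses the owner does not recognise. It assumes the server writes the common xferlog layout; the sample lines, addresses, account name and `KNOWN_HOSTS` are constructed for illustration.

```python
from datetime import datetime

# Constructed sample lines in the common xferlog layout (not real log data).
SAMPLE_LOG = """\
Mon Mar 10 14:02:11 2008 2 198.51.100.7 20480 /public_html/index.html a _ i r siteowner ftp 0 * c
Tue Mar 11 03:14:07 2008 1 203.0.113.45 5120 /public_html/a/b/page.html a _ o r siteowner ftp 0 * c
Tue Mar 11 03:14:39 2008 1 203.0.113.45 5163 /public_html/a/b/page.html a _ i r siteowner ftp 0 * c
Wed Mar 12 09:30:00 2008 4 198.51.100.7 91234 /public_html/img/logo.png b _ i r siteowner ftp 0 * c
"""

KNOWN_HOSTS = {"198.51.100.7"}  # assumption: addresses the owner uploads from
WEB_EXTENSIONS = (".html", ".htm", ".php", ".js")


def parse_xferlog_line(line):
    """Return a dict for one xferlog entry, or None if the line does not fit."""
    tok = line.split()
    if len(tok) < 18:  # 5 date tokens + 13 fields
        return None
    try:
        when = datetime.strptime(" ".join(tok[:5]), "%a %b %d %H:%M:%S %Y")
        size = int(tok[7])
    except ValueError:
        return None
    return {
        "time": when, "host": tok[6], "size": size,
        # Parse the trailing 9 fields from the end so a filename
        # containing spaces does not shift them.
        "file": " ".join(tok[8:-9]),
        "direction": tok[-7],  # i = upload to server, o = download
        "user": tok[-5],
        "status": tok[-1],     # c = complete, i = incomplete
    }


def suspicious_uploads(log_text, known_hosts=KNOWN_HOSTS):
    """Completed uploads of web content from hosts outside known_hosts."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_xferlog_line(line)
        if rec is None:
            continue
        if (rec["direction"] == "i" and rec["status"] == "c"
                and rec["file"].lower().endswith(WEB_EXTENSIONS)
                and rec["host"] not in known_hosts):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for r in suspicious_uploads(SAMPLE_LOG):
        print(r["time"], r["host"], r["user"], r["file"], r["size"])
```

A hit on the real account name from an unknown address points to a stolen password rather than a guessed one, which is the distinction the reply above draws.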
Very bizarre. You sure it wasn't just a mistake somehow (accidental click and drag of URL from browser of site you saw once to your web editor...? I dunno, something like that)? Seems to me if someone broke in that they'd be doing something more substantial than one teensy stupid little link. An obscure link of one character on a page several levels down would have almost no value to anyone. You'd think anyone smart enough to break in someplace would have a more intelligent game plan than that.
You sure it wasn't just a mistake somehow ... Seems to me if someone broke in that they'd be doing something more substantial than one teensy stupid little link.
Anyway, not that I want to alarm you but another possibility would be that your home/work computer got compromised and they got your password that way.