Quote:
Originally Posted by raymor
loco12, I think we got an email from you and Ali is responding right now.
In summary, any script anywhere on the server could be exploited by a
hacker to retrieve your password list. PHP scripts tend to be particularly
vulnerable. In brief, what you'll need to do is a standard security check
getting rid of any old, unused scripts or scripts that shouldn't be there at
all, then check for security updates on any scripts that you continue to use.
The idea is to get rid of any means the cracker may have of getting the
password file. This is separate from any protection you might use such as
Strongbox, Password Sentry, Frog, etc. These systems will alert you to the
problem, but they can't patch up other scripts elsewhere on the server that
may allow an attacker to get the file.
Secondly, we'll look at the encryption on the password file so that even if a
cracker DOES get it, it does them no good. justsexxx brought this topic up:
Yes, it's incredibly easy to decrypt the old DES encryption that most people use.
It takes only a few seconds to start getting working passwords. That's why we
strongly recommend modern strong encryption and provide you the tools to do
that. This is of course where the people suggesting Phantom Frog have it totally
backwards - in its recommended configuration using strong encryption, a
Strongbox password file is several million times harder to crack than a
standard Phantom Frog installation. What would take a cracker 14 seconds
with Phantom Frog's normal install would take 181 years with ours.
Wilson, you like to spout your mouth off based on some personal feelings you
have against someone involved with Strongbox, but despite our offer of a
$10,000 reward if you could ever brute force a Strongbox site you don't
come up with the goods. Why is it that you talk so much trash but can't back
it up even when we offer you $10,000 to do so? Perhaps because you have
no idea what you're talking about and just like to make yourself look stupid?
|
Heh, I'll take that $10,000

I am not bashing or anything, I really love the script you guys have created, it's one of the better brute-force protection scripts out there. HOWEVER I know for a fact that Strongbox is actually brute-forceable. We weren't sure which script to use for our sites and we were strongly leaning towards Strongbox, however we decided not to do so after some deep research.
What makes you 100% sure that your script is not brute-forceable?
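The quoted post's point about old DES-encrypted password files versus modern strong encryption, illustrated as an added example that is not part of this thread and not code from Strongbox, Password Sentry or Phantom Frog: a small Python audit that reads an Apache-style htpasswd file (an assumption, since the thread only says "password file") and flags entries stored with legacy DES crypt or other fast, unsalted hashes, so a site operator can see which accounts need re-hashing before the file is ever leaked. The sample file contents, the user names and the cost thresholds are constructed for the example.

```python
import re
from typing import List, NamedTuple, Tuple

# Constructed sample password file, assumed to be in Apache htpasswd format
# (user:hash per line). Every entry here is made up for this example.
SAMPLE_HTPASSWD = """\
# comment and blank lines are ignored
alice:abJnggxhB/yWI
bob:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/
carol:$2y$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
dave:$6$rounds=5000$saltsalt$notarealhashnotarealhashnotarealhash
erin:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
frank:$2b$04$lowcostlowcostlowcostlowcostlowcostlowcostlowcostlowc
"""

class Finding(NamedTuple):
    user: str
    scheme: str
    rating: str   # "weak", "acceptable", "strong" or "unknown"
    note: str

# Traditional DES crypt: 13 characters from the crypt alphabet, no "$" prefix.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
# bcrypt: $2a$/$2b$/$2y$ followed by a two-digit cost factor.
BCRYPT = re.compile(r"^\$2[aby]\$(\d{2})\$")
# SHA-crypt: $5$ (SHA-256) or $6$ (SHA-512), optionally with rounds=N.
SHA_CRYPT = re.compile(r"^\$([56])\$(?:rounds=(\d+)\$)?")

# Assumed policy thresholds for this example, not values from the thread.
MIN_BCRYPT_COST = 10
MIN_SHA_CRYPT_ROUNDS = 10000

def classify_hash(h: str) -> Tuple[str, str, str]:
    """Return (scheme, rating, note) for one stored password hash."""
    if DES_CRYPT.match(h):
        return ("des-crypt", "weak",
                "traditional DES crypt: 8-char limit, 12-bit salt, very fast to crack")
    if h.startswith("$apr1$") or h.startswith("$1$"):
        return ("md5-crypt", "weak", "MD5-based crypt is fast and offers little GPU resistance")
    if h.startswith("{SHA}"):
        return ("sha1-unsalted", "weak", "unsalted SHA-1: precomputed tables apply directly")
    m = BCRYPT.match(h)
    if m:
        cost = int(m.group(1))
        if cost < MIN_BCRYPT_COST:
            return ("bcrypt", "acceptable",
                    f"bcrypt cost {cost} below policy minimum {MIN_BCRYPT_COST}")
        return ("bcrypt", "strong", f"bcrypt cost {cost}")
    m = SHA_CRYPT.match(h)
    if m:
        # glibc uses 5000 rounds when the rounds= field is omitted.
        rounds = int(m.group(2)) if m.group(2) else 5000
        if rounds < MIN_SHA_CRYPT_ROUNDS:
            return ("sha-crypt", "acceptable",
                    f"sha-crypt rounds={rounds} below policy minimum {MIN_SHA_CRYPT_ROUNDS}")
        return ("sha-crypt", "strong", f"sha-crypt rounds={rounds}")
    return ("unknown", "unknown", "unrecognised format; may be plaintext or a custom scheme")

def audit_htpasswd(text: str) -> List[Finding]:
    """Parse user:hash lines and rate each stored hash."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, h = line.split(":", 1)
        scheme, rating, note = classify_hash(h)
        findings.append(Finding(user, scheme, rating, note))
    return findings

def weak_users(text: str) -> List[str]:
    """Users whose hashes should be re-hashed with a slow, salted scheme."""
    return [f.user for f in audit_htpasswd(text) if f.rating == "weak"]

if __name__ == "__main__":
    for f in audit_htpasswd(SAMPLE_HTPASSWD):
        print(f"{f.user:8} {f.scheme:14} {f.rating:10} {f.note}")
```

The audit only inspects the stored format; it never attempts to recover a password. Its output is the list of accounts that must be re-hashed (by forcing a password reset or re-hashing on next successful login) with bcrypt or a high-rounds SHA-crypt, which is the second half of the advice in the quoted post: removing the scripts that could leak the file, and making the file worthless if it leaks anyway.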