View Single Post
Old 11-25-2005, 11:04 AM  
Libertine
sex dwarf
 
Join Date: May 2002
Posts: 17,860
Quote:
Originally Posted by mrgica
I don't see any solution on this problem, I just have to wait a couple of days or weeks until it's over.
And deal with my angry members....

But how can I protect the password file better? To avoid this in the future?
Here's a step-by-step list of what to do:

1. Make sure your server hasn't been hacked. If it has been, fix the problem.
2. Make sure your password file isn't accessible. Check for (known?) security issues with any scripts you are using, and implement any common sense security measures you haven't implemented yet (e.g. placing your password file in a directory that isn't web-accessible, etc.)
3. Start checking signups and existing username/password combos against common wordlists. Respectively, change them and stop allowing them.
4. If the problem doesn't stop... (this will hurt) get all your members to change their passwords.
5. Try and make unhappy hacked members happy again by giving them a free week of access or whatever.
__________________
/(bb|[^b]{2})/
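Steps 2 and 3 of the list above are the ones you can script. The block below is an added example, not code from the thread or from either poster: it audits an Apache-style password file against a wordlist and against username-derived guesses, screens a new signup password the same way, and checks that the file's path is not under the web root. It assumes the file uses Apache's unsalted `{SHA}` entry format (`{SHA}` followed by base64(sha1(password))); the sample file, the wordlist, the user names and the paths are constructed for the example. Because `{SHA}` entries are unsalted, one hash per wordlist entry tests every user at once, which is exactly why a leaked file of this kind falls quickly and why step 4 becomes unavoidable once it has leaked.

```python
import base64
import hashlib
import hmac
import os


def sha_entry(password: str) -> str:
    """Apache htpasswd {SHA} format: '{SHA}' + base64(SHA-1(password)), no salt."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


# Constructed sample password file (hypothetical users, not from the thread).
SAMPLE_HTPASSWD = "\n".join([
    "alice:" + sha_entry("correct horse battery staple"),
    "bob:" + sha_entry("password"),
    "carol:" + sha_entry("carol123"),
    "dave:" + sha_entry("letmein"),
])

# Constructed stand-in for a real wordlist (rockyou.txt or similar in practice).
SAMPLE_WORDLIST = ["123456", "password", "letmein", "qwerty", "abc123"]


def parse_htpasswd(text: str) -> dict:
    """Map user -> stored hash, skipping blanks and comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, hashed = line.partition(":")
        if not hashed.startswith("{SHA}"):
            raise ValueError(f"{user}: only {{SHA}} entries are handled here")
        entries[user] = hashed
    return entries


def audit_password_file(text: str, wordlist) -> dict:
    """Return {user: recovered_password} for every entry a wordlist or a
    username-derived guess would break."""
    entries = parse_htpasswd(text)
    # Unsalted hashes: index by hash so each candidate word is hashed once
    # for all users instead of once per user.
    by_hash = {}
    for user, hashed in entries.items():
        by_hash.setdefault(hashed, []).append(user)
    weak = {}
    for word in wordlist:
        for user in by_hash.get(sha_entry(word), []):
            weak.setdefault(user, word)
    # Username-derived guesses have to be tried per user.
    for user, hashed in entries.items():
        if user in weak:
            continue
        for cand in (user, user + "1", user + "123", user.capitalize()):
            if hmac.compare_digest(hashed, sha_entry(cand)):
                weak[user] = cand
                break
    return weak


def check_new_password(username: str, password: str, wordlist, min_len: int = 10) -> list:
    """Reasons to reject a signup password; an empty list means it passes."""
    reasons = []
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if password.lower() in {w.lower() for w in wordlist}:
        reasons.append("appears in the common-password wordlist")
    if username.lower() in password.lower():
        reasons.append("contains the username")
    return reasons


def is_outside_webroot(password_file: str, docroot: str) -> bool:
    """True if the password file does not live under the document root
    (normalises '..' segments so a path that climbs out does not fool it)."""
    root = os.path.abspath(docroot)
    target = os.path.abspath(password_file)
    return os.path.commonpath([root, target]) != root


if __name__ == "__main__":
    for user, guess in audit_password_file(SAMPLE_HTPASSWD, SAMPLE_WORDLIST).items():
        print(f"weak: {user} -> {guess!r}")
    print("signup 'Password' for erin:", check_new_password("erin", "Password", SAMPLE_WORDLIST))
    print("/etc/apache2/.htpasswd outside /var/www/html:",
          is_outside_webroot("/etc/apache2/.htpasswd", "/var/www/html"))
```

Run the audit against your real file and wordlist, force a reset for every user it reports, and wire `check_new_password` into the signup form so the same combinations cannot come back. Moving the file out of the document root is an Apache configuration change (point `AuthUserFile` at a path outside `DocumentRoot`); `is_outside_webroot` only tells you whether the path you chose actually qualifies.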