Hi -
For the sake of simplicity, let's assume Apache as the Webserver, storing passwords in the default .htpasswd file. Let's assume we're using default configuration options, which makes downloading any .ht* files not possible (per Apache - however, other languages such as PHP and ASP can certainly read the files).
What are the chances that passwords in this format are decrypted and potentially used? This completely depends on the timeframe being used. If we're talking tens of years, the chances of this happening are very great. If we're talking about the average lifespan of a member of a site, with the same password - let's say 1 year tops - the chances are very slim. The chances are even more slim that this process repeats in that relatively short amount of time.
One important thing to take note of is how long of a period is left in the membership life. What I've seen is that if passwords are about to expire anyway, they are traded. I think I'd do the same thing if I knew the password was about to expire, and I had a login for site X, and someone wanted to trade me for site Y. Once one gets traded once, it will get traded many, many times. What webmasters see as some sort of surge isn't much of a surge - it's just more people using the single login.
Take this number into consideration and judge based on that. It might be time to start billing people based on logins. It's what I'll start doing, and there's not much that the trader can do about it.
Remember that it's rare for these passwords to be "cracked" in the traditional sense - rather, they're brute-forced. One thing that the billers need to understand is that they cannot continue to allow weak passwords. This makes brute-forcing passwords a literal piece of cake. The trade-off for them is that users will like the system. They don't understand that weak passwords can be brute-forced with relative ease. This, naturally, kills sales. But you have to ask yourself, what's more important to you - bandwidth charges because your billing system was inadequate, or exposing your users to a little bit more security by throwing the occasional number and/or odd character into their password?
With the advances in software security and (unfortunately) obscurity, it's increasingly difficult for passwords to be downright cracked. Even using a default install of any modern webserver does a pretty good job at protecting this information. However, think of how cheap hardware is getting now, so a lot of CPU doesn't cost much. It's all a game - it always was, and it always will be.
Just my $0.02
Thanks!
-dant
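As an added illustration (not dant's code or anything from the thread), a small defender-side Python audit: it reports which hash scheme each .htpasswd entry uses, since how cheaply an entry can be brute-forced offline depends on that, and it applies the "throw in a number and/or odd character" policy the post argues for. The sample entries are constructed placeholders (not real digests) and the minimum length is an assumed value.

```python
import re

# Constructed sample .htpasswd contents; the hash fields are placeholders, not real digests.
SAMPLE_HTPASSWD = """\
alice:$apr1$saltsalt$placeholderplaceholder
bob:{SHA}placeholderbase64digest=
carol:$2y$10$placeholderplaceholderplaceholderplaceholderplaceholder
dave:plAceholDercrypt
# comment lines and blank lines are ignored
"""

# Hash formats that Apache's htpasswd tool emits, with a flag for "cheap to brute-force offline".
SCHEME_PREFIXES = [
    ("$2y$", "bcrypt", False),     # htpasswd -B: slow, salted, the one to prefer
    ("$2a$", "bcrypt", False),
    ("$apr1$", "apr1-md5", True),  # salted but fast: cheap CPU (as the post notes) makes this weak
    ("{SHA}", "sha1", True),       # unsalted SHA-1: no salt at all
]

def classify_scheme(hash_field):
    """Return (scheme name, is_weak) for one htpasswd hash field."""
    for prefix, name, weak in SCHEME_PREFIXES:
        if hash_field.startswith(prefix):
            return name, weak
    return "crypt", True  # traditional crypt(3): 8-character limit, trivially brute-forced

def audit_htpasswd(text):
    """Map each user in an .htpasswd file to (scheme, is_weak), skipping comments and blanks."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, hash_field = line.split(":", 1)
        result[user] = classify_scheme(hash_field)
    return result

def is_strong_password(password, min_len=10):
    """Policy from the post: length (min_len is an assumed value) plus a digit and an odd character."""
    return (len(password) >= min_len
            and re.search(r"\d", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)

if __name__ == "__main__":
    for user, (scheme, weak) in audit_htpasswd(SAMPLE_HTPASSWD).items():
        print(f"{user}: {scheme}{' (weak, rehash on next login)' if weak else ''}")
```

Entries flagged weak should be rehashed with bcrypt the next time the user authenticates, and new passwords rejected until they pass the policy check.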