Shared/Stolen Passwords

  • rebekahdee
    Registered User
    • Dec 2004
    • 36

    #1

    Shared/Stolen Passwords

    Hi,

    I am looking for some advice regarding password theft.

    I currently use a great bit of software which locks out a user when a user/pass combination exceeds a given IP count. My problem is not regarding the software but rather the speed at which my passwords are being compromised. I go through stages where I may get 2 or 3 emails from members with valid membership who have been locked out, often new members incidentally.

    Does anyone else have experience of this problem? I am guessing that this is some kind of leak at either the billing company or the host. The fact that it is new members makes me think that perhaps someone is picking up the signup confirmation emails that are sent when a new member joins as this contains the login data required.

    Any tips or feedback would be appreciated as this is driving me nuts!

    Thanks,

    Rob.
    http://www.rebekahdee.com
  • raymor
    Confirmed User
    • Oct 2002
    • 3745

    #2
    Originally posted by rebekahdee
    Hi,

    Does anyone else have experience of this problem? I am guessing that this is some kind of leak at either the billing company or the host. The fact that it is new members makes me think that perhaps someone is picking up the signup confirmation emails that are sent when a new member joins as this contains the login data required.

    Any tips or feedback would be appreciated as this is driving me nuts!

    Thanks,

    Rob.
    Quite likely you're seeing your password file or database getting ripped.
    The attacker uses some PHP script, most often, somewhere on your server
    to get at the password file and can keep getting new ones whenever he
    wants to. This is a real pain in the butt, of course. There are a few steps
    to take in order to take care of this problem. There's the basic security
    stuff like getting rid of old, unused scripts that an attacker may use, and
    more specifically we can apply strong encryption to your password list so
    that even if a cracker does get the list it's of no use to him, because it's
    encrypted such that he can't retrieve the passwords. This page will
    provide some more helpful information:
    http://www.bettercgi.com/strongbox/p...adyhacked.html

    Also feel free to shoot us an email at [email protected] or call us
    at 979-530-1300 .
    For historical display only. This information is not current:
    support@bettercgi.com ICQ 7208627
    Strongbox - The next generation in site security
    Throttlebox - The next generation in bandwidth control
    Clonebox - Backup and disaster recovery on steroids


    • SkeetSkeet
      Confirmed User
      • Oct 2005
      • 5404

      #3
      yup we recommend strongbox 100% great guys over there!

      ICQ 283633188


      • rebekahdee
        Registered User
        • Dec 2004
        • 36

        #4
        Hi guys and thanks for the replies.

        I keep an eye on my server and I know what any suspicious files would look like so initially I would doubt that is where the problem lies. If there was a leak in the host or payment company surely no amount of software will protect your site?

        Are the passwords not already encrypted when they are stored in the password file meaning that even if the file was compromised it would be of no use as it simply reveals usernames?

        Can Strongbox be used to simply encrypt the password file?

        Thanks in advance,

        Rob.
        http://www.rebekahdee.com


        • raymor
          Confirmed User
          • Oct 2002
          • 3745

          #5
          Originally posted by rebekahdee
          If there was a leak in the host or payment company surely no amount of software will protect your site?
          Quite often a leak at the payment processor is the first thing webmasters
          think of, but that's never what we find. It's almost always an issue on the
          webmaster's side, often exacerbated by a poorly configured server.
          If there was a leak in the payment processor there wouldn't be much you
          could do, however you'd also likely see 500 other webmasters posting about
          the problem today.

          Are the passwords not already encrypted when they are stored in the password file meaning that even if the file was compromised it would be of no use as it simply reveals usernames?
          Unlike corporate sites like banks who employ security professionals, most adult
          sites still use a very weak type of encryption called DES. DES was created in 1974,
          then weakened by the NSA and standardized in 1976. The NSA felt that the weakened
          version was good enough in the days of 4 MHz processors. It was broken in 1994, so
          the encryption you're using has been out of date for a couple of decades. Today, with
          processors that run over a thousand times as fast as they did in 1976, a readily
          available program can crack some of your passwords in just a few seconds if you
          use DES. That's not just theoretical - I've done it more than once. So while the
          passwords are technically encrypted, that encryption is nearly worthless for a big
          password list.

          Instead, today's standard for passwords is a salted MD5 hash. When used
          in a certain other context, MD5 has a theoretical weakness, but for passwords
          salted MD5 should be secure for years to come. SHA1 can also be used, but it
          doesn't have the compatibility advantages of MD5 and the SHA2 family is
          just around the corner, so we're using MD5 now and will transition to SHA-256
          or SHA-512 when the time comes in a few years.

          Can Strongbox be used to simply encrypt the password file?

          Thanks in advance,

          Rob.
          We CAN just do the encryption and that will probably take care of your
          immediate problem. It'd only cost you $30 too. That's kind of like locking
          the back door and leaving the front door open, though, as you will be
          attacked through some other hole. That might happen next week or it
          might be next year but it will of course happen eventually. Normally, when
          we upgrade the encryption for people we also upgrade the actual user names
          and passwords themselves. When you let users choose their own user
          names and passwords, an alarming number of them choose "password"
          as their password. I don't care how good your encryption is if the password
          is "password" the bad guys are going to guess that pretty quick. So we
          set up a good system which assigns good passwords that won't be guessed,
          yet can be remembered and typed more easily than random characters can be.
          That then means that your password list is secure - only the person who
          bought the password knows the password.

          So here we are and we're happy because only the person who signed up
          for the account knows the password. Until he posts it all over the place.
          Possibly, he posts all 25 accounts which he got with those stolen card numbers.
          That's when the state of the art protection of Strongbox comes into play.
          The whole system, all three parts, provides you a complete security system.

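An added example, not code from the thread or from Strongbox: a small Python audit that classifies each entry of an Apache-style htpasswd file by its hash scheme and reports the DES crypt and unsalted entries raymor describes as worthless against a stolen password list. The file contents are constructed placeholders of the right shape, and the bcrypt branch reflects current Apache htpasswd support, which postdates this thread.

```python
import re
# Constructed sample .htpasswd content (not from the thread). Every hash is a
# placeholder of the right shape for its scheme, not a real credential.
SAMPLE_HTPASSWD = """\
# members file, constructed for this example
alice:ab1Xk9cGqPzR2
bob:$apr1$c0nstruc$placeholderhash0000000.
carol:{SHA}cGxhY2Vob2xkZXJwbGFjZWhvbGQ=
dave:$1$c0nstruc$placeholderhash0000000.
erin:$2y$10$constructedplaceholdersaltconstructedplaceholderhash0
frank:hunter2
broken line without a colon
"""

# Traditional crypt(3) DES: 13 crypt-alphabet characters, a 2-character (12-bit)
# salt plus 11 hash characters, with the password silently truncated to 8
# characters. A 13-character plaintext entry matches too; it is weak either way.
CRYPT_DES = re.compile(r'^[./0-9A-Za-z]{13}$')

def classify(hash_field):
    """Return (scheme, verdict) for one htpasswd hash field."""
    if hash_field.startswith(('$2y$', '$2b$', '$2a$')):
        return ('bcrypt', 'ok')              # htpasswd -B, Apache 2.4.4+
    if hash_field.startswith('$apr1$'):
        return ('apr1 salted MD5-crypt', 'legacy')
    if hash_field.startswith('$1$'):
        return ('salted MD5-crypt', 'legacy')
    if hash_field.startswith('{SHA}'):
        return ('unsalted SHA-1', 'weak')    # no salt: one lookup table fits all
    if CRYPT_DES.match(hash_field):
        return ('DES crypt', 'weak')
    return ('plaintext or unknown', 'weak')

def audit_htpasswd(text):
    """Parse htpasswd text; return a list of (line, user, scheme, verdict)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        user, sep, hash_field = line.partition(':')
        if not sep or not user or not hash_field:
            findings.append((lineno, user, 'malformed entry', 'weak'))
            continue
        findings.append((lineno, user) + classify(hash_field))
    return findings

def users_to_rehash(text):
    # Usernames whose entries should be reset onto a salted, slow hash.
    return sorted(u for _, u, _, v in audit_htpasswd(text) if v != 'ok')
```

Run `audit_htpasswd` over the real file to see which scheme each member is on; anything not on bcrypt is a candidate for a forced reset, since the hash itself cannot be upgraded without the plaintext password.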

          • d-null
            . . .
            • Apr 2007
            • 13724

            #6
            great informative post from Strongbox and their prices are well worth it
