Paxum: No, stop this right now.

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • Dankasaur
    So Fucking Fossilized
    • Sep 2011
    • 1432

    #1

    Paxum: No, stop this right now.



    There is no security reason to force your users to periodically change their passwords. This is bad user experience and is unneeded unless your database has been compromised and requires your users to change their passwords ONCE.
  • fitzmulti
    I Like Depth Of Field!
    • Jan 2003
    • 14861

    #2
    CCBILL does it every 3 months {or so}...
    It's not "just a Paxum thing"...
    Last edited by fitzmulti; 05-08-2013, 10:45 AM.


    www.SexyGirlsCash.com


    CONTACT // FITZMULTI AT GMAIL.COM //
    {Please include a message so I know you are from GFY! I get too many spam "add requests"!}

    Comment

    • Dankasaur
      So Fucking Fossilized
      • Sep 2011
      • 1432

      #3
      Originally posted by fitzmulti
      CCBILL does it every 3 months {or so}...
      It's nut "just a Paxum thing"...
      I've never had to change my CCBill password...

      Comment

      • RuthB
        Let's Get Paxumized!
        • May 2005
        • 7248

        #4
        Hi Dankasaur,

        Password reset is usually requested about every 6 months or so. Yes, this is a security feature implemented when we updated our login server some time ago to a higher level of encryption.

        Thanks for your feedback!

        Ruth
        Send & Receive Mass Global Payments - Mass P2P/Wire/EFT/SEPA - Adult Industry Friendly - Award Winning Payment Service - Fast, Reliable & Secure!
        Paxum ...... Paxum Bank
        Email: [email protected] ~ Telegram: PaxumRuth

        Comment

        • fitzmulti
          I Like Depth Of Field!
          • Jan 2003
          • 14861

          #5
          Originally posted by Dankasaur
          I've never had to change my CCBill password...
          I should clarify...I mean for those who use it for processing.
          As an affiliate I haven't ever changed mine, either.


          www.SexyGirlsCash.com


          CONTACT // FITZMULTI AT GMAIL.COM //
          {Please include a message so I know you are from GFY! I get too many spam "add requests"!}

          Comment

          • Matyko
            PsyHead
            • Aug 2005
            • 8681

            #6
            Originally posted by Dankasaur


            There is no security reason to force your users to periodically change their passwords. This is bad user experience and is unneeded unless your database has been compromised and requires your users to change their passwords ONCE.
            +1

            I don't give a fuck CCBill does the same. At least they don't need special fucking characters in the pw so I am swapping 2 pws all the time. W paxum its different.

            Annoying, but can live w it..
            -=- Register with our ref link and we help you with the setup! -=-
            AdSpyglass.com - Double your profit from brokers

            Comment

            • Dankasaur
              So Fucking Fossilized
              • Sep 2011
              • 1432

              #7
              Originally posted by RuthB
              Hi Dankasaur,

              Password reset is usually requested about every 6 months or so. Yes, this is a security feature implemented when we updated our login server some time ago to a higher level of encryption.

              Thanks for your feedback!

              Ruth
              It's been proven that your method of "security" behind this is not good...

              [...] He particularly slams the common requirement that users change passwords at specified intervals. A hacker who steals your password is going to use it right away; he won't wait two months. "Insisting that users choose a unique strong password for each [[account]] which they change often and never write down is clearly a large burden."
              http://www.pcmag.com/article2/0,2817,2362692,00.asp

              Comment

              • _Richard_
                Too lazy to set a custom title
                • Oct 2006
                • 30991

                #8
                Originally posted by Dankasaur
                It's been proven that your method of "security" behind this is not good...



                http://www.pcmag.com/article2/0,2817,2362692,00.asp
                next you're gonna be telling us that anti-virus software is modern day snake oil

                Comment

                • NaughtyRob
                  Two fresh affiliate progs
                  • Nov 2004
                  • 29602

                  #9
                  I have no issue with it. Better security is a good thing.
                  [email protected]
                  Skype: 17026955414
                  Vacares Web Hosting - Protect Your Ass with Included Daily Backups

                  Comment

                  • RuthB
                    Let's Get Paxumized!
                    • May 2005
                    • 7248

                    #10
                    Originally posted by Dankasaur
                    It's been proven that your method of "security" behind this is not good...



                    http://www.pcmag.com/article2/0,2817,2362692,00.asp
                    You are entitled to disagree with our methods, however we do not have any plans to remove this security feature at this time.

                    Thanks again for your input.
                    Send & Receive Mass Global Payments - Mass P2P/Wire/EFT/SEPA - Adult Industry Friendly - Award Winning Payment Service - Fast, Reliable & Secure!
                    Paxum ...... Paxum Bank
                    Email: [email protected] ~ Telegram: PaxumRuth

                    Comment

                    • Dankasaur
                      So Fucking Fossilized
                      • Sep 2011
                      • 1432

                      #11
                      Originally posted by _Richard_
                      next you're gonna be telling us that anti-virus software is modern day snake oil
                      Microsoft: Changing Passwords Isn't Worth the Effort
                      As a company who's in control of data 100x more sensitive than Paxum, I'm sure Microsoft spent millions to come to this conclusion and is far from "snake oil".

                      Originally posted by NaughtyRob
                      I have no issue with it. Better security is a good thing.
                      It's not better security. It's false sense of security and is actually LESS secure in the long run.

                      Originally posted by RuthB
                      You are entitled to disagree with our methods, however we do not have any plans to remove this security feature at this time.

                      Thanks again for your input.
                      Obviously one person won't change your mind, but don't inconvenience your users and say it's for "security" when multi-billion dollar companies in the exact field of security have proven it's worthless.
                      Last edited by Dankasaur; 05-08-2013, 11:18 AM.

                      Comment

                      • signupdamnit
                        Confirmed User
                        • Aug 2007
                        • 6697

                        #12
                        Originally posted by Dankasaur
                        It's been proven that your method of "security" behind this is not good...



                        http://www.pcmag.com/article2/0,2817,2362692,00.asp
                        It also encourages people to write down passwords or to choose nearly the same password each time with slight variations. No one can remember 20-50 different passwords which have to be changed every few months. You simply cannot keep all that in your head.

                        Worse yet if the company is incompetent there is the risk that they store past passwords without hashes or encryption so if a hacker gets the database they not only get your current password but all your past stored passwords too. They then can use these at all your other online accounts. More than likely Paxum uses hashes or encryption (if not the owners should go to jail) but even then there is still a risk of compromise depending on the implementation.

                        You don't like my posts? Put me on ignore or fuck right off. I'll say what I want.

                        Comment

                        • Dankasaur
                          So Fucking Fossilized
                          • Sep 2011
                          • 1432

                          #13
                          Originally posted by signupdamnit
                          Worse yet if the company is incompetent there is the risk that they store past passwords without hashes or encryption so if a hacker gets the database they not only get your current password but all your past stored passwords too. They then can use these at all your other online accounts. More than likely Paxum uses hashes or encryption (if not the owners should go to jail) but even then there is still a risk of compromise depending on the implementation.
                          And judging by that screenshot it says "cannot use any previous used passwords" so unless they store that data for referencing every time they require a password change, you're essentially just giving the hacker more stuff to use against you if they do get the database... Thus making the password change requirement WORSE.

                          Comment

                          • Dankasaur
                            So Fucking Fossilized
                            • Sep 2011
                            • 1432

                            #14
                            Originally posted by Matyko
                            +1

                            I don't give a fuck CCBill does the same. At least they don't need special fucking characters in the pw so I am swapping 2 pws all the time. W paxum its different.

                            Annoying, but can live w it..
                            So I forgot that they require the special characters in the password and as I use Chrome sync and password remembering I don't even know my original password... So I used the forgotten password feature, and guess what? My "new" password was sent to me in plaintext via email where anyone can hijack it...

                            So, as a security measure, they require us to change our passwords every 6ish months, and at the same time send our PLAINTEXT passwords to use via email...

                            Real secure...

                            ಠ_ಠ

                            Comment

                            • Sid70
                              Downshifter
                              • Dec 2002
                              • 16413

                              #15
                              Русня, идите нахуй!

                              Comment

                              • anexsia
                                Confirmed User
                                • May 2010
                                • 5735

                                #16
                                Originally posted by fitzmulti
                                I should clarify...I mean for those who use it for processing.
                                As an affiliate I haven't ever changed mine, either.
                                That's weird, I'm an affiliate and I have to change my CCBill password about once a month.

                                A good program for keeping track of your passwords (across Windows and Linux) is KeepassX and you can lock your database via a master password, a key tied to a file, and you can encrypt the database if you want. Then you don't have to try and remember those 25+ character passwords .
                                Last edited by anexsia; 05-08-2013, 11:50 AM.

                                Comment

                                • helterskelter808
                                  So Fucking Banned
                                  • Sep 2010
                                  • 3405

                                  #17
                                  Originally posted by Dankasaur
                                  And judging by that screenshot it says "cannot use any previous used passwords" so unless they store that data for referencing every time they require a password change, you're essentially just giving the hacker more stuff to use against you if they do get the database... Thus making the password change requirement WORSE.
                                  I'm not a fanboy of Paxum (regardless of the passwords, I think you're out your mind if you hand over all the private and personal info they demand) but I'd be surprised if they don't store your passwords hashed, and compare the hashes only. Anything else would be insanely reckless.

                                  Originally posted by Dankasaur
                                  So I forgot that they require the special characters in the password and as I use Chrome sync and password remembering I don't even know my original password... So I used the forgotten password feature, and guess what? My "new" password was sent to me in plaintext via email where anyone can hijack it...
                                  Paxum send new passwords via email in plain text? Perhaps they do store them in plain text then.

                                  Comment

                                  • Supz
                                    Arthur Flegenheimer
                                    • Jul 2006
                                    • 11057

                                    #18
                                    Originally posted by _Richard_
                                    next you're gonna be telling us that anti-virus software is modern day snake oil

                                    Comment

                                    • PR_Phil
                                      Confirmed User
                                      • Apr 2003
                                      • 1960

                                      #19
                                      https://www.pcisecuritystandards.org...pci_dss_v2.pdf

                                      I have nothing to say about Paxum here, but that is a link to PCI DDS requirements for Data Security.

                                      rule 8.5.9 - Change user passwords at least every 90 days.

                                      rule 8.5.10 - Require a minimum password length of at least seven characters.

                                      rule 8.5.11 - Use passwords containing both numeric and alphabetic characters.

                                      rule 8.5.12 - Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.

                                      rule 8.5.13 - 3 Limit repeated access attempts by locking out the user ID after not more than six attempts.

                                      if you go to that link and scroll to page 49, you can view a complete list of the rules regarding user passwords, I would expect a company that controls peoples money to follow PCI regulations.

                                      Comment

                                      • Lichen
                                        Tube Master
                                        • May 2004
                                        • 1640

                                        #20
                                        Agreed.

                                        This bullshit is annoying as hell.

                                        Comment

                                        • Dankasaur
                                          So Fucking Fossilized
                                          • Sep 2011
                                          • 1432

                                          #21
                                          Originally posted by PR_Phil
                                          https://www.pcisecuritystandards.org...pci_dss_v2.pdf

                                          I have nothing to say about Paxum here, but that is a link to PCI DDS requirements for Data Security.

                                          rule 8.5.9 - Change user passwords at least every 90 days.

                                          rule 8.5.10 - Require a minimum password length of at least seven characters.

                                          rule 8.5.11 - Use passwords containing both numeric and alphabetic characters.

                                          rule 8.5.12 - Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.

                                          rule 8.5.13 - 3 Limit repeated access attempts by locking out the user ID after not more than six attempts.

                                          if you go to that link and scroll to page 49, you can view a complete list of the rules regarding user passwords, I would expect a company that controls peoples money to follow PCI regulations.
                                          Wow, that's not secure at all... "Hey not only are we gonna require you to change your password every 3 months, but we're also gonna store your last 4 passwords to make sure you don't use them either." Great way to give access to all your shit.

                                          Fact of the matter is, no password storage or hashing or anything security related matters when your users use easily guessed passwords... This is just an inconvenience for the users and will just make them rotate between a select few passwords, making the whole security aspect of it worthless..

                                          Comment

                                          • Dankasaur
                                            So Fucking Fossilized
                                            • Sep 2011
                                            • 1432

                                            #22
                                            Originally posted by helterskelter808
                                            Paxum send new passwords via email in plain text? Perhaps they do store them in plain text then.
                                            I'm sure, and hope, they store them hashed, as you can send a new password without storing it in plaintext, but that still doesn't stop the fact that someone can access my email data and get that password no problem... The best thing to do would be send a link that is only usable once and then take them to the site to set a new password. Not send a password.

                                            Comment

                                            • BSleazy
                                              Confirmed User
                                              • Aug 2002
                                              • 6721

                                              #23
                                              I have to regularly change my ccbill password as an affiliate.
                                              icq 156131086

                                              Comment

                                              • imabro
                                                Confirmed User
                                                • Aug 2007
                                                • 871

                                                #24
                                                Paxum load wires rejecting due to their bank not meeting OFAC regulations. Their own intermediary bank is being rejected.. Paxum support not responding for over 24 hours now.

                                                Comment

                                                • nikki99
                                                  Supermodel
                                                  • Nov 2004
                                                  • 23087

                                                  #25
                                                  paxum rocks I use it in any country of the world and it works
                                                  SMC Revenue - Best Tgirl websites of the world now VR
                                                  Non exclusive BIG Tranny/shemale Package for sale, full 2257 - hit me up skype: nikkimontero

                                                  Comment

                                                  • LeRoy
                                                    Porn Pusher
                                                    • Jul 2007
                                                    • 13364

                                                    #26
                                                    I wouldn't worry too much about that...
                                                    JAPANESE CAMS AND CONTENT SITES
                                                    Teams - leroy.rowland2
                                                    Telegram - @lroddd

                                                    Comment

                                                    • k0nr4d
                                                      Confirmed User
                                                      • Aug 2006
                                                      • 9231

                                                      #27
                                                      I haven't hit this feature on paxum yet, but I did have it on my old online banking (raiffeisen) and hated it enough that I switched banks because of it. Not only did they force a password change ONCE A MONTH that did not match my last 6 passwords, it had to be at least 10 chars long with at least 2 special characters, at least 2 upper case letters and at least one number - pretty much forcing you to write it down. They wouldn't let you choose your own pin for your bank card either - and if you forgot it you had to order a new card (for a fee of course).

                                                      The domain registrar for PL does this shit too, also with some complicated as fuck password scheme. Every time I login there I have to use the forgot password form - effectively negating any security this adds since it's sending me my password in plain text to my email...
                                                      Mechanical Bunny Media
                                                      Mechbunny Tube Script | Mechbunny Webcam Aggregator Script | Custom Web Development

                                                      Comment

                                                      • MainstreamGuy
                                                        So Fucking Banned
                                                        • Oct 2011
                                                        • 477

                                                        #28
                                                        The guy wasted more time in writing this message, than he could spend changing his password in PAXUM for a whole year.

                                                        I really don't understand some people.

                                                        Comment

                                                        • fitzmulti
                                                          I Like Depth Of Field!
                                                          • Jan 2003
                                                          • 14861

                                                          #29
                                                          Originally posted by nikki99
                                                          paxum rocks I use it in any country of the world and it works


                                                          www.SexyGirlsCash.com


                                                          CONTACT // FITZMULTI AT GMAIL.COM //
                                                          {Please include a message so I know you are from GFY! I get too many spam "add requests"!}

                                                          Comment

                                                          • Zeiss
                                                            Confirmed User
                                                            • May 2012
                                                            • 5189

                                                            #30
                                                            Sometimes, when someone is actually helping you, you don't even see it...


                                                            Adult Webmasters Guides

                                                            Comment

                                                            • Rebel D
                                                              Registered User
                                                              • Jan 2004
                                                              • 3916

                                                              #31
                                                              Originally posted by MainstreamGuy
                                                              The guy wasted more time in writing this message, than he could spend changing his password in PAXUM for a whole year.

                                                              I really don't understand some people.
                                                              1000% agree .

                                                              Grab the whaaamulance.

                                                              Grow up, Change it and move on.

                                                              Comment

                                                              • MaDalton
                                                                I am Amazing Content!
                                                                • Feb 2004
                                                                • 39861

                                                                #32
                                                                Originally posted by MainstreamGuy
                                                                The guy wasted more time in writing this message, than he could spend changing his password in PAXUM for a whole year.

                                                                I really don't understand some people.
                                                                what this man said..
                                                                AmazingContent.com - providing only the best content and service since 2003
                                                                Monetize your content on Veegaz.com - one of Germanies largest VOD sites
                                                                Got German traffic? We convert it into money for you!
                                                                Email: oltecconsult [at] gmail [dot] com

                                                                Comment

                                                                • OldJeff
                                                                  Big Fucking hahahaha
                                                                  • Feb 2003
                                                                  • 2491

                                                                  #33
                                                                  Holy shit, you mean there are security rules involved with the electronic transfer of money !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
                                                                  "As pornographers we must act responsibly! ;))"- Nickatilynx

                                                                  I might be Old and Tired, but at least I don't support a whiney cunt

                                                                  Comment

                                                                  • TampaToker
                                                                    Confirmed User
                                                                    • May 2006
                                                                    • 5828

                                                                    #34
                                                                    Originally posted by MainstreamGuy
                                                                    The guy wasted more time in writing this message, than he could spend changing his password in PAXUM for a whole year.

                                                                    I really don't understand some people.
                                                                    lol was thinking that myself.......
                                                                    Icq 247-742-205

                                                                    Comment

                                                                    • Penny24Seven
                                                                      So Fucking What
                                                                      • Jun 2007
                                                                      • 6287

                                                                      #35
                                                                      if this is the worst of your problems you have had a pretty good day then
                                                                      Our site is coming soon. It will be one of the best ever! I know so. Brian and Penny

                                                                      Comment

                                                                      • Penny24Seven
                                                                        So Fucking What
                                                                        • Jun 2007
                                                                        • 6287

                                                                        #36
                                                                        PAXUM stop making me have to login to send money, i want to be logged in 24/7 no matter what computer I use and what is the deal with TP, i mean do we really have to wipe our asses. Just another way for the man to make money by selling TP to wipe our asses. I mean we just throw it away after so what is the point??
                                                                        Our site is coming soon. It will be one of the best ever! I know so. Brian and Penny

                                                                        Comment

                                                                        • CaptainHowdy
                                                                          Too lazy to set a custom title
                                                                          • Dec 2004
                                                                          • 94743

                                                                          #37

                                                                          Comment

                                                                          • bluebook18
                                                                            Confirmed User
                                                                            • Mar 2012
                                                                            • 4082

                                                                            #38
                                                                            I don't mind changing password every 6 months

                                                                            Comment

                                                                            • Lykos
                                                                              Too lazy to set a custom title
                                                                              • Apr 2003
                                                                              • 31032

                                                                              #39
                                                                              Am fine with that, makes me feel safe

                                                                              Comment

                                                                              • Dankasaur
                                                                                So Fucking Fossilized
                                                                                • Sep 2011
                                                                                • 1432

                                                                                #40
                                                                                Originally posted by Brian837
                                                                                PAXUM stop making me have to login to send money, i want to be logged in 24/7 no matter what computer I use and what is the deal with TP, i mean do we really have to wipe our asses. Just another way for the man to make money by selling TP to wipe our asses. I mean we just throw it away after so what is the point??
                                                                                Sure, if false sense of security is your thing, good luck.

                                                                                Comment

                                                                                • PornDiscounts-V
                                                                                  Confirmed User
                                                                                  • Oct 2003
                                                                                  • 5744

                                                                                  #41
                                                                                  Boners and poo
                                                                                  Blog Posts - Contextual Links - Hardlinks on 600+ Blog Network
                                                                                  * Handwritten * 180 C Class IPs * Permanent! * Many Niches! * Bulk Discounts! GFYPosts /at/ J2Media.net

                                                                                  Comment

                                                                                  • Aidoru
                                                                                    Confirmed User
                                                                                    • Jul 2012
                                                                                    • 655

                                                                                    #42
                                                                                    Use KeePass
                                                                                    Life will be so much better
                                                                                    Gravurecash - 50% Lifetime RevShare on all signups and rebills, 5% Webmaster Referral

                                                                                    Comment

                                                                                    Working...