Hack protection-->pennywize addon would be nice, is this already in the market?
 

Hi,

Question, I'm thinking of using pennywize for protections against password trades, and brute force attacks.

BUT, now I understood, you have to create a new password for the members who did get out of the DB, and email him/her.

Is there a way when a passwrd het blocked, an email is send automatically to the "real"member, and in this email, the reason, and the new passwrd is included?

Andre

That's not really a good idea if you use pennywize or even our product Stop That Hacker http://www.stopthathacker.com

For the following reason.

Once you stop brute force attacks 99.99% of all your password sharing is from the member giving out his password or from credit card fraud. So why email him a new password so he can give it out again? Make him explain why he gave it out in the first place.

Plus most password sharring ends up in a chargeback anyway.

So kill the account. Kill the rebilling and forget it.

Hugs,
Danielle

i'd suggest letting them reset their password up to twice, and then after that, have them explain it. send them an e-mail with a link they have to click to reset the password and everything. maybe even generate the password for them at that point. :)

Great advice :thumbsup

I don't agree on that. Also Brute password hackers do get the passwords of the legit members. Killing them would be stupid then!

BTW your program, why is that better then pennywize? You have sites using your script?(because the price is so low, and the design of your site is not so good, makes me suspicious. A demo would be great:)

ANdre

what are you thoughts on the effectiveness of http://www.passwdcop.com/

?

Looks like it only protects you from password traders. I don't see anything over 3 failed logins etc...

500 dollar looks a bit pricey to me for that feature....

Andre

i tried pennywize about 4 years ago or so, stopped using them.

i didn't like the way they jerked my 401 traffic to their benefit -
ads pages. their service works well, i just thought paying them *and* giving them hits to their 401 pages excessive....even if it is crap traffic. ;)

they may have stopped taking everyone's 401 traffic by now, for the record i can't say as it's been years since i messed with them.

I think this is a great idea, and I was actually in the middle of getting such an solution made, I think the easiest way is to have the member info in a DB.. so you can keep track of how many times you have issued a new pass ect. I also disagree with Danialle.. killing all blocked accounts would be very stupid.. in our case most of these are legit users who never get blocked again after we give them a new password.

Not even close...99% is from hackers hacking the password file and stealing the passwords.

No programs capable of doing that?

Andre

I once wrote a possible solution for free :)

http://www.kimhollandcash.com/bforce.php

tata ..

Pennywize now lets you direct the failed logins to a different URL.

I use Pennywize, these days I simply wouldn't be without some sort of password trader/brute force protection.

What I've been doing is killing the accounts of people who obviously have compromised passwords and sending them an E-mail asking them to get in touch so I can issue them a new ID/PW. I've found that the people how get in touch never seem to have another problem, leading me to believe their ID/PW was hacked by someone else, not traded by them. The ones who don't get in touch (who have also been consistently the ones with PW/IDs coming form the most subnets) tend to chargeback.

The conclusion is that the worst offenders buy a site, then trade that PW/ID on a board, and when they get caught, they charge back.

Again, another example of VISA and MC not giving a shit about people who are just criminals as long as they are cardholders.

Brutal

justsexxx,

We have sold tons of copies at over $300.00 and never had a complaint. Yes the site design sucks. LOL The program has been around a long time. Stop That Hacker runs 100% on YOUR server! So you don't have to worry about the other guy being down.

The price was reduced so no one with a paysite could ever say they can't afford a password hacking solution.

Not sure about the others but ours stops HEAD brute force attacks at 0 tries! If a head request (The most popular type of brute force hacking) is received to a protected area it is sent to /dev/null and not even responded to.

OneHungLo,

If the hackers are getting your passwords what ever you are using to stop brute force attacks must really suck. :) Or are you forgeting to protect things like formmail.pl on your site?

Hugs,
Danielle

Hi

We use pennywize on all our sites, it's teriffic, and i would hate to live without some kind of protection.

Their new version 3 allows you to redirect all your abused traffic to a URL of your choice - which is pretty kewl. It's only 401 traffic, but still.

Their version 3 one has way improved brute force protection too - Steve showed me how it worked once and it was a real eye opener. Anyway that's my $0.02!

thanks,

Robert

Okay, well I'm not a security expert:) Can I email you, or talk with you on ICQ?

Andre

proxie-pass.com

I think I post this once a week It saved us from a $1000 a day hacked pass problem

justsexxx,

I can do one better. My husband created the script. You can reach him at [email protected]

I told him to expect your email.

Hugs,
Danielle

Okay:) I mail you later today:)

Andre