GoFuckYourself.com - Adult Webmaster Forum


MikeSmoke 08-05-2005 08:22 PM

Anyone who uses pennywize...
 
have you noticed anything odd over the last week? I'm getting tons of un/pw combos disabled, including ones that belong to friends who I *know* haven't been trading...and can't see anything unusual on the servers as far as traffic or referrers are concerned...

TheDoc 08-05-2005 08:24 PM

That is because PW traders know EXACTLY how to beat pennywize. It DOES NOT protect your members area.

Gateway69 08-05-2005 09:27 PM

proxypass is the way to go.. works like a charm and has saved us sooo much bw

TheDoc 08-05-2005 09:29 PM

proxypass is much better than pennywize, strongbox owns them both..

Even PP won't stop pw traders, anything under your set limit will get in, they rotate pw's to stay under those limits and they can still hammer brute force attack.

Gateway69 08-05-2005 10:29 PM

u can set the limit in PP to whatever u feel comfortable with.

ninavain 08-06-2005 12:13 AM

Quote:

Originally Posted by TheDoc
That is because PW traders know EXACTLY how to beat pennywize. It DOES NOT protect your members area.

pennywize is a joke..dropped them for strongbox..but they have issues too

AdultMegaCash 08-06-2005 12:19 AM

Yes having the same issue, but we have other custom securities in place.

SGS 08-06-2005 12:32 AM

Quote:

Originally Posted by ninavain
pennywize is a joke..dropped them for strongbox..but they have issues too

What issues does Strongbox have?

MikeSmoke 08-06-2005 12:51 AM

Quote:

Originally Posted by AdultMegaCash
Yes having the same issue, but we have other custom securities in place.

thanks, glad to hear it's not just me.

(and thanks for the other posts, but i know the various pros and cons of the different systems - my sites are not the usual ones that have "professional" hackers, i only have to worry about amateurs who trade passwords among themselves.)

venus 08-06-2005 03:24 AM

I have been using password sentry for several years, no problems with it.

Gateway69 08-06-2005 10:30 AM

don't get me started on password sentry. that thing never worked well for any of our sites.. u should really switch to proxy or strong u will prob see a huge drop in bw usages.

SGS 08-06-2005 12:29 PM

Quote:

Originally Posted by Gateway69
don't get me started on password sentry. that thing never worked well for any of our sites.. u should really switch to proxy or strong u will prob see a huge drop in bw usages.

The only problem with Strongbox is running it on large load balanced server setups.

Hunter_ST 08-06-2005 12:47 PM

I love how one person says they've been using "X" forever, and then another person says "x" sucks, you should use "Y".

You'd think there would be some kind of agreement on the best password protection?

Anyone else have any real-world experience with a pw protection system that works?

SGS 08-06-2005 12:53 PM

Quote:

Originally Posted by Hunter_ST
I love how one person says they've been using "X" forever, and then another person says "x" sucks, you should use "Y".

You'd think there would be some kind of agreement on the best password protection?

Anyone else have any real-world experience with a pw protection system that works?

We have run most of them and are still running several different systems still now for various reasons on different sites but Strongbox is the best available at the moment by miles.

seven 08-06-2005 12:56 PM

Quote:

Originally Posted by SGS
What issues does Strongbox have?

same q for you here.. would like to know about the issues you got

emmanuelle 08-06-2005 01:11 PM

Mike hit me up on icq (64614011) I might be able to help you ;-)

SGS 08-06-2005 01:32 PM

Quote:

Originally Posted by seven
same q for you here.. would like to know about the issues you got

Apart from issues with load balanced servers I am not aware of any problems at all.

latinasojourn 08-06-2005 01:56 PM

Quote:

Originally Posted by Gateway69
proxypass is the way to go.. works like a charm and has saved us sooo much bw

yes, years ago used pennywize. always had probs.

last couple years on proxypass, no probs.

and antihotlinking.com for movie protection.

latinasojourn 08-06-2005 01:57 PM

and i will say this also.

if you are on ccbill upgrade to their new security.

tedious to do, but bulletproof so far.

PbG 08-09-2005 10:43 PM

I often wondered about this ... never been able to get this info from Ray. The only customer we have using it doesn't do enough traffic to hit our radar.

Quote:

Originally Posted by SGS
The only problem with Strongbox is running it on large load balanced server setups.


V_RocKs 08-09-2005 10:51 PM

Pennywize is not your problem. If your friends' passwords are getting used then this has nothing to do with password protection scripts at all. This has to do with someone obtaining either your password file or database info where user and password are stored. To say it plainly, you've been hacked and now they have all of your passwords.

Jace 08-09-2005 10:55 PM

i have been using iprotect for years now with not one bit of trouble ever

TheDoc 08-09-2005 11:05 PM

Quote:

Originally Posted by V_RocKs
Pennywize is not your problem. If your friends' passwords are getting used then this has nothing to do with password protection scripts at all. This has to do with someone obtaining either your password file or database info where user and password are stored. To say it plainly, you've been hacked and now they have all of your passwords.

Pennywize doesn't stop brute force attacks, it doesn't even slow them down. Proxypass is better but it still won't stop attacks. Even strongbox has minor issues with attacks.. If you use htauth, you will get leaks, period, it has NOTHING to do with being hacked or someone getting your pw file, it has EVERYTHING to do with brute force attacks.

BTW.. Proxypass offers form protection now from what I understand, or secret word protection, something like that. That would make it as strong as strongbox..

The strongest solution right now is strongbox, hands down. From what I understand someone has strongbox running on a load balancer.

V_RocKs 08-09-2005 11:15 PM

Quote:

Originally Posted by TheDoc
Pennywize doesn't stop brute force attacks, it doesn't even slow them down. Proxypass is better but it still won't stop attacks. Even strongbox has minor issues with attacks.. If you use htauth, you will get leaks, period, it has NOTHING to do with being hacked or someone getting your pw file, it has EVERYTHING to do with brute force attacks.

BTW.. Proxypass offers form protection now from what I understand, or secret word protection, something like that. That would make it as strong as strongbox..

The strongest solution right now is strongbox, hands down. From what I understand someone has strongbox running on a load balancer.


He stated that his friends' own personal accounts were hacked. That means this isn't a cracker bruteforcing, it is a hacker who stole the password file.

TheDoc 08-09-2005 11:25 PM

Quote:

Originally Posted by V_RocKs
He stated that his friends' own personal accounts were hacked. That means this isn't a cracker bruteforcing, it is a hacker who stole the password file.


Hehe, yeah, personal accounts can be brute force attacked, without much of a problem.. Even more so when you guess a username on pennywize, and it tells you if it's active or not even if the pw is wrong. So then they just need to hammer the username for the pw combo..

Not hard when they have a million word dictionary files.

V_RocKs 08-10-2005 02:42 AM

Quote:

Originally Posted by TheDoc
Hehe, yeah, personal accounts can be brute force attacked, without much of a problem.. Even more so when you guess a username on pennywize, and it tells you if it's active or not even if the pw is wrong. So then they just need to hammer the username for the pw combo..

Not hard when they have a million word dictionary files.

Actually it is very hard and you possibly have never tried it.

#1 If the word isn't in the dictionary it can't be bruteforced since it isn't ever tried (it is not in the list).
#2 With a 3mb connection the best you will be able to do is about 80,000 an hour. If you DID try it that many times an hour, your list of 2000 proxies would begin to be blocked in about 20 minutes or so. At this speed it would take 12.5 hours to try 1,000,000 passwords... and that is per user...

Cracking websites is like stealing cars. If you can spend another 10 minutes to find one without a tracking system, steering wheel locking system or alarm, it is worth it to avoid 4 years in prison. If you can find a website that uses basic authentication and has a large pool of users it is better than a form based login to a site with 200. But if you know how to disable alarms and tracking systems it is like being able to just steal the password file. It is easier than spending 12.5 hours PER USERNAME....

If he had MULTIPLE users with VIP passes, then he was hacked.
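
Added example, not part of the thread and not any poster's or vendor's code: a log triage that separates the two explanations argued above, a password guessed after repeated 401s versus valid credentials used cleanly from many networks. It assumes Apache common log format with Basic auth and chronological lines; the sample lines, thresholds and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache common log format: host ident user [time] "request" status bytes.
# With Basic auth, %u carries the supplied username even on a 401.
LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "[^"]*" (\d{3}) \S+')

def make_line(ip, user, status):
    """Build one constructed log line (sample data, not from the thread)."""
    return f'{ip} - {user} [05/Aug/2005:20:00:00 -0700] "GET /members/ HTTP/1.1" {status} 512'

# Constructed sample: alice is guessed after repeated 401s from rotating IPs,
# bob logs in cleanly from four networks, carol mistypes once.
SAMPLE_LOG = "\n".join(
    [make_line(f"198.51.100.{i}", "alice", 401) for i in range(1, 7)]
    + [make_line("198.51.100.7", "alice", 200)]
    + [make_line(f"203.0.113.{i}", "bob", 200) for i in range(1, 5)]
    + [make_line("192.0.2.10", "carol", 401), make_line("192.0.2.10", "carol", 200)]
)

def triage(log_text, fail_threshold=5, ip_threshold=3):
    """Classify each username that logged in; thresholds are illustrative."""
    fails = defaultdict(int)       # username -> 401s seen so far
    fails_before_ok = {}           # username -> 401s before its first 200
    ok_ips = defaultdict(set)      # username -> distinct IPs with a 200
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(2) == "-":
            continue               # unparseable or unauthenticated request
        ip, user, status = m.groups()
        if status == "401":
            fails[user] += 1
        elif status == "200":
            fails_before_ok.setdefault(user, fails[user])
            ok_ips[user].add(ip)
    verdicts = {}
    for user, ips in ok_ips.items():
        if fails_before_ok[user] >= fail_threshold:
            verdicts[user] = "guessed"            # failures, then a success
        elif len(ips) >= ip_threshold:
            verdicts[user] = "shared-or-leaked"   # clean logins, many sources
        else:
            verdicts[user] = "normal"
    return verdicts

if __name__ == "__main__":
    for user, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(user, verdict)
```

Several accounts landing in "shared-or-leaked" with no preceding failures points toward the credential store or a member's own device rather than the login limiter.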


All times are GMT -7.