Compromised Passwords..
Ok I posted on the other section but it seems like this is where all the traffic is...
Lately I have been seeing a surge in passwords compromised on my site. I use ProxyPass and it does VERY well. Maybe too well.. lol. What I was wondering is if there was anything else I can do. I look at the list of usernames and I know they are legit people (for the most part of the list). Is it normal to have so many passwords compromised? It is a pain in the ass going and changing people's passwords and usernames throughout the week. Any info on this topic? Amy
Two things..... go to ccbill admin and change to random passwords if you have not already.
Also, get http://www.bettercgi.com/strongbox/ Need anything else contact me, I am in Vegas (we should hook up and you can shoot with some of my girls.)
Already hit on above... I used to crack passwords for fun when I was younger. Your website is a PRIME CLASS A website for cracking passwords.
#1, use the random password option. It is in the CCBILL admin or ask corvette to help you. #2, use a form login like strongbox. Crackers hate form logins. In your current situation I can steal the password file of a website similar in scope to your own. A solo-model amateur site. Most likely you both have say 800 to 4000 users at any given point in time. Of the 800 (low ball figure) you and the other site have had 25% of your customers signup at both sites at some point in time. Since this has occurred, many of the same combos I stole from them now work on you... You have no form login so checking which ones they are happens at 100,000 tries per hour. If you had a form it would be closer to 8,000 if it had a security code and 25,000 without one. This is because of all of the extra data and computing time a form sends. Your current basic authentication popup screen is a header only request so it is very small and takes no time at all. So again... random passwords so you do not share the same combos with other sites (just the same users)... And back it up with a form login with a security code... You will be like a car with an alarm and steering wheel lock... why steal your car when so many others are easier?
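As an added defender-side illustration of the two patterns described in the post above (this is not code from the thread, from ProxyPass or from any product named here, and the log lines are constructed): a small parser over Apache combined-log lines that flags hosts replaying many different usernames against the Basic-auth prompt, and members whose login succeeds from an unusual number of hosts, which is what a shared or posted combo looks like in the logs.

```python
import re
from collections import defaultdict

# Apache combined log: %h %l %u %t "%r" %>s %b ...
# %u is the username from the Basic-auth header and is logged even when the
# response is 401, so failed guesses carry the username that was tried.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) ')

# Constructed sample (not from any real site): one host cycling through a
# combo list against /members/, and one member login used from many hosts.
SAMPLE_LOG = """\
203.0.113.9 - amyfan01 [05/Mar/2004:01:00:00 -0700] "GET /members/ HTTP/1.1" 401 381
203.0.113.9 - jdoe [05/Mar/2004:01:00:01 -0700] "GET /members/ HTTP/1.1" 401 381
203.0.113.9 - bob77 [05/Mar/2004:01:00:01 -0700] "GET /members/ HTTP/1.1" 401 381
203.0.113.9 - ksmith [05/Mar/2004:01:00:02 -0700] "GET /members/ HTTP/1.1" 401 381
203.0.113.9 - ksmith [05/Mar/2004:01:00:02 -0700] "GET /members/ HTTP/1.1" 200 5120
198.51.100.4 - paul_m [05/Mar/2004:01:05:00 -0700] "GET /members/ HTTP/1.1" 200 5120
192.0.2.77 - paul_m [05/Mar/2004:01:06:00 -0700] "GET /members/ HTTP/1.1" 200 5120
192.0.2.150 - paul_m [05/Mar/2004:01:07:00 -0700] "GET /members/ HTTP/1.1" 200 5120
198.51.100.200 - paul_m [05/Mar/2004:01:08:00 -0700] "GET /members/ HTTP/1.1" 200 5120
"""

def parse(lines):
    """Yield one dict per log line that matches the combined-log layout."""
    for line in lines.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def stuffing_sources(lines, min_users=3):
    """IPs that drew 401s for at least min_users *different* usernames.
    A member mistyping a password fails on one name; a replayed combo list
    fails on many names from the same host."""
    failed = defaultdict(set)
    for e in parse(lines):
        if e["status"] == "401" and e["user"] != "-":
            failed[e["ip"]].add(e["user"])
    return {ip: sorted(u) for ip, u in failed.items() if len(u) >= min_users}

def shared_logins(lines, max_ips=3):
    """Usernames that authenticated (200) from more than max_ips hosts:
    the footprint of a combo that has been posted and is being traded."""
    ips = defaultdict(set)
    for e in parse(lines):
        if e["status"] == "200" and e["user"] != "-":
            ips[e["user"]].add(e["ip"])
    return {u: sorted(i) for u, i in ips.items() if len(i) > max_ips}
```

The thresholds are assumptions to tune against a real log; on the sample, the first function reports 203.0.113.9 (four usernames tried, one of which then succeeded) and the second reports paul_m (four distinct hosts).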
Yes, it's the same thing I have been saying for a long time; I personally (not my company) know a lot of people that are into the whole Warez and Pass Cracking scene (a lot of them even have their own sites). But most of the program owners ban you from working with them (posting ads/links on their sites, etc). It would be very easy for someone like me that has friends on "that side of the line" to go to them and cut a deal. For instance (let's pretend I was one of your affiliates), if I went to a few of them and said "hey, here's the deal, we want to start getting more (paying) traffic to this site but we can't if you guys are allowing their user:pass combos to be listed on your sites. So here's what I'm proposing, blacklist (ban) all links to amysworld on your sites and in return for each signup that we get from our "marketing" * on your boards, you get 1/2 of the commission." I guarantee that you would see a HUGE drop in the number of compromised passes on your site....... But unfortunately, as I said before, most programs forbid us to deal with these sites.....
* - There are very clever and "secretive" ways to market on these sites (with the site admins' support) that are not known to many and can be very successful.... :2 cents:
Good advice here. Thanks guys.
Another popular thing is making 10 fake accounts a day and sending them to these sites... The accounts get blocked as usual and the users get the 401 screen telling them about how to signup...

Isn't it GOOD for me to have them stop promoting the passwords and promote my affiliates? I mean, more traffic for my affiliates which means more traffic for me. Clear me up, please.

Yes, that is a GREAT thing, but here is the deal..... let's say I join your program as an affiliate and in the Affiliate Terms and Conditions (yes, I actually read those :winkwink: ) it states that I AM NOT allowed to post links on any "password trading sites, warez sites, etc." otherwise my affiliate account will be terminated and I will not be paid. Well, that means that I cannot go to my friends that own the password trading sites and tell them to pull the links to your site and put up our own "marketing" links or I will risk getting banned by you as an affiliate and I won't make any money..... (I hope I am making sense so far?)
This is one of the forms of "marketing" that I am talking about. However, without the Site Admin's prior approval you will either get banned very quickly for doing this or develop a reputation as a scammer. Bottom line: If program owners would just authorize people like me to make deals with these types of sites, it would work out well for everyone involved (except the people looking for free passwords :winkwink: ); instead of just forbidding people to even deal with them.
Hit me up on ICQ.
One problem with making free passwords and posting them though is that people who are savvy enough to find free porn passwords are also savvy enough to download your entire site and possibly mirror it for their network of friends...
A lot of big name sponsors apparently don't care because they have been using this advertising tool for years... So it apparently is working out for them. How long do you make them for? Depends... how long do you want to keep tricking people into coming in? You can make 20 accounts and then rotate them by sets of 5... to try and keep the surfer from realizing the same 5 accounts keep getting posted... Activate them and I am sure proxy pass will close them within an hour or two of use... Which is when the advertising starts...
I think ppl from xxxpassword forums don't buy anything, they expect porn for free, why bother promoting there?
And you will be exposing your site to some crackers, slowing down your server with their attacks, etc. but it's up to you.. my 2cents

This is a VERY common misconception in this industry. First, it's not that people on pass sites don't buy anything; but why buy something if you can get it free? Also, regarding "exposing your site to some crackers"..... you don't think that you're already vulnerable? All I have to do is go to any one of those boards and say "does anyone have a working login for blahblah.com" and within minutes your server is under attack.... this is the same thing their members do. It's not a matter of "If I ignore them, they won't try to crack my site". Conversely, if I made a deal with them not to allow your site to be posted or requested, none of their crackers would attempt to attack your servers.
Amy,
you can do everything everyone recommends and more and still have passwords get out. It's just how things go. Nothing is 100% secure, but the more secure you try to make your site the more you inconvenience your customers. I like to keep things as simple as possible for my members. There are lots of ways to fix your problem. Last week I had about 40 passwords out, they were killed pretty quickly, I researched my logfiles and found they were coming from a couple of msg boards. So I went to the boards to see what was going on there and found they were pay to view boards. These guys had to be newbies, one was using paypal to collect his money, the other storm pay. The paypal one I had shut down the same day; storm pay, it took several days for their pay section to get shut down. If passwords are only a slight inconvenience to you, you may not want to increase security and go after the places posting your passes. It's just a technique, everyone has their own way of doing things, but after almost 9 yrs, I am pretty used to password traders so they don't bother me much. You have lots of options.
Make sure any PHP programs you are using are updated, check your directory that holds your .htpasswd file for any strange php files, one in particular is called help.php, it will allow them to create users (or do pretty much anything to your server).
If you are using a forum, don't use FreePHBB, use vBulletin and again make sure it's the most recent version. Plus all the other shit other people have said.