GoFuckYourself.com - Adult Webmaster Forum

Password thieves (https://gfy.com/showthread.php?t=722740)

Sexsitesurfer 04-10-2007 01:56 AM

Password thieves
 
http://www.xxxpass.se/pass2/2007-03-28-(5567).php

Anyone know these people?

Fuckers! :321GFY :321GFY

bizarrejan 04-10-2007 02:00 AM

nope sorry can't help

Humpy Leftnut 04-10-2007 02:03 AM

*bookmarks*

That's funny, this is how I started my review site in 2002, by using a password hacking IRC channel to gain access to the sites. So many sites were shit back then, and we really tried to review the bad ones as well as the good ones. And really, who lets you into their shitty site so you can tear them a new one? :)

I always figured I was the only one who was breaking in to make people money though, so how mad can they be!

But yeah I feel your pain, they cause real problems, but things are a lot harder for them nowadays.

Couple tips: they use brute force cracking programs to run password lists of people who have previously signed up to porn sites. Usually people use the same username and password, so they'll work on many different sites over the years.

1> if you can, use a form based login, not a pop-up password box as is normal
2> add a human sentry to the form, captcha
3> Block IPs of people who try more than 50+ login attempts in a 15 minute period
4> pick usernames for people
5> force long passwords with letters, capital letters and a number. every extra character makes the number of possibilities way more.

rowan 04-10-2007 02:05 AM

Why did you post the full URL? GFY is full of surfers...

Randyyy 04-10-2007 02:06 AM

most of the links don't work

Sexsitesurfer 04-10-2007 02:10 AM

Quote:

Originally Posted by rowan (Post 12229729)
Why did you post the full URL? GFY is full of surfers...

Shit... can a mod edit it?

I always try to think of this as a webmasters' board....

Humpy Leftnut 04-10-2007 02:11 AM

I know of 2 other review sites other than ASS to start with hacked passwords too actually :D

HighSociety 04-10-2007 02:19 AM

get strongbox :)

Dirty Dutchman 04-10-2007 02:26 AM

Glad my site ain't in there (maybe I should say yet?)
These guys have been busy...

Is hacking not illegal though? And isn't it so that a good host removes illegal sites?

Dirty Dutchman 04-10-2007 02:41 AM

Let me add to this that after trying at least 40 links, I am happy to discover that 0 worked....

Sexsitesurfer 04-10-2007 02:42 AM

Quote:

Originally Posted by Dirty Dutchman (Post 12229826)
Let me add to this that after trying at least 40 links, I am happy to discover that 0 worked....

I presume they get blocked, as ours did.

PowerCum 04-10-2007 03:12 AM

Ok... my main problem is how can I get my paysites listed on such a place on a regular basis.
You will be amazed how much money you can make by listing your sites on these lists... then of course you also must know what to do with the surfers they send you or you will end up with a BIG BW bill and nothing in exchange.

Thank you for the link. I will submit my sites to them tomorrow at some time when I finish a couple of fixes :)

rotowa85 04-10-2007 05:36 AM

Quote:

Originally Posted by Humpy Leftnut (Post 12229723)
*bookmarks*
1> if you can, use a form based login, not a pop-up password box as is normal
2> add a human sentry to the form, captcha
3> Block IPs of people who try more than 50+ login attempts in a 15 minute period
4> pick usernames for people
5> force long passwords with letters, capital letters and a number. every extra character makes the number of possibilities way more.

that's some good advice, although I must say that although it's harder to crack passwords that use form logins it's still possible. and blocking ip addresses is pointless, any good hacker will be using proxies.

I also think it's a bad idea to pick people's passwords for them, correct me if I'm wrong but I think ccbill uses computer generated usernames and passwords. and the fact is that if you can get hold of a ccbill log file (which isn't very difficult from some sites) and decrypt it (which isn't very difficult) you get access not only to all the passwords for that site but to the format that the usernames and passes are in which makes creating a username:password list a lot easier.

and on that if you haven't already then password protect your log files, cos I know for a fact that there are still sites out there which haven't and that is a serious lack in security

raymor 04-10-2007 11:55 AM

Quote:

Originally Posted by made2ordervideos (Post 12229773)
get strongbox :)

He's referring to:
http://bettercgi.com/strongbox/

Strongbox also matches the suggestions that Humpy made:
1> if you can, use a form based login, not a pop-up password box as is normal
2> add a human sentry to the form, captcha
3> Block IPs of people who try more than 50+ login attempts in a 15 minute period

We can also help with his other suggestions:
4> pick usernames for people
5> force long passwords with letters, capital letters and a number.
> every extra character makes the number of possibilities way more.

You said:
> http://www.xxxpass.se/pass2/2007-03-28-(5567).php
> Anyone know these people?

Yes, our spider database has thousands of passwords we've found on that site.

raymor 04-10-2007 12:59 PM

Quote:

Originally Posted by rotowa85 (Post 12230252)
blocking ip addresses is pointless, any good hacker will be using proxies.

Indeed, which is why you block those proxies using something like Strongbox.

Quote:

Originally Posted by rotowa85 (Post 12230252)
I also think it's a bad idea to pick people's passwords for them,

Any reason for that? If you DON'T choose their passwords for them, a surprisingly
large number will choose the word "password" as their password. Another large
percentage will make their password the same as their user name and their user name
is easy to get.

Quote:

correct me if I'm wrong but I think ccbill uses computer generated usernames and passwords.
It can be set to generate user names and passwords, random ones that suck.
It can also be set to use GOOD user names and passwords generated by our tool.

Quote:

and the fact is that if you can get hold of a ccbill log file (which isn't very difficult from
some sites) and decrypt it (which isn't very difficult) you get access not only to all the passwords for that site but to the format that the usernames and passes are in which makes creating a username:password list a lot easier.
Kind of close, but no. The CCBill log doesn't include the password and it's not encrypted.
Also this has nothing at all to do with choosing the user's password for them, BTW.
The CCBill log and other files are IDENTICAL whether the user chooses the password,
the password is random characters assigned by CCBill, or it's a good password generated
by our tool.
What you're thinking of is the password file, .htpasswd, which every password protected
site has. A very few sites store the list in a database rather than a file, but that makes
no difference because they are both just about equally readable. Way back in the day
the passwords in the password file used to be encrypted using a type of encryption called DES,
which can now be cracked in seconds. CCBill and the other processors all still use DES
as the default and make it easy for a cracker to get most of your passwords. We routinely
update the scripts that the processors give you to use a much stronger type of encryption
called "salted MD5".
More info about all of this can be found on this page:
http://bettercgi.com/strongbox/passgen/
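
An added example, not part of raymor's post and not Strongbox or CCBill code: an audit of a .htpasswd file that labels each entry by hash scheme, so entries still on 13-character DES crypt (which also ignores everything past the eighth password character) can be found and re-issued. The sample file is constructed, and treating $apr1$ and $1$ as the "salted MD5" mentioned above is an assumption.

```python
import re

B64 = r"[./0-9A-Za-z]"
# (scheme, pattern for the hash field, weak?, note); first match wins.
SCHEMES = [
    ("bcrypt", rf"\$2[aby]\$\d\d\${B64}{{53}}", False, "salted, tunable cost"),
    ("apr1-md5", rf"\$apr1\${B64}{{1,8}}\${B64}{{22}}", False, "Apache salted MD5"),
    ("md5-crypt", rf"\$1\${B64}{{1,8}}\${B64}{{22}}", False, "FreeBSD-style salted MD5"),
    ("sha1", r"\{SHA\}[A-Za-z0-9+/]{27}=", True, "unsalted SHA-1"),
    ("des-crypt", rf"{B64}{{13}}", True, "2-char salt, only first 8 password chars used"),
]

# Constructed sample file: the hash fields are format-valid placeholders,
# not hashes of real passwords.
SAMPLE_HTPASSWD = "\n".join([
    "# members area",
    "alice:xx0123456789A",
    "bob:$apr1$saltsalt$" + "A" * 22,
    "carol:{SHA}" + "A" * 27 + "=",
    "dave:$2y$10$" + "A" * 53,
    "erin:hunter2",
    "line without a separator",
])


def classify(hash_field):
    """Return (scheme, weak, note) for the part after 'user:'."""
    for name, pattern, weak, note in SCHEMES:
        if re.fullmatch(pattern, hash_field):
            return name, weak, note
    # Anything else is treated as weak: it may be plaintext or a damaged entry.
    # (A 13-character plaintext would be reported as des-crypt, also weak.)
    return "unknown", True, "not a recognised hash format"


def audit(text):
    """Yield one (line_number, user, scheme, weak, note) tuple per entry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hash_field = line.partition(":")
        if not sep or not user:
            findings.append((lineno, None, "malformed", True, "no user:hash separator"))
            continue
        findings.append((lineno, user, *classify(hash_field)))
    return findings


def weak_users(text):
    """Accounts whose stored hash should be re-issued under a stronger scheme."""
    return [user for _, user, _, weak, _ in audit(text) if weak and user]


if __name__ == "__main__":
    for row in audit(SAMPLE_HTPASSWD):
        print(row)
```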

Humpy Leftnut 04-10-2007 01:12 PM

You're right that if you use a simple, or even complex algorithm to generate a "key" or password, and have enough of these generated passwords, a good cracker can figure out the system.

But the thing with security is that anything is breakable, it's just how hard, time consuming and expensive it is to crack. Kind of like car thieves, they go for easy targets, they don't want to stand outside a car for hours pondering ways to get in. If it's not easy, they will move on.

So if I have your user name, and you have a 4 digit password, it only takes a standard computer a few minutes, if that, to run *every* possible 4 letter password that could exist. a, b, aa, bb, ab, and so on. If you add Capital letters and numbers, the possibilities are more.

However if you're looking at an 8 or 9 digit password, we're talking days to figure it out, and probably impossible through a web form without getting all your proxies blocked.

If you don't like the idea of randomly generating passwords, I'd suggest just forcing them to make it at least 8 characters long, and have a capital letter and number in it.

More of you should use Strongbox, it sounds like this guy knows what he's doing, and while form based attempts are indeed crackable, you're again cutting down the number of people willing to put in the time. Most password crackers have very little knowledge of this stuff, they're not the same people that are going to break in, deshadow your password file or decrypt your forced password algo. They're probably 15 year old kids playing with a password cracking windows program and some proxies.

pornmasta 04-10-2007 01:15 PM

- use verotel (or any bill scheme that uses random passwords)
- use turing protections
- warn on your login page, that brute force is useless.
Also most crackers know that with some payment processors brute force is useless.

Strongbox is not a very good option, imo.

Jace 04-10-2007 01:21 PM

Quote:

Originally Posted by pornmasta (Post 12232327)
- use verotel (or any bill scheme that uses random passwords)
- use turing protections
- warn on your login page, that brute force is useless.
Also most crackers know that with some payment processors brute force is useless.

Strongbox is not a very good option, imo.

I have run it for 6 years on a paysite that gets quite a bit of password crackers attempting to rip my shit, strongbox gets them every time and I have never had a password posted to a password forum that was successful

in fact, before strongbox (using ccbill) I had my entire members password list posted....since strongbox that has never happened

shoeaholicanon 04-10-2007 01:22 PM

bah i dunno

TeenCat 04-10-2007 01:27 PM

be glad for those password thieves. they are not stealing from you, but from private boards and are publishing real h*ckers hard work and without sites like this you will never find out that password to your site is h*cked and public :2 cents:

Humpy Leftnut 04-10-2007 02:02 PM

Quote:

Originally Posted by TeenCat (Post 12232382)
be glad for those password thieves. they are not stealing from you, but from private boards and are publishing real h*ckers hard work and without sites like this you will never find out that password to your site is h*cked and public :2 cents:

Well that's assuming you enjoy spending your life scouring the web for people who posted passwords. I think most people would rather..


SET IT, AND FORGET IT!

TeenCat 04-10-2007 02:04 PM

Quote:

Originally Posted by Humpy Leftnut (Post 12232524)
SET IT, AND FORGET IT!

get the source, ban your passwords, leave the source private, that's the way I meant it :thumbsup

pornmasta 04-10-2007 07:31 PM

Quote:

Originally Posted by Jace (Post 12232359)
I have run it for 6 years on a paysite that gets quite a bit of password crackers attempting to rip my shit, strongbox gets them every time and I have never had a password posted to a password forum that was successful

in fact, before strongbox (using ccbill) I had my entire members password list posted....since strongbox that has never happened


yes strongbox gives a protection, however it is not unbreakable, with brute force attack, you have to run the attack slowly with >500 proxies. Of course most people don't use so many proxies, but strongbox is not unbreakable.
Also ccbill's pass scheme can be very weak sometimes, if it is 6/8 user/pass chosen by the users.
I have never seen a verotel password posted, you have to use another way than brute force to enter.
Also it is possible to break turing protections, but it is hard.

So if you ban ips 30 minutes after 3 unsuccessful attempts, with a free turing protection you should have a pretty inexpensive protection.
(at least against brute force)
If you see your full password database posted you should be warned that you may have a keylogger on your server.
Because if your passwords are crypted it is usually not possible to crack more than 70% of the passwords from a database. (with online brute force you have to use a corrupted combo database)
Switching from des to freebsd md5 could be a solution to prevent offline password cracking. (for stolen db).

need a perfect10 password ?
http://www.google.com/search?hl=en&s...ssword&spell=1

and perfect10 started a lawsuit against these sites... (or against google)

pornmasta 04-10-2007 07:35 PM

http://img96.imageshack.us/img96/3741/temp2uz5.jpg

pornmasta 04-10-2007 07:37 PM

http://img412.imageshack.us/img412/4889/temp2wf1.jpg

tony286 04-10-2007 07:47 PM

that's fucked up

TeenCat 04-10-2007 07:55 PM

only webmasters are f*cked up, if they will have some simple script with "3ips and password blocked and new sent max three times to email" there is nothing to be afraid of search engines, cause there will be no alive passwords :2 cents: but that will be not so big adventure and drama :thumbsup

raymor 04-11-2007 10:14 AM

pornmasta you talk a lot about Strongbox for someone who has probably never
even seen it and I know for sure you haven't broken it. No one claimed the $5,000
prize for cracking a Strongbox site, so it seems to be awfully secure.

Teencat, that kind of naive counting worked fine until September of 1999 when all the crackers
started using proxy lists. Since then you HAVE to be smarter than that.
Also of course a single AOL, Earthlink, or DTAG user may show up as 6 different IPs
in one hour, so naively counting IPs like that will block your AOL, Earthlink, and DTAG customers.
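
Humpy Leftnut's rule 3 (more than 50 login attempts in 15 minutes from one IP) and the proxy objection from rotowa85 and raymor, as an added example that is not part of the thread and not Strongbox's code: a sliding-window throttle that keeps the per-IP rule and also counts distinct IPs failing against one account. The 10-address account threshold, the class and method names, and the sample traffic are assumptions.

```python
from collections import deque

WINDOW = 15 * 60       # seconds: the 15-minute period from the thread
IP_LIMIT = 50          # attempts per IP per window, from the thread
USER_IP_LIMIT = 10     # assumed: distinct IPs failing on one account per window


class LoginThrottle:
    """Sliding-window counters keyed by source IP and by target username."""

    def __init__(self, window=WINDOW, ip_limit=IP_LIMIT, user_ip_limit=USER_IP_LIMIT):
        self.window = window
        self.ip_limit = ip_limit
        self.user_ip_limit = user_ip_limit
        self._attempts = {}   # ip -> deque of (timestamp, username), every attempt
        self._failures = {}   # username -> deque of (timestamp, ip), failures only

    def record(self, ip, username, success, now):
        """Call once per login attempt, after the credentials were checked."""
        self._attempts.setdefault(ip, deque()).append((now, username))
        if not success:
            self._failures.setdefault(username, deque()).append((now, ip))

    def _live(self, table, key, now):
        """Expire entries older than the window; forget keys left empty."""
        queue = table.get(key)
        if queue is None:
            return ()
        while queue and now - queue[0][0] >= self.window:
            queue.popleft()
        if not queue:
            del table[key]
        return queue

    def decision(self, ip, username, now):
        """Return 'block_ip', 'challenge_user' or 'allow' for the next attempt."""
        if len(self._live(self._attempts, ip, now)) > self.ip_limit:
            return "block_ip"
        # Only failures count here, so a paying member whose ISP rotates
        # addresses is untouched as long as the password is right.
        sources = {src for _, src in self._live(self._failures, username, now)}
        if len(sources) >= self.user_ip_limit:
            return "challenge_user"   # e.g. captcha or e-mailed reset
        return "allow"


def demo():
    """Constructed traffic: one noisy IP, then one account hit via 12 proxies."""
    t = LoginThrottle()
    for i in range(51):                       # 51 attempts in under 9 minutes
        t.record("203.0.113.7", f"user{i}", False, now=i * 10)
    noisy = t.decision("203.0.113.7", "user0", now=510)
    for k in range(12):                       # one failure per proxy address
        t.record(f"198.51.100.{k}", "alice", False, now=600 + k * 30)
    proxy_ip = t.decision("198.51.100.3", "bob", now=960)
    account = t.decision("192.0.2.44", "alice", now=960)
    return noisy, proxy_ip, account


if __name__ == "__main__":
    print(demo())
```

Each proxy address stays far below the per-IP limit, so only the per-account counter reacts to the spread-out attempts.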

More Booze 04-11-2007 10:18 AM

What a crappy site. No pass I tried worked!

pornmasta 05-15-2007 07:09 AM

Quote:

Originally Posted by raymor (Post 12236483)
pornmasta you talk a lot about Strongbox for someone who has probably never
even seen it and I know for sure you haven't broken it.
...
No one claimed the $5,000
prize for cracking a Strongbox site, so it seems to be awfully secure.
.


Very interesting.

BucksMania 05-15-2007 09:19 AM

wow one of my sites is listed like 3 times there, but pennywize did its job :)

Violetta 05-15-2007 09:34 AM

7 urls to my site. I'm glad I am using proxypass... :)

Fuckers...

pinkz 05-15-2007 09:51 AM

this is similar to ultrapasswords dot com

none of the passwords work you just get sent to the main tour of the supposedly hacked sites

quite ingenious if you think about it the surfer thinks he or she is going to get a freebie instead they get sent to a 1 dollar trial pass (which in my books is almost free) in their frustration they will probably sign up!! webmaster is quids in!

Zoose 05-15-2007 09:59 AM

Quote:

Originally Posted by raymor (Post 12236483)
pornmasta you talk a lot about Strongbox for someone who has probably never
even seen it and I know for sure you haven't broken it. No one claimed the $5,000
prize for cracking a Strongbox site, so it seems to be awfully secure.

Somehow I don't see someone doing something illegal claiming a prize. Strongbox is way better than anything else out there but I have seen a couple of Strongbox protected sites with working passwords being shared a while back. Who knows how the passwords were actually obtained though.. they could have been shared or carded and not cracked. Ultimately though, I think Strongbox is the happy medium as far as site security, if you make it any more of a pain in the ass to log in or surf the site you're going to piss off your legitimate customers.

gmr324 05-16-2007 06:30 AM

Another Solution
 
Many of these password trading sites are outside of
the US. Time has proven that they have multiple lives
and just rear their ugly heads over and over again
after being shut down.

You can easily use Google to pinpoint exactly who is
publishing stolen passwords from your sites.
Basically, in Advanced Search Mode in Google, use the
template:

"http://*:*@xxx.com/members"

There will always be malicious hackers who get their
kicks by publishing stolen passes. The trick is to
make sure those stolen passes DO NOT WORK. That takes
all the fun away from hacking them and will discourage
leechers if all they find are dead passwords in those
trading forums.

I represent a Next Generation Password Protection
System called Phantom Frog that is based on the
premise of providing 24/7 uninterrupted access to your
valid members and none to hackers/leechers. Our system
uses Geo-IP Tracking technology which will not even
allow 2 friends to share the same password let alone a
whole trading forum with hundreds of leechers!

The second way we make life simple for webmasters
is through Automated Member Support. So, if this
abuse/sharing happens while you're sleeping or away,
your legitimate paying member can have a
fresh new password re-issued to them via email.
As a result, the paying member is not blocked out of
your website and isn't looking to cancel their
membership.

Our product is integrated with CCBill, NetBilling, Paycom,
NATS, MPA3, Verotel, 2000Charge, SegPay, Jettis, and
365Billing. We have stellar webmaster testimonials listed
on our site.

Phantom Frog has a simple FREE Trial Version which
installs in 5 minutes or we can handle the complete
demo installation for you from our end. Most of
our customers were motivated to purchase our password
protection only 3 days after installing the demo!

Check out our recent partnership announcement with
Mansion Productions:

http://www.gofuckyourself.com/showthread.php?t=727421

Visit this link to try our FREE demo:
www.PhantomFrog.com/g

Please feel free to contact me with any questions or
feedback.

[email protected]
ICQ: 226948212

TBrown 05-16-2007 07:18 AM

how about this:

WWW.OPIUM.SE

or

www.forums.anticommon.com

mattz 05-16-2007 07:19 AM

sweet, thanks for the free porn!

Iron Fist 05-16-2007 07:51 AM

http://i86.photobucket.com/albums/k9...mystride37.gif

http://www.opium.se - Wow... nice teeth!

TBrown 05-16-2007 08:00 AM

Quote:

Originally Posted by mattz (Post 12441229)
sweet, thanks for the free porn!

:1orglaugh welcome

SomeCreep 05-16-2007 08:01 AM

Quote:

Originally Posted by sharphead (Post 12441312)

Wow, that's fucking cool. Looks totally 3-D.

martinsc 05-16-2007 08:03 AM

Quote:

Originally Posted by sharphead (Post 12441312)

that's pretty cool :thumbsup

pornmasta 05-17-2007 12:18 AM

well an old solution was to add fake passwords that redirect to a tour, so if a bruteforcer tries to start an attack he will get fake passwords (very common) first, then, or it publishes the pass, and it is good for your website, and I notice that there are too many fakes and stops.

Also, a famous forum is deny.de, you will (strangely) find a lot of adult webmasters there and they know the market.


All times are GMT -7.