Old 10-29-2008, 11:06 AM  
raymor
Confirmed User
 
Join Date: Oct 2002
Posts: 3,745
Quote:
Originally Posted by rebekahdee View Post
If there was a leak in the host or payment company surely no amount of software will protect your site?
Quite often a leak at the payment processor is the first thing webmasters
think of, but that's never what we find. It's almost always an issue on
the webmaster's side, often exacerbated by a poorly configured server.
If there was a leak in the payment processor there wouldn't be much you
could do, however you'd also likely see 500 other webmasters posting about
the problem today.

Quote:
Are the passwords not already encrypted when they are stored in the password file meaning that even if the file was compromised it would be of no use as it simply reveals usernames?
Unlike corporate sites like banks who employ security professionals, most adult
sites still use a very weak type of encryption called DES. DES was created in 1974,
then weakened by the NSA and standardized in 1976. The NSA felt that the weakened
version was good enough in the days of 4 MHz processors. It was broken in 1994, so
that encryption you're using has been out of date for a couple decades. Today, with
processors that run over a thousand times as fast as they did in 1976, a readily
available program can crack some of your passwords in just a few seconds if you
use DES. That's not just theoretical - I've done it more than once. So while the
passwords are technically encrypted, that encryption is nearly worthless for a big
password list.

Instead, today's standard for passwords is a salted MD5 hash. When used
in a certain other context, MD5 has a theoretical weakness, but for passwords
salted MD5 should be secure for years to come. SHA1 can also be used, but it
doesn't have the compatibility advantages of MD5 and the SHA2 family is
just around the corner, so we're using MD5 now and will transition to SHA-256
or SHA-512 when the time comes in a few years.

Quote:
Can Strongbox be used to simply encrypt the password file?

Thanks in advance,

Rob.
We CAN just do the encryption and that will probably take care of your
immediate problem. It'd only cost you $30 too. That's kind of like locking
the back door and leaving the front door open, though, as you will be
attacked through some other hole. That might happen next week or it
might be next year but it will of course happen eventually. Normally, when
we upgrade the encryption for people we also upgrade the actual user names
and passwords themselves. When you let users choose their own user
names and passwords, an alarming number of them choose "password"
as their password. I don't care how good your encryption is; if the password
is "password", the bad guys are going to guess that pretty quick. So we
set up a good system which assigns good passwords that won't be guessed,
yet can be remembered and typed more easily than random characters can be.
That then means that your password list is secure - only the person who
bought the password knows the password.

So here we are and we're happy because only the person who signed up
for the account knows the password. Until he posts it all over the place.
Possibly, he posts all 25 accounts which he got with those stolen card numbers.
That's when the state of the art protection of Strongbox comes into play.
The whole system, all three parts, provides you a complete security system.
__________________
For historical display only. This information is not current:
support@bettercgi.com ICQ 7208627
Strongbox - The next generation in site security
Throttlebox - The next generation in bandwidth control
Clonebox - Backup and disaster recovery on steroids
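The DES-versus-salted-MD5 point made above, as an added audit example that is not part of the original post or of Strongbox: it parses htpasswd-style `user:hash` entries and flags the formats the post calls outdated. It assumes the standard crypt(3) prefix conventions (`$1$`, `$apr1$`, `$5$`, `$6$`) and uses a constructed sample file with made-up hash strings.

```python
import re

# Traditional DES crypt output: 2-char salt + 11 chars, all from [./0-9A-Za-z].
_DES_RE = re.compile(r'^[./0-9A-Za-z]{13}$')

# Prefix conventions of the modular crypt(3) formats (assumed, well-known).
_SCHEMES = [
    ("$6$", "SHA-512 crypt", "ok"),
    ("$5$", "SHA-256 crypt", "ok"),
    ("$apr1$", "Apache salted MD5 (apr1)", "ok"),
    ("$1$", "salted MD5 crypt", "ok"),
]

def classify_hash(field):
    """Return (scheme, verdict) for one password-field value."""
    for prefix, name, verdict in _SCHEMES:
        if field.startswith(prefix):
            return name, verdict
    if _DES_RE.match(field):
        return "traditional DES crypt", "weak: 12-bit salt, password truncated to 8 chars"
    if field.startswith("{SHA}"):
        return "unsalted SHA-1", "weak: no salt"
    if field == "":
        return "empty", "weak: no password"
    return "unknown", "review manually"

def audit_htpasswd(text):
    """Parse htpasswd lines and return (lineno, user, scheme, verdict) tuples."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue          # blank lines and comments carry no credential
        user, sep, field = line.partition(":")
        if not sep:
            findings.append((lineno, user, "malformed", "no ':' separator"))
            continue
        scheme, verdict = classify_hash(field)
        findings.append((lineno, user, scheme, verdict))
    return findings

def flagged_entries(findings):
    """Everything that is not a known-acceptable salted scheme."""
    return [f for f in findings if f[3] != "ok"]

# Constructed sample file; the hash strings are shaped like real ones but are not.
SAMPLE = """\
# members area
alice:abJnggxhB/yWI
bob:$1$saltsalt$qjXMvbEw8oaJCd6nc1r7A0
carol:$apr1$yK2Zl9Qn$ZVrBcqGbnSdq6D1dQ7CQa/
erin:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
frank:
"""
```

Running `audit_htpasswd(SAMPLE)` lists every member's scheme; `flagged_entries` narrows it to the accounts that still need re-hashing.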