Thanks to all of you who mentioned Strongbox.
We have thousands of hours of research and development
into making Strongbox THE defense system for your site,
so it's always very good to hear that it's been so helpful
to so many people.
High_Times made a very good point that there are two different
problems to be aware of. Even with Strongbox watching out for
abused passwords, if you hand a cracker your entire
unencrypted password list then you're still going to have a
problem. The cracker will distribute all of your passwords.
Strongbox will dutifully notify you that you have a large number
of cracked passwords out and will suspend those usernames,
but the customers won't be happy.
If you are using an old-fashioned .htpasswd file that's only
encrypted with an algorithm called DES, which is next to
worthless. If those DES encrypted passwords are based on English
words, which they normally are if you let your users choose
their own passwords, a cracker can decrypt many of those
passwords within seconds. You have to secure your passwords
better than that.
In other words, the first step is to secure your password list so
that a cracker can't easily get the whole list. The second step is
to have Strongbox or another quality security system handle any
passwords that do get compromised. This thread is about to
hit 3 pages, with many posts that may not hold people's
interest and people may well not read all the way to the end,
so I'm going to post a new thread describing exactly how to
solve this other problem brought up by High_Times.
__________________
support@bettercgi.com ICQ 7208627
Strongbox - The next generation in site security
Throttlebox - The next generation in bandwidth control
Clonebox - Backup and disaster recovery on steroids
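The post's warning about DES-based .htpasswd files is easy to check for: Apache's htpasswd writes a recognisable hash shape for each scheme it supports, so a short audit script can tell you which accounts still sit on DES crypt (or unsalted SHA-1) before a copy of the file ever leaks. The following is an added example, written for this thread, not code from the post's author or from Strongbox/bettercgi. The .htpasswd contents are constructed placeholders with the right shape for each scheme, not hashes of real passwords; the scheme names and the `weak` judgement are this example's own labels.

```python
import re
from typing import List, NamedTuple

# Constructed sample .htpasswd (not real credentials). Each value has the
# correct length and alphabet for its scheme but is not a hash of anything.
SAMPLE_HTPASSWD = """\
# constructed sample: one entry per scheme htpasswd can write
alice:aBcDeFgHiJkLm
bob:{SHA}abcdefghijklmnopqrstuvwxyz0=
carol:$apr1$saltsalt$abcdefghijklmnopqrstuv
dave:$2y$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234
frank:$2y$05$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234
eve:not-a-valid-hash
mallory-no-separator
"""


class Entry(NamedTuple):
    user: str
    scheme: str
    weak: bool
    note: str


# Hash shapes as written by Apache's htpasswd, most modern first.
PATTERNS = [
    ("bcrypt", re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")),
    ("apr1-md5", re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$")),
    ("sha1", re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$")),
    ("des-crypt", re.compile(r"^[./A-Za-z0-9]{13}$")),
]


def classify(user: str, hashed: str) -> Entry:
    """Identify the hash scheme of one entry and say whether it needs rehashing."""
    for name, pattern in PATTERNS:
        match = pattern.match(hashed)
        if not match:
            continue
        if name == "des-crypt":
            return Entry(user, name, True,
                         "DES crypt: only the first 8 characters count and it is "
                         "cheap to brute force; rehash with bcrypt")
        if name == "sha1":
            return Entry(user, name, True,
                         "unsalted SHA-1: identical passwords share one hash and "
                         "precomputed tables apply; rehash with bcrypt")
        if name == "apr1-md5":
            return Entry(user, name, True,
                         "salted, iterated MD5: acceptable only as a stopgap; "
                         "migrate to bcrypt")
        cost = int(match.group(1))
        if cost < 10:
            return Entry(user, name, True, f"bcrypt cost {cost} is low; raise it")
        return Entry(user, name, False, f"bcrypt cost {cost}")
    return Entry(user, "unknown", True,
                 "unrecognised hash format; check for corruption or plaintext")


def audit_htpasswd(text: str) -> List[Entry]:
    """Parse .htpasswd text and classify every account line."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hashed = line.partition(":")
        if not sep:
            entries.append(Entry(f"line {lineno}", "malformed", True,
                                 "no ':' separator between user and hash"))
            continue
        entries.append(classify(user, hashed))
    return entries


def weak_users(text: str) -> List[str]:
    """Names (or line references) of entries that should be rehashed."""
    return [e.user for e in audit_htpasswd(text) if e.weak]


if __name__ == "__main__":
    for entry in audit_htpasswd(SAMPLE_HTPASSWD):
        flag = "REHASH" if entry.weak else "ok"
        print(f"{entry.user:10} {entry.scheme:10} {flag:7} {entry.note}")
```

Run against a real file with `audit_htpasswd(open("/path/to/.htpasswd").read())`. Any account reported as `des-crypt` or `sha1` should be regenerated with `htpasswd -B` (bcrypt), which forces the users concerned to set a new password, since the old hash cannot be converted in place.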