Welcome to the GoFuckYourself.com - Adult Webmaster Forum forums.

Old 12-15-2011, 01:56 PM   #1
Lord Voldemort
Confirmed User
 
 
Join Date: Nov 2008
Location: in your darkest dreams
Posts: 181
How do password trading sites get the passwords?

Several passwords were traded for my partner's site and he ended up with over $1000 in bandwidth overage fees. All the passwords were legitimate passwords in the htpassword file, created on very different dates from IPs in different countries, so we're wondering how the hell those fuckers got the passwords.
Anybody know?
__________________
You can't buy love. But you can adopt!
Old 12-15-2011, 02:03 PM   #2
MakingItPay
Confirmed User
 
Join Date: Feb 2005
Posts: 1,920
They sometimes hack your server. Members share them, etc. But you gotta pony up the money to have a proxypass or phantomfrog to keep these jerks from eating you up. It is well worth it.
__________________
Giant Boob High Def Trifectas
http://www.TrifectaBucks.com

3D Super Sites that Sell
http://www.ThrillBucks.com

Giant Boobs Anyone?
http://www.MakingitPay.com

ICQ me at 213177906
Old 12-15-2011, 02:03 PM   #3
bean-aid
So Fucking Banned
 
Join Date: Jun 2011
Location: the land of woke sleuths
Posts: 16,493
Teencat would know.

Plus he should be protecting his server for multiple logins; ask around. Several good options.
Old 12-15-2011, 02:05 PM   #4
alias
aliasx
 
 
Join Date: Apr 2001
Posts: 19,010
Brute force with proxies using word lists is one way.
__________________
https://porncorporation.com
Old 12-15-2011, 02:05 PM   #5
BNMedia
Confirmed User
 
Join Date: Nov 2009
Posts: 433
Do yourself a favour and get Strongbox. Could have saved you the $1000 overage!
They will also upgrade the encryption (if you ask them) to make the password file much harder to hack ;-)
Speak to Ray Morris, Raymor on here I think.
__________________
---------------------------------------------------------
Webmaster of www.kinkykicks.net - Your 1 stop resource for ballbusting and cruel sexual femdom.
Join our affiliate program at www.cash4kicks.com
Old 12-15-2011, 02:05 PM   #6
Roald
SecretFriends.com
 
Join Date: May 2001
Location: IMC Headquarters
Posts: 27,887
Is your partner using some sort of protection like Strongbox?
__________________


WE ARE BUYING PAY SITES! CONTACT ME



ClubSweethearts | ManUpFilms | SinfulXXX | HOT * AdultPrime * HOT


Paying webmasters since 1996! Contact: r.riepen @ sansylgroup.com | telegram: roaldr
Old 12-15-2011, 02:06 PM   #7
spazlabz
Confirmed User
 
Join Date: Jul 2003
Location: Kentucky
Posts: 6,548
Quote:
Originally Posted by alias
Brute force with proxies using word lists is one way.
pretty common for the script kiddie crowd
Old 12-15-2011, 02:07 PM   #8
x-rate
Confirmed User
 
Join Date: Jun 2008
Location: Montreal
Posts: 725
It says it by itself... they trade it! :P
__________________
Have quality traffic? Make money with Crakrevenue
Email: misterxmtl @ hotmail.com
Skype: misterxmtl
Old 12-15-2011, 02:16 PM   #9
AdultEUhost
ORLY?
 
Join Date: Oct 2005
Location: NL & US
Posts: 2,579
Of course every case is different but mostly people really sign up and either download the entire members area to upload it on torrents etc or they publish the login on a password forum. Mostly because they want to be cool or keep a good reputation on these forums.
__________________
ICQ: 267-443-722 / leon [at] adulteuhost [dotcom]

Nominated for an XBIZ Award as "Webhost of the Year" in 2007, 2012, 2013 and 2014
Old 12-15-2011, 02:39 PM   #10
fris
Too lazy to set a custom title
 
Join Date: Aug 2002
Posts: 55,372
I don't feel sorry for companies that still use htaccess and pennywize; it's their own fault.
__________________
Since 1999: 69 Adult Industry awards for Best Hosting Company and professional excellence.


WP Stuff
Old 12-15-2011, 03:58 PM   #11
Adult Insider Dave
Confirmed User
 
 
Join Date: Jun 2005
Posts: 533
Quote:
Originally Posted by Lord Voldemort
Several passwords were traded for my partner's site and he ended up with over $1000 in bandwidth overage fees. All the passwords were legitimate passwords in the htpassword file, created on very different dates from IPs in different countries, so we're wondering how the hell those fuckers got the passwords.
Anybody know?
Hack attempts at your server are the most common, I would say, based on what I've seen. We implemented a lot of different ways to help prevent this on our backends, including when a login is used from more than X number of IPs it gets disabled. This will fix most of the overage problems, since when a password is shared on most of these shit sites you'll see a flood of logins with the same user from multiple IPs within a matter of minutes/hours.

Oftentimes though you need to be aware that a legit member could be affected, so you need to change their user/pass and get it to them ;)
__________________
Promote our penis growth and acne books, earn 75% on sales and rebills.

Contact me if you want a custom backend like Pornstarbucks and Freenetpass integrated with any billing gateway:
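The multiple-IP check described in post #11, as an added example (not part of the thread and not any poster's backend code): it reads Apache access-log lines, assumed to be in time order, and reports each user seen from more than `max_ips` addresses inside a sliding window. The function name, thresholds and log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log prefix: client IP, identd, auth user, [timestamp]
LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\]')

def shared_logins(lines, max_ips=3, window=timedelta(hours=1)):
    """Return {user: sorted IPs} for users seen from more than max_ips
    distinct client IPs inside any sliding window of the given length."""
    recent = defaultdict(deque)   # user -> (time, ip) hits still inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(2) == '-':       # skip junk and unauthenticated hits
            continue
        ip, user, stamp = m.groups()
        when = datetime.strptime(stamp, '%d/%b/%Y:%H:%M:%S %z')
        hits = recent[user]
        hits.append((when, ip))
        while when - hits[0][0] > window:    # drop hits older than the window
            hits.popleft()
        ips = {h[1] for h in hits}
        if len(ips) > max_ips and user not in flagged:
            flagged[user] = sorted(ips)      # candidates to disable and re-issue
    return flagged

# Constructed sample log (documentation IP ranges, made-up users and paths).
SAMPLE_LOG = """\
192.0.2.10 - alice [15/Dec/2011:13:00:01 +0000] "GET /members/ HTTP/1.1" 200 5120
198.51.100.7 - bob [15/Dec/2011:13:00:05 +0000] "GET /members/ HTTP/1.1" 200 5120
203.0.113.4 - bob [15/Dec/2011:13:02:11 +0000] "GET /members/a.jpg HTTP/1.1" 200 90211
203.0.113.99 - bob [15/Dec/2011:13:02:40 +0000] "GET /members/b.jpg HTTP/1.1" 200 88102
192.0.2.200 - bob [15/Dec/2011:13:03:02 +0000] "GET /members/c.jpg HTTP/1.1" 200 87001
192.0.2.10 - alice [15/Dec/2011:19:30:00 +0000] "GET /members/ HTTP/1.1" 200 5120
192.0.2.77 - alice [16/Dec/2011:08:15:00 +0000] "GET /members/ HTTP/1.1" 200 5120
198.51.100.23 - - [16/Dec/2011:08:16:00 +0000] "GET /members/ HTTP/1.1" 401 401
""".splitlines()

if __name__ == '__main__':
    for user, ips in shared_logins(SAMPLE_LOG).items():
        print(user, 'seen from', len(ips), 'IPs:', ', '.join(ips))
```

A member who travels or sits behind a rotating mobile carrier can trip the threshold too, which is the legitimate-member case the post mentions; the threshold and window need tuning against real traffic.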
Old 12-15-2011, 04:02 PM   #12
Adult Insider Dave
Confirmed User
 
 
Join Date: Jun 2005
Posts: 533
Also be aware that if you offer a free or low cost trial there is a greater chance that the password is bought just to share with their group. Keep your eye on those ;)
__________________
Promote our penis growth and acne books, earn 75% on sales and rebills.

Contact me if you want a custom backend like Pornstarbucks and Freenetpass integrated with any billing gateway:
Old 12-15-2011, 04:11 PM   #13
lucas131
¯\_(ツ)_/¯
 
Join Date: Aug 2004
Posts: 11,475
Rich people buy memberships; they share at most with close friends. Nobody is sharing his own membership in public, not anymore. All logins are hacked, from databases, from emails, or from pay gateways. If you see traffic on your logins, put the login into Google and see how many results show up. If no login, mostly you are hacked; check your database and server logs and so on, and fill the holes. If you see hacked combos in Google, the paying owner is using the same combo on every site he buys. It all goes from private: hackers are hacking databases, some rats are stealing the databases and putting them public, and there, some self-called hackers run machines with proxies and try to use the combos on every site where it is possible. So, in the end, it is the fault of the site that it is open, hacked, or has low security, and having low security today is like sharing your password in your sig. Enjoy, I mean, good luck.
Old 12-15-2011, 07:06 PM   #14
Fenris Wolf
Confirmed User
 
Join Date: Nov 2005
Posts: 1,038
Quote:
If you are using an old fashioned .htpasswd file that's only encrypted with the most common method, that's an algorithm called DES which is next to worthless. If those DES encrypted passwords are based on English words, which they normally are if you let your users choose their own passwords, a cracker can decrypt many of those passwords within seconds. You'll want to secure your passwords better than that.

First, how to know if this is a problem for you: 1) If you let users choose their own passwords you have a problem. 2) If your database or password file has the passwords in it in clear text you have a problem. 3) If each line of your password file has the user name, a colon, then 13 characters you have a problem. 4) If any of 1-3 applies to you and you run PHP scripts, you probably have a bigger problem.

PHP scripts make the problem worse because most of them, including most of the most popular ones, include a security hole that will let the attacker download your password list or database. So especially if you use PHP you'll want to be sure your password list is not easily cracked.

DES encryption, used in most .htpasswd files, is no longer effective. I've run a cracker program against some customers' password lists and indeed I was able to crack many passwords in seconds. Part of the reason it's so weak is that it only uses the first 8 characters of the password. With user-chosen passwords the first 8 characters are often found in a cracker's dictionary because they choose passwords based on English words.
You can read more at https://www.bettercgi.com/strongbox/passgen/ and when you are done reading have your friend get Strongbox. It will be the best $159.00 he will ever spend.
__________________
Email: fenris_wolf3000 (a t ) yah00 . c 0 m

Last edited by Fenris Wolf; 12-15-2011 at 07:08 PM..
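The self-check quoted in post #14 ("user name, a colon, then 13 characters"), as an added example (not code from the thread or from Strongbox): it audits the body of an `.htpasswd` file and goes beyond the 13-character rule by also recognising the other entry formats Apache accepts. The function names and sample entries are constructed; the hash bodies are placeholders, not real hashes.

```python
import re

# Traditional DES crypt(): 2-character salt + 11-character hash = 13 characters.
DES_CRYPT = re.compile(r'^[./0-9A-Za-z]{13}$')

def classify(hash_field):
    """Return (scheme, weak) for the part after the colon in an .htpasswd line."""
    if hash_field.startswith(('$2y$', '$2a$', '$2b$')):
        return 'bcrypt', False
    if hash_field.startswith(('$5$', '$6$')):
        return 'sha-crypt', False            # crypt() SHA-256 / SHA-512
    if hash_field.startswith('$apr1$'):
        return 'apr1-md5', False             # salted, iterated MD5; not flagged here
    if hash_field.startswith('{SHA}'):
        return 'sha1-unsalted', True         # one unsalted SHA-1 pass
    if DES_CRYPT.match(hash_field):
        return 'des-crypt', True             # only the first 8 password characters count
    # Anything else is treated as cleartext. A 13-character cleartext password
    # made only of crypt-alphabet characters would be reported as des-crypt.
    return 'plaintext-or-unknown', True

def audit(text):
    """Return [(line_no, user, scheme)] for every weak entry in an .htpasswd body."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or ':' not in line:
            continue
        user, hash_field = line.split(':', 1)
        scheme, weak = classify(hash_field)
        if weak:
            findings.append((n, user, scheme))
    return findings

# Constructed sample file; hash bodies are placeholders.
SAMPLE_HTPASSWD = """\
alice:ab1CdEfGhIjK.
bob:$2y$10$CONSTRUCTEDplaceholderSALTandHASH
carol:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
dave:letmein
erin:$apr1$constr$PLACEHOLDERhashVALUE
"""

if __name__ == '__main__':
    for line_no, user, scheme in audit(SAMPLE_HTPASSWD):
        print(f'line {line_no}: {user} uses {scheme}')
```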
Old 12-15-2011, 07:41 PM   #15
Lace
Too lazy to set a custom title
 
Join Date: Mar 2004
Posts: 16,116
Quote:
Originally Posted by lucas131
Rich people buy memberships; they share at most with close friends. Nobody is sharing his own membership in public, not anymore. All logins are hacked, from databases, from emails, or from pay gateways. If you see traffic on your logins, put the login into Google and see how many results show up. If no login, mostly you are hacked; check your database and server logs and so on, and fill the holes. If you see hacked combos in Google, the paying owner is using the same combo on every site he buys. It all goes from private: hackers are hacking databases, some rats are stealing the databases and putting them public, and there, some self-called hackers run machines with proxies and try to use the combos on every site where it is possible. So, in the end, it is the fault of the site that it is open, hacked, or has low security, and having low security today is like sharing your password in your sig. Enjoy, I mean, good luck.
Ding, ding, ding. Brute force is so 2001.
__________________
Your Paysite Partner
Strength In Numbers!
StickyDollars | RadicalCash | KennysPennies | HomegrownCash