Dankasaur

There is no security reason to force your users to periodically change their passwords. This is bad user experience and is unneeded unless your database has been compromised and requires your users to change their passwords ONCE.

fitzmulti

CCBILL does it every 3 months {or so}...
It's not "just a Paxum thing"...

__________________

Dankasaur

I've never had to change my CCBill password...

RuthB

Hi Dankasaur,

Password reset is usually requested about every 6 months or so. Yes, this is a security feature implemented when we updated our login server some time ago to a higher level of encryption.

Thanks for your feedback!

Ruth

__________________
Send & Receive Mass Global Payments - Mass P2P/Wire/EFT/SEPA - Adult Industry Friendly - Award Winning Payment Service - Fast, Reliable & Secure!
Paxum ...... Paxum Bank
Email: [email protected] ~ Telegram: PaxumRuth

fitzmulti

I should clarify...I mean for those who use it for processing.
As an affiliate I haven't ever changed mine, either.

__________________

Matyko

+1

I don't give a fuck CCBill does the same. At least they don't need special fucking characters in the pw so I am swapping 2 pws all the time. W paxum its different.

Annoying, but can live w it..

__________________

-=- Register with our ref link and we help you with the setup! -=-
AdSpyglass.com - Double your profit from brokers

Dankasaur

It's been proven that your method of "security" behind this is not good...

http://www.pcmag.com/article2/0,2817,2362692,00.asp

_Richard_

next you're gonna be telling us that anti-virus software is modern day snake oil

NaughtyRob

I have no issue with it. Better security is a good thing.

__________________
[email protected]
Skype: 17026955414
Vacares Web Hosting - Protect Your Ass with Included Daily Backups

RuthB

You are entitled to disagree with our methods, however we do not have any plans to remove this security feature at this time.

Thanks again for your input.

__________________
Send & Receive Mass Global Payments - Mass P2P/Wire/EFT/SEPA - Adult Industry Friendly - Award Winning Payment Service - Fast, Reliable & Secure!
Paxum ...... Paxum Bank
Email: [email protected] ~ Telegram: PaxumRuth

Dankasaur

As a company who's in control of data 100x more sensitive than Paxum, I'm sure Microsoft spent millions to come to this conclusion and is far from "snake oil".

It's not better security. It's false sense of security and is actually LESS secure in the long run.

Obviously one person won't change your mind, but don't inconvenience your users and say it's for "security" when multi-billion dollar companies in the exact field of security have proven it's worthless.

signupdamnit

It also encourages people to write down passwords or to choose nearly the same password each time with slight variations. No one can remember 20-50 different passwords which have to be changed every few months. You simply cannot keep all that in your head.

Worse yet if the company is incompetent there is the risk that they store past passwords without hashes or encryption so if a hacker gets the database they not only get your current password but all your past stored passwords too. They then can use these at all your other online accounts. More than likely Paxum uses hashes or encryption (if not the owners should go to jail) but even then there is still a risk of compromise depending on the implementation.

__________________

You don't like my posts? Put me on ignore or fuck right off. I'll say what I want.

Dankasaur

And judging by that screenshot it says "cannot use any previous used passwords" so unless they store that data for referencing every time they require a password change, you're essentially just giving the hacker more stuff to use against you if they do get the database... Thus making the password change requirement WORSE.

Dankasaur

So I forgot that they require the special characters in the password and as I use Chrome sync and password remembering I don't even know my original password... So I used the forgotten password feature, and guess what? My "new" password was sent to me in plaintext via email where anyone can hijack it...

So, as a security measure, they require us to change our passwords every 6ish months, and at the same time send our PLAINTEXT passwords to use via email...

Real secure...

Sid70

__________________
Русня, идите нахуй!

anexsia

That's weird, I'm an affiliate and I have to change my CCBill password about once a month.

A good program for keeping track of your passwords (across Windows and Linux) is KeepassX and you can lock your database via a master password, a key tied to a file, and you can encrypt the database if you want. Then you don't have to try and remember those 25+ character passwords .

helterskelter808

I'm not a fanboy of Paxum (regardless of the passwords, I think you're out your mind if you hand over all the private and personal info they demand) but I'd be surprised if they don't store your passwords hashed, and compare the hashes only. Anything else would be insanely reckless.

Paxum send new passwords via email in plain text? Perhaps they do store them in plain text then.

Supz

PR_Phil

https://www.pcisecuritystandards.org...pci_dss_v2.pdf

I have nothing to say about Paxum here, but that is a link to PCI DDS requirements for Data Security.

rule 8.5.9 - Change user passwords at least every 90 days.

rule 8.5.10 - Require a minimum password length of at least seven characters.

rule 8.5.11 - Use passwords containing both numeric and alphabetic characters.

rule 8.5.12 - Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.

rule 8.5.13 - 3 Limit repeated access attempts by locking out the user ID after not more than six attempts.

if you go to that link and scroll to page 49, you can view a complete list of the rules regarding user passwords, I would expect a company that controls peoples money to follow PCI regulations.

__________________

Lichen

Agreed.

This bullshit is annoying as hell.

Dankasaur

Wow, that's not secure at all... "Hey not only are we gonna require you to change your password every 3 months, but we're also gonna store your last 4 passwords to make sure you don't use them either." Great way to give access to all your shit.

Fact of the matter is, no password storage or hashing or anything security related matters when your users use easily guessed passwords... This is just an inconvenience for the users and will just make them rotate between a select few passwords, making the whole security aspect of it worthless..

Dankasaur

I'm sure, and hope, they store them hashed, as you can send a new password without storing it in plaintext, but that still doesn't stop the fact that someone can access my email data and get that password no problem... The best thing to do would be send a link that is only usable once and then take them to the site to set a new password. Not send a password.

BSleazy

I have to regularly change my ccbill password as an affiliate.

__________________
icq 156131086

imabro

Paxum load wires rejecting due to their bank not meeting OFAC regulations. Their own intermediary bank is being rejected.. Paxum support not responding for over 24 hours now.

nikki99

paxum rocks I use it in any country of the world and it works

__________________
SMC Revenue - Best Tgirl websites of the world now VR
Non exclusive BIG Tranny/shemale Package for sale, full 2257 - hit me up skype: nikkimontero

LeRoy

I wouldn't worry too much about that...

__________________

k0nr4d

I haven't hit this feature on paxum yet, but I did have it on my old online banking (raiffeisen) and hated it enough that I switched banks because of it. Not only did they force a password change ONCE A MONTH that did not match my last 6 passwords, it had to be at least 10 chars long with at least 2 special characters, at least 2 upper case letters and at least one number - pretty much forcing you to write it down. They wouldn't let you choose your own pin for your bank card either - and if you forgot it you had to order a new card (for a fee of course).

The domain registrar for PL does this shit too, also with some complicated as fuck password scheme. Every time I login there I have to use the forgot password form - effectively negating any security this adds since it's sending me my password in plain text to my email...

__________________
Mechanical Bunny Media
Mechbunny Tube Script | Mechbunny Webcam Aggregator Script | Custom Web Development

MainstreamGuy

The guy wasted more time in writing this message, than he could spend changing his password in PAXUM for a whole year.

I really don't understand some people.

fitzmulti

__________________

Zeiss

Sometimes, when someone is actually helping you, you don't even see it...

__________________


Adult Webmasters Guides

Rebel D

1000% agree .

Grab the whaaamulance.

Grow up, Change it and move on.

MaDalton

what this man said..

__________________
AmazingContent.com - providing only the best content and service since 2003
Monetize your content on Veegaz.com - one of Germanies largest VOD sites
Got German traffic? We convert it into money for you!
Skype: madalton02826 - Email: oltecconsult [at] gmail [dot] com

OldJeff

Holy shit, you mean there are security rules involved with the electronic transfer of money !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

__________________
"As pornographers we must act responsibly! ;))"- Nickatilynx

I might be Old and Tired, but at least I don't support a whiney cunt

TampaToker

lol was thinking that myself.......

__________________
Icq 247-742-205

Penny24Seven

if this is the worst of your problems you have had a pretty good day then

__________________
Our site is coming soon. It will be one of the best ever! I know so. Brian and Penny

Penny24Seven

PAXUM stop making me have to login to send money, i want to be logged in 24/7 no matter what computer I use and what is the deal with TP, i mean do we really have to wipe our asses. Just another way for the man to make money by selling TP to wipe our asses. I mean we just throw it away after so what is the point??

__________________
Our site is coming soon. It will be one of the best ever! I know so. Brian and Penny

CaptainHowdy

__________________
FLASH SALE INSANITY! deal with a 100% Trusted Seller
Buy Traffic Spots on a High-Quality Network
1 Year or Lifetime — That’s Right, Until the Internet Explodes!

bluebook18

I don't mind changing password every 6 months

Lykos

Am fine with that, makes me feel safe

__________________

Dankasaur

Sure, if false sense of security is your thing, good luck.

PornDiscounts-V

Boners and poo

__________________

Aidoru

Use KeePass
Life will be so much better

__________________
Gravurecash - 50% Lifetime RevShare on all signups and rebills, 5% Webmaster Referral