GoFuckYourself.com - Adult Webmaster Forum

Forum: Fucking Around & Business Discussion (https://gfy.com/forumdisplay.php?f=26)
Thread: Paxum: No, stop this right now. (https://gfy.com/showthread.php?t=1108897)

Dankasaur 05-08-2013 11:33 AM

Paxum: No, stop this right now.
 
http://i.imgur.com/wl6K0i6.png

There is no security reason to force your users to periodically change their passwords. This is bad user experience and is unneeded unless your database has been compromised and requires your users to change their passwords ONCE.

fitzmulti 05-08-2013 11:41 AM

CCBILL does it every 3 months {or so}...
It's not "just a Paxum thing"...

Dankasaur 05-08-2013 11:42 AM

Quote:

Originally Posted by fitzmulti (Post 19616733)
CCBILL does it every 3 months {or so}...
It's not "just a Paxum thing"...

I've never had to change my CCBill password...

RuthB 05-08-2013 11:45 AM

Hi Dankasaur,

Password reset is usually requested about every 6 months or so. Yes, this is a security feature implemented when we updated our login server some time ago to a higher level of encryption.

Thanks for your feedback!

Ruth :)

fitzmulti 05-08-2013 11:45 AM

Quote:

Originally Posted by Dankasaur (Post 19616735)
I've never had to change my CCBill password...

I should clarify...I mean for those who use it for processing.
As an affiliate I haven't ever changed mine, either.

Matyko 05-08-2013 11:48 AM

Quote:

Originally Posted by Dankasaur (Post 19616718)
http://i.imgur.com/wl6K0i6.png

There is no security reason to force your users to periodically change their passwords. This is bad user experience and is unneeded unless your database has been compromised and requires your users to change their passwords ONCE.

+1 :2 cents:

I don't give a fuck CCBill does the same. At least they don't need special fucking characters in the pw so I am swapping 2 pws all the time. W paxum it's different.

Annoying, but can live w it.. :pimp

Dankasaur 05-08-2013 12:11 PM

Quote:

Originally Posted by RuthB (Post 19616744)
Hi Dankasaur,

Password reset is usually requested about every 6 months or so. Yes, this is a security feature implemented when we updated our login server some time ago to a higher level of encryption.

Thanks for your feedback!

Ruth :)

It's been proven that your method of "security" behind this is not good...

Quote:

[...] He particularly slams the common requirement that users change passwords at specified intervals. A hacker who steals your password is going to use it right away; he won't wait two months. "Insisting that users choose a unique strong password for each [[account]] which they change often and never write down is clearly a large burden."
http://www.pcmag.com/article2/0,2817,2362692,00.asp

_Richard_ 05-08-2013 12:14 PM

Quote:

Originally Posted by Dankasaur (Post 19616804)
It's been proven that your method of "security" behind this is not good...

http://www.pcmag.com/article2/0,2817,2362692,00.asp

next you're gonna be telling us that anti-virus software is modern day snake oil

NaughtyRob 05-08-2013 12:15 PM

I have no issue with it. Better security is a good thing.

RuthB 05-08-2013 12:16 PM

Quote:

Originally Posted by Dankasaur (Post 19616804)
It's been proven that your method of "security" behind this is not good...

http://www.pcmag.com/article2/0,2817,2362692,00.asp

You are entitled to disagree with our methods, however we do not have any plans to remove this security feature at this time.

Thanks again for your input. :)

Dankasaur 05-08-2013 12:16 PM

Quote:

Originally Posted by _Richard_ (Post 19616807)
next you're gonna be telling us that anti-virus software is modern day snake oil

Quote:

Microsoft: Changing Passwords Isn't Worth the Effort
As a company that's in control of data 100x more sensitive than Paxum, I'm sure Microsoft spent millions to come to this conclusion and is far from "snake oil".

Quote:

Originally Posted by NaughtyRob (Post 19616808)
I have no issue with it. Better security is a good thing.

It's not better security. It's a false sense of security and is actually LESS secure in the long run.

Quote:

Originally Posted by RuthB (Post 19616809)
You are entitled to disagree with our methods, however we do not have any plans to remove this security feature at this time.

Thanks again for your input. :)

Obviously one person won't change your mind, but don't inconvenience your users and say it's for "security" when multi-billion dollar companies in the exact field of security have proven it's worthless.

signupdamnit 05-08-2013 12:19 PM

Quote:

Originally Posted by Dankasaur (Post 19616804)
It's been proven that your method of "security" behind this is not good...

http://www.pcmag.com/article2/0,2817,2362692,00.asp

It also encourages people to write down passwords or to choose nearly the same password each time with slight variations. No one can remember 20-50 different passwords which have to be changed every few months. You simply cannot keep all that in your head.

Worse yet if the company is incompetent there is the risk that they store past passwords without hashes or encryption so if a hacker gets the database they not only get your current password but all your past stored passwords too. They then can use these at all your other online accounts. More than likely Paxum uses hashes or encryption (if not the owners should go to jail) but even then there is still a risk of compromise depending on the implementation.

Dankasaur 05-08-2013 12:24 PM

Quote:

Originally Posted by signupdamnit (Post 19616814)
Worse yet if the company is incompetent there is the risk that they store past passwords without hashes or encryption so if a hacker gets the database they not only get your current password but all your past stored passwords too. They then can use these at all your other online accounts. More than likely Paxum uses hashes or encryption (if not the owners should go to jail) but even then there is still a risk of compromise depending on the implementation.

And judging by that screenshot it says "cannot use any previous used passwords" so unless they store that data for referencing every time they require a password change, you're essentially just giving the hacker more stuff to use against you if they do get the database... Thus making the password change requirement WORSE.

Dankasaur 05-08-2013 12:27 PM

Quote:

Originally Posted by Matyko (Post 19616753)
+1 :2 cents:

I don't give a fuck CCBill does the same. At least they don't need special fucking characters in the pw so I am swapping 2 pws all the time. W paxum it's different.

Annoying, but can live w it.. :pimp

So I forgot that they require the special characters in the password and as I use Chrome sync and password remembering I don't even know my original password... So I used the forgotten password feature, and guess what? My "new" password was sent to me in plaintext via email where anyone can hijack it...

So, as a security measure, they require us to change our passwords every 6ish months, and at the same time send our PLAINTEXT passwords to us via email...

Real secure...

ಠ_ಠ

Sid70 05-08-2013 12:47 PM

http://cdn.memegenerator.net/instanc...x/36566488.jpg

anexsia 05-08-2013 12:47 PM

Quote:

Originally Posted by fitzmulti (Post 19616745)
I should clarify...I mean for those who use it for processing.
As an affiliate I haven't ever changed mine, either.

That's weird, I'm an affiliate and I have to change my CCBill password about once a month.

A good program for keeping track of your passwords (across Windows and Linux) is KeepassX and you can lock your database via a master password, a key tied to a file, and you can encrypt the database if you want. Then you don't have to try and remember those 25+ character passwords :).

helterskelter808 05-08-2013 12:59 PM

Quote:

Originally Posted by Dankasaur (Post 19616819)
And judging by that screenshot it says "cannot use any previous used passwords" so unless they store that data for referencing every time they require a password change, you're essentially just giving the hacker more stuff to use against you if they do get the database... Thus making the password change requirement WORSE.

I'm not a fanboy of Paxum (regardless of the passwords, I think you're out of your mind if you hand over all the private and personal info they demand) but I'd be surprised if they don't store your passwords hashed, and compare the hashes only. Anything else would be insanely reckless.

Quote:

Originally Posted by Dankasaur (Post 19616823)
So I forgot that they require the special characters in the password and as I use Chrome sync and password remembering I don't even know my original password... So I used the forgotten password feature, and guess what? My "new" password was sent to me in plaintext via email where anyone can hijack it...

Paxum sends new passwords via email in plain text? Perhaps they do store them in plain text then.

Supz 05-08-2013 01:05 PM

Quote:

Originally Posted by _Richard_ (Post 19616807)
next you're gonna be telling us that anti-virus software is modern day snake oil

:1orglaugh:1orglaugh:1orglaugh:1orglaugh:1orglaugh

PR_Phil 05-08-2013 01:12 PM

https://www.pcisecuritystandards.org...pci_dss_v2.pdf

I have nothing to say about Paxum here, but that is a link to PCI DSS requirements for Data Security.

rule 8.5.9 - Change user passwords at least every 90 days.

rule 8.5.10 - Require a minimum password length of at least seven characters.

rule 8.5.11 - Use passwords containing both numeric and alphabetic characters.

rule 8.5.12 - Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.

rule 8.5.13 - Limit repeated access attempts by locking out the user ID after not more than six attempts.

If you go to that link and scroll to page 49, you can view a complete list of the rules regarding user passwords. I would expect a company that controls people's money to follow PCI regulations.

Lichen 05-08-2013 01:16 PM

Agreed.

This bullshit is annoying as hell.

Dankasaur 05-08-2013 02:13 PM

Quote:

Originally Posted by PR_Phil (Post 19616892)
https://www.pcisecuritystandards.org...pci_dss_v2.pdf

I have nothing to say about Paxum here, but that is a link to PCI DSS requirements for Data Security.

rule 8.5.9 - Change user passwords at least every 90 days.

rule 8.5.10 - Require a minimum password length of at least seven characters.

rule 8.5.11 - Use passwords containing both numeric and alphabetic characters.

rule 8.5.12 - Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.

rule 8.5.13 - Limit repeated access attempts by locking out the user ID after not more than six attempts.

If you go to that link and scroll to page 49, you can view a complete list of the rules regarding user passwords. I would expect a company that controls people's money to follow PCI regulations.

Wow, that's not secure at all... "Hey not only are we gonna require you to change your password every 3 months, but we're also gonna store your last 4 passwords to make sure you don't use them either." Great way to give access to all your shit.

Fact of the matter is, no password storage or hashing or anything security related matters when your users use easily guessed passwords... This is just an inconvenience for the users and will just make them rotate between a select few passwords, making the whole security aspect of it worthless..
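The worry raised above is that a "last four passwords" rule (PCI DSS v2, 8.5.12) forces the site to keep old passwords around. It does not have to keep them in a recoverable form: the history check works against salted hashes of the retired passwords, exactly like the login check, so a stolen database yields only digests. The example below is added here to illustrate that; it is not Paxum's, CCBill's or the PCI Council's code. It assumes PBKDF2-HMAC-SHA256 from Python's standard library with a deliberately low iteration count so it runs quickly, and a constructed `Account` class with a `history` list that is capped at `HISTORY_DEPTH` entries.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256. Kept low here so the example runs in
# seconds; a real deployment would use a far higher count or Argon2/bcrypt.
ITERATIONS = 50_000
HISTORY_DEPTH = 4  # PCI DSS v2 rule 8.5.12: reject any of the last four passwords


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn unless one is supplied."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class Account:
    """Constructed for this example. Holds the current credential plus a bounded
    history of previous (salt, digest) pairs. No plaintext password is ever kept,
    so a database leak exposes only salted PBKDF2 digests of old passwords."""

    def __init__(self, password: str) -> None:
        self.salt, self.digest = hash_password(password)
        self.history: List[Tuple[bytes, bytes]] = []

    def is_reused(self, new_password: str) -> bool:
        """True if new_password equals the current or any retained previous password."""
        if verify_password(new_password, self.salt, self.digest):
            return True
        return any(verify_password(new_password, s, d) for s, d in self.history)

    def change_password(self, old_password: str, new_password: str) -> bool:
        """Rotate the credential; returns False on wrong old password or reuse."""
        if not verify_password(old_password, self.salt, self.digest):
            return False
        if self.is_reused(new_password):
            return False
        # Retire the current hash into history and keep only the last N entries.
        self.history.append((self.salt, self.digest))
        self.history = self.history[-HISTORY_DEPTH:]
        self.salt, self.digest = hash_password(new_password)
        return True
```

Each history entry keeps its own salt, so checking a candidate against four old entries costs four PBKDF2 derivations; that cost is the point, since it is what an attacker holding the leaked table must pay per guess as well.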

Dankasaur 05-08-2013 02:15 PM

Quote:

Originally Posted by helterskelter808 (Post 19616878)
Paxum sends new passwords via email in plain text? Perhaps they do store them in plain text then.

I'm sure, and hope, they store them hashed, as you can send a new password without storing it in plaintext, but that still doesn't stop the fact that someone can access my email data and get that password no problem... The best thing to do would be send a link that is only usable once and then take them to the site to set a new password. Not send a password.
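The single-use reset link suggested in the post above can be built so that nothing of value sits in the mailbox or the database for long: the link carries a random token, the server stores only a hash of it with an expiry, and the first redemption deletes it. The code below is an added example of that design and is not Paxum's implementation. It assumes Python's `secrets` and `hashlib` modules, an in-memory store standing in for a database table, and a placeholder host `example.invalid` for the link.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # constructed policy: a reset link is valid for 15 minutes


class ResetTokenStore:
    """Issues single-use password-reset tokens. Only the SHA-256 of each token is
    stored, so a leaked table cannot be turned back into live reset links."""

    def __init__(self) -> None:
        # token fingerprint -> (user, expiry timestamp); stands in for a DB table
        self._pending: Dict[bytes, Tuple[str, float]] = {}

    @staticmethod
    def _fingerprint(token: str) -> bytes:
        return hashlib.sha256(token.encode("ascii")).digest()

    def issue(self, user: str, now: Optional[float] = None) -> str:
        """Create a token for `user`. The raw token goes into the e-mailed link only."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._fingerprint(token)] = (user, now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Consume a token. Returns its user, or None if unknown, expired or already
        used. Popping on first sight is what makes the link single-use, and an
        expired token is discarded rather than left behind."""
        now = time.time() if now is None else now
        entry = self._pending.pop(self._fingerprint(token), None)
        if entry is None:
            return None
        user, expiry = entry
        if now > expiry:
            return None
        return user

    def pending_count(self) -> int:
        return len(self._pending)


def reset_link(token: str) -> str:
    """Placeholder URL; the real host is whatever the site serves the reset form from."""
    return f"https://example.invalid/reset?token={token}"
```

The mailed message contains nothing reusable after the first click, so someone who reads the mailbox later gains nothing, which is the difference between this and mailing a new password.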

BSleazy 05-08-2013 02:18 PM

I have to regularly change my ccbill password as an affiliate.

imabro 05-08-2013 08:08 PM

Paxum load wires are being rejected because their bank does not meet OFAC regulations. Their own intermediary bank is being rejected.. Paxum support not responding for over 24 hours now.

nikki99 05-08-2013 08:26 PM

Paxum rocks. I use it in any country of the world and it works.

LeRoy 05-08-2013 08:33 PM

I wouldn't worry too much about that...

k0nr4d 05-08-2013 09:58 PM

I haven't hit this feature on paxum yet, but I did have it on my old online banking (raiffeisen) and hated it enough that I switched banks because of it. Not only did they force a password change ONCE A MONTH that did not match my last 6 passwords, it had to be at least 10 chars long with at least 2 special characters, at least 2 upper case letters and at least one number - pretty much forcing you to write it down. They wouldn't let you choose your own pin for your bank card either - and if you forgot it you had to order a new card (for a fee of course).

The domain registrar for PL does this shit too, also with some complicated as fuck password scheme. Every time I login there I have to use the forgot password form - effectively negating any security this adds since it's sending me my password in plain text to my email...

MainstreamGuy 05-08-2013 10:52 PM

The guy wasted more time in writing this message, than he could spend changing his password in PAXUM for a whole year.

I really don't understand some people.

fitzmulti 05-08-2013 11:15 PM

Quote:

Originally Posted by nikki99 (Post 19617387)
Paxum rocks. I use it in any country of the world and it works.

:thumbsup:thumbsup:thumbsup

Zeiss 05-08-2013 11:21 PM

Sometimes, when someone is actually helping you, you don't even see it... :Oh crap

Rebel D 05-09-2013 06:21 AM

Quote:

Originally Posted by MainstreamGuy (Post 19617501)
The guy wasted more time in writing this message, than he could spend changing his password in PAXUM for a whole year.

I really don't understand some people.

1000% agree.

Grab the whaaamulance.

Grow up, Change it and move on.

MaDalton 05-09-2013 06:55 AM

Quote:

Originally Posted by MainstreamGuy (Post 19617501)
The guy wasted more time in writing this message, than he could spend changing his password in PAXUM for a whole year.

I really don't understand some people.

what this man said..

OldJeff 05-09-2013 07:11 AM

Holy shit, you mean there are security rules involved with the electronic transfer of money !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

TampaToker 05-09-2013 07:13 AM

Quote:

Originally Posted by MainstreamGuy (Post 19617501)
The guy wasted more time in writing this message, than he could spend changing his password in PAXUM for a whole year.

I really don't understand some people.

lol was thinking that myself.......

Penny24Seven 05-09-2013 07:27 AM

if this is the worst of your problems you have had a pretty good day then

Penny24Seven 05-09-2013 07:28 AM

PAXUM stop making me have to login to send money, i want to be logged in 24/7 no matter what computer I use and what is the deal with TP, i mean do we really have to wipe our asses. Just another way for the man to make money by selling TP to wipe our asses. I mean we just throw it away after so what is the point??

CaptainHowdy 05-09-2013 07:40 AM

http://cdn2.bigcommerce.com/server44....1280.1280.jpg

bluebook18 05-09-2013 07:40 AM

I don't mind changing password every 6 months

Lykos 05-09-2013 08:15 AM

Am fine with that, makes me feel safe

Dankasaur 05-09-2013 08:51 AM

Quote:

Originally Posted by Brian837 (Post 19617878)
PAXUM stop making me have to login to send money, i want to be logged in 24/7 no matter what computer I use and what is the deal with TP, i mean do we really have to wipe our asses. Just another way for the man to make money by selling TP to wipe our asses. I mean we just throw it away after so what is the point??

Sure, if false sense of security is your thing, good luck. :thumbsup

PornDiscounts-V 05-09-2013 10:16 AM

Boners and poo

Aidoru 05-10-2013 09:12 AM

Use KeePass
Life will be so much better
