paysite owners: signup/recurring improvement question
 

To be better able to resist bruteforce attacks from hackers i am giving out random passwords and usernames to members instead of letting users choose their own. I was woundering if giving out random usernames and passwords to paysite members influences the number of signups and lenght of rebills.

I was analysing some data which made me wounder this.

In my opinion it does have a negative effect, mainly due to the fact that new subscribers might be affraid of losing their random generated password and username due to computer crashes or f.e hiding it from their wife. Therefor more customers cancel their membership immediately after the purchase.

If this would affect the number of signups and the number of rebills, the question would be how much would it be expressed in percentages.

Anybody want to share their thoughts/experience on this issue?

no experience with it but thoughts from a surfer perspective.
if who ever signed up wanted to hide it then they are definately going to want to choose there own,they would delete there cookies and the email from the billing company so yes it would have an negative effect on rebills and pprobally sign ups as well.

I thought about doing that myself, but didn't. If your main goal is to increase sales and recurring retentions then you have to make things as simple as possible.

Most surfers don't know how to clear out or manage their browser's "auto-complete" or "save password" feature. Change their password every month and they'll never get their login to work again. I have a hard enough time with members who can't remember the username/password they chose themselves.

Could also affect chargebacks. Sometimes a member will just cancel or CB rather than emailing the webmaster for help. And then you have to worry about the Russians cracking your random generator and exposing your entire member base.

I force them to use at least five characters, and don't allow the username "username" or anyones password being "password". Add in a good password management program that blocks dictionary attacks after 15 failures, that's it.

If I were to change anything, it would be to force all lowercase logins, but it is too late to change that on my database. At any given time, I can watch members login and they always try the lowercase version first.

just get ProxyPass

:thumbsup

I had random passwords for years and got several surfers a week loosing passwords. CCBill randoms are the WORST - they use linux mixed case temp file names which are allmost impossible to type - most poorly designed random password generator I have ever seen and the designer should be killed.

Finally I switched to user chosen passwords. Got posted on 3 trading boards within the month, lol.

But I have to agree. Anything that makes it harder for the surfer is bad, so I am sticking with the old fashioned way. But I have software that counts downloads and turns off password trading accounts.

I use random ccbill u/p and I haven't noticed more people canceling their memberships.

My retention is actually better then 40% (which is great in my book)

Hmmm interesting point, im using the random ccbill, might try and to some testing on the effect....

password traders shouldnt even be a concern for anyone any more.
There was a time when there were tons of PW sites, they have dropped off a lot, now people seem to be using msg boards and email lists for password trading.
But get your a good password program like password sentry and it will solve your password problems. Then you can let people choose what ever password combinations they want, ones they can remember ..make them happier and they will stay longer.

just get blocking software, ppl wanna choose their own passwords

Software which automaticly blocks password trading accounts does not solve the whole problem for me. F.e a few weeks ago a good amount of member accounts where stolen and abused. This where accounts from people who have been a member for over 6 months (these usernames and passwords where not random generated). My protection script disabled their accounts to keep out the huge number of people who tried to get in.

A few days later i checked my cancellation reason information and i noticed a sudden increase of people who cancelled their account because of password problems. I lost a good chuck of high value members thanks to blocking out the cheaters.

So actually i am trying to figure out if giving members the option to choose their own username and password (with the risk of losing several high value members once in a while) outweighs the benifit of losing revenue due people cancelling their accounts sooner when they get a random username and password assigned.

This would only be a question off course if it is a proven fact that you'll gain more sales and recurring income thanks to letting people choose their own account info.

dikkechill

If you have a solid password program you should not have to auto-block. I mean to say, don't delete their login via a script if it gets compromised. Always do it manually once you are sure, there are false positives. Sure, a few people get in free, but you kill the paying member in the process. Instead, analyse your logs daily, then change their login for them and send an email explaining why.

Never ever block their account while they are jerking off mid-stroke, that is the quickest way to lose a recur member. Change their login, let them know why, they will understand if you word it correctly and it will never happen again.

I only get these things 3-4 times a month. Like venus said above, password trading boards are a thing of the past. Don't throw the baby out with the bathwater, it will only cost you hard cash.

Here is what I send a member the next day after I find the login has been compromised:

hi ,

Your login has been compromised and is being used on several machines at once. For this reason, your password has been changed-


un=
pw=

The most common reason for this is when a member uses the same un/pw at several sites. The other site gets hacked, the login gets posted on the net, and then is used as a master list by hackers to try against other sites. This site does not get hacked, security is number one.


regards,

Thats good advice, however i dont let the script delete the users. It blocks their account for 24 hours when it detects abnormal activity. When this happens i use the same method as you describe. I also mail an explanation to the member. However only about 15- 20% of the people responds to these emails.

Do you have no auto block which temporaraly disables accounts when cheating activity takes place or is it set at a very high limit?

Simply put yes, it can affect signups and rebills since its just another hoop your surfers will have to jump through when they forget thier password since its generated. Just get some good protection or block ip's after 3 failures. Also use the password boards to your advantage. I like to make fake accounts, post them up and then have them go to a "preview account" where they can upgade :Graucho