Password Forums - this is just fucked up
 

I came across a paysite-password-cracking message board (although its name was mentioned here in the past, I don't want to put a link to it). They have 70,000!!! registered users who get to access free password lists on a daily basis and visit sites such as VideosZ, DeluxePass and MANY MANY others for free. WTF? I'm promoting VideosZ (hi Clement!) and find it disturbing that they don't make it harder for crackers to brute-force them. Can't you give out RANDOM PASSWORDS to members?

I don't agree with the notion that this helps bring on new members.. Give me a break - 20 new access codes to Videosz alone are posted every few hours there. Do programs give a shit about these sites?

Or do they believe in the Microsoft strategy of quietly letting people copy their software (in this case, access a paysite for free) and one day end it all and have many new potential users? Either way, it's fucked up.

I think what is more important is how fast the stolen logins are shut down. Who cares if someone posts a million logins to your site, if they aren't working then no one is getting anything for free. There was a time when boards like that would actually generate sales with 404 traps and other trickery. :2 cents:

That too. But from looking at various posts there, it seems like they work for the entire day sometimes (people seem to post Thank You's in response to password threads.. go figure).

I know, but it's two different things. Back then a user would give up after a while. Now all they need is a password board and they're set. This way they get to visit 10 different sites a day. No wonder they have 70K users.

I see program owners sit here all day while thousands of users access their sites for free.. Maybe they should pay more attention to that than GFY? :)

You could even send the failed attempts to a fake members area, so they THINK they're getting something special, but it's all an upsell to the full site.

Yes, you can, and spend the entire rest of your natural life answering support emails.

SpaceAce

That was the hottest thing, I remember, back in 2000 or so.

if you know what you are doing there is good money there

Not if you simply send it to members via email upon request, without too much hassle. Type your username, bam, check your email.

I really don't see what the big deal is. There are only a few options here:

1. Buy/lease software to stop password sharing, i.e. Pennywize, ProxyPass, KillerSecurity, etc.

2. People break into your sites, you do nothing, you're an idiot.

3. You use 404 traps, dialers, upsells, etc. to make money off these passwords traders.

4. You promote a PPS program, you get your money up front, the program worries about the rest.

5. You order a pizza and send it to me.

I agree. Only thing is, so many choose # 2.

I used to run a series of spiders which mined the listings of password sharing sites and automatically notified webmasters if their sites seemed compromised.

I was surprised to find that many webmasters created bogus password cracks to lite versions of their sites as a marketing 'technique'.

In any case, there was not much interest in this notification system and anyone with password protection can usually detect abuse as soon as it happens.

-Dino

Then I really don't understand what your concern is.

option 5 sounds good i wonder how many people go for it. im sure every major program has a good way of dealing with this shit, i atleast hope so.

I don't have any concern, no one is abusing anything I run. I just find it odd that program owners do nothing, that's all.

you can call the host but as soon as they are shut down they will setup shop somewhere else. belive me we have done it before.

Sounds strange to me that program owners don't close such accounts in 10 minutes unless they make money from it...

I agree with you 100% on that one. :thumbsup

I hear ya.

Surprisingly our sales doubled when some password site listed a valid password of ours years ago. I deleted the username when I noticed this. Now we suspend those accounts used by more than 5 different IPs in a day automatically. It works fine.