GoFuckYourself.com - Adult Webmaster Forum

rebekahdee 10-28-2008 04:34 AM

Shared/Stolen Passwords
 
Hi,

I am looking for some advice regarding password theft.

I currently use a great bit of software which locks out a user when a user/pass combination exceeds a given IP count. My problem is not regarding the software but rather the speed at which my passwords are being compromised. I go through stages where I may get 2 or 3 emails from members with valid memberships who have been locked out, often new members incidentally.

Does anyone else have experience of this problem? I am guessing that this is some kind of leak at either the billing company or the host. The fact that it is new members makes me think that perhaps someone is picking up the signup confirmation emails that are sent when a new member joins as this contains the login data required.

Any tips or feedback would be appreciated as this is driving me nuts!

Thanks,

Rob.
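
The lockout mechanism described in the post above (lock an account once its successful logins come from more than a set number of distinct IP addresses), as an added illustration that is not the poster's software: it parses constructed Apache-style access log lines embedded below (sample data, not from the thread), counts distinct source IPs per authenticated username, and reports which accounts cross the threshold. The log format, the field positions and the threshold value are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of Apache-style access log lines for a members area
# (not taken from the original thread). The third field is the username
# that authenticated for the request; "-" means no authentication.
SAMPLE_LOG = """\
10.0.0.5 - alice [28/Oct/2008:04:01:12 -0700] "GET /members/ HTTP/1.1" 200 5120
10.0.0.5 - alice [28/Oct/2008:04:02:40 -0700] "GET /members/vid1 HTTP/1.1" 200 9000
192.0.2.7 - bob [28/Oct/2008:04:03:01 -0700] "GET /members/ HTTP/1.1" 200 5120
198.51.100.9 - bob [28/Oct/2008:04:03:15 -0700] "GET /members/ HTTP/1.1" 200 5120
203.0.113.4 - bob [28/Oct/2008:04:04:02 -0700] "GET /members/ HTTP/1.1" 200 5120
203.0.113.44 - bob [28/Oct/2008:04:05:30 -0700] "GET /members/vid2 HTTP/1.1" 200 9000
10.0.0.5 - alice [28/Oct/2008:04:06:00 -0700] "GET /members/vid3 HTTP/1.1" 401 0
"""

# ip, ident, user, [timestamp], "request", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "[^"]*" (?P<status>\d{3})'
)


def distinct_ips_per_user(log_text):
    """Map each username to the set of source IPs that logged in successfully."""
    ips = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("user") == "-":
            continue
        if m.group("status") != "200":  # only count requests that actually succeeded
            continue
        ips[m.group("user")].add(m.group("ip"))
    return ips


def accounts_to_lock(log_text, max_ips=3):
    """Usernames whose successful logins came from more than max_ips distinct addresses."""
    per_user = distinct_ips_per_user(log_text)
    return sorted(user for user, addrs in per_user.items() if len(addrs) > max_ips)


if __name__ == "__main__":
    print(accounts_to_lock(SAMPLE_LOG))  # bob: four distinct IPs in the sample
```

In practice the count is kept per time window (a day, say) and the threshold is set with legitimate cases in mind, such as a member switching between a home and a mobile connection.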

raymor 10-28-2008 12:41 PM

Quote:

Originally Posted by rebekahdee (Post 14962083)
Hi,

Does anyone else have experience of this problem? I am guessing that this is some kind of leak at either the billing company or the host. The fact that it is new members makes me think that perhaps someone is picking up the signup confirmation emails that are sent when a new member joins as this contains the login data required.

Any tips or feedback would be appreciated as this is driving me nuts!

Thanks,

Rob.

Quite likely you're seeing your password file or database getting ripped.
The attacker uses some PHP script, most often, somewhere on your server
to get at the password file and can keep getting new ones whenever he
wants to. This is a real pain in the butt, of course. There are a few steps
to take in order to take care of this problem. There's the basic security
stuff like getting rid of old, unused scripts that an attacker may use, and
more specifically we can apply strong encryption to your password list so
that even if a cracker does get the list it's of no use to him, because it's
encrypted such that he can't retrieve the passwords. This page will
provide some more helpful information:
http://www.bettercgi.com/strongbox/p...adyhacked.html

Also feel free to shoot us an email at [email protected] or call us
at 979-530-1300 .

SkeetSkeet 10-28-2008 12:54 PM

yup we recommend strongbox 100% great guys over there!

rebekahdee 10-29-2008 09:19 AM

Hi guys and thanks for the replies.

I keep an eye on my server and I know what any suspicious files would look like so initially I would doubt that is where the problem lies. If there was a leak in the host or payment company surely no amount of software will protect your site?

Are the passwords not already encrypted when they are stored in the password file meaning that even if the file was compromised it would be of no use as it simply reveals usernames?

Can Strongbox be used to simply encrypt the password file?

Thanks in advance,

Rob.

raymor 10-29-2008 11:06 AM

Quote:

Originally Posted by rebekahdee (Post 14968866)
If there was a leak in the host or payment company surely no amount of software will protect your site?

Quite often a leak at the payment processor is the first thing webmasters
think of, but that's never what we find. It's almost always an issue on
the webmaster's side, often exacerbated by a poorly configured server.
If there was a leak in the payment processor there wouldn't be much you
could do, however you'd also likely see 500 other webmasters posting about
the problem today.

Quote:

Are the passwords not already encrypted when they are stored in the password file meaning that even if the file was compromised it would be of no use as it simply reveals usernames?

Unlike corporate sites like banks who employ security professionals, most adult
sites still use a very weak type of encryption called DES. DES was created in 1974,
then weakened by the NSA and standardized in 1976. The NSA felt that the weakened
version was good enough in the days of 4 MHz processors. It was broken in 1994, so
that encryption you're using has been out of date for a couple decades. Today, with
processors that run over a thousand times as fast as they did in 1976, a readily
available program can crack some of your passwords in just a few seconds if you
use DES. That's not just theoretical - I've done it more than once. So while the
passwords are technically encrypted, that encryption is nearly worthless for a big
password list.

Instead, today's standard for passwords is a salted MD5 hash. When used
in a certain other context, MD5 has a theoretical weakness, but for passwords
salted MD5 should be secure for years to come. SHA1 can also be used, but it
doesn't have the compatibility advantages of MD5 and the SHA2 family is
just around the corner, so we're using MD5 now and will transition to SHA-256
or SHA-512 when the time comes in a few years.

Quote:

Can Strongbox be used to simply encrypt the password file?

Thanks in advance,

Rob.

We CAN just do the encryption and that will probably take care of your
immediate problem. It'd only cost you $30 too. That's kind of like locking
the back door and leaving the front door open, though, as you will be
attacked through some other hole. That might happen next week or it
might be next year but it will of course happen eventually. Normally, when
we upgrade the encryption for people we also upgrade the actual user names
and passwords themselves. When you let users choose their own user
names and passwords, an alarming number of them choose "password"
as their password. I don't care how good your encryption is if the password
is "password" the bad guys are going to guess that pretty quick. So we
set up a good system which assigns good passwords that won't be guessed,
yet can be remembered and typed more easily than random characters can be.
That then means that your password list is secure - only the person who
bought the password knows the password.

So here we are and we're happy because only the person who signed up
for the account knows the password. Until he posts it all over the place.
Possibly, he posts all 25 accounts which he got with those stolen card numbers.
That's when the state of the art protection of Strongbox comes into play.
The whole system, all three parts, provide you a complete security system.
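
The salted password hashing the post above recommends, as an added example that is not Strongbox's code: each user gets a fresh random salt so two members with the same password get different stored strings and one precomputed table cannot be run against the whole list, and a signup-time check reflects the post's point that no hashing helps when the password is "password". It goes beyond the post in using SHA-256 (the SHA-2 family the post says it will move to) iterated through PBKDF2 rather than a single hash; the storage format, ITERATIONS and COMMON_PASSWORDS are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed blocklist standing in for a real common-password dictionary;
# the post's own example, "password", is in it. Assumption, not from the thread.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}
ITERATIONS = 100_000  # PBKDF2 work factor; an assumed value


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt$hexdigest' with a random per-user salt.

    Because the salt differs per user, identical passwords hash to different
    strings, so a cracker cannot amortise one table over a big password list.
    """
    if salt is None:
        salt = secrets.token_hex(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the salt and iteration count from the stored string; compare in constant time."""
    try:
        scheme, iterations, salt, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record, e.g. a legacy DES crypt entry
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt.encode(), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def password_is_acceptable(password):
    """Signup-time check: a dictionary word is guessed quickly whatever the hash."""
    return len(password) >= 12 and password.lower() not in COMMON_PASSWORDS


if __name__ == "__main__":
    record = hash_password("correct-horse-battery")
    print(record)
    print(verify_password("correct-horse-battery", record))  # True
    print(password_is_acceptable("password"))                # False
```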

d-null 10-30-2008 05:20 PM

Great informative post from Strongbox, and their prices are well worth it.
