Password Traders
 

Every single time I have one of my sites reviewed at one of the top porn review sites I get about a half dozen signups and every one of them is a password trader. That must be where they shop. I'm done with that shit. I'm submitting no more reviews to any review sites now.
Anyone else have this problem? Site owners, I mean.

ouch nasty password tradeers :(

strongbox:thumbsup

Strongbox is great, but I have close to 50 sites. Kind of pricy.

We use ProxyPass. Does anyone have a page that reviews Strongbox?

I'm looking at their site, but it's kind of throwing me off because of errors on the site.

When your sales site has problems...

Strongbox works great for me and is good value if you don't have 50 sites :thumbsup

This :thumbsup

We'll work out appropriate pricing for you. Generally, Strongbox costs about 80% less than
the other guys, over three years.

Can you please tell me exactly what error you're getting on what page, and in what browser?
The whole site should be 100% valid HTML 4.0 and CSS, but some browsers (IE mainly)
don't properly handle correct HTML so we may have to add some hacks for your browser
version.

You asked about "reviews". There are many posts on this board and others.
Here are links to some of them:

https://www.bettercgi.com/strongbox/references.html

A few quotes from posters on this board and others:

# "strong box the shit, Kicked pennywize and proxypass in the ass", "two thumbs way up here too. Pennywize was a joke in comparison" mattyboy, The Doc, and others say on GFY
# Icecycle says "The box rules" on GFY
# Stramm says "It's cool. I love it." on GFY
# Jayeff and More Booze agree "Works perfectly and it's a bargain price too" on GFY
# "It works great" Lindamight tells hahahahahahaha
# "the Strongbox security systemtm rocks!" Kevin, Linda, Cleo, and Chop have a the Strongbox security systemtm love fest
# "unbelievably amazing! ... blocking way more people than PennyWize"
Jen and several other people chime in on Greenguy and Jim?s
# "it fuggin rocks!" according to topsmutlinks, on GFY
# "my BW dropped in half. STRONGBOX IS BY FAR THE BEST"$spikes and boobmaster say on GFY
# strongbox is amazing, according to xclusive, Forplaz calls it pretty damn impressive
# "On the morning of January 14, 2010, in a timespan of about 3 minutes JustNips.Com had a brute force attack of 930 hacks trying to guess passwords & usernames. Thanks to Strongbox, not a single one of these got access. I feel like I have the protection of Fort Knox for my site & I am able to keep my bandwidth usage 100% for loyal paying members. And that's how it should be!" -- Edd, JustNips.Com

# "the Strongbox security systemtm is the way to go", say Lee of Gay Wide Webmasters and other posters
# "I cant recomend Ray's Software enuff.. If you have a pay site.. you NEED it.DangerDave says
# one word...WOW!LindaMight raves about the Strongbox security systemtm
# Boobmaster says "Ray's the Strongbox security systemtm ROCKS!" on GFY
# Tony "totally recommends" the Strongbox security systemtm on adultwebmasters.co.uk


...and from someone who does NOT like Strongbox...

* Dear sir-

I've been surfing the net for years, picking up passes to sites and abusing the heck out of them. But I just quit when I see the Strongbox login interface. I've never once been able to hack it. I don't even waste my time.

Stop your good work, please....

signed-
--- cheap guy who refuses to pay for web content.
<email address removed for privacy reasons>

get proxypass for your server

it's priced per server no matter how many sites you have on it, covers them all

I heart strongbox

oh, i forgot to mention, most password traders don't buy passwords

traders hack your password file

I use ProxyPass, which is how I found these guys, that and server stats. I have had my password file hacked, but I think that is pretty much buttoned down now. ProxyPass caught their usernames and I found they had joined just after the review.

I used Strongbox before so I know how good it is. I may have to just begin adding it a site at a time till I'm bulletproof.

proxypass for your server is the key:)

Another Viable Solution
 

There is another innovative, leading password protection system you should be aware of.

At Phantom Frog, we feel its important for a webmaster to make an informed decision about protecting their sites and business. That is precisely why we offer a Free Trial to help you test drive the system. It is designed so you can keep your existing password protection system (Pennywise, Proxypass, etc) enabled during this Free Trial. In this way, you can observe first-hand how our Hi-Res Geo-IP Tracking Password Abuse Detection feature WILL detect pass abuse whicih flys beneath the radar of the other systems. No other system offers a Free Trial.

Frog also has a feature called Automated Member Support (AMS) which is designed to make your webmaster life even easier and to minimize member charge-backs. It provides uninterrupted 24/7 access to your member's area to legit paying members and none to hackers without requiring any involvment from the webmaster.

------------------------

Read Stellar Webmaster Testimonials On Our Website Here

It's critical to realize that many of the PhantomFrog testimonials come from seasoned webmasters who are also ex-customers of every other major pass protection (Pennywise, Proxypass, etc) on the market. So, their decision to use and stay with Frog comes from a position of first-hand experience.

Lucky from RonisParadise: "Tried most of the systems out there, but for the past 2 years, I've had Phantom Frog in place and 99% of my worries are over! There's no need for me to go anywhere else, because password traders accounts are immediately blocked by an automatic password change."

feetishes client quote: "Phantomfrog is absolutely the BEST password protection out there. I don't have to babysit the sites anymore with the Automated Member Support feature that this program uses. Just give it a try. There is a free trial, so you have nothing to lose."

Mitch from NetBilling: "We have several clients using Phantomfrog with great success."

------------------------

Sometimes, quotes from the "enemy" are just as valuable as client testimonials:

Here are some quotes from a hacker forum regarding a major cash program that just installed PhantomFrog: (client's site names removed for confidentiality reasons)

"I am having a problem with passwords I crack with AD for xxx.com and yyy.com. They seem to have a security system that kills the cracked pass within about one minute."

"Well the party appears to be over with the xyz sites. I had a previous pass for xxx.com that I had cracked months ago but never used. I used it today and guess what
after one minute it was dead."

"if a system like this is implemented, then we should better look for other means to get our "abc porn niche" fix :(.

------------------------

• The vast majority of webmasters who take advantage of our Free Trial become clients within 3 days and are ex-customers of ProxyPass, Pennywise, etc
• PhantomFrog has clients who have been with us for over four years and counting
• PhantomFrog has outperformed every other password protection system in detecting password abuse during parallel tests with both systems enabled on the same website

-----------------------

Click Here To Learn More About PhantomFrog

Click Here To Request a Free Trial of PhantomFrog

We have a built in Password Protection module "PasswordPHP" that is included with our "PaysitePHP" CMS solution.

It's just the tubes getting some content.. totally acceptable

Adapt or die

( sarcasm mode off )

man, seriously. hacker is human. he is looking for new targets. if you put your site to big review site, it is possible hacker is watching the review site for new targets! it is not fault of the review sites, which are you making money, but it is fault of your security and your business ... go and buy a strongbox yourself

tubes :mad:

btw ... if you put your site on review, you got about 50 signups, and about 5 logins are soon hacked? come on ... you have a brain ...

Hey buddy,

I'm the guy that emailed you earlier:

https://www.bettercgi.com/forum/

This gives me a 403 Forbidden.

Password traders!

We recently removed the forum. I suppose we haven't found every place on our website that references it yet. Thanks for letting us know.

Password crackers (as they are called) use software that tries thousands of logins per second across hundreds of compromised machines across the Internet.

Custom login mechanisms work great to thwart this and should only take an experience programmer under an hour to implement.

In short what you do is set a cookie upon a successful user/pass. The cookie is based on something that is secret and also not reversible.

Here is some example pseduo-code:

hash = md5(IP ADDRESS + DATE + HOUR + "secretstring")
if (cookie has hash value) let them in
else if (isGood(user, pass)) set cookie to hash

You will also want to check the previous HOUR and reset the cookie if they cross over an hour boundary.

This technique is extremely simple to implement. 10-20 lines of PHP depending on how fancy you want to be. Each person has a different IP so it is only valid for them. Also, each cookie is only valid for an hour so even if someone did spend hours cracking the password what good would it be because it is already expired. The secret string is what is know as a "salt". This prevents people from being able to recreate the hash even if the algorithm is known because the salt is secret. After all that we md5 the result because you can not easily go from an md5 back to what it was.

I hate to say anything negative about other companies but a lot of their "solutions" are really just snake oil. The above solution is MUCH cheaper and MUCH more effective.

There are ways around captchas now (OCR or captcha farms/sweat shops).

Having a custom form makes it so that the people writing cracking software need to customize their software to your site. The vast majority of crackers are "script kiddies" that don't know how to program. They only use the tools that exist.

i am in the process of setting up my first site i had no idea this was an issue....now that i do once i go live i will make sure to have something in place....thanks for the thread!

Hey TeenCat,
Glad you stopped by to add your 2 cents worth.

Because IP addresses don't change do they :upsidedow

You're better logging the country of origin using GeoIP. Possibly hashing the user agent, although this isn't good either.

Use a captcha, yes there are farms etc. but it costs money to get people to fill them out.

Force password reset via email on 5 failed attempts.

This isn't rocket science and isn't worth $150.

AdultSoftwareSolutions,

I might throw you some work on some projects that are in no way security related,
becuase you do seem to have some clue about programming overall. However, you're
missing basic security 101 stuff.

You do realize, don't you, that trading standard authorization methods for for non-standard
ones has absolutely ZERO effect on password trading and brute forcing, which take place
at AUTHENTICATION time. Your proposed "solution" wouldn't even be invoked until after
it's too late. You do know the difference between authentication and authorization, right?
If not, that's cool, you sound like you know a little something about programming, so maybe
we can throw you some jobs that have nothing to do with security, because you're about
ten years of study away from being qualified to help on a security related project. There's
a reason it's a felony in many states for someone such as yourself to sell that kind of
"security". You probably write some nifty custom scripts, but man you are so far from having
a clue on this it's ridiculous. Please leave the security to the licensed professionals. Our
10,000 hours of research and development over thirteen years is far from snake oil.

If you'd like to learn security, maybe we can work together on some projects. If you worked
with us "full time" for three years then you'd be legally qualified to get your license, after passing
the tests and background check.

Think mafia man - you just pointed out that the last guy who thought it was easy is actually
clueless. But then you think YOU have the easy and secure solution ...
5 failed attempts, you say? Never heard of a proxy list? Seriously there's a reason Strongbox
has over 7,000 lines of code - because all of the 5 minute "solutions" are as worthless as
you showed the IP-cookie to be.

I'm going with Strongbox on my new site. I've used it before and it's bullet-proof. Plus the support is excellent. I'm getting to the point that I need the best to protect my business.

Adult Software Solutions, I'm sorry I jumped all over you.
I was up all night with a "server down" situation where the guys in the DC are
clueless and I'm in a mood. I apologize.

Don't misunderstand me, I can't "take back" what I said - your sig says you do:
You probably do a half decent job of all of those things. You don't have "security"
in that list and there's a reason for that. The problems to be solved are
AUTHENTICATION problems. You suggested a different AUTHORIZATION
method. The two are totally separate things. It's like say "Car won't start?
Just air up the tires". Completely nonsensical, but I I understand - few
software books and classes teach even the very basics of security, so you
would have no reason to have learned these things. If you're curious, the
first couple of chapters of any good security book will explain what those two
things are, authentication and authorization.

Passwordtraders are great!

Password traders don't bother me one bit and have not at all since Proxypass came on the scene.

I have had a few password traders use passwords after reviews were made. I think your right about the traders keeping an eye on review sites.

Indeed, Strongbox has worked for us! Ray everything up within an hour! :thumbsup

What are the chances of guessing the correct password in 5 attempts.

Practically zero amigo. If they have the correct password then that's the customers fault and he should be warned.

7,000 lines for authentication sounds like a lot of bloat.

Banks don't use all this kind of crap, you can detect some proxys (http://proxybl.org/), you can blanket ban most proxy lists, ask for random digits of a password etc.

Not rocket science most websites cope fine.

We've also seen that the very passwords given to review sites are passed around and often posted.
It _looks_ like at least a couple of review sites are basically fronts for password sites.
Using a user name like "tomesreviews-mysite" makes it easy to tell WHICH reviewers have
a password site on the side.

Password trader sites are gold if you know how to milk them

I have one site and use Strongbox. It works well. :)
Piper

Derek Boorgard Death Ruled An Accident
 

Booze and oxycotin

i wouldn't recommend it to anybody but seems like a gentle way to go if you have a painful terminal illness.

I cant afford passwords...

I love strongbox. I found a password posted on a trading site last week and strongbox blocked all the assholes that tried to log in using it.

The weird thing is that they paid money to download a zip file with the username/password. Why don't you just sign up for my site? I don't understand paying for stolen content. Or in this case a stolen password that they couldn't even use because strongbox locked them out:D

fuck everyone in this fucking world :mad:

No comprendo :question

7000 lines of code, I remember that.

Had some good laughs right there.

SOLID AND CHEAP SOLUTION = STRONGBOX

Contact Ali and Ray. They are great ppl.

I use http://www.PhantomFrog.com they kick ass! It blocks and changes passwords as soon as password abuse is detected

I can control how much a customer can download as well

I think you just hit the nail on the head. It could be a coincidence or he is just reading into and seeing the data how he chooses to see it instead of letting it tell its own story.

Most people don't share their paid for password with the world. They get their password cracked. If you allow the customer to create their own username/password and you don't have any kind of throttling for bruteforce attacks, I can get perhaps 20% of your users passwords in about 1 hour...

If you do make the passwords for them, you need to keep your password file secure. That means not using free versions of calendar software, forums, etc... Also your own programmer(s) have to be top notch.

Strongbox!:thumbsup