Old 02-04-2006, 01:02 PM   #1
Amysworld
Confirmed User
 
Join Date: Nov 2005
Posts: 1,578
Question about compromised passwords...

Lately I have been seeing a surge in passwords compromised on my site. I use ProxyPass and it does VERY well. Maybe too well.. lol. What I was wondering is if there was anything else I can do. I look at the list of usernames and I know they are legit people (for the most part of the list). Is it normal to have so many passwords compromised? It is a pain in the ass going and changing people's passwords and usernames throughout the week.

Any info on this topic?

Amy
Old 02-07-2006, 10:35 AM   #2
dstaff
Confirmed User
 
Join Date: Oct 2005
Location: Canada
Posts: 198
What comes to my mind is why all of a sudden was there an uprise. What kind of server software are you running to handle the passwords in the first place?

Perhaps a vulnerability scan on your webserver is in order?
__________________
We Do Content Marketing pure and simple.
Old 02-07-2006, 02:31 PM   #3
everestcash
Confirmed User
 
Join Date: Apr 2002
Posts: 2,194
Where does it store passwords? What are the chances the password file/database could get stolen and passwords decrypted? Evaluate those chances and act accordingly.
Old 02-07-2006, 10:39 PM   #4
hakkrdan
Confirmed User
 
Join Date: Nov 2004
Location: Phoenix, AZ
Posts: 223
Hi -

For the sake of simplicity, let's assume Apache as the Webserver, storing passwords in the default .htpasswd file. Let's assume we're using default configuration options, which makes downloading any .ht* files not possible (per Apache - however, other languages such as PHP and ASP can certainly read the files).

What are the chances that passwords in this format are decrypted and potentially used? This completely depends on the timeframe being used. If we're talking tens of years, the chances of this happening are very great. If we're talking about the average lifespan of a member of a site, with the same password - let's say 1 year tops - the chances are very slim. The chances are even more slim that this process repeats in that relatively short amount of time.

One important thing to take note of is how long of a period is left in the membership life. What I've seen is that if passwords are about to expire anyway, they are traded. I think I'd do the same thing if I knew the password was about to expire, and I had a login for site X, and someone wanted to trade me for site Y. Once one gets traded once, it will get traded many, many times. What webmasters see as some sort of surge, isn't much of a surge - it's just more people using the single login.

Take this number into consideration and judge based on that. It might be time to start billing people based on logins. It's what I'll start doing, and there's not much that the trader can do about it.

Remember that it's rare for these passwords to be "cracked" in the traditional sense - rather, they're brute forced. One thing that the billers need to understand is that they cannot continue to allow weak passwords. This makes brute forcing passwords a literal piece of cake. The trade-off for them is that users will like the system. They don't understand that weak passwords can be brute-forced with relative ease. This, naturally, kills sales. But you have to ask yourself, what's more important to you - bandwidth charges because your billing system was inadequate, or exposing your users to a little bit more security by throwing the occasional number and/or odd character into their password?

With the advances in software security and (unfortunately) obscurity, it's increasingly difficult for passwords to be downright cracked. Even using a default install of any modern webserver does a pretty good job at protecting this information. However, think of how cheap hardware is getting now, so a lot of CPU doesn't cost much. It's all a game - it always was, and it always will be.

Just my $0.02

Thanks!
-dant
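The "surge" dant describes above is one login being used by many people at once, and that is visible in the webserver's own access log before anyone complains. The following is an added example (not code from this thread or from any poster) that scans Apache combined-format log lines and flags any authenticated username seen from more than a chosen number of distinct client IPs inside a 24-hour window; the log lines, usernames and addresses are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Apache combined format: ip ident user [time] "request" status bytes ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"[^"]*" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines (RFC 5737 documentation addresses), not real logs.
SAMPLE_LOG = """\
203.0.113.5 - amy123 [07/Feb/2006:10:01:12 -0700] "GET /members/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - amy123 [07/Feb/2006:11:15:03 -0700] "GET /members/a.jpg HTTP/1.1" 200 81920 "-" "Mozilla/4.0"
192.0.2.44 - amy123 [07/Feb/2006:13:40:55 -0700] "GET /members/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.99 - amy123 [07/Feb/2006:19:02:31 -0700] "GET /members/b.jpg HTTP/1.1" 200 77001 "-" "Mozilla/4.0"
203.0.113.8 - bob [07/Feb/2006:09:00:00 -0700] "GET /members/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.9 - bob [08/Feb/2006:10:00:00 -0700] "GET /members/ HTTP/1.1" 401 0 "-" "Mozilla/4.0"
""".splitlines()

def parse_line(line):
    """Return (user, ip, timestamp) for a successful hit by an authenticated user, else None."""
    m = LOG_RE.match(line)
    if not m or m.group("user") == "-" or m.group("status")[0] not in "23":
        return None  # unauthenticated, or 401/403: a failed login is not usage
    return m.group("user"), m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)

def shared_logins(lines, window=timedelta(hours=24), max_ips=3):
    """Return {user: ips} for users seen from more than max_ips distinct
    client addresses within any span of length `window`."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            user, ip, ts = parsed
            hits[user].append((ts, ip))
    flagged = {}
    for user, events in hits.items():
        events.sort()          # time-ordered, so a sliding window works
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:
                start += 1
            ips = {ip for _, ip in events[start:end + 1]}
            if len(ips) > max_ips and len(ips) > len(flagged.get(user, ())):
                flagged[user] = ips   # keep the largest set seen for this user
    return flagged

if __name__ == "__main__":
    for user, ips in shared_logins(SAMPLE_LOG).items():
        print(f"{user}: {len(ips)} client IPs in 24h -> {sorted(ips)}")
```

Tune `max_ips` to what your legitimate members actually do (home, work, mobile), and treat a flagged account as a candidate for a password reset rather than proof of trading on its own.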