I sail 50 pass w0rts AIT

My request for ArikaAmes was just filled... with a working password.

I totally agree with you. If the "know it alls" here at GFY think otherwise or are not hip to what is going on, the poster goes down in flames. End of story. That's sad.

Not once did I hear this guy selling anything. He was just giving us information. Maybe it is good info, maybe it is not, but it's worth looking into. :2 cents:

GFY is da place for wiggaz and cool bitches. I'm just here to meet some honeys.

word. :pimp

That would be because that account can't upgrade. Username already cancelled.

Most sponsors don't think they have a problem. They hope the softare protects them and BW is cheap enough.

I have password sentry and proxy pass

On this board you will always get shit from people even if you are correct.

wow that is alot to read

Interesting thread and read.

strongbox appears to work pretty well.

congratulations on a very long thread filled with bullshit and paranoia.

Strongbox is the shizzle

Paranoia???

How about this, how many program owners want me to post examples of their own passes being given away and how the cracking can be stopped or how the hacker got in?

Then we can see if I am for real or just full of shit.

-ASP1serv:#asp- INFO there are currently 48,901 passes in 3,985 sites in the database.

2 of my paysites were in that forum only freshly posted too. Thanks for the post, I now know that my current protection wasn't up to the task.

Time for strongbox.

HT, your ideas are great in theory and have been passed around here for a very long time. Unfortunately you are not the first one to come around here trying to fix something that many consider - not broken. GFY is a terrible place to give out good info because a lot of people are just here to talk shit.

These problems you have discussed have been a problem since the beginning and will be here in the end. Things change to fast for anything to make a difference. MD5 passwords can be cracked a lot faster then you posted BTW. Rainbow tables, look it up on Google. If you fix a hole, another is posted publically a few months later.

The webmasters all know this and are affected by it, but they are making millions so like I was saying earlier, if it ain't broke, don't fix it.

Daaaaamn, thanks!!!

I'm gonna try it out right now! :Graucho

if you have interesting sites you will always have asswipes trying to do brute force attacks. proxy pass blocks proxies as fast as these fuckers can throw them at your box---like a thousand different proxies in 3 minutes---soon the fucker is out of working proxies.

so maybe someone gets lucky and they get a password once a month, and then post it on a password site.

if you have the right scripts in place, the first time you have "X" number of simulaneous users with same name/pass every subsequent attempt is redirected to your sales page.

this is just not much of a problem anymore---it used to be, but no more.

but the info is valuable nontheless. the more webmasters saavy enough to keep the freeloaders out, the more people will pay for memberships.

security costs a little bit true, but it is money well spent.

Negative. It is damn easy to get 2000 anonymous proxies.

If I set the software to use only 10 bots and it cracks at 18000 per hour, I am going to try to crack about 300 per minute. That means it will take 6 minutes to see that 1st proxy again. If you have proxypass set to block a proxy after 5 tries, it will take 30 minutes to finally block its first proxy.

Now think about this, if you own milffuckedindaass.com, I will use the password file I obtained from assfuckingmilf4homies.com. Both sites have about 1,000 users who have signed up at either site with the same user/pass combo. Currently 150 are still active on milffuckedindaass.com. The combo file from the later site is 8,000 passes long. Every 53rd user is one of the 150 that is active. (8000/150). I am doing 300 tries per minute. I run 1,000 tries in less than 4 minutes are get 18 passwords.

I give the 18 out all month. I crack a session for 4 hours a day because I feel like it. Everyday someone asks me for the site 8 times. In one month those 18 passwords never get used by the same illegit or legit user at the same time. Even if they do, we can have up to 5 using them. Out of the 18 passwords 8 are still working at months end. But I only need 8 to feed the surfers requests for them.

240 people have now viewed your site for free. But BW is cheap.. Yeah, no shit, but getting me to crack your passwords is even cheaper. Out of the 240 about 40 are just people who are to stupid to store them. So 200 are individual surfers that will not be buying your product.

Those are just the surfers for 1 site that I cracked. I also will do the same for about (240minutes / 4 minutes per pass) = 60 surfers/sites that day. I am just one cracker. There are 4 to 20 more in a channel who will crack at other times in the day. I'll average that to 10. That is 600 passwords a day for the channel. 1800 in a month. ( 18000 x $20 = $360,000).

Now take the auto_requests you see going by. Someone asks for a megasite or a site with all access passwords. Those are being filled 2 to 3 times faster. $1,080,000.

And the searches going on with the bots that you don't see. Most surfers use the bots because they are nervous about asking for a site in the channel. Searches happen at the rate of a few thousand in a day. We will say 2000 even though the number is usually around 4000.

Add it all up and it is $88,000 a day. $2,640,000 a month. $31,680,000 a year. And this is just 1 channel. Undernet and many other smaller nets have channels of their own. Most other networks have 2 to 10 channels. And this is just English speaking. There are networks for people speaking many other languages. I will say a small number, 30 other channels.

$950,400,000! This is just lost revenue do to people not signing up. Add to this the cost of customer service, chargebacks, refunds, etc and this problem is costing you a HUGE sum of money.

This is just the IRC BTW. It doesn't include password boards, forums or other forms of trading them.

But I am just a punk, a surfer and a skript kiddie. So you all go on with your lives. I gave you the 3 keys to cutting this problem down to 10% of its current form. People didn't accept the world as being spherical or the Sun as the center of the universe, I don't know why I thought you people would be any different.

I don't get it, this guy addresses a serious issue and he gets flamed for it?

I just checked out that asp channel on IRC and it's filled with passwords to dozens of sites man. I understand that a lot of you are already protected but a lot aren't, so this is a valid issue IMO.

needless to say....High Times is soooooo fuckin' right.....!!

Sure....Security costs...but remember what you loose due to a lack in security!

It's very easy if you accept checks.. takes 30 seconds.

I just wanted to see if he had anything product wise to offer.
Answer = No.

Serious issue yes.

Is there a working solution?
Yes.

With the right knowledge and taking your sites security seriously there is not much to worry about.

get strongbox

Especially if you are correct :1orglaugh

Password leaks are and aren?t that big of a deal. Paysite owners have PW?s posted almost daily. We rely on our protection systems (pennywize, proxypass, strongbox, etc) to protect us. The fact is, even the best software in the world can?t 100% protect you from leaks, brute force attacks, hacks, exploits, etc.. It happens at the billing level, site level, program, and any other little side hole they can. PW webmasters share the information on how to beat pennywize/proxypass, they share backdoor info, they trade lists.

For the most part, PW sites are no worry to the standard program owner. They just don?t care. The people that need to worry about the leaks, don?t have a clue that it?s going on. Normally smaller site owners. Free site owners have to make sure they cover all the backdoors to content too. It?s a huge world that relies on the mistakes that webmasters of all sizes make.

Myself, I monitor my logins. If a member has a user/pass problem I e-mail them before they e-mail me. If I see a pw leak I change the pw and e-mail the member. This is the ONLY way to truly protect your sites.

no it can't, and it will never do, but the best software & security can reduce the attacks to 10% or less of what they are now... i was looking in this channel right now, and i can't believe that nobody of you paysite owners care bout this... come on man....that's all money you loose there... I don't care about this really cause i own no paysite, but i would if i had one....!

I think thats what HT wanted to say....

Very interesting thread. bump

Nice reading...

Good read, nice information for the non initiated.

look sunshine, you are obviously a smart guy.

and it appears that you spend an inordinate amount of energy stealing from others.

why not use all that brain power and seek gainful employment, your time will be better spent.

bump for more opinions

Well.. I would bet most of the owners don't know how to use mirc. :upsidedow

They care; they just don't care at the same time. I don't care that the PW's are on mirc, I was more worried with how many. Most of the sites listed and myself included have protection software. The only problem is MIRC is a very slow pw leak normally across many accounts. One person requests your site and enters, no protection script stops from that. Now do this across 50+ accounts and it's a huge pw leak that most owners never notice.

I do not spend a great deal of energy stealing from others. I just know how to.

I use my brain power in my profession and I am gainfully employed.

My time is better spent on my own projects and not helping others to a point. I rely on others to stop giving up their password files unencrypted. I rely on others to stop letting the surfer generate a (dictionary) password. I rely on others to put protections in place so that surfers can no longer find free porn so easily.

Rather than mIRC, we can say, the IRC. But IRC chat rooms are only one problem. On large password boards it is common for posters to post as man as 1000 passwords in a day. Let me clarify that. It is common for 1 poster to post that many. 20,000 may get posted altogether on just one board. Add that up with all of the other boards in over 100 languages and you can see that this industry has a HUGE hole in it.

If everyone used a form login, encrypted passwords, server generated passwords and did a little bit of work on their security, the outcome would be that we all make a lot more money. We all would have over 1 Billion dollars to share. If you are a major sponsor you will get a larger piece of the pie.

This should be a seminar at Internext-expo. You all do seminars on some mundane shit. Shit that will gross less than 100 million. This is way bigger.

Now for a lesson.

Google for these phrases,

awstats exploit
phpbb exploit
ikonboard exploit
cpanel exploit
invision qpid exploit
vBulletin Calendar Command Execution Vulnerability

That is enough for now. A large majority of you use this software. Before you go using open source or even paid for software, it is a good idea to google for its exploits before you install it.

bump again for serious discussion....

Thank you HighTimes. Very good information there.

I can tell you that 99.999% of new surfers have no clue WTF a newsgroup or IRC is. I myself have never been to or used neither and I have been on the net since 1999. Most surfers are to stupid use anti-virus and anti-spyware on their computers and are ignorant of the very basic fucntions of their computers.

Follow me,

Google for a site and the word password.

[site] password

You get a list of sites, mostly bullshit trying to sell the site in question. Perhaps you get one site like, http://www.bestpasswords.com/passwords/index2.shtml .

From there you go to, http://www.worldstopsites.com/ and from there to, http://www.passwordforum.com/v3/index.php?showforum=12 .

Posted here are thousands of logins to thousands of websites. You can upgrade to a gold membership where the passwords last longer and are for bigger name sites or harder to crack/hack sites. The owner of the forum has a login ID of imgltd for just about every big sponsor out there. Proudly displaying your banners while giving your passes away enmasse. Comical to say the least.

Notice the same sites are being hit over and over. This is because they all lack form logins, generated passwords or they stored them unencrypted so no one had to crack the form, they just stole the database (probably sold the emails too).

BTW, Think about emails. Would it be advantageous to split the email address at the 8th character and encrypt it? Of course this would stop you from being able to sell the list or use it for targeted mailers but it would also protect it. Or you could encrypt the entire list and use a long key to decrypt it as needed.

Pennywize support passwordboards. Choise another security program

:thumbsup

Pfff... google is so much easier.

"SiteUrl.tld" login password

Usually gives out a shitload of working passes.. oops.

I agree this is a HUGE problem.

:thumbsup to High Times, definately a good read even if you are aware of this.

Thanks to all of you who mentioned Strongbox.
We have thousands of hours of research and development
into making Strongbox THE defense system for your site,
so it's always very good to hear that it's been so helpful
to so many people.


High_Times made a very good point that there are two different
problems to be aware of. Even with Strongbox watching out for
abused passwords, if you hand a cracker youre entire
unencrypted password list then your still going to have a
problem. The cracker will distribute all of your passwords.
Strongbox will dutifully notify you that you have a large number
of cracked passwords out and will suspend those usernames,
but the customers won't be happy.
If you are using an old fashioned .htpasswd file that's only
encrypted with an algorithm called DES which is next to
worthless. If those DES encrypted passwords are based on English
words, which they normally are if you let your users choose
their own passwords, a cracker can decrypt many of those
passwords within seconds. You have to secure your passwords
better than that.

In other words, the first step is to secure your password list so
that a cracker can't easily get the whole list. The second step is
to have Strongbox or another quality security system handle any
passwords that do get compromised. This thread is about to
hit 3 pages, with many posts that may not hold people's
interest and people may well not read all the way to the end,
so I'm going to post a new thread describing exactly how to
solve this other this other problem brought up by High_Times.

great read

High_Times pointed out that many crackers won't mess with
form logins, which slow them down quite a bit compared
to the pop up gray box. That's a very good point and is one
of the main reasons Strongbox uses such a form. In addition,
Strongbox further discourages people from even attemtping
an attack by using a Turing image, where you have to type the
secret word into the form. Strongbox also places a hard limit
on how many attempts it will process in a given time period
so that to go through a dictionary of 20,000 entries
would take the cracker 3 YEARS. I don't think too many
crackers want to wait 3 years to get a password. :)

thats pretty sneaky

Sorry but it isnt helping you...........This server is infested.