Nice reading...

Good read, nice information for the non initiated.

look sunshine, you are obviously a smart guy.

and it appears that you spend an inordinate amount of energy stealing from others.

why not use all that brain power and seek gainful employment, your time will be better spent.

bump for more opinions

Well.. I would bet most of the owners don't know how to use mirc. :upsidedow

They care; they just don't care at the same time. I don't care that the PW's are on mirc, I was more worried with how many. Most of the sites listed and myself included have protection software. The only problem is MIRC is a very slow pw leak normally across many accounts. One person requests your site and enters, no protection script stops from that. Now do this across 50+ accounts and it's a huge pw leak that most owners never notice.

I do not spend a great deal of energy stealing from others. I just know how to.

I use my brain power in my profession and I am gainfully employed.

My time is better spent on my own projects and not helping others to a point. I rely on others to stop giving up their password files unencrypted. I rely on others to stop letting the surfer generate a (dictionary) password. I rely on others to put protections in place so that surfers can no longer find free porn so easily.

Rather than mIRC, we can say, the IRC. But IRC chat rooms are only one problem. On large password boards it is common for posters to post as man as 1000 passwords in a day. Let me clarify that. It is common for 1 poster to post that many. 20,000 may get posted altogether on just one board. Add that up with all of the other boards in over 100 languages and you can see that this industry has a HUGE hole in it.

If everyone used a form login, encrypted passwords, server generated passwords and did a little bit of work on their security, the outcome would be that we all make a lot more money. We all would have over 1 Billion dollars to share. If you are a major sponsor you will get a larger piece of the pie.

This should be a seminar at Internext-expo. You all do seminars on some mundane shit. Shit that will gross less than 100 million. This is way bigger.

Now for a lesson.

Google for these phrases,

awstats exploit
phpbb exploit
ikonboard exploit
cpanel exploit
invision qpid exploit
vBulletin Calendar Command Execution Vulnerability

That is enough for now. A large majority of you use this software. Before you go using open source or even paid for software, it is a good idea to google for its exploits before you install it.

bump again for serious discussion....

Thank you HighTimes. Very good information there.

I can tell you that 99.999% of new surfers have no clue WTF a newsgroup or IRC is. I myself have never been to or used neither and I have been on the net since 1999. Most surfers are to stupid use anti-virus and anti-spyware on their computers and are ignorant of the very basic fucntions of their computers.

Follow me,

Google for a site and the word password.

[site] password

You get a list of sites, mostly bullshit trying to sell the site in question. Perhaps you get one site like, http://www.bestpasswords.com/passwords/index2.shtml .

From there you go to, http://www.worldstopsites.com/ and from there to, http://www.passwordforum.com/v3/index.php?showforum=12 .

Posted here are thousands of logins to thousands of websites. You can upgrade to a gold membership where the passwords last longer and are for bigger name sites or harder to crack/hack sites. The owner of the forum has a login ID of imgltd for just about every big sponsor out there. Proudly displaying your banners while giving your passes away enmasse. Comical to say the least.

Notice the same sites are being hit over and over. This is because they all lack form logins, generated passwords or they stored them unencrypted so no one had to crack the form, they just stole the database (probably sold the emails too).

BTW, Think about emails. Would it be advantageous to split the email address at the 8th character and encrypt it? Of course this would stop you from being able to sell the list or use it for targeted mailers but it would also protect it. Or you could encrypt the entire list and use a long key to decrypt it as needed.

Pennywize support passwordboards. Choise another security program

:thumbsup

Pfff... google is so much easier.

"SiteUrl.tld" login password

Usually gives out a shitload of working passes.. oops.

I agree this is a HUGE problem.

:thumbsup to High Times, definately a good read even if you are aware of this.

Thanks to all of you who mentioned Strongbox.
We have thousands of hours of research and development
into making Strongbox THE defense system for your site,
so it's always very good to hear that it's been so helpful
to so many people.


High_Times made a very good point that there are two different
problems to be aware of. Even with Strongbox watching out for
abused passwords, if you hand a cracker youre entire
unencrypted password list then your still going to have a
problem. The cracker will distribute all of your passwords.
Strongbox will dutifully notify you that you have a large number
of cracked passwords out and will suspend those usernames,
but the customers won't be happy.
If you are using an old fashioned .htpasswd file that's only
encrypted with an algorithm called DES which is next to
worthless. If those DES encrypted passwords are based on English
words, which they normally are if you let your users choose
their own passwords, a cracker can decrypt many of those
passwords within seconds. You have to secure your passwords
better than that.

In other words, the first step is to secure your password list so
that a cracker can't easily get the whole list. The second step is
to have Strongbox or another quality security system handle any
passwords that do get compromised. This thread is about to
hit 3 pages, with many posts that may not hold people's
interest and people may well not read all the way to the end,
so I'm going to post a new thread describing exactly how to
solve this other this other problem brought up by High_Times.

great read

High_Times pointed out that many crackers won't mess with
form logins, which slow them down quite a bit compared
to the pop up gray box. That's a very good point and is one
of the main reasons Strongbox uses such a form. In addition,
Strongbox further discourages people from even attemtping
an attack by using a Turing image, where you have to type the
secret word into the form. Strongbox also places a hard limit
on how many attempts it will process in a given time period
so that to go through a dictionary of 20,000 entries
would take the cracker 3 YEARS. I don't think too many
crackers want to wait 3 years to get a password. :)

thats pretty sneaky

Sorry but it isnt helping you...........This server is infested.

100........

too much naming calling in here for me

SHIIIIIIIIIIIIIIIT! I just want to PUNCH YOU IN THE F A C E!

Sponsor programs want s BOOST in sales?

Stop getting hacked! People give away some of your passwords like candy on X-mas!