but the issue is you (the webmaster) can't manually over-ride the strongbox block, and its very frustrating (and costly) when paying members can't get into the site because they've logged in/out too many times in a day

maybe not a large program, but a VERY popular site with many thousands of members - i think i'm well qualified to speak on this :)

putting a b/w limit on your users HELPS stop ripping, but if you have a pass being shared it also helps stop it

if you have a password being used during the same time frame, from different locations, its OBVIOUS its being shared. a b/w limit isnt needed in that case - a password re-issue & even a temporary "block" is necessary at that time



anyway, we're both agreeing to the same thing, that re-issuing passwords is good

:thumbsup

So your saying random alphanumeric with special charactors is LESS secure then the passwords that strongbox uses for preventing brut force attacks from getting a successfull user/pass....
Maybe its just me, but RANDOM alphanumeric with special charactors is about as secure a password as you can create.
Or are you just talking about that picture that members have to enter, the one that every member hates have to fill in to get into the site?

Seems to me most of the big password sharing sites are forums, I dont know of many forums that alow php tags in posts.
And even then I would be surprised if you got one user a week that would do this and require you to manually dissable his account. That seems a whole lot less work then having to deal with users every single day all the time.

I have only heard of one person using strongbox with zips, and how they got it working is well interesting I guess you would call it. Everyone else says not to even try using strongbox for zips.

"Avoid strongbox like the plague. If you get a big brute force attempt it will crash your server."
From a Server admin...

"All I can say if is that if you use CCBILL and want to sell zip sets you cannot use Strongbox......

Thats why i switched."
From serveral people.


If this stuff isnt true you should make sure people know about it, because it seems people dont.

Clarification about AMS
 

Just to add a little more clarification regarding the
sequence of events and operation of Frog's
AMS for replacing blocked passes automatically
and directly to valid members.

When Frog detects password abuse the password is
changed but NOT emailed. Only when the valid member
returns (could be days or weeks) is the password
emailed --- after the member validates himself.

Both events trigger a notification to webmaster. If a
webmaster sees to much activity, he can take the
appropriate action. Usually a simple, polite email to
the member--along with Frog's proof of abuse copy/pasted
into the email--is sufficient to stop the behavior. The
webmaster almost never has to take further action.

No, what I said was that how the passwords are chosen is just one small part
of keeping them secure. Randomly generated passwords are worthless if they
are posted everywhere. There are other important considerations to making sure
that the bad guys don't get the passwords in the first place. To my knowledge,
none of the other "password trading protection" like systems addresses that
at all, except of course for brute force attacks. They just try to detect
compromised passwords after the fact. If you've ever had your entire
password list posted you know that while detecting it is good, preventing it in
the first place would have been a whole lot better.

jeffrey, you sure do spend a lot of time attacking Strongbox, mostly posting
total BS that's not anything like the truth, which I guess means you've probably
never even seen Strongbox. Do you work for proxypass or did one of us
piss you off in a previous life?