2004-06-28, 02:07 PM | #1 |
Internet! Is that thing still around?
Password Sitez
I have a question about handling password theft when a username winds up on a password site. I already know about having a script detect this and suspend the username.
Is this grounds for cancelling the user completely, or should I just give a warning? How many warnings before I cancel the guy? Can the user come back and say he never gave his password out in the first place and then he wants a refund because I cancelled him before his 30 days are up? Any comments on how you guys handle this would be appreciated. Thanks! Markus K AMJ
2004-06-28, 03:46 PM | #2 |
Bonged
Join Date: Mar 2003
Location: BrisVegas, AUSTRALIA
Posts: 4,882
markus79,
You do need to do some investigation, and make sure the subscriber's password wasn't "leaked" through a brute force attack or similar. I usually contact them and issue a new password. If that new password appears on the PW sites, then I would cancel the prick and lock him out. Your site should have a warning somewhere inside your site saying that you take password swapping very seriously, and that members will be cancelled. That usually will keep them under control. DD
__________________
Old Dollars >>>> Now with over 90 Hosted Free Sites <<<< DangerDave.com.au - Adult Links to Free Porn
2004-06-28, 04:20 PM | #3 |
If something goes wrong at the plant, blame the guy who can't speak English
Checking PW sites a lot, I know that it is more often that a password has been discovered by a brute force attack and then leaked by the cracker for others to use, than the legitimate owner sharing it.
Those sharing their passwords do it mostly on a trade basis, exchanging it with a few other persons. If you don't have a program protecting your members area from brute force attacks, you should give the user the benefit of the doubt in the first place and issue a new user name/password. And as Dave says, if the user name appears to be shared again, then lock him out. The user can always claim he didn't share it, but better risk he gets a refund than having a user sharing his password all the time?
2004-06-28, 04:33 PM | #4 |
Subversive filth of the hedonistic decadent West
Join Date: Mar 2003
Location: Southeast Florida
Posts: 27,936
Problems like this went to zero after Strongbox was installed. So far Angel has just been sending them a new password with a note asking them to be more careful. I'm not sure but it looks like Strongbox just suspends some accounts for a bit because we are not seeing many e-mails complaining that they can't get in.
2004-06-28, 07:03 PM | #5 |
The only guys who wear Hawaiian shirts are gay guys and big fat party animals
Cleo is correct, Strongbox will first suspend the username for a while - from a few minutes to a few hours - and email the webmaster. Many webmasters will then change the user's password. If the abuse continues then Strongbox will disable the username permanently. It kind of depends, I think. If you recently had a dictionary attack that you think may have been successful, that would be different than if you had Strongbox and knew that a dictionary attack was not possible. Also, if the user just joined and their password immediately showed up on the password sites, that would be different than if they had been a member for years and you never had a problem with them.
2004-06-29, 09:01 PM | #6 |
Heh Heh Heh! Lisa! Vampires are make believe, just like elves and gremlins and eskimos!
I don't know how this Strongbox works, but I saw recently a new script which, when there's any suspect access, will block the username until you change your username and password, and to do that you need to provide the last 4 digits of your credit card. I thought it was a good solution since it's not always the customer's fault.
Maybe it's this Strongbox? I searched for its name on the error page but couldn't find ANYTHING related to it... I can just say it was being used on one of these sites: http://www.dhdrevex.com/
2004-06-30, 04:16 AM | #7 |
If something goes wrong at the plant, blame the guy who can't speak English
Different scripts/programs work differently. The main idea is to suspend/block an account as soon as you detect it has been shared.
PassGuardian suspends the account first for a few hours and warns the user, then it blocks the account for 24 hours, and if it keeps getting accessed by different users it simply blocks it for 7 days/indefinitely. Not like P....... that re-enables blocked accounts after 24 hours. That's just a joke. We haven't had any legitimate users complaining about a blocked account, simply because PassGuardian bounces every dictionary attack and the users that have shared their password know they did wrong and don't dare complain. I doubt though, xfalmp, that it's the script that requires the 4 digits. This is probably the webmaster that has access to the customers' payment info and does a manual check and issues a new username/password.
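The escalation both posts above describe (suspend for a few hours and warn, then 24 hours, then 7 days or indefinitely, while ignoring logins that hit a locked account) is easy to model. The following is an added example written for this thread; it is not code from Strongbox, PassGuardian or any other product. The detection rule (five distinct source IPs for one username inside an hour), the ladder of durations, the log format and the sample log lines are all assumptions constructed for the illustration.

```python
"""Shared-credential detection with an escalating suspension ladder.

Hypothetical example: the rule, the ladder and the log format are assumptions
modelled on the behaviour described in the thread, not any real product's logic.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Sharing rule: this many distinct source IPs for one username inside WINDOW.
THRESHOLD_IPS = 5
WINDOW = timedelta(hours=1)

# Escalation ladder indexed by strike number; None means an indefinite lock.
ESCALATION = [timedelta(hours=3), timedelta(hours=24), timedelta(days=7), None]

# Constructed members-area access log (not real traffic):
# "ISO-timestamp username source-ip". alice's password is shared twice;
# bob only logs in from two addresses (home and work).
SAMPLE_LOG = [
    "2004-06-28T12:00:00 alice 198.51.100.1",
    "2004-06-28T12:05:00 alice 198.51.100.2",
    "2004-06-28T12:10:00 alice 198.51.100.3",
    "2004-06-28T12:15:00 alice 198.51.100.4",
    "2004-06-28T12:20:00 alice 198.51.100.5",   # 5th IP in an hour: strike 1
    "2004-06-28T13:00:00 alice 198.51.100.6",   # while suspended: ignored
    "2004-06-28T16:00:00 alice 198.51.100.7",
    "2004-06-28T16:01:00 alice 198.51.100.8",
    "2004-06-28T16:02:00 alice 198.51.100.9",
    "2004-06-28T16:03:00 alice 198.51.100.10",
    "2004-06-28T16:04:00 alice 198.51.100.11",  # shared again: strike 2
    "2004-06-28T12:00:00 bob 203.0.113.10",
    "2004-06-28T18:00:00 bob 203.0.113.11",
    "2004-06-28T19:00:00 bob 203.0.113.10",
]


def parse_line(line):
    """Parse 'ISO-timestamp username source-ip' into (datetime, user, ip)."""
    ts, user, ip = line.split()
    return datetime.fromisoformat(ts), user, ip


def suspension_for(strike):
    """Duration for a 0-based strike number; the ladder saturates at indefinite."""
    return ESCALATION[min(strike, len(ESCALATION) - 1)]


def evaluate(log_lines, threshold=THRESHOLD_IPS, window=WINDOW):
    """Return {user: [(incident_time, suspension_duration_or_None), ...]}.

    Logins that arrive while the account is suspended are skipped (they would
    be refused), and each detection clears the sliding window so one burst of
    sharing yields one strike rather than one per extra login.
    """
    by_user = defaultdict(list)
    for line in log_lines:
        ts, user, ip = parse_line(line)
        by_user[user].append((ts, ip))

    report = {}
    for user, events in by_user.items():
        events.sort()
        recent = []                 # (ts, ip) pairs inside the sliding window
        suspended_until = None
        strikes = 0
        for ts, ip in events:
            if suspended_until is not None and ts < suspended_until:
                continue            # account is locked; login would fail anyway
            recent = [(t, i) for t, i in recent if ts - t <= window]
            recent.append((ts, ip))
            if len({i for _, i in recent}) >= threshold:
                duration = suspension_for(strikes)
                report.setdefault(user, []).append((ts, duration))
                suspended_until = datetime.max if duration is None else ts + duration
                strikes += 1
                recent = []         # one burst, one strike
    return report


def summarize(log_lines):
    """Flatten evaluate() into (user, iso_time, '3h' | '24h' | 'indefinite') rows."""
    rows = []
    for user, actions in sorted(evaluate(log_lines).items()):
        for when, dur in actions:
            label = "indefinite" if dur is None else f"{int(dur.total_seconds() // 3600)}h"
            rows.append((user, when.isoformat(), label))
    return rows


if __name__ == "__main__":
    for user, when, label in summarize(SAMPLE_LOG):
        print(f"{when} suspend {user} for {label}")
```

The skip-while-suspended check is what separates this from a naive counter: without it, every login attempted against a locked account would be counted as further "sharing" and walk the user straight to the indefinite lock. A real deployment would also feed the first strike into the "change the password and warn the member" step the thread recommends, so a brute-forced password is replaced before the member is treated as a sharer.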
2004-06-30, 10:24 AM | #8 |
Heh Heh Heh! Lisa! Vampires are make believe, just like elves and gremlins and eskimos!
Quote:
Now that we’ve got all that out of the way, go ahead and use the tool above to update your Username and Password. We’d like to get you back on to the site before you miss anything. :-)
I'm not sure if it's something instant.