Starting an Adult Paysite? Step 6.1
Extra information pertaining to passwords:
I came across this interesting blog/forum post regarding an article written in AVN Online Magazine a year ago about hackers and how to best protect you and your paying members from password theft. I’m not going to repost the entire discussion here, but there are some interesting things to take note of here:
How good is your password policy? Are your users required to choose a password at least 8 characters long, consisting of upper case letters and lower case letters and at least one digit and at least one punctuation character? Better yet, do you assign random passwords such as 8p6Emb3A?
If you do not enforce a password policy, I can almost guarantee you that the majority of your users indulge in easy to guess passwords. They’ll use a name, a birthdate, or the word Password just to be cute. If the hackers can find your password file, chances are they can guess most of your users’ passwords! Today’s cracking programs are extremely powerful, and wordlists run to 2 gig or more.
A beginning cracker’s rule of thumb is to crack 50% of the available passwords. And, generally speaking, they can! How will it affect your site if 50% of your paying members get locked out because of password trading activity? Fortunately, the password traders have “ethics” and “rules.” They aren’t supposed to post more than ten or twenty passwords to your site at a time. They go on to explain that otherwise the site owner might notice, and close up the hole!
Your basic password problem is due to normal human nature. Most people will choose passwords that they can easily remember. The trouble is that if you can remember it, a cracker can guess it. The only solution is to require an extremely difficult to guess password. It does not matter whether you assign the password, or whether you allow the new member to make one up. What matters is whether a cracker can guess it within the next year or two.
How and when does the password get chosen when your surfer signs up as a member? Normally they go to the secure join page, take care of their billing info, and choose a username and password. Here’s where your password policy must be enforced! Who controls the policy at that point? Your secure transaction processor!
I cannot emphasize this enough: If your billing company is allowing members to create easy-to-guess passwords, your billing company is responsible for your hacking problem. It really is that simple!
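As a worked illustration of the policy described above (at least 8 characters, upper and lower case, a digit, a punctuation character, and nothing a cracker's wordlist would find), here is a small Python validator together with a generator for assigned random passwords. This is an added example and is not code from the original article or from any billing company; the `WEAK_WORDLIST` is a tiny constructed stand-in for the multi-gigabyte cracking wordlists the article mentions, and the helper names are my own.

```python
import re
import secrets
import string

# Constructed stand-in for a real cracking wordlist: names, birthdates and
# the word "password", i.e. the choices the article says most members make.
WEAK_WORDLIST = {"password", "john", "mary", "19800101", "letmein"}

POLICY_MIN_LENGTH = 8


def check_policy(password: str) -> list[str]:
    """Return a list of policy violations; an empty list means the password passes.

    The rules are the ones the article states: at least 8 characters, upper and
    lower case letters, at least one digit, at least one punctuation character,
    and not a dictionary word dressed up with a digit or symbol on the end.
    """
    problems = []
    if len(password) < POLICY_MIN_LENGTH:
        problems.append(f"shorter than {POLICY_MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation character")

    # Strip digits and punctuation so "Password1!" is still caught as "password":
    # cracking tools apply exactly these mangling rules to their wordlists.
    core = re.sub(r"[\d\W_]+", "", password).lower()
    if password.lower() in WEAK_WORDLIST or core in WEAK_WORDLIST:
        problems.append("based on a dictionary word or common password")
    return problems


def assign_random_password(length: int = POLICY_MIN_LENGTH) -> str:
    """Generate an assigned password from a CSPRNG that satisfies check_policy().

    Rejection sampling keeps every character uniformly random while still
    guaranteeing each required character class appears.
    """
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_policy(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ["john", "Password1!", "8p6Emb3A", "Tr0ub4d&r!"]:
        verdict = check_policy(pw)
        print(f"{pw!r}: {'OK' if not verdict else ', '.join(verdict)}")
    print("assigned:", assign_random_password())
```

Whichever side enforces the rule, the join page or the billing processor's signup form, the check has to run before the username/password pair is written to the members' password file; a policy that is only documented, not enforced at signup, is the situation the article warns about.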
In addition, the writer (obviously anonymous) added a note on the extra security needed to protect the billing script. Most companies will have this covered – but make sure that you’re using a company that protects and encrypts its billing script password as well.
If you visit the “elite” areas of the paysite hackers’ boards, you’ll see that the billing scripts are the most commonly published method of breaking into a server. If you’re having a hacker problem, it’s very likely that a billing company is your problem. The problem could be your billing company; or the problem could be someone else’s billing script on the same server. (This is why you are far more vulnerable on a shared server.)
Earlier in this series I mentioned hosting companies. At a certain point, I do strongly recommend getting your own dedicated server – precisely for this reason.
In closing:
Talk to your billing company. They’re your friend – or should be. They have a stake in your success, and vice versa. You have two key issues to discuss.
* Members Area Password Policy
* Billing Script Security
The difficulty, of course, is that these two areas are extremely sensitive. If your customers discover their password has been lifted, they’ll also assume their credit card information is unsafe. This is quite untrue – but your customers don’t know that! You know that billing information is treated far more carefully than is their paysite username and password. That difference is, in fact, probably the basis of your hacker problem.
Even more difficult is discussing the security of your billing scripts. Every company considers them proprietary. Never mind the fact that you can find indexed copies in Google, complete with master password. Nobody cares to admit to security holes. Especially when the admission carries the implication that credit card information might be no better cared for! We all know the credit cards are safe. We know the problem is that members area passwords are treated with less respect. But your members don’t know that.
The hackers themselves will tell you that if you limit yourself (and anyone else on your server) to difficult passwords and better-secured billing scripts, they will have a difficult time indeed. They may even go broke because they can no longer charge their members for the chance to steal your bandwidth.