Do we need a script modification?
3a3
I created this topic because of the recent hacks of some paid2read accounts ..

And I guess that's just because none of the paid e-mail sites encrypt the member passwords.

I just think that it's time to grant some kind of privacy to members and add to your sites some code snippet that encrypts the member passwords. I know that it would be much harder to make the password recovery script .. but in this case members could feel safer than they are now. And it's definitely worth it.
i m gr8
hi
u r rite
we do certainly need script modification so that users get more privacy!!

i have heard that Ian is a person who does script modification?

maybe you can contact him
BonusEmails
AAAARRRr not more changes - I haven't coped with the last one yet! lol

I think you are right tho! - There definitely needs to be a little more security - but randomised passwords are such a hassle so can we avoid those.

Just an encryption that stops webmasters seeing passwords might be OK - but then we lose the ability to find cheaters by their same password.

Well I've talked myself in and out of all the options here I think. Security is definitely a problem tho. I think having different passwords for each company would be the best thing for members to do though. I know I've been round making sure my passwords are different in different companies.
3a3
QUOTE (BonusEmails @ Aug 30 2002, 06:19 PM)
AAAARRRr not more changes - I haven't coped with the last one yet! lol

I think you are right tho! - There definitely needs to be a little more security - but randomised passwords are such a hassle so can we avoid those.

Just an encryption that stops webmasters seeing passwords might be OK - but then we lose the ability to find cheaters by their same password.

Well I've talked myself in and out of all the options here I think. Security is definitely a problem tho. I think having different passwords for each company would be the best thing for members to do though. I know I've been round making sure my passwords are different in different companies.

As for finding cheaters .. encrypted passwords look the same if they are equal ..
BonusEmails
oohh - that'd be OK then. The experience I had with them a couple of years back was them not being in any way identifiable (scripting has probably advanced a million miles since then! lol) - goody
lgwong
The problem of hacked accounts is not that the password is not encrypted. The problem arises either because the password can be easily guessed, like 123456, or because they are using the same password for all programs.

So it is best to use a different randomly generated password for each program.
3a3
QUOTE (lgwong @ Sep 3 2002, 12:44 PM)
The problem of hacked accounts is not that the password is not encrypted. The problem arises either because the password can be easily guessed, like 123456, or because they are using the same password for all programs.

So it is best to use a different randomly generated password for each program.

lol .. most of the members feel safe with the same password .. and most of them do not understand that they can't use the same password for all programs .. (including me .. LOL) .. so as it's not that hard to implement, I would suggest adding that feature ..
YBonline
Here's the problem:

There are two major types of encryption, the type that can be decrypted, and the type that can't. The type that can is OK for being sent through URLs or whatever, but it's worthless if you are storing it in a database using two-way encryption. Newer two-way encryption has multiple ways of being encrypted and encrypts a little key into itself, but it still can be decrypted.

MD5 is the most powerful one-way encryption (encrypts it only, no decrypting is possible other than brute force (guessing all possible passwords)). The problem with that then is just like at this board, if you lose your password, you have to get a new password, and to prevent people from requesting other people's passwords (and getting them changed), you would need a validation email. This email can't assign a new password when clicking it through a link, since then that would most likely leave a security bug (or take up a ridiculous amount of space) so it would include a link to get your new password with a validation key in it. Then on that page you either get your new password, or it gets emailed to you.

When I explain it, it's harder than it is... but the big thing is it makes the forgot your password page much harder to create, and much harder for a user to use. The programs view it as a feature that you can retrieve your current password via email, rather than retrieving a new password via email... Randomly generated passwords are always hard to remember...
Jays-PaidMail
QUOTE (lgwong @ Sep 3 2002, 09:44 AM)
The problem of hacked accounts is not that the password is not encrypted. The problem arises either because the password can be easily guessed, like 123456, or because they are using the same password for all programs.

So it is best to use a different randomly generated password for each program.

Exactly ~ I had several accounts deleted

Cause I was doing exactly that
3a3
QUOTE (YBonline @ Sep 5 2002, 12:51 AM)
Here's the problem:

There are two major types of encryption, the type that can be decrypted, and the type that can't. The type that can is OK for being sent through URLs or whatever, but it's worthless if you are storing it in a database using two-way encryption. Newer two-way encryption has multiple ways of being encrypted and encrypts a little key into itself, but it still can be decrypted.

MD5 is the most powerful one-way encryption (encrypts it only, no decrypting is possible other than brute force (guessing all possible passwords)). The problem with that then is just like at this board, if you lose your password, you have to get a new password, and to prevent people from requesting other people's passwords (and getting them changed), you would need a validation email. This email can't assign a new password when clicking it through a link, since then that would most likely leave a security bug (or take up a ridiculous amount of space) so it would include a link to get your new password with a validation key in it. Then on that page you either get your new password, or it gets emailed to you.

When I explain it, it's harder than it is... but the big thing is it makes the forgot your password page much harder to create, and much harder for a user to use. The programs view it as a feature that you can retrieve your current password via email, rather than retrieving a new password via email... Randomly generated passwords are always hard to remember...

lol .. but I don't see the problem .. if you have forgotten your password .. then you have to get a new one that you can remember ..

and about the problems with password recovery .. don't you think that TasiasPaidLinks are using this kind of system? I guess they are .. and there are no member complaints ..

OK, it's a bit harder to use that .. and I've had some problems with them .. I FEEL SAFE and that's the most important thing ..
YBonline
If the requesting of a new password task is too complicated, people will just email the webmaster to get their old one... the webmaster won't be able to view it... then they will get a new password without using that function.

Try the requesting your password function at this forum, you'll see it's not a simple task to do it... Then try requesting your password at a paid to program (that doesn't encrypt your passwords, that just sends you a copy of them). It's a very simple task. That's the problem, people want the way that is more user friendly, even if they sacrifice security for it, that is true in Windows, and it is true in these paid to programs. This is a result of programs that are being sold (like CAC) competing against the others, and if you make yours harder to use, it means less sales, even if it's more secure.

One more comment on this: "we lose the ability to find cheaters by their same password"
You will still be able to view the MD5 hashes, if they are equal you got yourself someone who is using the same password as someone else...
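The storage-and-recovery scheme YBonline describes in the two posts above (one-way MD5 hashes, a validation key e-mailed for a reset, and the equal-hash check for shared passwords), worked through as an added example that is not code from the thread or from any paid-mail script; the in-memory tables, function names and link shape are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory tables standing in for the paid-mail script's database.
MEMBERS = {}        # username -> {"md5": hex digest of the password}
RESET_TOKENS = {}   # username -> (sha256 hex of the reset token, expiry timestamp)

def md5_hex(password):
    """Unsalted MD5 as the thread proposes: one-way, and equal passwords give equal hashes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def store_member(username, password):
    """Keep only the one-way hash; the plaintext never reaches the table or the webmaster."""
    MEMBERS[username] = {"md5": md5_hex(password)}

def check_login(username, password):
    row = MEMBERS.get(username)
    return row is not None and hmac.compare_digest(row["md5"], md5_hex(password))

def same_password_groups():
    """The 'find cheaters' check from the thread: members whose stored hashes are identical."""
    groups = {}
    for name, row in MEMBERS.items():
        groups.setdefault(row["md5"], []).append(name)
    return {digest: names for digest, names in groups.items() if len(names) > 1}

def issue_reset_token(username, ttl_seconds=3600):
    """Forgot-password step 1: mint the validation key for the e-mailed link.
    Only its hash is stored, so reading the table does not let anyone use it."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode("utf-8")).hexdigest()
    RESET_TOKENS[username] = (digest, time.time() + ttl_seconds)
    return token  # hypothetical link shape: reset.php?user=<name>&key=<token>

def complete_reset(username, token, new_password):
    """Forgot-password step 2: the link is visited; a NEW password is set, the old one is never shown."""
    entry = RESET_TOKENS.get(username)
    if entry is None or time.time() > entry[1]:
        return False
    presented = hashlib.sha256(token.encode("utf-8")).hexdigest()
    if not hmac.compare_digest(entry[0], presented):
        return False
    del RESET_TOKENS[username]  # single use: a leaked or replayed link cannot reset twice
    store_member(username, new_password)
    return True
```

MD5 is kept here only because it is what the thread discusses; a current deployment would use a salted, deliberately slow password hash (bcrypt, scrypt or Argon2), which also means the equal-hash duplicate check above no longer works, since two members with the same password get different digests.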
3a3
QUOTE (YBonline @ Sep 6 2002, 01:08 AM)
If the requesting of a new password task is too complicated, people will just email the webmaster to get their old one... the webmaster won't be able to view it... then they will get a new password without using that function.

lol .. I'm repeating that once again .. look at TasiasPaidLinks .. almost everybody is using them, they have a feature like this ..
YBonline
It doesn't make the users angry but rather the webmasters angry for the lazier ones... If I was scripting a site for myself I would definitely encrypt the passwords in MD5 and have a method as I described below (and in TasiasPaidEmails)
tee
MD5 is a must in password protection...

I've used it myself (not on a GPT site) and I personally think that webmasters prefer to keep their system as safe as possible. And the 'request a new password' routine isn't as complicated as you make it out to be!
Ian
lol... this is a whole lotta talking about something very simple.

The nature of the security isn't really the important question... Most webmasters aren't going to implement it (it costs money and there are more important issues to be addressed) so security is up to members.

The only real solution is for members to use different passwords at different programs.

Unless every site is using one way encrypted passwords, it doesn't change anything. See? And honest webmasters (the only ones that would even consider paying for an additional feature like this) already know they're not going to take advantage of their member data.

It's too bad, life was a lot simpler with only one password... Too many Chinese guys with too much time on their hands. ;-)
matois
With the account deletion problem, how hard would it be to create a double opt-out process much like the sign-up process? If a member wishes to delete an account, then they must click on an email link generated by the request.

M
Ian
That wouldn't be a problem.

In fact email confirmation for email address changes would also solve the stolen accounts problem.

Unfortunately this brings up other issues like members trying to unsubscribe and being unable to because they don't have access to their email account anymore.

The webmaster would then have to handle these cases manually. It would be a small inconvenience, however.

The question is still whether or not webmasters would be interested in implementing a feature like this.