Printable View
Just trying to find out some info about password protection scripts, specifically, those scripts that kill usernames/passwords that have been accessed by multiple surfers (like what you find on passowrd sharing sites) and wanted some opinions from you folks..
Which scripts do you currently use to stop this happening? Right now im looking at PennyWize and Password Sentry, are there any others i should be aware of?
TIA for any help you can offer.
Regards,
Lee
Greetings:
Oh my gosh!
Pennywize wants $30 - $170 PER MONTH just to maintain a database of your logins and front end it with a stupid little script to view potential sharing violations?
And... Password Sentry is secretly sending data back to their servers, and they're bragging about the fact that the script does it?
I think not......
Hire a programmer to make a database for you, and a simple php front end. These two look like crooks.
We used to use PennyWise over at HCB's when i was there. Worked well, but the fees where a bit much. Seems like the would just sell the you the program and be done with it.
The program is great, but that fee, after a few months, would make me want to just hire a programmer to make something to do it in house.
Heard a lot of good things about Strong Box
I haven't used it so can't say but its an alternative to Pennywise & has some good reviews elsewhere.
hth
Ian
We've found that Strongbox works really good for AVS/AEN sites, but that Pennywize is the best choice for our paysite. We get tons of BruteForce attacks and password sharing and Pennywize shuts them down like clockwork. The reporting is really good and you can really tweak it to do exactly what you want it to.
The $30 per month will handle up to about 1000 members we found. That is for 300 unique logins per day. If a surfer logs in 10 times in a day, that username is only counted once toward the 300. Most site visitors don't visit the site every single day...even on a site updated daily.
Robot Control Pro (can't find the referral link) at Webcomposing.com. One-time charge and handles thousands of brute force hack attacks without a problem.
JustMe, can you give more information on what you said about Password Sentry? I've never heard that before and had used it when I had my paysite running.
We've been using Pennywize for about 6-8 months and it's done a great job for us. My only gripe is the way AOL does their IP address distribution, Pennywize always thinks that AOL users are sharing passwords... but that's a relatively minor problem.
We tried another product called Investment Guard which looked amazing, but the guy who wrote it was completely unable to get it to reliably work on either of two different servers (Redhat 9 and Redhat Enterprise) and when it did work at all, it did weird stuff like block access to some legitimate parts of the site, which he couldn't explain or fix.
We are seriously considering having one of our PHP guru types write something fairly comprehensive for us. If anyone is interested in going in with us, drop a line and we'll kick the idea around and see if it's practial...
i know a few people using proxypass with good success
http://www.proxypass.com/
no, pennywize does NOT want $170 per month. they charge $6 something per week or so.
and they do a lot more than that. i've been very happy with them. they're a good solution if you don't want to host your password and brute force attack protection yourself.
Quote:
Originally posted by JustMe
Greetings:
Oh my gosh!
Pennywize wants $30 - $170 PER MONTH just to maintain a database of your logins and front end it with a stupid little script to view potential sharing violations?
And... Password Sentry is secretly sending data back to their servers, and they're bragging about the fact that the script does it?
I think not......
Hire a programmer to make a database for you, and a simple php front end. These two look like crooks.
Greetings All:
From the pennywize website: Fee - From $29.95/month to $169.95/month. So, ok they aren't charging YOU that much, but they are charging SOME PEOPLE that much.Quote:
Originally posted by basschick
no, pennywize does NOT want $170 per month. they charge $6 something per week or so.
Outsourcing the security of your website is just a very bad idea IMHO. Talk about a single point of failure for 1/2 of the adult industry. Find a way past Pennywize, and you're home free as a password site, etc. Plus, they're in Australia? Talk about unneeded latency.
From the Password Sentry website: "PS uses special tracking algorithm to log usages so that we can track where PS has been installed, and where PS is being used."Quote:
Originally posted by rick
JustMe, can you give more information on what you said about Password Sentry? I've never heard that before and had used it when I had my paysite running.
Special tracking algorithm being secretly installed on my system? Uhm, no thank you. "Special tracking algorithm" is not something that anyone in the security industry would ever expect to see contained in a piece of software that's supposed to manage your security for you.
In short, these companies are typical of ones I've seen so far. They take advantage of the fact that most webmasters in the adult industry are not very technically proficient. So, they come up with cheap pieces of crap services and applications like these, and rape everyone for the privilege of using them.
Now that's a smart way to go. I think you'll find such a solution will be very easy for him to code, and should be very inexpensive for you to have programmed.Quote:
Originally posted by boyfunk
We are seriously considering having one of our PHP guru types write something fairly comprehensive for us.
pennywize charges that month if you have many, many members. it doesn't seem unfair to me -
keep in mind that having your own script - and why write one when you can buy one? - means you use your own resources. if you are a smaller company without a separate server for your scripts, when 150,000 password traders all hit you in one day and then start attempting brute force attacks, your server will be repelling them all. that is going to use a lot of system resources.
Greetings:
I'm sorry, but you're obviously not understanding the technologies involved. Even if you are using pennywize, it is YOUR server blocking the attempts, NOT theirs.Quote:
Originally posted by basschick
when 150,000 password traders all hit you in one day and then start attempting brute force attacks, your server will be repelling them all. that is going to use a lot of system resources.
All the pennywize does, is instruct your server to block the IPs using mod_rewrite. It's YOUR server that's keeping track of each request, YOUR server that's keeping track of bandwidth usage, YOUR server that's keeping track of file accesses, YOUR server that's keeping track of login attempts, and YOUR server that's blocking abusive users.
The only thing that THEIR server does is aggregate the stats that YOUR server feeds it every 1 minute.
Basically, the entire thing could be run off of your own server, the only reason they have their servers involved at all is so that they can rape YOU for a monthly fee, instead of a 1 time buy.
Greetings:
Ok, one thing I hate about message boards. That last message of mine came across mean and nasty sounding after I read it back.
Honestly, no flame intended.
:1ymca: :2ymca: :3ymca: :4ymca: :5ymca:
i didn't take it as a flame...
i think you're going to have to accept that we don't agree ;-)
Ya know, if it's a small company with limited programming skills, use something prebuilt. (e.g. PennyWize and Password Sentry)
If you feel like you can do it, build it or hire someone to build it... See, Was that so hard? :specs:
We use a proprietary script that we had coded to handle this from a two pronged approach, IP and Username.
We block users that use the same username from the same class C range of the IP within 24 hour period, with an adjustable threshold
level of sensitivity. Using the Class C range of the IP allows for multiple dial ins by AOL users or other ISP users that have dynamic IP assignment per dialup.
When it is flagged first, it removes it for one hour, then gives it a second chance. If it happens again after that in a 24 hour period, it blocks it and sends us a notice email.
We then change the password and send out a nice little email to the
registered user.