Login Changed

[Lee_Owen]

Dig your passwords out.

[graeme]

Quote:

Originally Posted by Lee_Owen Dig your passwords out.

Yes, today we moved to using a SSL encryption for the login process.

We recently (in the last few days) had an isolated case where an Affiliate account was accessed by someone who changed both the account and payment information to themselves. They then requested payment (this was not made). We believe they accessed the account by guessing the password (it was a weak password). There has recently also been a thread elsewhere in this forum about this happening with other network. So we have taken proactive measures starting today.

Now with Paid On Results your Affiliate ID and password are never sent in clear text at any stage of the login process. But what about when we email them to you when you signup, or forget the details - well yes that is plain text, however you can change your password via the interface, and this is over SSL too so if you do have to get it via email then change it straight away after.

Some Affiliate accounts are like banks - containing large sums of money, plus important details such as keywords used to make sales, where sales are made and more - if you gained access to an account to a major affiliate imagine what you could do with that information.

Now we know SSL encryption won't prevent this on its own, but this is one of many things we are working on to improve the security and to protect the integrity of our system. More will be announced within the next few days.

And remember if you use your children's name, pets name or girlfriend/boyfriends name, add a number to the mix as it's these passwords that are the easiest things to break.

Graeme

[Lee_Owen]

I only read a bit of the above but from doing a bit of domaining to help with a learning curve, you could go one step further with your security.

If an affiliate signs up with a certain domain, gets newsletters on that account and then doesn't renew the domain for a reason, new owner gets emails from your site, and is a bit dodgy, he can then simply put the email address into your system and get username and password and he's in, no problem, you need the 'question security' as well or at least something else.

It would be rare but you'd be surprised how many people are signed up to myspace and a few other sites and leave their old domains as the regd email and it continues to get the newsletters, I know as I have several like that, luckily I aint dodgy... much.

Your system is nice and easy to get a reminder username and password from but a little too easy, for me as a user it's good but for the thief even better.

[Supercod]

Hi, we are one step ahead of you on that one, we already thought about this (only not based on the example you give, as lets face it someone can't be too bright if they lost the domain name that is your main one for all the Networks and so on) but it is to do with the whole if you did get access to a username and password theme, as to be honest it is easy enough to key log someone’s machine (folk that can’t renew important domains for example LOL).

Anyway expect to hear more from us shortly. It’s all about enhancing security without making the system a nightmare to access for legitimate users.