"Brute force" describes an attack in which many thousands of possible username/password combinations are attempted very quickly. This type of attack will often compromise a site protected with basic username / password pairs. This is particularly true because hackers use lists that include very predictable user names such as admin with thousands of likely passwords. To prevent a brute force attack from succeeding, the traditional advice has been to choose long, difficult to guess (and difficult to remember) user names and passwords such as "8x!O;9&)Mej9g$C". Even if all your subscribers did use such passwords, preventing a compromised password is not enough. Looking over server logs, we've seen that failed attacks are fairly common. Because the attack may or may not compromise any passwords, the site owner often is none the wiser. But you may notice a drop in sales or more customer complaints as your server is significantly overloaded during the course of an attack. One popular adult web host advised us that failed brute force attacks regularly "bring servers to their knees". For that reason, you need to prevent a brute force attack, along with it's effects on your server, from ever occurring. If it does occurr, you need to keep the attacker from using up all of your server resources in the process. the Strongbox security system provides both technology to discourage anyone from even attempting such an attack and a defense against the crippling overload if they attack anyway. To be precise, strongbox uses a 52 bit session ID. If an attacker were to send your server 100 requests per second, they could expect to correctly guess one the Strongbox security system session ID after 1,425,000 years of trying.

Today there are more ways for attackers to share passwords than ever before. Years ago, webmasters only needed to be concerned with password sites. Today, there are old fashioned password sites with links, Yahoo! Groups for sharing passwords, password message boards, sites with sophisticated ActiveX controls to circumvent your protection, and many other methods for password distribution. In today's web environment you need the protection of the Strongbox security system to keep people from stealing your bandwidth by using these passwords. In some cases the Strongbox security system has been able to save webmasters 6 GB per day in bandwidth used by password traders. The average site that doesn't use proper security software like the Strongbox security system seems to be losing about 1 GB per day this way. By eliminating this theft of service, the Strongbox security system will pay for itself the first month you use it.

The Strongbox security system also allows you to link between sites securely. That is, you can have links in the members section of one domain that can securely bring your members to the members section of another domain, which may be on a different server. You guys with AVS sites know how much of a problem referrer spoofing has become, so it's no longer wise to have that kind of setup with just a referrer check.

The Strongbox security system is also designed to allow easy integration of a script to protect against "slurping", or bulk downloading of your whole site. While there have always been software programs that would allow a user with even a short term trial membership to download your whole site, this functionality is now built in to major browsers such as IE. In the worst case, after the thief downloads your whole site with the click of a button they will change the referral links and upload the copy to their own server, effectively stealing your business. I can't imagine the uproar there would be if this happened in the offline world - somebody breaking into a store, stealing all of the merchandise, the display racks, signs, etc. and using it all to open an identical store across the street. Yet, many webmasters allow this to happen to them and don't do anything to prevent it. With the Strongbox security system, you can choose from several techniques for detecting the slurping and then ask the Strongbox security system to kick that user out. If they want to look at the rest of your content next month, they'll have to keep their membership current, rather than having a copy on their hard drive.

This module provides reports of the most active users over any chosen time period, the most active usernames, etc. You can look up any username to see the exact times, dates, and IPs when they logged in to your site. You can also see what the Strongbox security system determined about the attempted logins. If a username or IP range is suspended or disabled you'll be able to see exactly why. This is also helpful with users who claim to have never used your site and ask for a refund. More than once the Strongbox security system webmaster has had a hearty laugh as they emailed a user a complete record of the 22 times the person "used" the site over the last 5 weeks. The users generally apologize and comment on how much they really do like the site. This module also shows any errors that may have occurred, to help in resolving customer complaints. You can see some of what it provides in the Strongbox Screenshots.

Each day, our bettercgi.com spider analyzes all known password sites, retrieving tens of thousands of compromised passwords. As a subscriber to our proactive spider service, your system will be notified immediately when one of your passwords is posted on a password site. The Strongbox security system will then disable that password even before anyone is able to use it to access your site. Just as when anything else of note occurs, our system will also email you to let you know which username was found posted on which password sites. This optional service is only $5 per month.