Home > Features > Password Management Challenges • Bookmark   • Newsletters   • Register Search Options

FEATURE

Password Management Challenges

Password Management Challenges

January 5, 2009
Text size: 
Get XBIZ News
XBIZ Research
Will virtual reality boost the paysite market?
Yes, it will soon
  39.66%
Yes, but in a few years
  36.87%
No
  23.46%
Out of 179 votes. Results based on votes submitted by members of XBIZ.net social network.

" how much impact can an adult site password breach really have? "

Jack Dowland serves as systems administration director for the family of companies whose flagship adult products include TopBucks, PlugInFeeds, WildWestCash, Yappo and Pink Visual. Over the years, Dowland has confronted a wide variety of password management challenges, from the relatively simple task of securing individual adult website members areas to the trickier issue of securing content that also needs to be distributed seamlessly through a third-party website.

XBIZ recently sat down with Dowland to talk about the basics (and sometimes the not-so-basics) of managing password security in a high-volume content distribution environment.

XBIZ: Everybody knows password protection is important, but how much impact can an adult site password breach really have? Is it largely a matter of wanting to prevent spikes in bandwidth, or are there potentially more severe consequences from such a breach?

Dowland: User password breaches can definitely cause an impact in bandwidth, but overall that's a minor concern. There are plenty of programs available that can monitor for these sorts of breaches and shut them down before they become a big concern. One we've used for years with success is ProxyPass.

Another, possibly more serious problem is the impact to customers that have their password breached without their knowledge. There are a lot of customers who insist on using easily guessable passwords, or who leak their password in some other way. It's an inconvenience to those customers to have their account reset with a new password when they just want to use the system. Unfortunately, there's nothing you can do besides reset their password and try to make it as easy as possible for them to get their new password, or to reset it again to a new password that they choose.

XBIZ: Does your company use a proprietary or off-the-shelf solution for password management?

Dowland: It's a completely proprietary system based on a highly distributed database system using custom replication methods. We used to use flat text files, but had problems with file integrity, slow propagation and lack of audit trails. Our new system is highly available, very robust in design using a transaction model, is very fast at propagating passwords to all cluster boxes (less than a second on average) and provides a very easily audited system with a lot of safeguards built in to prevent problems. We've been running on that system for several years now, and tend to forget it's even there because it just works.

XBIZ: Is it harder to secure something like PlugInFeeds, which supplies content to a large number of third-party sites, than it is to maintain password security for a network of your own sites, or is it basically the same kind of challenge?

Dowland: PlugInFeeds is a completely different challenge for security than a traditional paysite. The main problem is that the PlugInFeeds servers have no access to a client's password database. We can't verify if a user is a valid user to them once the user is on our servers. Instead, we use a custom Apache module to allow us to pass around tokens for verification. So the tokens have a given TTL (Time To Live), and they also contain all of the info we need to track where any given user came from, so we know which client to bill for the bandwidth, etc. We rely on those tokens for our front line of security, but we do also offer referrer verification as an extra layer if a customer desires, but at no point do we rely on referrer verification alone.

The main security challenge of PlugInFeeds came when figuring out how to pass our authentication token from the client to the server on each request. We had a few options that we had used before: Cookie, basic auth (http://username:password@domain.com/), or parameters (?token=KDS87...). There were serious shortcomings with all of those methods, though.

The cookie method didn't work with the media players reliably. Certain media players would not pass the cookie that the browser had. So when we embedded the media player in the page, it would request the file without the cookie, and the server would have to reject it. The basic auth method worked with the media players, but it required us to maintain a current list of allowed "tokens" on all of the media servers. This required expensive database connections in the back-end, and was prone to inconsistency in the face of transient errors. We have media servers in several different data centers around the U.S., so it was doubly problematic for those.

The parameters solution was not desirable because then we would have to have server-side scripts process all requests, including simple media requests. It's not very efficient to have file transfers tunneled through a script. It's much better to just let Apache handle that, since that is what it does well.

Instead, we hit on a novel method of putting the token directly in the URI of the request. So our token pretends to be the top-level directory of the site — i.e., http://pluginfeeds.com/_uk_TOKEN123/file.jpg (_uk_ stands for URI Key).

As long as all of the links on a page are relative, the browser happily sends the token with the request. If needed, we can also construct absolute URLs in the page that include the token as well.

This made passing around the token much easier, and it also meant that there didn't have to be any back-end communication between servers. Each media server can verify a token completely locally without having to communicate with any databases, or anything. You can see these tokens whenever you're browsing PlugIn Feeds pages.

There was still one challenge, though, with all of the possible methods, and that was link-sharing. In our solution, the token is in the URL, so it can be easily shared with other people.

The last major piece of our custom Apache module is a mechanism for maintaining the "state" of a token that is cluster-aware. All of the media machines constantly chat with each other in the background, exchanging information about what users they've seen, from where, and who they're blocking. They have a lot of logic built in to come to consensus about how to deal with "naughty" users. Once the system determines that a token has been shared, it will shut it down on all media servers immediately. It also has logic built in to detect shared proxies, however, like the infamous AOL dial-up proxies, so that users on those kinds of systems don't get shut down inadvertently.

Overall it's a system that has worked amazingly well, and is another one that we tend to forget about because it simply works. Since implementation, there has been no breach of this system. It has proven itself to be quite resilient to the undesirables of the Internet.

Implementation of this system was no easy feat, however, and required months and months of development time.

So yes, I would say that securing PlugInFeeds was a challenge many orders of magnitude more difficult than a traditional adult paysite.

XBIZ: It sounds like your company has developed a robust solution to user authentication — thanks for giving us an inside look.


BUSINESS ANALYSIS

Visa Cracks Down on ‘Shell’ Billing Firms

There was a time not so long ago when website operators created billing companies in favorable jurisdictions, whose sole purpose was to bill customers for services provided by the operator and remit the... More »

Retailers Forecast Consumer Trends for 2017

With the New Year barreling down upon us, retailers already are anticipating product categories to grow, and what both vendors and consumers can expect in the coming year. Promotions for 2017 and the release... More »

Sex Toy Manufacturers Offer Predictions for 2017

In 2016, it was evident that the pleasure products sector of the adult industry was thriving when Forbes Magazine quoted CalExotics President Susan Colvin as saying that it now “stands as a $15 billion... More »
XBIZ NEWSLETTERS
Stay informed of the latest industry developments. Get XBIZ newsletters delivered to your inbox. Subscribe today!
Enter email address:

* To manage existing subscriptions click here.






POPULAR PRODUCTS & SERVICES
Submit your press release to
multiple news outlets with 1 click.
Subscribe to RSS news feeds or
add free content to your website.
Access XBIZ news and articles
with your mobile device.
Access the latest issues of the industry's leading trade publications in digital form. View online or download for offline viewing.

UPCOMING EVENTS

Everything To Do With Sex Show

Jan 27 - Jan 29
Halifax, Nova Scotia

The European Summit

Mar 04 - Mar 07
Barcelona-Sitges, Spain

The TEA Show

Mar 05 - Mar 06
Hollywood, CA

Phoenix Forum 2017

Mar 23 - Mar 26
Tempe, Arizona
Everyday thousands of business professionals browse XBIZ's industry directory for quality products and services. Not listed yet? Your company could be losing potential new business. Submit your company today!
Use XBIZ RSS feeds to stay informed of the latest industry developments or as a content syndication tool for your website!