- This topic is empty.
-
AuthorPosts
-
April 3, 2007 at 4:28 pm #732872
Anonymous
InactivePasswords should always, always, always be encrypted. Storing a password in a database “as is” makes it much easier for an evil-doer to hack into someone’s account.
April 3, 2007 at 4:31 pm #732874Anonymous
InactiveAgree.
And user passwords should not be accesible to administrators !
April 3, 2007 at 9:38 pm #732895Anonymous
InactiveThanks for the feedback guys.
The Income Access software has several levels of security built in to control the affiliate manager’s access to information. Our servers are located in a very secure facility and we’ve never had a problem with security.
That said, we understand that this is a concern and we will put the issue to our development staff right away to see what more can be done.
Thanks again.
April 7, 2007 at 3:01 pm #733262Anonymous
Inactiveany news ?
April 10, 2007 at 6:37 pm #733521Anonymous
InactiveHi hostrup,
Following up from Daniel’s post, passwords are not visible to administrators. They are encrypted.
Thanks for your input and comments. Much appreciated.
Best regards,
Sara
April 10, 2007 at 6:57 pm #733525Anonymous
InactiveSorry to say, but what you are writing simply isn’t true.
An affiliate manager at a site using the IA software could easily see my password.Best regard
April 10, 2007 at 9:29 pm #733533Anonymous
InactiveHi hostrup,
Many thanks again for your reply. To confirm, Affiliate Managers at Income Access cannot see your password nor that of any affiliate account in our network.
Furthermore, Income Access affiliate managers have no access to White Label partner programs.
As my colleague Daniel mentioned, we are upgrading the software across the board as a priority and our development team will implement changes to make our software more secure.
Hope this answers your comments and concerns.
Thanks again,
Sara
April 10, 2007 at 9:55 pm #733535Anonymous
InactiveHi.
Just one question.
Howcan it then be that an affiliate manager I am working with can give me my password ?
Best regards
Hostrup
April 11, 2007 at 2:36 am #733552Anonymous
InactiveHi hostrup,
Can you please let me know which merchant you received your password from and when?
As mentioned, we have upgraded the security and I would be more than happy to send you a screen shot of what our affiliate accounts looks like in our admin so you can see for yourself that passwords are not visible.
If you have an affiliate account with us, please send me your username via email or PM and I’ll send you a screenshot of your account.
Many thanks,
Sara
April 11, 2007 at 10:36 pm #733683Anonymous
InactivePm sent to Sara.
After Sara recieved the message, i got a PM from her basically confirming that this is a security flaw, and that the IA team is working to solve the problem.
So until this problem is solved, take care of your accounts and passwords !
April 12, 2007 at 1:41 am #733694Anonymous
InactiveMuch appreciated Hostrup
:hattip:April 12, 2007 at 3:40 am #733704Anonymous
Inactivehostrup wrote:Pm sent to Sara.After Sara recieved the message, i got a PM from her basically confirming that this is a security flaw, and that the IA team is working to solve the problem.
So until this problem is solved, take care of your accounts and passwords !
So publically there is no problem, but in private conversations she admits there is a security flaw? :grunt:
Time to change my password.
April 12, 2007 at 3:12 pm #733764Anonymous
InactiveHi guys,
There was nothing said in private that wasn’t said in public. We have never tried to hide anything from our affiliates, and don’t plan to start now.
There is no security flaw in our system. I informed hostrup of excatly what was said here: Our passwords are NOT displayed in the Income Access network and this security feature was being upgraded across our white label partners.
A screenshot of hostrup’s Income Access account was sent to prove this.
Furthermore, I informed hostrup that once the security upgrades were completed in our white label partners, I would be happy to let him, and everyone know of this. I also reiterated that we, the Income Access affiliate team, had no access to our white lable programs as they are outside of our network. Nothing more was said in private. I am more than happy to post the PM here if you would like, with hostrup’s permission.
This industry is about trust and honour, which I am certain you would concur. Without it, one WILL NOT survive.
Thanks,
Sara
April 12, 2007 at 3:20 pm #733768Anonymous
InactiveGuys.. you are barking up the wrong tree here.
If there is one person in this industry that you can definitely trust, it is Sara. I have been working happily with her for many years now and have come across very few people.. let alone industry peers as reliable and full of integrity as her.
They are upgrading their system.. so let it go. Why is this such an issue when there are so many other issues that go by the wayside?
When a predatory casino says.. we are updating and changing the terms.. everybody jumps up and yells “Great!” – but when Income say they are upgrading their system.. nobody says “Great!” – no – they get attacked further..
Beyond belief.
April 12, 2007 at 4:00 pm #733774Anonymous
InactiveSara is one of the nicest affiliate managers I’ve ever known, and I’ve trusted Income Access for years.
I suspect that quite a few casinos, affiliate programs, and message boards store passwords “as is.” If you forget your password, it can be emailed to you, or (in the case of an online casino), the help desk might tell it to you on the phone after asking you a few security questions.
Ideally, passwords would be encrypted in a way that does not allow them to be seen or un-encrypted. Using “md5” or “sha1” on the password accomplishes this perfectly. Every time the user logs in, the password they type is transformed via md5 or sha1 into the encrypted version, which looks like a series of random letters and numbers. This “hash” is 32 characters long if md5 is used; 40 characters long if sha1 is used.
Only the user knows the password; it isn’t possible to email the password to the user, nor is it possible to tell it to them over the phone. If the user forgets the password, the only solution is to send a “new” randomly generated password to the user’s email address. The script that generates this new password also resets the password in the database, encrypting it with md5 or sha1. Nobody ever knows what the password is — except for the user, when he opens his email. Presumably the user is the only one who has access to the email account….
My point is — Income Access doesn’t deserve to be grilled here any more than PartnerLogic, 400 Affiliates, Casino Rewards, or even CAP (all chosen at random — I have no idea how passwords are stored at any of these sites).
The best thing to do (to protect yourself) is to use a different password for each account.
Income Access should be commended for taking steps to make their program even better than before. :thumbsup:
-
AuthorPosts