Membergate Password Management Critical Update

Tips

Web site owners have an obligation to protect their visitor data

Subscribers expect their email, address, phone and card details to be secure, and Membership Site Owners have a duty to protect subscribers' card, address and email data. To make good on that promise, Site Owners need a good password management system, and subscribers must use strong passwords.

That's why we made some fundamental changes at Membergate.

"PlainText Passwords are no longer fit for purpose"

The universal way of password management was to store passwords in a database as "PlainText".

This worked pretty well for all sorts of sites, large and small. It was easy to support and easy for subscribers to use: should a member forget their password, a script could send the password to the email on file. For Membergate sites we used SendPass.

However, subscribers use passwords that are easy to remember and so are easy to hack! They also use the same password over and over. This may be convenient, but it is risky, as hackers are able to intercept emails. If they intercept one email with a password, who knows how many sites they can access with it. Worse still, if they get the password of the site admin, they can download all the passwords stored on file!

Many are still feeling the repercussions of the Sony, Twitter and Ashley Madison hacks, but most don't know that they all had the same root cause: Plain Text Passwords.

Membergate Infinity Password Management: Strong Passwords and Password Reset

We no longer use SendPass at Membergate. We now use Password Reset.

Password Reset


If a subscriber forgets their password, they can request that a reset link be sent to their email address. This means the password they used is never sent and so can't be intercepted. When the reset email is received, they can click on a link to create a new password. This link is 'one time use' only. This also suits people who now use multiple devices to log on to their sites and may forget a password they updated on the move!

The Membergate Password Reset System also means the site team can't see the password on file, so they can't give it out over phone support. This means Membergate site owners can't be exploited by a new hacking trend of 'Fake Calls: Please Reset My Password'. Any temptation for a disgruntled team member is also removed.
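As an added illustration of the reset flow described above (example code, not Membergate's own), the following Python sketch stores only salted password hashes and a hash of each reset token, so neither the password nor a usable token sits in the database, and it marks a token used on first redemption so the emailed link works exactly once. The in-memory tables, the one-hour link lifetime and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed in-memory tables standing in for the site's database (assumption,
# not Membergate's schema). Passwords are kept only as salted PBKDF2 hashes.
USERS = {}          # email -> {"salt": bytes, "pw_hash": bytes}
RESET_TOKENS = {}   # sha256(token) -> {"email": str, "expires": float, "used": bool}
RESET_TTL = 3600    # assumed one-hour link validity; the article only says one-time use


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def set_password(email: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[email] = {"salt": salt, "pw_hash": hash_password(password, salt)}


def check_password(email: str, password: str) -> bool:
    rec = USERS.get(email)
    if rec is None:
        return False
    # Constant-time comparison of the stored hash against the candidate's hash.
    return hmac.compare_digest(rec["pw_hash"], hash_password(password, rec["salt"]))


def issue_reset_token(email: str, now: Optional[float] = None) -> str:
    """Return the random token that goes into the emailed link; only its hash is kept."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = {
        "email": email, "expires": now + RESET_TTL, "used": False}
    return token


def redeem_reset_token(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Set a new password if the token is known, unexpired and unused; then burn it."""
    now = time.time() if now is None else now
    rec = RESET_TOKENS.get(hashlib.sha256(token.encode()).hexdigest())
    if rec is None or rec["used"] or now > rec["expires"]:
        return False
    rec["used"] = True          # one-time use: a second click on the same link fails
    set_password(rec["email"], new_password)
    return True
```

Because the database holds only hashes, neither a leaked table nor a support agent can reveal a subscriber's password or replay a reset link.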

Strong Passwords

To help subscribers protect themselves, Membergate now asks subscribers to use Strong Passwords.


Membergate has always had a countermeasure to Password Guessing Software.

This is where a bot tries to access the site by attempting logins continuously, working its way through variations of passwords. The latest password guessing software is smarter than just guessing at random. Instead it is trained using leaked lists of millions of passwords, so that it tries the most commonly used passwords, or the patterns found in them, first. Password-guessing software can also be used to try to reveal improperly encrypted passwords leaked online, like the 130 million taken from Adobe in 2013!

Membergate allows 3 tries, after which you are 'locked out' for 24 hours.

It is always better to use the Password Reset if you have forgotten your password. It's often quicker, too!

And raising our minimum accepted strength makes subscribers do their part in securing their online data.

If your members are frustrated with the extra steps, please remind them that we are doing all we can to keep them safe.