Bitcoin Forum

https://claim.mtgox.com

It seems MtGox has really stepped up their password security requirements to the point that I am not able to claim my account now because I've yet to enter a password that passes the security check. I used a randomly generated password consisting of symbols, letters (uppercase and lowercase) and numbers, more than 10 characters in length, and I got this error:

The new password is not secure enough. Security tips include using special characters, make the password longer, etc...

My new password did not need special characters. It was long, however.

I don't know what more I can do.  If I have to write my password down to remember it, it is no good.   I swear I typed a phrase and it wasn't good enough.

I just used a bunch of random numbers Uppers Lowers and symbols.
Take that me!
I'll love typing that crap out.

Just put xxxxxxxxxxx at the end of it?

Maybe I'll just double up on the password, enter the same damn thing twice.

Would be nice if they posted the new password requirements so we wouldn't have to guess.

Remember it is not just length and complexity. If you use real words that is not strong enough. There are about 80k English words in common usage. It would take only seconds for a dictionary attack to check if your PW is one of those words.
I hate long, hard to remember passwords also, but the days of anything less are gone. In the past year or two simple PWs became obsolete. You may have not noticed because no one really wants to break into your facebook account. Now that BTC users have accounts with money in them, the serious criminals are here to show you just how open you are.

Below is an example of a hard to brute force pw. Not very user friendly is it?

Kt#*8t487C9cV;F7C*^8c(*vexlk7dsYry%$C6E5

to generate a solid password, create an .html file and copy/paste this code into it.  This will locally create a random string of 12-17 characters.  Confusing similar letters were removed (eg L 1, I, l, |, 0, o, O, `, ') you can add them if you wish.



I recommend that you:

1) write down the password
2) take photo of the password
3) don't store the password on your computer

I had to use 16 characters to get an acceptable password on mtgox. My bank doesn't even require that level of security.

How the H$(( did you guess my password ???
now I have to change it again

Take a phrase and l33t speak it, and add some numbers that you can remember. myB1RTHDAY15t0day! or whatever.

Well.. since it rejected a password like XC357g1w0sZeV2f1 (example), I'd expect anything resembling an actual word you'd have no chance.

Of course the danger now is everyone sticks their mtgox password on a file on their PC because they can't remember it...

Anyone have any thoughts on Steve Gibson's recent stuff on length vs entropy?  Per his Haystack page:

I claimed.







Just waiting on hackers to release all my proof data to the world now.

To get an idea of how "easy" it is to crack a simple password, you can go to this site:

http://howsecureismypassword.net/

(you obviously don't have to type in your exact password, just something like it ;))

"It would take about 6 trillion years for a desktop PC to crack your password"

(One that mtgox rejected as too simple)

"It would take about 288 duodecillion years for a desktop PC to crack your password"

(One that was accepted)

Clearly MagicalTux thinks bitcoin has a long future!  ;D

Use imagination. Something like /Jdy4%*L$) will suffice.

Perhaps this may help:

http://www.random.org/passwords/

Password generator, select length and how many you need generated, done.
(I'd insert some special characters as well.)

About 717 quattuorvigintillion years.

:o

I love password managers. Every account with a new random 50 char password. :D

Brute forcing is so much more possible now-a-days due to GPUs, but Brute forcing SHOULD also be impossible because any site worth a shit should be locking out after 5 or so failed attempts (personally I think 10 is plenty, it gives you a couple attempts to realize "oh wait I'm typing the wrong password, not typing it wrong, then a couple more to figure out which password you used)

I used a 15 letter PW generated on this website http://strongpasswordgenerator.com/
worked. :)

Bruteforcing won't work that way, just post sending random values till something matches, this is too limited due to traffic. MD5 Hashes have to be leaked first, they get brutefroced and THEN the plain passwords can be used to login :)

The problem obviously wasn't the password length, how about NOT LEAKING my damn hash to begin with.

If I wanted my password to be "123" then let it be, as long as I don't brag about it, the chance of that account gets broken is still fairly low, with limited login attempts and all. And, if my account gets stolen I won't blame gox for it, as I don't have an 500k account anyways.

My guess is that doesn't take the human element into account.  I'll exaggerate to make the point clearer - which one is more secure?:

PasswordPasswordPassword1!
PrXyc.N(n4k77#L!eVdAfp9

The one above has 26 characters, the one below has 23.  If I were a hacker, I would prioritize the first one as part of an algorithm of well-known words/characters (even though it matches the criteria of a secure password) before leaping into the random character abyss.

I could be wrong, though.

If you don't want to use a password manager, write down part of your password but keep a portion of it just in your head.

Oh yea... >.> didn't think about that :/ really guess I should have...

Ahh yeah.. Come at me.

"It would take
About 4 sextillion years
for a desktop PC to crack your password"

I used password generator that came with LastPass an MtGox accepted it with no problem.  According to http://howsecureismypassword.net/  It would take
About 81 octillion years for a desktop PC to crack your password.

Makes sense.

As part of preparation for a new password database leak they wanna ensure that only GPU-farmers will be unhashing stolen passwords. :)

I couldn't claim. Or rather, I'm not sure if I claimed or not. The website timed out processing my request. :(

ok this is stupid i tyed to use a pw that was 15 charterers including symbols upper and lower case and  number and the pos site said The new password is not secure enough. Security tips include using special characters, make the password longer, etc...    does any on know how long it has to be i even tried adding 8 number to the end of  a already long 9 charterers pw and it still carped it out yall guys that have gotten it to take it how long was your pw?

just tried my pw i was going use and  that site said It would take

About 6 trillion years.....

Hey! How'd you guess my password?  :D

Edit: Damn, carbonc beat me to the punch!

Exactly!  I just started using LastPass, and it's great for that.

Glad I didn't need to provide additional proof.
Thanks to all of you who advised on security.

I came... er, claimed.

What are you, 32 or something?

Unfortunately, hacks happen to the biggest and smallest of sites and are never 100% preventable.  Proper security steps are like roadblocks that stand in the way of a hacker and your account

1) Security of the actual database
2) hashing passwords
3) Salting before hashing
4) using a robust hash algo
5) using secure passwords

There is no credible excuse for not using a secure password.  Some of the passwords in that table were just a joke.  I think I found several hundred 6-char or less passwords in 2 seconds.

so, how did you manage to get hundreds of password in 6 seconds?

OH YOU HAD THAT LEAKED HASH LIST!!

Now how long would it take you to get those hundreds of passwords / account combos w/out that list?

Wow, guys  I dont think Id be using an online password generator. 
Call me paranoid, but any generated password could be going into a database somewhere and possibly used later for hack attempts.

It's pretty much impossible without the hashed password list, but you are either missing the point completely or you're being intentionally obtuse.

Every network is hackable.  It's not a matter of if, but of how long it will take and what methods will be employed.

Password hashing and salting wouldn't have been invented if this wasn't the case.  Why do you need to secure the contents of something if you can prevent it from being stolen in the first place?

Secure passwords are another barrier to preventing your account from being compromised.  Have you seen the news recently about various sites/businesses that are being hacked?  

If a multibillion dollar corp (or a multitrillion dollar world superpower government) can be hacked, why should a piddling site trading a made up currency be immune?  

not sure if I've actually claimed my account or not... I got to the page that says they will review my claim, but thats not claimed really. I did have a pretty long secure password. hope that's enough to claim it.

me the same.

@MagicalTux

-> do we get further email if claim was succesfull ????

This means 'general if we get an email-confirmation' about the claim.

This means NOT how long it takes, its clear that its much work.

Website isn't working for me, come on Mt Gox seriously?

You can also use KeePass to store and generate secure passwords.

That's plain appeal to imagination.

A website isn't it's owners amount of currency or the power of a government. To quote a movie, "you are not your khakis".

The security of a website is measured in how well it's implemented, not how many dollars were thrown at the project. In the case of Sony and Mt. Gox it was clearly inadequate.

There are many, many smaller sites that are practically impossible to hack due to excellent security standards and skilled coders who stay up-to-date even on blackhat news.

Slow and not functioning properly. :\

>There are many, many smaller sites that are practically impossible to hack due to excellent security standards and skilled coders who stay up-to-date even on blackhat news.

Site meaning exchanges? Please link some and prove how secure they are.

Just change a couple characters and you're good to go.

Has anyone received verification that their claim was successful?

I'm using KeePassX for everything now. Come at me with my 25 char random passwrods.

The status link they emailed is timing out.  WORKING AS INTENDED.

Sites, as in websites. Not bitcoin exchanges.

is timing out for me also. since 20 minutes and 6 tries
you should have more than 1 server right ? is it being DOSsed ? ?

61,000 claims???  how many weeks is that going to take to wade through!!!

pure insanity this is. 

Give me my USD and let me be on my way as I shake the dust from my boots. 

Hmm.  Sounds a likely possibility.

Protip:

-launch "base64" in Terminal/Konsole
-let your cat walk on keyboard:  564174kl:mml;jbhçiyhvezf"dm;àiht-de"quté
-Ctrl+D to base64 this: NTY0MTc0a2w6bW1sO2piaMOnaXlodmV6ZiJkbTvDoGlodC1kZSJxdXTDqQo=
-pick a piece of the string: 6bW1sO2piaMOn
-add special chars, for fun: 6b!W1/sO+2piaM*%On
-> strong enough to Mt.Gox, proceed claim.

Also, do this when Mt.Gox successfully blocks incoming UDP (DDoS) and TCP (SYN flood).

+1

I don't plan to claim or touch Mt. Gox again.

Haha this is so cool.....I tell you that the problem is basically that all dictionary hacks are based on the english dictionary....really s****d. Just make your password in some other language. I am sure for example there is no dictionary about the complete possibilities say for example of all sanskrit words...forget hackers they would be in deep s**t trying to figure and crack a combo password of sanskrit and some french and some german words. right. I would say the problem is our limitation to english........

cheers

This is F-ing stupid. I've been trying to get past step 2 for over an hour. Keeps timing out because his site is too busy.

Mt.Gox Account recovery service
Step 2/2: Provide proof

MtGox claims lots of things, but seem to have issues with delivering.

I hate those sites that lock you out in 3 to 5 tries.  I have so many passwords I can never remember which one I used, so I have to poke each one in the likely order I used them.  I think they should give you at least ten tries.  Enough for someone who is forgetful like me, but way too few to break a password more complicated than a single digit number.

Site seems to be down. Is this just regular volume or is it being DDoS'ed?

Lucky I already got through the process, just waiting for them to review my info now.

haaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaay

mtgox down http://www.downforeveryoneorjustme.com/mtgox.com

ugh. niether the regular or claim site is working for me...i just want to get back to trading  :-\

calums link says they are down atm

It's trivial to add a foreign language to a password library isn't it?

wrong address dude!

its:    claim.mtgox.com

Yes, very trivial.

http://www.downforeveryoneorjustme.com/claim.mtgox.com   <------fixed ;).....aaaaaaaand still down

there is always a weak link.  Every site/network is hackable.  

their both down

For those who are waiting for their claim to get processed, I have the following point:

I think that even if the first 20% of the claims will get processed reaaaly quick (like in 12 hours) the exchange will stay closed because MtGox will wait for the other - at least - 50-60% of the user DB to get their claims submitted. Reopening trade before the majority of the users is cleared would be just unfair! And of course those users above 20% will have forgotten about Mtgox and wont look into the issue for another week or two.

Keeping this in mind one can say that ETA for Mt.Gox exchange is at least 1 to 2 weeks, or even longer!

So everyone just relax in the mean time... :-)

my password can be cracked in a billion years, but it accepted it as complex enough!
 

talk about Gox being irresponsible!!!  This is an outrage!!! Gox should be held to a higher standard.  They should require passwords with at least 1 trillion years average crack time. 

The claim site is overloaded. I think Mtgox is just going to cash out on this one. Oh wait, they don't even have an exchange to cash out on.

True.

PING claim.mtgox.com (72.52.5.67) 56(84) bytes of data.
64 bytes from unknown.prolexic.com (72.52.5.67): icmp_req=1 ttl=246 time=24.4 ms

httping -g claim.mtgox.com -p 443 -c 3 -s -l
PING claim.mtgox.com:443 (claim.mtgox.com):
error receiving reply from host

prolexic.com ->

Oops, service provider #fail.

I think you're wrong.

Erm, how about the cash?

this=lame

I think the gox team all went to sleep, come back next morning.

I want to withdraw my BTC out of MtGox already.

I've been trying to do this for hours now. I got so far once as to change my password, but then I got disconnected.

Steve Gibson-- Online security guru and new theory on passwords.

https://www.grc.com/haystack.htm

Longer is better...
Larger character set is better...
Entropy doesn't matter as long as not in dictionary.

Well, besides the fact that the side is down: With this tool even my homepage is down, but it surely isn`nt.

It seems there is not a one person out there that has got their claim processed ... or am I wrong on this this?

- not until now

Anyone been processed yet?  I sent a follow-up email.

Not much longer until trading is supposed to resume.

Are these MtGox guys purposefully trying to create a cluserf*ck?

The site has been down for roughly 4 days . . . we know little more now than we did when this whole thing first went down . . . and they are allowing all of one hour between the time they first let us back in and the time they allow trading to resume?

This is going to be an effing circus.

• MyGox has undoubtedly made mistakes in this process . . . and an hour is not enough time to solve them
• Folks undoubtedly will get left out because their account claims have not been approved
  
• I would not be surprised at all if the site crashes . . . if not due to the load of users then certainly to the hacker attack that is most certainly coming
• And they do this just before the weekend?

The Mt. Crooks situation is getting worse and worse. Nobody's been processed, and trading is about to resume - for whom?
I bet they made this all up to steal the money, and are dragging it out until enough people lose hope and give up.
Even if they opened up, there would be a run on them causing another crash, which then would have to be "rolled back", etc etc.
Good thing they are pretty much anonymous. If I were one of them, I'd be afraid to be held liable.

so has anyone actually received the email instruction to sign in today later when MtGox opens?

nope still waiting

Not yet, I'm still waiting and bailing to Bitcoin7 when we finally get access. All we can do is wait...

I still have received nothing except for the e-mail stating that my claim is being reviewed. What is the most effective way to contact the Mt. Gox staff?

Wtf is up with these impossibly long passwords, it wasn't the users that got hacked it was MtGov's woeful internal security practices and now they penalise the users ...?

They may as well just go to keys of some sort, have they even got an inkling ... hint 16 inklings in a clue ... maybe they don't like being in business?

Do something for 3 days and it becomes a habit.

That includes trading at Tradehill or some other exchange.

If I was addicted to Mt. Gox before, the addiction has certainly been "cured" by going cold-turkey for over 4 days -- even if involuntarily.

Don't they realize this?

Account recovery request submitted at 2011-06-22 02:12:21 GMT.
Your account recovery request is pending review by our staff.

SILL PENDING

Given 4 "details" including IPs and ballances.

Oh internets.

Full of idiots like you.

owner-organization: Tibanne Co. Ltd.
owner-name: Mark Karpelès
owner-street: Cerulean Tower 15F
owner-city: Shibuya
owner-state: Tokyo
owner-zip: 168-0082
owner-country: JP
owner-phone: +81.345501529
owner-fax:
owner-email: contact@tibanne.com

and it is also on their website.

They are registered company.

You mean Mtgox != Silk Road != Bitcoin?? That's not what the Guardian told me.

 have heard nothing back from them.
 Seems like a lot of folks got lost in the shuffle?

Now everybody will be using that one :)

http://www.youtube.com/watch?v=RAKsMnAM8vk (http://www.youtube.com/watch?v=RAKsMnAM8vk)

Good thing that domain registration information is 100% reliable! Like everything else on the interweb.