Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: XPiRX on July 02, 2011, 04:04:26 PM



Title: [Warning] People with MtGox
Post by: XPiRX on July 02, 2011, 04:04:26 PM
So today I wake up to my paypal account being used and several hundred dollars in money were being transferred from my bank account. If you all remember MtGox was recently hacked and they required all your email account passwords to be changed as well as the site.  They told us that their passwords were stored in md5 and newer accounts were Salted MD5.  I changed every password I could possibly think of related to my email, making sure they were long and secure. One password I forgot was paypal, and guess what, my account was being used only weeks after MtGox got hacked. I had been using the same password as on MtGox. I quickly changed all my passwords, security questions, phone pin, etc and got it resolved rather quickly with paypal.

My point being with all of this, change your passwords EVERYWHERE! I would also like to point out the fact that I highly doubt MtGox had MD5 or Salted MD5 Encrypted passwords because my password was 14 characters long before (was not a regular word, random letters with 4 numbers). It would have taken an extremely long time to decrypt an md5 hash with that kind of character amount, if not impossible (due to it taking YEARS). I don't think MtGox had any password encryption at all now that this has happened, this is the first and I hope only time someone has gained access to an account of mine anywhere in the 2 decades I've been online.

So please change your passwords everywhere you used the same password and/or email address. Thanks!


Title: Re: [Warning] People with MtGox
Post by: gentakin on July 02, 2011, 04:46:48 PM
The leaked accounts.csv file had a few thousand md5 password hashes, and the rest (total 60k) was md5 with salt.

Unless those have been hashed by the hacker, there's no reason to doubt MtGox had the passwords hashed.


Title: Re: [Warning] People with MtGox
Post by: dinzy on July 02, 2011, 05:01:51 PM
Why would you not change your password on sites involving money after such a hack?   :o


Title: Re: [Warning] People with MtGox
Post by: AtlasONo on July 02, 2011, 05:16:01 PM
Duh


Title: Re: [Warning] People with MtGox
Post by: Bitsky on July 02, 2011, 05:20:54 PM
Why would you not change your password on sites involving money after such a hack?   :o
More interesting, why would one use the same password at different sites? Everybody tells you not to do that, but people still do it. There is nobody to blame but himself.


Title: Re: [Warning] People with MtGox
Post by: vectorvictor on July 02, 2011, 08:58:55 PM

The passwords that have been cracked independently include many that are 14 characters long.

http://forum.bitcoin.org/index.php?topic=24727.msg314393#msg314393

BTW, one list includes:

  XPiRX0@gmail.com rascal101



Title: Re: [Warning] People with MtGox
Post by: fascistmuffin on July 02, 2011, 09:06:11 PM
Pretty sure we said to change passwords weeks ago when that happened. Sorry you missed all 100 of those posts.


Title: Re: [Warning] People with MtGox
Post by: geek-trader on July 02, 2011, 09:07:11 PM
I used to use the same password at most sites.  Sites that had non-financial info, of course.  Then Gawker Media got hacked, and that allowed a hacker into my Facebook page, which had the same email and password.

I learned my lesson that day.  I got Last Pass, and all sites now have a unique and complex password.


Title: Re: [Warning] People with MtGox
Post by: geek-trader on July 02, 2011, 09:09:33 PM
Pretty sure we said to change passwords weeks ago when that happened. Sorry you missed all 100 of those posts.

You win the internets.  ;D

seriously, made me laugh.  Spot on.


Title: Re: [Warning] People with MtGox
Post by: Oldminer on July 02, 2011, 09:09:40 PM
Yea thanks but I already changed my password from password


Title: Re: [Warning] People with MtGox
Post by: Bitsky on July 02, 2011, 10:13:15 PM
XPiRX0@gmail.com rascal101
"was not a regular word, random letters with 4 numbers", huh? Let me introduce you to dictionary-based attacks, you little rascal you.

I learned my lesson that day.  I got Last Pass, and all sites now have a unique and complex password.
http://techcrunch.com/2011/05/05/password-manager-last-pass-possibly-hacked/
Anybody who stores his passwords with a 3rd party online service is in a state of sin.
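The dictionary-based attack Bitsky alludes to, run against hashes of the two forms gentakin describes (plain MD5 for the older accounts, salted MD5 for the rest), as an added example that is not code from the thread or from MtGox. The row layout, the salt placement (prepended to the password), the wordlist and all the sample accounts are assumptions; the page does not describe the real accounts.csv format. rascal101 is the password quoted above, the other passwords are constructed, and the last one is a genuinely random 14-character string of the kind XPiRX believed he had.

```python
"""Dictionary + mangling-rule attack on plain and salted MD5 (added example)."""
import hashlib
import itertools
import math
from typing import Dict, Iterator, List, Tuple


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


# Constructed rows of the shape (email, salt, hex_hash). An empty salt marks a
# plain-MD5 entry; the salt being prepended is an assumption, the thread does
# not say where it went. "rascal101" is from the thread, the rest is made up.
SAMPLE_ROWS: List[Tuple[str, str, str]] = [
    ("user1@example.com", "",         md5_hex("rascal101")),
    ("user2@example.com", "a1b2c3d4", md5_hex("a1b2c3d4" + "Football11")),
    ("user3@example.com", "9f8e7d6c", md5_hex("9f8e7d6c" + "pr3ci0us")),
    # a truly random 14-character password: the rules below never produce it
    ("user4@example.com", "00ff00ff", md5_hex("00ff00ff" + "qK7vLm2xPz9bWn")),
]

WORDLIST = ["password", "rascal", "football", "precious", "bitcoin"]  # constructed
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}


def leet_variants(word: str) -> Iterator[str]:
    """Yield `word` with every subset of its leet-able letters substituted."""
    positions = [i for i, c in enumerate(word) if c in LEET]
    for k in range(len(positions) + 1):
        for subset in itertools.combinations(positions, k):
            chars = list(word)
            for i in subset:
                chars[i] = LEET[chars[i]]
            yield "".join(chars)


def candidates(wordlist: List[str], max_digits: int = 3) -> Iterator[str]:
    """Mangling rules: lower/Capitalised, leet substitution, 0..max_digits appended."""
    suffixes = [""]
    for n in range(1, max_digits + 1):
        suffixes += ["".join(d) for d in itertools.product("0123456789", repeat=n)]
    for word in wordlist:
        for base in (word.lower(), word.capitalize()):
            for variant in leet_variants(base):
                for suffix in suffixes:
                    yield variant + suffix


def candidate_bits(wordlist: List[str], max_digits: int = 3) -> float:
    """log2 of the total number of guesses the rules above generate."""
    return math.log2(sum(1 for _ in candidates(wordlist, max_digits)))


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """log2 of the number of truly random strings of this length."""
    return length * math.log2(alphabet_size)


def crack(rows, wordlist, max_digits: int = 3) -> Dict[str, str]:
    """Return {email: password} for every row the rules recover.

    Unsalted hashes share one lookup table, so each guess costs a single MD5
    no matter how many accounts are in the dump. Salted rows must be re-hashed
    per salt: the salt kills shared work and precomputed tables, but a
    dictionary password still falls after a hundred thousand or so guesses.
    """
    unsalted = {h: email for email, salt, h in rows if not salt}
    salted = [(email, salt, h) for email, salt, h in rows if salt]
    found: Dict[str, str] = {}
    for cand in candidates(wordlist, max_digits):
        h = md5_hex(cand)
        if h in unsalted:
            found[unsalted[h]] = cand
        for email, salt, target in salted:
            if email not in found and md5_hex(salt + cand) == target:
                found[email] = cand
    return found


if __name__ == "__main__":
    for email, pw in crack(SAMPLE_ROWS, WORDLIST).items():
        print(f"{email}: {pw}")
    print(f"rules generate about 2^{candidate_bits(WORDLIST):.1f} guesses")
    print(f"random 14 chars over [A-Za-z0-9]: 2^{keyspace_bits(62, 14):.1f} possibilities")
```

With these rules the three word-based passwords are recovered, salted or not, from roughly 2^17 guesses, while the random 14-character password sits in a 2^83 keyspace the rules never touch. That is the gap between "14 characters" and "14 random characters": the salt changes nothing about it, it only stops one table from serving every account.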


Title: Re: [Warning] People with MtGox
Post by: BitcoinPorn on July 02, 2011, 10:15:57 PM
XPiRX0@gmail.com rascal101
"was not a regular word, random letters with 4 numbers", huh? Let me introduce you to dictionary-based attacks, you little rascal you.
http://28.media.tumblr.com/tumblr_lmn1kywLk81qii6tmo1_500.gif
rascalwned


Title: Re: [Warning] People with MtGox
Post by: geek-trader on July 02, 2011, 10:16:45 PM
http://techcrunch.com/2011/05/05/password-manager-last-pass-possibly-hacked/
Anybody who stores his passwords with a 3rd party online service is in a state of sin.

But it turns out the "possibly" became "not".

The alternative is to write them down in a little book that you always carry with you.  Or have the same password everywhere.

Whatever solution you use, it's going to be bad.  Unless you have super memory, which I do not.


Title: Re: [Warning] People with MtGox
Post by: fascistmuffin on July 02, 2011, 10:21:54 PM
http://techcrunch.com/2011/05/05/password-manager-last-pass-possibly-hacked/
Anybody who stores his passwords with a 3rd party online service is in a state of sin.

But it turns out the "possibly" became "not".

The alternative is to write them down in a little book that you always carry with you.  Or have the same password everywhere.

Whatever solution you use, it's going to be bad.  Unless you have super memory, which I do not.

Reminds me of a friend I have who has great memory. All his passwords are ~20 characters long, and involve numbers, letters (upper & lower). He picks a phrase and then implements it like: first letter, number, last letter, number, ... . He makes a new password for every site. Amazing that he hasn't forgotten any.


Title: Re: [Warning] People with MtGox
Post by: Tasty Champa on July 03, 2011, 12:55:57 AM
password changed from "password" to "passwerrrrrrd".


Title: Re: [Warning] People with MtGox
Post by: Jack of Diamonds on July 03, 2011, 02:12:03 AM
password changed from "password" to "passwerrrrrrd".

There are ways to brute-force all combinations with repeats up to 16 letters relatively fast.
So if your pass is something like "paaaaaaaaaaaasword" or "passwwwwwword", it's not safer just because you entered a bunch of letters.
Repeating the same word twice or multiple times is also one of the easiest ways to get your pass cracked as well (footballfootballfootball is not a safe pass)

What you need to do is use completely unique, alternating-case letters and numbers & special characters each occurring no more than once.

Example of a safe 25 char. password would be 4gD_7´%jU1Q#}!5Lv=¤*h^8~¨

About 20 to 30 characters should be safe forever, the harder it is to remember the better. Don't use sequential symbols, numbers or characters.

Don't use words in a standard dictionary of any language no matter how cleverly disguised with stretched vowels or 1337-speak replacement of letters with numbers.


Title: Re: [Warning] People with MtGox
Post by: phillipsjk on July 03, 2011, 02:21:58 AM
What you need to do is use completely unique, alternating-case letters and numbers & special characters each occurring no more than once.

Repeats can happen in a secure, randomly generated password. For many passphrases, I have started using 32 random hex digits (128 bits of entropy). With only 16 symbols, each symbol is repeated, on average, twice. I did that calculation after noticing that one of my passphrases was actually missing one of those 16 symbols.

Example of a safe 25 char. password would be 4gD_7´%jU1Q#}!5Lv=¤*h^8~¨

That password is no longer secure because it has been published and may now be in a password-cracking dictionary.
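The arithmetic behind the last two posts, as an added example that is not code from the thread: Jack of Diamonds's "each symbol no more than once" rule, the cost of stretching a letter ("passwerrrrrrd"), and phillipsjk's observation that a random 32-hex-digit passphrase tends to be missing some of the 16 symbols. The 94-symbol printable alphabet and the one-letter stretch model are assumptions of this example.

```python
"""Keyspace arithmetic for the password advice above (added example)."""
import math
import secrets
import string

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
HEX = string.hexdigits[:16]                                            # 0-9a-f


def bits_with_repeats(alphabet: int, length: int) -> float:
    """log2(N^L): positions independent, repeats allowed (a truly random password)."""
    return length * math.log2(alphabet)


def bits_without_repeats(alphabet: int, length: int) -> float:
    """log2(N!/(N-L)!): every symbol used at most once, as advised above.

    Always smaller than bits_with_repeats: forbidding repeats removes
    candidates from the keyspace instead of adding any.
    """
    if length > alphabet:
        raise ValueError("cannot avoid repeats when length exceeds the alphabet")
    return sum(math.log2(alphabet - i) for i in range(length))


def stretched_variants(word: str, max_len: int) -> int:
    """Guesses needed to cover `word` with one letter stretched ("passwoooord")
    up to max_len characters: one per (position, extra length) pair."""
    extra = max_len - len(word)
    return len(word) * extra if extra > 0 else 0


def expected_missing_symbols(alphabet: int, length: int) -> float:
    """Expected number of symbols that never appear in a uniformly random string."""
    return alphabet * (1 - 1 / alphabet) ** length


def prob_all_symbols_present(alphabet: int, length: int) -> float:
    """Inclusion-exclusion: probability that a random string uses every symbol."""
    return sum(
        (-1) ** k * math.comb(alphabet, k) * ((alphabet - k) / alphabet) ** length
        for k in range(alphabet + 1)
    )


def random_hex_passphrase(n_digits: int = 32) -> str:
    """128-bit passphrase as 32 hex digits from the OS CSPRNG (secrets, not random)."""
    return secrets.token_hex(n_digits // 2)


def missing_symbols(passphrase: str) -> set:
    """Hex digits that never occur in the passphrase; usually a non-empty set."""
    return set(HEX) - set(passphrase.lower())


if __name__ == "__main__":
    n = len(PRINTABLE)
    print(f"25 random printable chars, repeats allowed:  {bits_with_repeats(n, 25):.1f} bits")
    print(f"25 printable chars, no symbol repeated:      {bits_without_repeats(n, 25):.1f} bits")
    print(f"guesses to cover 'password' stretched to 16: {stretched_variants('password', 16)}")
    print(f"32 hex digits: {bits_with_repeats(16, 32):.0f} bits, "
          f"{expected_missing_symbols(16, 32):.2f} symbols missing on average, "
          f"all 16 present with probability {prob_all_symbols_present(16, 32):.3f}")
    pp = random_hex_passphrase()
    print(f"sample passphrase {pp}: missing {sorted(missing_symbols(pp)) or 'nothing'}")
```

Two things fall out of the numbers. A 25-character password with no repeated symbol carries about five bits less than one drawn with repeats allowed, so the "each symbol at most once" rule weakens rather than strengthens a random password. And a 32-hex-digit passphrase is missing at least one of the 16 symbols more than nine times out of ten, which is exactly what phillipsjk noticed; a missing or doubled symbol is a sign the generator is uniform, not that something went wrong.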


Title: Re: [Warning] People with MtGox
Post by: Jack of Diamonds on July 03, 2011, 02:47:47 AM
That was just an example I made up on the spot. I hope nobody is dumb enough to actually use something that can be found with Google.

You can construct a similar pass with any combination of symbols.