Bitcoin Forum

If you are using MCXnow, be very careful!  RealSolid and his cronies has access to all your password.  This came directly from his mouth in chat. 

So If you have an account there make sure you withdraw those coins soon.  RealSolid has access to every single account's password.

Change your BTCE and other passwords to protect yourself against RealSolid and his crew.

Ask him yourself, this is from his own mouth.  He's not to be trusted.

As much as i think RS is a stuckup, and far too cocky about the security of his exchange. You need to piss off with these threads. Its definitly more secure than half the exchanges around

Lol unsalted passwords. What a fake

 I honestly believe all mxcnow thing was a set up , just a public stun to attract more customers with creating awareness and than fixing it.

It's hard to trust a site that can go into your account and look at your password.  This is irresponsible coding.  He needs to answer for this.  Why are you stealing Account info Real solid??

This coming from a low level coder that can't even keep a simple pool running without stealing people's wallets.

Are you kidding me?  You're such a pantie waste.   This thread should be deleted!

 You need to piss off with these threads. Its definitly more secure than half the exchanges around +1

You are supposed to use a unique password at every site, so what's the problem. RealSolid can't do a things with it.

Ow man what a fucking stupid bullshit

Sites that claim to store the passwords salted and hashed might not, who knows.
Sites that store passwords salted and hashed still might log them on somewhere else to misuse them, who knows.
Sites that store passwords salted and hashed still can take all your money and run.

There is absolutely now added value in this hashing and salting, when people are lax with their login credentials.

Yeah what's the point of stealign user accounts and trying it on other exchanges?

This.

Some of you guys are plain stupid. The only benefit of salting/hashing is that, in the event of a db theft, the passwords cant be read by the thief.

Any info you enter on a site, the admin can ALWAYS see it.

wrong. i cant see any users password on my site. only the hash. However it is possible to change the hash to something else which i got a used to do before i had a working mail system on the old server's

The point is : all other site can do it too. You don't know if they really salt your password.
At least RealSolid is honest with it.

As i said, stick a pool up and try to compete with me. No other pool offer's close to 24/7 support aswell as 0 fees to the majority of dedicated miner's as i have

dude, stop calling yourself an admin.  you are a little baby that code from following instructions you found with google. 

@Alexp -  I hope you have pets that you love ever so dearly.....  and today you watch them get run over by a car!!!

Which is why the web is not a good platform for important applications like financial apps.

Better would be client-side encryption where the server does not ever see your keys, like Open Transactions uses for example.

-MarkM-

yeah you keep believing that. You're just pissed off that you keep getting all of your arguments thrown back at you. Seriously you're a waste of life. Troll a bit harder. Forget RS you couldnt get on my level wasteman

You made me laugh!!! Thanks for that! ;D You think you are safe on BTC-E?!  :P Think again... My friend had about 800 ltc stolen from BTC-E, and he had unique pass & 2FA enabled!

MCX is by far best and safest exchange out there... Is it perfect?! Maybe not, but it is far superior than others...

MCX did 1500 BTC in volume last 24 hours = $200,000... that is just the beginning...
That's maybe 5 times what Ripple is doing after 6 freaking months.

Nobody is gonna fuck with passwords with a $10,000,000+ business on the line, baby.

Have any screenshots of that?

Why in the fuck would you use a non-unique password on any bitcoin site?

do you know how computers work?

Exactly!

I didn't think of it at the time. Go on chat and ask other users, they will remember.
Or request a chat log from RS for security reasons.

"Realsolid: Soandso, what other sites have you used password garbanzobunk on?"
Almost identical words to that, I don't remember their exact password though.

As someone who was there lurking when this happened, I'd like to offer a bit of context (though I have no screenshots).

The question was posed, "What site did the leaked passswords come from?"

The answer from RS was something to the effect of, "We're not sure, so check your security log and it will say something like 'Failed attempt to login using Garb******' " (using your example as I don't recall it verbatim either)

The conversation then went back and forth and it was mentioned multiple times that the passwords being attempted could be seen by the admin and consequently by users logging in (but only the first 4 letters and ****s). The group was making an effort using the passwords to try and determine which site the leaked database may have come from. These were NOT mcxNOW passwords, rather they were the passwords which were tried against mcxNOW.

I agree 110% that having unsalted plain text passwords on ANY site with $$ involved is MORONIC. However, I also agree that if you're dim enough to use a password that's not unique on ANY site with $$ involved you're asking for trouble. I'm not condoning nor defending RS or mcxNOW's site, I just thought for vitriol's sake I'd share. I don't see how its anyone but the user's fault if their passwords are the same; then again the troll box isn't really the best place to ctrl+v any passwords whatsoever.

He posted their full password, with no ******'s.
The ***'s is a recent thing he switched over to today only.
You may have been lurking for a different conversation than the one I refer to.

Other people who were there will remember.

One password was like monkeynuts or something. But I can't remember exactly.

This thread is getting out of hand with the goddamn FUD omg!    And I remember that he said  WTF!!!  "Somebody's password was their username"  he never posted the password. 

You guys are just upset because volume at btce is lacking because of the mcx update!  get the fuck over it!!!

Absolutely false. You are not being truthful. For example, he asked a user whose password was COMPLETELY UNRELATED to their chat username, about their full plaintext password.

Somebody else will verify this.

Cant 100% Verify that

But he admitted to entering the usernames/passwords of users at other sites to attempt to gain access. Whether or not it was to find the leak its a questionable practice

I was there. You were not.

Ask realsolid for a chat log of yesterday.
Or ask somebody who is using the API and possibly has a local log.

oh  mg. thank your message.                               

Zyl - Since your leaving mcxNOW, I'll take your mcxFEE shares!  ;o)

I thought I'd chime in here.

#7 rule of the internet: Use unique passwords for anything remotely important. Especially places where you hold money. If you follow this rule, these claims are irrelevant to you.

Secondly, I'm not even sure if this is correct. As a developer, I have a bit of a conundrum over whether I would do this or not. Generally, I prefer simpler code, and plaintext is as simple as you can get for passwords. While it may put the users at risk if something is compromised, I would rather tell my users that they *must* use a unique password and let them deal with the consequences if they do not.

And off topic, MCXNow is an awesome exchange in my opinion.

Pure lies.  All of it except for the unsalted passwords.  Alex has created several of these threads for some reason.  He uses several socks to bump them.  All of it is complete bullshit.

Last night an unknown site was compromised.  Someone was trying the DB of username/passwords against mcxNOW accounts.  After 1 theft of B was verified the site immediately went into lockdown to prevent other nubs who didn't use unique passwords from losing their money as well.

I remember someone working on something like this for BTC. Something that ran locally in your browser, but interfaced with a remote site. Maybe I'm misremembering about exactly what it did, but I remember thinking it was pretty cool. :P dunno what became of it though.

Don't blame me for reporting the truth.  All the information I post is true.  And I am pointing these things out because I am a reporter in my normal job and this type of thing is something people want to know!  So if it's false then prove it. But out of his own mouth, Realsolid can see each and every one of our passwords.

Stick to the facts.

Then you are a reporter the world does not need. Go find scandals that really are abuses, not things every site admin can do if he chooses so. You are only reporting this with the sole purpose of discrediting RealSolid. Why are you sol jealous>

It's not about jealousy, it's about irresponsibility, and breaking trust with your clients.

RS is an obvious amateur when it comes to security.

This is all about jealousy and envy.
Salting and hashing is absolutely no added security. I said it twice and will repeat this forever, EVERY SITE ADMIN HAS THE ABILITY TO SEE YOUR PASSWORDS.

At least RS is honest about it, and I cannot see how that is breaking trust.

I wished you people use your brain for once instead of saying what others are saying.

wrong, most can only see the hash. they would have to decrypt it to see the password
i use the exchange before but even i can tell you no matter how well it works the non hashing is the single flaw in there

The password is encrypted server side, hence you can see it period.

doesnt make much of a difference where its encrypted. yes its possible to check its before its encrypted. thats nothing to say that the majorityof site admins will. you as a dev should know better than that

Are you joking?? Of course they can see the password, it's the admin (or their software) that does the hashing in the first place.

Admin wanting to have passwords 101.
1) User enters passwords
2) Code on site logs cleartext password to a logfile, then hashes password into the database.

Non hashed passwords in the database only make the database more vulnerable should it be stolen. That's it. It doesn't make RS untrustworthy. Let's just hope his db is unstealable.

I have never said nor have i implied that site admins ARE looking at the passwords. I merely stated that if they WISHED to, they COULD.
This was about trust and that trust is broken by not hashing and salting passwords.

That is utterly bullocks. Hashing is only helping if the DB is stolen and people are so foolish to have only one password for everything.
But even hashed passwords can be guessed and as a dev you should know that. ;)

Also RS' database is apparently encrypted in someway, so a potential thief still does not have access to the password right away.

There is no such thing and if he claims otherwise, than he's just being arrogant. But keeping passwords in cleartext is a real threat. In hosting companies there is a lot of people who have access to servers. It's much secure to make sure they can't just make a copy of your disk and start stealing accounts from stupid users who are too dumb to use diffrent passwords.

Don't get me wrong, I am using myself mcxnow and have no intention in undermining his credibility - just pointing how it works. I've created multiple applications and this kind of thing is Security 101.

I don't see why this is a surprise? Of course a site run by a few individuals with zero regulatory oversight could have access to passwords. In fact I'd hazard that many IT companies who do not have solid information security management systems in place (eg. ISO27001) have the capability for rogue systems administrators and/or developers to capture user passwords. Many even likely have them stored in plain text so that they can easily send out reminder emails and such.

As with all sites, you should use a different, unique password for each one. We provide a free tool for the purpose, here (https://www.memset.com/tools/password-generator/).

Caveat emptor. RS has a somewhat questionable past (https://forum.litecoin.net/index.php/topic,6161.msg47451.html#msg47451) and people should make up their own mind.

Kate.

According to RS the passwords ARE ENCRYPTED, but it is a two encryption not a one way like hashing is.

Here is some basic Internet info for noobs.

Assume the site owners, your ISP, your email provider can read or bypass your passwords as required.

Never use the same password on two different sites.

Assume everything you type is being recorded.

Do no click on email enclosures from people you don't know.



As for MCXnow, the site probably works better than most of the exchanges out there, it has some great features like earning interest on your deposits every 6 hours, and payban which is a real hoot.

Maybe youre saying he can hack Google Authenticator too?  This thread is retarded. 

2 month ago I tryed to recover my mcxnow password. I sent an email to admin and he asked me about the password, or to tell him what letters are in my password.

I suppose that my password was in clear text for him.


just take care...

One should always assume the admin can see what you store. I'm surprised that people are worried about this aspect when in reality the fact that in a large majority of cases they store significant amounts of crypto on the site in a shared wallet. What do you care more about - that he can see your stupid "hunter2" password or that he could, at any time, jank your funds? There has to be a certain level of trust at some point. If you don't trust him or mcxnow, go elsewhere. I hear there are some Russians that are pretty trustworthy with these kinds of things. ;)

All my sites use JS client side to hash the password and send that over. That hash is then salted server side and rehashed to check against the db. No plain text password ever leaves client machine.

Guys, since we are talking about security and passwords on Exchanges,
have there been any breakins at https://bter.com/ ?
Looks like a solid site to me.

You wish.

The crypto world is full of amateurs.

I am tired of these people who are unprofessional and who have no clue about business. I already lost much money with bitcoin-24, this site was made by an amateur, an unprofessional kid, and now he has problems with the justice... I learnt the lesson, I will never send my money on a site like this one without address nor name, even with btc-e, i am not sure that they are very professional.

The crypto world needs rules and professionalism!

Why are you involving yourself at all in crypto if you are that paranoid? Stick with fiat or cash under the bed if you don't trust bankers.

I really don't like scammers and unprofessional people but fortunately, there are also professionals who do their job with competence. They are not numerous but they exist.

The biggest scams come from the most professional looking people.

*head-desk*

As far as I know are the passwords used on Cryptsy hashed, yet I hear numerous stories about people losing coins on Cryptsy. On the other hand I have never heard a single story of people having lost coins on mcxNOW.

I've lost quite a few coins from quite a few currencies to random disappearing transactions on Cryptsy. mcxNOW on the other hand, is paying me interest on all my coins :)