|
I wonder if people who aren't cracked, but are reporting that they have easy-ish passwords are people who had very little in their account. Is there any information about whether our account balances were available?
|
|
|
|
A 5870 can do 3.8 Billion password combinations a second. If you have 3 of them in your system like most miners do, thats 11.4 Billion per second 684 Billion per Minute 41 Trillion per Hour 984 Trillion per day (24 hours) 6.8 Quadrillion per week 210 Quadrillion per Month  I think the days of "passwords" you type with a keyboard are over. Even with those numbers, it would take on average a week to crack a purely random 8-character combination of alphanumeric/special characters. If that number is raised to 10, it's 21 years, according to this spreadsheet calculator. Deepbit could crack a 10 char password every three seconds. |
|
|
|
A random selection of some of the more secure looking passwords: 60x8760b6k328vc3v24kw8y1 Y!m4g6s3j* Ev3rL@NRDX11090821 b1Ackb0x3!1 8W3G7Pds9712++ c65b5DF488 mgq$jc)kw3 w@chtw00rdLanimret! acy7zkprddv2k3iFd& VeryStrongPassword I doubt that these and the many more that are on there 1) got phished and 2)wound up on this particular list at the same time. Well, except for the last guy. Though I do suppose that is an upgrade to using 'password' for a password  I also doubt that all of these were phished. But if they weren't, a network about 1% as large as the bitcoin network must have been pointed at cracking them. |
|
|
|
Wait, what is this? Is this the MtGox database?
Yes |
|
|
|
The fact that a password is in this list doesn't imply that it was cracked. As finack said, the complex passwords were probably stolen by some other means - e.g. phishing - and happened to be reused.
Hmm, so someone who uses the password "7XiBKeJe5ochSqVW" has been phished? I looked that dude up on Facebook. He's an older guy whose activities include singing, sailing, barefoot hiking, etc. No evidence of computer expertise. The complex password was a false sense of security, most likely, and he was phished, in all likelihood. Interesting and creepy... <quietly goes off and changes facebook email> |
|
|
|
The fact that a password is in this list doesn't imply that it was cracked. As finack said, the complex passwords were probably stolen by some other means - e.g. phishing - and happened to be reused.
Hmm, so someone who uses the password "7XiBKeJe5ochSqVW" has been phished? Just because a password is complex doesn't mean the user is not susceptible to phishing, viruses, etc. They could have used the password on an unsecured wireless network - something people do all the time. An extremely complex password can also lead to a false sense of security, inadvertently making people more susceptible to other forms of attack. It's better to use sufficiently complex *different* passwords with every account, than to use the same extremely complex password on all accounts. There are just too many complex ones for that to be the answer. But then again, mine is simple compared to some of these and it isn't on the list. So perhaps you are right. |
|
|
|
By my calculations, a random 9 character password, like this BESys*t3M should take a 5770 about 2/3 of a year to crack. But there it is on the list. How much hashing power did they throw at this?
But they didn't crack all the random 9 character passwords. Mine was only 7 characters total, five lower-case letters then two numbers, and it's not on the list. Paul That seems like an easy crack compared to some of them. That should only take about 8 minutes on a 5770. Maybe less. |
|
|
|
The fact that a password is in this list doesn't imply that it was cracked. As finack said, the complex passwords were probably stolen by some other means - e.g. phishing - and happened to be reused.
Hmm, so someone who uses the password "7XiBKeJe5ochSqVW" has been phished? |
|
|
|
|
By my calculations, a random 9 character password, like this BESys*t3M should take a 5770 about 2/3 of a year to crack. But there it is on the list. How much hashing power did they throw at this?
|
|
|
|
Not cracked on both accounts (made one and forgot I had made it!)
Saweet!
Remember, even if you aren't cracked now, you might be in the future. Don't count on those passwords. |
|
|
|
Some that stick out that should be relatively strong:
j3n0VA$@
Nephi7187$$$
K7mmI8lAsn1o0q
c0urche$ne
7XiBKeJe5ochSqVW
n0k!@N900
yT#g1Srm123
I'm also curious how these were broken assuming these are salted.
Even if they aren't salted, the longest rainbow table I know of is only 10 characters, alphanumeric only. Most of those don't fit. |
|
|
|
Well, that password is done. I was ignorant to think that would suffice.
Numbers are easy. |
|
|
|
|
Hmm, I was not cracked. Some of the cracked passwords look pretty secure. Like
1036 ... ccFy7KpgN
How did that get cracked? Was that one of the unsalted ones?
1938 ... BESys*t3M
This seems like it should be secure, even though it is leetspeak.
1955 ... RYL4McGT
Again, unsalted? How was this cracked?
13434 ... djcnbimil99332k
I think this was is too far down to be unsalted, and it is too long for rainbow tables. Is it following a pattern I don't see?
13449 ... n833bgva
This looks secure enough to me. How are these getting cracked? How much time does it take?
|
|
|
|
We have deactivated already some of these spammers.
That isn't enough. I would like them to be more proactive in making it clear that this will always be the consequence. Make it public policy that any spammers/scammers will have their accounts deactivated. Put it front and center at the page where you get your referral link. Make a thread denouncing the scammers and let everyone know that the penalty is deactivations For some of them we have at least removed the referral IDs of the users who complained they didn't get anything.
This one bothers me the most. People have complained of being scammed and all you have done if remove the referral of the person that complained? If a user has scammed someone, all their referrals should be removed. We even had cases where it was not a scam and some BTCs have been exchanged.
I don't buy this for one second. I have checked the addresses of everyone who has asked to get paid and none of them have been. And furthermore, how would you (bitcoin7) know that? Someone contacted you and said "BTW I did get paid by this referral"? And then you believe this? This sound to me like you are actually trying to give the scammers credibility. Sound really shady to me that you would do that. If you have been scammed please let us know the exact details at info@bitcoin7.com and we will act accordingly and immediately Being reactive isn't enough. Given all the scamming that has happened, I want proactive. Your logic is flawed and I'll not address you again.
Fine, I don't want a response from you. I want action from bitcoin7. |
|
|
|
The IRC channels? That doesn't seem an accurate way at all, I know I've never used them. I know there is a way to look at the number of bitcoin nodes. Which would give you the number of machines running a bitcoin client at this moment. Double or triple that and you would have an order of magnitude guess.
I think you might have the wrong idea of IRC there, basically there exist 100 channels on freenode(?) named something like #bitcoin-(1-99) or something like that; when you start your bitcoin client it joins one of these channels at random and collects a list of initial peers for it connect to - this process is known as Bootstrapping. Once it has this initial list is doesn't necessarily need to talk to IRC again since it can then fetch new peers via its peers and so and and so forth, the slight downside to collecting the stats like this is that you can disable IRC bootstrapping in the bitcoin.conf and either enable a static DNS bootstrap (aka fetch a list of peers from a predetermined address) or simply manually add nodes/connect directly to someone. Edit: To more accurately answer the OP if you wanted to only find a list of addresses that contained at least some currency or have had some kind of transactions in the last x days this could be done by analysis of the block chain, blockexplorer would probably be a good place to start. Oh, ok. I didn't know that. I was wondering if I was missing something since your answer didn't make much sense to me. I see now. |
|
|
|
@ DamienBlack
I want to see you put your foot down firmly. You guys are the main beneficiary of these scam threads, so if you don't make it clear and public policy that anyone who commits these types of scams is going to have their commission privileges 100% revoked, then I consider you responsible for these thread. As long as that is the case I will never consider signing up with you. Which is a shame, because I want to see more exchanges succeed.
That's not fair at all. They can't stop people from doing this! Yes they can pull their commissions but they have to be informed of it and they have just stated that they will investigate all reports. Some guy in the world wants to deceive people and you are going to blame B7 for any thread that arises from here on out? So while they're out to breakfast and having a coffee and some guy at his computer terminal concocts some plan to deceive others the B7 team is responsible?!? How old are you? Perhaps you are feeling a little jaded still since your childhood when you learned that the Easter Bunny and Santa weren't real and now you are hypersensitive to a con....? Tradehill has been very proactive in making it very clear that their policy is to disable commission on any account that scams or spams. This has significantly reduced both because the scammers/spammers have no incentive. They know that if they spam, their commission will be taken away from them. Bitcoin7 has been less clear that scammers and spammers will be treated like they should, and that is why they continue to crop up. In the meantime, bitcoins7s lack of strict enforcement is benefiting them as they continue to get users signing up because of these scams. Bitcoin7 has the responsibility to do everything in its power to discourage scammers. If they don't, then I don't see the difference between them and the scammer, because they are effectively encouraging it. |
|
|
|
I wonder how this could actually work. Would legislation that affects Bitcoin also affect Facebook's game currency or the Linden Dollar?
I can't imagine that they could rush something through like this
Courts don't right legislation, they interpret existing legislation. So either some aspects of Bitcoin fall foul of existing legislation or the courts can't do anything. Who said anything about courts? I think the OP was referring to the legislative branch. |
|
|
|
I wonder how this could actually work. Would legislation that affects Bitcoin also affect Facebook's game currency or the Linden Dollar?
I can't imagine that they could rush something through like this
I think it would be something that involves unregulated money exchanges. That would get to the heart of the difference between bitcoins and game currency. There are lots of places that will sell you some amount of points for cash, but bitcoin is the only place you can turn those "points" back into cash. |
|
|
|
|
The IRC channels? That doesn't seem an accurate way at all, I know I've never used them. I know there is a way to look at the number of bitcoin nodes. Which would give you the number of machines running a bitcoin client at this moment. Double or triple that and you would have an order of magnitude guess.
|
|
|
|
|
Exchanges seems like the easiest target, dealing with all that money. I really doubt we'll see any actual legislation for a few years though. It is possible it gets slipped into some other, unrelated bill sooner then that. But I just don't think bitcoin is really on the radar yet to get real national attention.
|
|
|
|
|
Show Posts
