Bitcoin Forum
  Show Posts
81  Economy / Gambling / Re: PRIMEDICE COMPROMISED on: January 04, 2017, 05:58:55 PM
Ryan, seriously ? you are asking me to share my password here ?

I mean, is the question really about how strong my password is ? Shouldn't the question be, why did they let me choose a weak password if at all I chose a weak password ?

Sure, why not? My password was yMrND9DpHD9T (but I just changed it). Your account has already been hacked, so it presumedly doesn't even have money in it. I don't see the harm in sharing a password as unique and strong as you claim

I can tell you that my password is stronger than yours with more than alphanumeric.


That's simply untrue, I can google the password you supplied me and get plenty of results of it being used as a mysql password. Note when you google "yMrND9DpHD9T" you get no results. If you want a full refund feel free to post it here (after changing it on primedice) and close this discussion. I also have strong doubts you only used it on primedice which is why I imagine you are hesitant.  

You took 4 days to respond to me and now you say that I'm wasting your time. I never wanted to sound harsh but you called me a liar and make me sound like a beggar. It's up to users of this forum to judge you I suppose.

My password was pP@$$w0rd and it's definitely unique to this site. you tell me that this is a password that could be guessed by a random guy in less than 10 minutes, I have nothing to say to you. and guys, do google it and tell me if you find it.

I was able to find pp@$$w0rd in plaintext and MD5 in a leaked password list.

People use rules that change letters from lowercase to uppercase using Hashcat meaning that the password isn't exactly 100% unique but yeah the chance of someone guessing it... or brute forcing it.... hell nah

Fair, the username of his account is widely used on a bunch of other bitcoin websites though. And regarding Robert, that really is terrible but there were no back-end flaws that resulted in that.

yes, so you please try and login to one of those websites with same password and you tell me if you can crack any of them please.

So you are alleging that there is some superbug that will let anyone compromise accounts? I don't know what you're trying to accomplish here. There are other ways you could have been compromised as well such as phishing/scripts/bots.

I asked you to investigate this issue for me. To try to find out how I got robbed. It's you who took me in the direction of 'weak password, not unique password, anybody can guess it'. Now that you know that's not true, this is another direction - phishing, scripts, bot.

You tell me, did I use scripts ? you'd be able to differentiate between manual betting and a script betting on your website I suppose ? no ?
Phishing ? have you been following my concerns ? the account got hacked in less than 10 minutes.

This story would make for one heck of a blog post I believe.
82  Economy / Gambling / Re: PRIMEDICE COMPROMISED on: January 04, 2017, 05:51:59 PM



Out of interest, for a couple of days I logged peoples username/password and tried to look them or crack them myself. I think my success rate was about 20-30%.


and this coming from the owner of bustabit! WOW!! speechless! can anybody feel more naked around these websites ?
83  Economy / Gambling / Re: PRIMEDICE COMPROMISED on: January 04, 2017, 05:49:49 PM
Ryan, seriously ? you are asking me to share my password here ?

I mean, is the question really about how strong my password is ? Shouldn't the question be, why did they let me choose a weak password if at all I chose a weak password ?

Sure, why not? My password was yMrND9DpHD9T (but I just changed it). Your account has already been hacked, so it presumedly doesn't even have money in it. I don't see the harm in sharing a password as unique and strong as you claim

I can tell you that my password is stronger than yours with more than alphanumeric.


That's simply untrue, I can google the password you supplied me and get plenty of results of it being used as a mysql password. Note when you google "yMrND9DpHD9T" you get no results. If you want a full refund feel free to post it here (after changing it on primedice) and close this discussion. I also have strong doubts you only used it on primedice which is why I imagine you are hesitant.  

You took 4 days to respond to me and now you say that I'm wasting your time. I never wanted to sound harsh but you called me a liar and make me sound like a beggar. It's up to users of this forum to judge you I suppose.

My password was pP@$$w0rd and it's definitely unique to this site. you tell me that this is a password that could be guessed by a random guy in less than 10 minutes, I have nothing to say to you. and guys, do google it and tell me if you find it.

I was able to find pp@$$w0rd in plaintext and MD5 in a leaked password list.

People use rules that change letters from lowercase to uppercase using Hashcat meaning that the password isn't exactly 100% unique but yeah the chance of someone guessing it... or brute forcing it.... hell nah

Fair, the username of his account is widely used on a bunch of other bitcoin websites though. And regarding Robert, that really is terrible but there were no back-end flaws that resulted in that.

yes, so you please try and login to one of those websites with same password and you tell me if you can crack any of them please.
84  Economy / Gambling / Re: PRIMEDICE COMPROMISED on: January 04, 2017, 05:41:14 PM
How much did you lose?

About $60. but I've always put emphasis more on the site's security than my losses. for which I'm being called a beggar.
85  Economy / Gambling / Re: PRIMEDICE COMPROMISED on: January 04, 2017, 05:39:10 PM
Ryan, seriously ? you are asking me to share my password here ?

I mean, is the question really about how strong my password is ? Shouldn't the question be, why did they let me choose a weak password if at all I chose a weak password ?

Sure, why not? My password was yMrND9DpHD9T (but I just changed it). Your account has already been hacked, so it presumedly doesn't even have money in it. I don't see the harm in sharing a password as unique and strong as you claim

I can tell you that my password is stronger than yours with more than alphanumeric.


That's simply untrue, I can google the password you supplied me and get plenty of results of it being used as a mysql password. Note when you google "yMrND9DpHD9T" you get no results. If you want a full refund feel free to post it here (after changing it on primedice) and close this discussion. I also have strong doubts you only used it on primedice which is why I imagine you are hesitant. 

You took 4 days to respond to me and now you say that I'm wasting your time. I never wanted to sound harsh but you called me a liar and make me sound like a beggar. It's up to users of this forum to judge you I suppose.

My password was pP@$$w0rd and it's definitely unique to this site. you tell me that this is a password that could be guessed by a random guy in less than 10 minutes, I have nothing to say to you. and guys, do google it and tell me if you find it.

I was able to find pp@$$w0rd in plaintext and MD5 in a leaked password list.

People use rules that change letters from lowercase to uppercase using Hashcat meaning that the password isn't exactly 100% unique but yeah the chance of someone guessing it... or brute forcing it.... hell nah

yep. Also, why are we talking about a bruteforce attack on a login page of a website, isn't that funny ? It's probably the first thing you do when you set up a website - to avoid bruteforce/ddos attacks. The fact that these guys are up and running for more than 3 years, that's pretty disappointing security in place.
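How a site could screen new passwords against a leaked list while ignoring letter case and character substitutions, following the leaked-list and Hashcat remarks quoted above. This is an added example, not part of the original posts and not PrimeDice's code; the list contents (apart from the entry quoted in the thread), the base words and the minimum length are assumptions.

```python
"""Signup-time password screening against a leaked list (constructed data)."""

# Constructed stand-in for a leaked-password list. "pp@$$w0rd" is the entry
# the thread says was found; the other entries are made up for the example.
LEAKED = {"pp@$$w0rd", "letmein2016", "dragon!!", "qwerty123"}

# Assumed base words a site might refuse to build a password around.
BASE_WORDS = {"password", "qwerty", "letmein", "bitcoin"}

# Common character substitutions that are undone before comparing.
LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                      "3": "e", "1": "l", "!": "i", "7": "t"})

MIN_LENGTH = 10  # assumed policy value


def fold(password):
    """Case-fold only: catches upper/lower-case variants of a leaked entry."""
    return password.casefold()


def deleet(password):
    """Case-fold and undo substitutions such as @ -> a and $ -> s."""
    return fold(password).translate(LEET)


LEAKED_FOLDED = {fold(p) for p in LEAKED}
LEAKED_DELEETED = {deleet(p) for p in LEAKED}


def screen(password):
    """Return the reasons to reject `password`; an empty list means accept."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too_short")
    if fold(password) in LEAKED_FOLDED:
        reasons.append("leaked_case_variant")
    elif deleet(password) in LEAKED_DELEETED:
        reasons.append("leaked_substitution_variant")
    # A password built around a dictionary word stays guessable even when
    # the exact string has never appeared in a leak.
    plain = deleet(password)
    if any(word in plain for word in BASE_WORDS):
        reasons.append("built_on_common_word")
    return reasons


if __name__ == "__main__":
    for candidate in ("pP@$$w0rd", "yMrND9DpHD9T", "PPa55word2017"):
        print(candidate, screen(candidate))
```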
86  Economy / Gambling / Re: PRIMEDICE COMPROMISED on: January 04, 2017, 05:29:33 PM
Ryan, seriously ? you are asking me to share my password here ?

I mean, is the question really about how strong my password is ? Shouldn't the question be, why did they let me choose a weak password if at all I chose a weak password ?

Sure, why not? My password was yMrND9DpHD9T (but I just changed it). Your account has already been hacked, so it presumedly doesn't even have money in it. I don't see the harm in sharing a password as unique and strong as you claim

hah good point.

If you post your password convertekk, I'll refund you for the loss. Also, we'll look into setting tighter requirements for passwords and maybe offer a 2fa on cashout option.




A password is a password is a password that simply cannot be shared on a public forum even if it is unique to this site. Let's just say I don't want to share it with you here in public. I shared it with Stunna anyways.

So.. this isn't a unique password? okay.

I posted my password. Maybe you should refund my losses and also the other two guys who raised their issues in this thread if you are too considerate about your users' losses. You talk about wasting your time, do you realize how much time of mine did you waste ? Your time is equally valuable just as mine.
87  Economy / Gambling / Re: PRIMEDICE COMPROMISED on: January 04, 2017, 05:23:21 PM
Stunna I'm still not sure why after 8(?) months, you're still ignoring the fact that I lost 13 BTC.

I was not infected and I believe that the site security is to be blamed. Why would you allow two IPs to be logged in simultaneously? (And that's assuming I was even "hacked")

Finally!! someone to my rescue!! It's like I'm fighting a war against an army for pointing out potential loopholes on this website. phew!!
88  Economy / Gambling / Re: PRIMEDICE COMPROMISED on: January 04, 2017, 05:21:52 PM
Ryan, seriously ? you are asking me to share my password here ?

I mean, is the question really about how strong my password is ? Shouldn't the question be, why did they let me choose a weak password if at all I chose a weak password ?

Sure, why not? My password was yMrND9DpHD9T (but I just changed it). Your account has already been hacked, so it presumedly doesn't even have money in it. I don't see the harm in sharing a password as unique and strong as you claim

I can tell you that my password is stronger than yours with more than alphanumeric.


That's simply untrue, I can google the password you supplied me and get plenty of results of it being used as a mysql password. Note when you google "yMrND9DpHD9T" you get no results. If you want a full refund feel free to post it here (after changing it on primedice) and close this discussion. I also have strong doubts you only used it on primedice which is why I imagine you are hesitant. 

You took 4 days to respond to me and now you say that I'm wasting your time. I never wanted to sound harsh but you called me a liar and make me sound like a beggar. It's up to users of this forum to judge you I suppose.

My password was pP@$$w0rd and it's definitely unique to this site. you tell me that this is a password that could be guessed by a random guy in less than 10 minutes, I have nothing to say to you. and guys, do google it and tell me if you find it.
89  Economy / Gambling / Re: PRIMEDICE COMPROMISED on: January 04, 2017, 05:13:27 PM
Ryan, seriously ? you are asking me to share my password here ?

I mean, is the question really about how strong my password is ? Shouldn't the question be, why did they let me choose a weak password if at all I chose a weak password ?

Sure, why not? My password was yMrND9DpHD9T (but I just changed it). Your account has already been hacked, so it presumedly doesn't even have money in it. I don't see the harm in sharing a password as unique and strong as you claim

I can tell you that my password is stronger than yours with more than alphanumeric.
90  Economy / Gambling / Re: PRIMEDICE COMPROMISED on: January 04, 2017, 05:11:40 PM
You would expect a website at a scale of PD to detect a suspicious behavior when user is repetitively entering wrong passwords.
What would you suggest they did? Lock your account?

Let's assume my password was weak. So, it took hacker 10 minutes to steal my BTC. Why would you let someone choose a weak password on your website and then allow hackers to explore that loophole.
Because it's not the website's responsibility to make sure the user has good password security. I trust that PD does all it can to secure user's passwords, although it cannot do everything.
It also isn't a loophole, it's logic. If your password is 'password123' people will guess it easily. That's not a problem with PrimeDice, it's a problem with you.

Now, THIS starts sounding more fishy than it actually is. You'd expect them to restrict the user to that particular IP when you are letting users to play without passwords.
And what about if a user has a dynamic IP? Should they just get locked out of their own account?

I'm still skeptical about sharing my password but I had to do it anyways hoping it would help your investigation.
If you're telling the truth and it is a completely unique password it won't matter.

You are asking the right questions. Just to the wrong person. You tell me, what should your bank do when you enter an atm pin wrongly for more than 3 times ?

Well if someone is as dumb as setting his password as password123, he deserves to be hacked but unfortunately that's not my password.

Maybe Stunna can answer how a user can login without a password if he is using dynamic IP. I have no idea how anybody can do it.

A password is a password is a password that simply cannot be shared on a public forum even if it is unique to this site. Let's just say I don't want to share it with you here in public. I shared it with Stunna anyways.
91  Economy / Gambling / Re: PRIMEDICE COMPROMISED on: January 04, 2017, 05:00:49 PM
and can I know where exactly did you encourage your users to set a strong password ? Nowhere in the signup flow as I recall.
92  Economy / Gambling / Re: PRIMEDICE COMPROMISED on: January 04, 2017, 04:59:06 PM
how can a weak password be cracked Stunna ? you have a captcha on your website right ?
Captchas can be bypassed by bots through the use of external services. If a person knew that you had a weak password and enough balance to make it worth their time the captcha wouldn't be an issue.

User should have guessed my password in like 3 or 4 attempts to be able to crack my password under 10 minutes. or am I missing something ?
Not at all. Depending on how fast PD loads he could have tried it hundreds/thousands of times in that 10 minute period. If there is rate limiting it could be less, however that could possibly be bypassed unless it was applied per account.
Either way, it would be significantly more than 3 or 4 attempts in that time frame.

You would expect a website at a scale of PD to detect a suspicious behavior when user is repetitively entering wrong passwords. Guys, Seriously! isn't that a basic security that should be in place ? Let's assume my password was weak. So, it took hacker 10 minutes to steal my BTC. Why would you let someone choose a weak password on your website and then allow hackers to explore that loophole. Now, THIS starts sounding more fishy than it actually is. You'd expect them to restrict the user to that particular IP when you are letting users to play without passwords.

None of this in place and they defend their security. wow! It's scarier than I thought it is.

You've re-used that username on a handful of different websites including dodgier sites like blackhatworld. If that password is indeed unique it would be helpful if you privately shared it with me, it shouldn't matter since you aren't re-using it elsewhere right?



Quote
I mean, is the question really about how strong my password is ? Shouldn't the question be, why did they let me choose a weak password if at all I chose a weak password ?

We encourage users to set strong passwords and have very basic length requirements. I'll explore making our requirements much stronger this week.

I'm not even sure which username you are referring to. I have multiple accounts with PD. The one that got robbed is definitely not registered with blackhatworld. Please read your emails to get my username and I've PMed you my password. I'm still skeptical about sharing my password but I had to do it anyways hoping it would help your investigation.
93  Economy / Gambling / Re: PRIMEDICE COMPROMISED on: January 04, 2017, 04:46:23 PM
BTW what was your username and password (after you changed it)? As you used a unique password to the site, so it shouldn't matter saying it here. It'll likely help primedice as they can check it against the hashed version in the database, and allow people here help you out by checking it against some combo-list sites to make sure it hasn't been leaked somewhere else

Ryan, seriously ? you are asking me to share my password here ?

I mean, is the question really about how strong my password is ? Shouldn't the question be, why did they let me choose a weak password if at all I chose a weak password ?
94  Economy / Gambling / Re: PRIMEDICE COMPROMISED on: January 04, 2017, 04:36:25 PM
how can a weak password be cracked Stunna ? you have a captcha on your website right ?
Captchas can be bypassed by bots through the use of external services. If a person knew that you had a weak password and enough balance to make it worth their time the captcha wouldn't be an issue.

User should have guessed my password in like 3 or 4 attempts to be able to crack my password under 10 minutes. or am I missing something ?
Not at all. Depending on how fast PD loads he could have tried it hundreds/thousands of times in that 10 minute period. If there is rate limiting it could be less, however that could possibly be bypassed unless it was applied per account.
Either way, it would be significantly more than 3 or 4 attempts in that time frame.

You would expect a website at a scale of PD to detect a suspicious behavior when user is repetitively entering wrong passwords. Guys, Seriously! isn't that a basic security that should be in place ? Let's assume my password was weak. So, it took hacker 10 minutes to steal my BTC. Why would you let someone choose a weak password on your website and then allow hackers to explore that loophole. Now, THIS starts sounding more fishy than it actually is. You'd expect them to restrict the user to that particular IP when you are letting users to play without passwords.

None of this in place and they defend their security. wow! It's scarier than I thought it is.
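The point made in the quoted reply above, that rate limiting can be bypassed unless it is applied per account, shown as an added simulation (not part of the original posts and not PrimeDice's code). The limit of 5 failures per 10 minutes, the account name and the sample traffic are assumptions.

```python
"""Per-IP versus per-account login throttling (constructed simulation)."""
from collections import defaultdict, deque

WINDOW_SECONDS = 600   # the 10-minute period discussed in the thread
MAX_FAILURES = 5       # assumed policy value, not a PrimeDice setting


class FailureThrottle:
    """Sliding-window counter of failed logins, keyed by an arbitrary string."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.failures = defaultdict(deque)   # key -> failure timestamps

    def allowed(self, key, now):
        """True if `key` has fewer than max_failures failures in the window."""
        recent = self.failures[key]
        while recent and now - recent[0] >= self.window:
            recent.popleft()                 # forget failures that aged out
        return len(recent) < self.max_failures

    def record_failure(self, key, now):
        self.failures[key].append(now)


def guesses_checked(attempts, key_of):
    """Replay failed-login attempts given as (time, ip, account) tuples.

    key_of(ip, account) chooses what the throttle is keyed on. Returns how
    many guesses reached the password comparison instead of being rejected.
    """
    throttle = FailureThrottle()
    checked = 0
    for now, ip, account in attempts:
        key = key_of(ip, account)
        if not throttle.allowed(key, now):
            continue                         # rejected before any comparison
        checked += 1
        throttle.record_failure(key, now)    # every sample guess is wrong
    return checked


def by_ip(ip, account):
    return ip


def by_account(ip, account):
    return account


# Constructed traffic: 1200 wrong guesses against one account in 10 minutes
# (one every 0.5 s), spread over 240 documentation-range source addresses.
ATTEMPTS = [(i * 0.5, f"203.0.113.{i % 240 + 1}", "victim")
            for i in range(1200)]

if __name__ == "__main__":
    print("keyed per IP:     ", guesses_checked(ATTEMPTS, by_ip))
    print("keyed per account:", guesses_checked(ATTEMPTS, by_account))
```

A hard per-account limit also lets anyone lock the real owner out by failing on purpose, which is the trade-off behind the "Lock your account?" reply earlier in the thread.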
95  Economy / Service Discussion / Re: Are jr members ever offered Signature campaigns ? on: January 04, 2017, 04:24:19 PM
Locked. which I guess I should have done a lot earlier. Thanks.
96  Economy / Service Discussion / Re: Are jr members ever offered Signature campaigns ? on: January 04, 2017, 04:12:41 PM
Horrible post quality ? care to explain ?
Most of your posts are one liners with faulty English. Only a few of these could be actually considered *worth* reading. 2 examples:

The guy is on an amazing run. witnessed it myself.
so, Arsenal fucked everyone today ? hard luck guys! bet on Chelsea and win tomorrow.
The time between some of your posts also shows that you don't tend to put much thought nor effort behind them.

I highly recommend spending more time reading than replying, in addition to putting a lot more effort into every single post before you continue to participate in signature campaigns.

I made 50+ posts over the last one week and you choose to pick those two particular posts to defend your claim and go to the extent of talking about a ban ? I'm disappointed. Those two posts would make a lot of sense if you've read them in the context rather than picking them out of context. Not every post has to be purposeful and full of quality. This is a "forum" and you "discuss" on a forum.

I read and I write where it's necessary. I guess it's up to the signature campaigners to decide if I'm spamming. It's ok if they choose to exclude me. I'm here to share bitcoin experiences and knowledge. Signature campaign is only an add on, not the main purpose of this forum.
97  Economy / Service Discussion / Re: Are jr members ever offered Signature campaigns ? on: January 04, 2017, 04:03:41 PM
I'm not even sure why you bother attempting to join signature campaigns with that horrible posting quality. It's pretty obvious that you're either a blatant spammer or part of some account farming / alt ring.

You're likely not only going to get banned from the campaign but also from the forum.

Horrible post quality ? care to explain ? I'm already waging a war on one of the threads. I don't want to start another one here. You seem to be a Very senior member here. I'm willing to accept constructive criticism. So, don't disappoint me.
98  Economy / Gambling / Re: PRIMEDICE COMPROMISED on: January 04, 2017, 03:59:51 PM
Shouldn't you have gotten the withdrawal window popped on your screen at that exact moment if someone else was trying to withdraw funds while you were playing? Can 2 people even be logged into the same account at the same time?
According to the OP, the process seems to have happened from the back-end. That is funds have been transferred through the database I believe.

If this indeed happened on the back end all the high-rollers would have been fleeced and Primedice's hot wallet would have been emptied while Stunna was sleeping, wouldn't they?

Indeed, there's no reason for us to believe this was a fault within our security. If I had to guess, weak password that got cracked or some sort of script/bot. Plenty of users hold much larger balances on primedice without issue (including myself).  

As always I'm happy to investigate this further for you if you provide me as much information as possible beyond just your username via email.

how can a weak password be cracked Stunna ? you have a captcha on your website right ? User should have guessed my password in like 3 or 4 attempts to be able to crack my password under 10 minutes. or am I missing something ?
99  Economy / Gambling / Re: PRIMEDICE COMPROMISED on: January 04, 2017, 03:58:45 PM
Shouldn't you have gotten the withdrawal window popped on your screen at that exact moment if someone else was trying to withdraw funds while you were playing? Can 2 people even be logged into the same account at the same time?

This is a very interesting point that you have raised. Firstly, they shouldn't have let two users login from different locations, especially when a player is actively playing on one IP. Isn't that a big security loop in itself ?

Secondly, no withdrawal window popped up on my account when the hacker was trying to steal my money.

Stunna, I'm sure you can reproduce this above case and please be elegant in accepting the blame for your loopholes than blaming me. I don't have any reason to cry about 55$ when I myself have wagered 100BTC on your site.

What more information do you need other than my username and email ? wouldn't you have all the information about my bets and transactions on your database ? you want my physical address and dob or what ?
100  Economy / Gambling discussion / Re: Premier League Prediction Thread (EPL) on: January 04, 2017, 02:16:57 PM
It's good to have a thread which talks about Premier League Prediction and I hope we've a lot of good soccer forecasts on here so we can all work together in order to make some through sport betting

Lots of good forecast. If somehow, we could keep the tips and winning stats of each predictor on this thread away from the discussion, that would be a great piece of information.