Entered 
|
|
|
Could you postpone reset because of downtime?
|
|
|
Y'know, those < 3100 are all easily crackable? 
|
|
|
* [tgsNothinG] idle 33:38:32, signon: Fri Jun 17 09:00:16
;?
|
|
|
Well... I know companies that don't give sequential numbers starting at 1 just to hide real numbers.
You mean companies that care about their customers and don't use amateur college-level PHP coding full of security holes? Is that message implying that PHP is insecure, or am I misreading it? PS: College-level? I was 13 and I released a perfectly secure Club Penguin Private Server, with multi-pass SHA256...  PPS: Don't do the above unless you like angry Disney lawyers
|
|
|
If you can use multiple SHA512 hashes with each different unique salts from different sections of passwords... do it! If you can run that same thing 5 passes... do it! We, at BitMarket.eu, had this from the very beginning. It's just a few lines of code, people. And the benefit in security is huge. I congratulate you on this! I'mma release a small hashing class for secure passwords?
|
|
|
Someone with a network should email everyone on the list and let them know.
+1 Issue is you'd probably end up on spam blacklists. Nowadays you can't even send sixty thousand emails any more... I've had too many issues to want to risk it, if you're being sarcastic. I don't want my VPS blocked from emails, it needs to do ones for the services on it!
|
|
|
Someone with a network should email everyone on the list and let them know.
Issue is you'd probably end up on spam blacklists.
|
|
|
Please, service providers... Use the best possible solution available! If you can use multiple SHA512 hashes with each different unique salts from different sections of passwords... do it! If you can run that same thing 5 passes... do it! Don't just go with MD5 + salt because "no-one will ever get the database". Always prepare for the worst case scenario. Have graceful hash updates! If a better hashing method becomes available, make users reset their password! (Or have it be done automatically on log in using submitted password for 30 days, and after that time, require reset.) Thanks for listening, do shout at me if you think this is stupid advice!
Of course users should:
1) Have a 15+ character password.
2) Have that password contain a minimum of 2 digits, 2 upper, 2 lower, 2 symbols, none repeating.
3) Have that password be unique to that site.
Then you have very little to worry about, unless of course it is stored in clear text. If only people didn't get annoyed when you try to enforce restrictions.
|
|
|
Please, service providers... Use the best possible solution available! If you can use multiple SHA512 hashes with each different unique salts from different sections of passwords... do it! If you can run that same thing 5 passes... do it! Don't just go with MD5 + salt because "no-one will ever get the database". Always prepare for the worst case scenario. Have graceful hash updates! If a better hashing method becomes available, make users reset their password! (Or have it be done automatically on log in using submitted password for 30 days, and after that time, require reset.) Thanks for listening, do shout at me if you think this is stupid advice!
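As an added example (not code from this thread or from any exchange named in it), here is the "graceful hash update" the post above describes, in Python: a legacy salted-MD5 record is verified on login, transparently rehashed with a stronger scheme, and refused once a grace deadline has passed so a reset is required. The record format "scheme$salt$hash" is a hypothetical one for this example, and it swaps in PBKDF2-HMAC-SHA512 from the standard library in place of the ad hoc multi-pass SHA512 the post suggests.

```python
import hashlib
import hmac
import os

# Hypothetical record format for this example: "<scheme>$<salt_hex>$<hash_hex>".
# "md5" is the legacy scheme being migrated away from; "pbkdf2_sha512" is the target.
PBKDF2_ITERATIONS = 210_000  # assumed work factor; tune to your hardware budget


def legacy_md5_hash(password, salt):
    # Legacy scheme: MD5 over per-user salt + password. Cheap to brute-force on GPUs,
    # which is exactly why we want to stop storing it.
    return hashlib.md5(salt + password.encode()).hexdigest()


def make_legacy_record(password, salt):
    return "md5$" + salt.hex() + "$" + legacy_md5_hash(password, salt)


def make_pbkdf2_record(password, salt=None):
    # Fresh random salt per record; PBKDF2-HMAC-SHA512 with a high iteration count.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha512$" + salt.hex() + "$" + digest.hex()


def verify_and_upgrade(record, password, now, grace_deadline):
    """Return (login_ok, record_to_store).

    Legacy md5 records are accepted only until grace_deadline. A successful legacy
    login rehashes the submitted password with PBKDF2 and returns the new record to
    persist, so the weak hash is replaced without the user noticing. After the
    deadline, legacy records are rejected and the caller should force a reset.
    """
    scheme, salt_hex, stored = record.split("$")
    salt = bytes.fromhex(salt_hex)
    if scheme == "md5":
        if now > grace_deadline:
            return False, record  # grace period over: require a password reset
        ok = hmac.compare_digest(legacy_md5_hash(password, salt), stored)
        return (True, make_pbkdf2_record(password)) if ok else (False, record)
    if scheme == "pbkdf2_sha512":
        digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, PBKDF2_ITERATIONS)
        return hmac.compare_digest(digest.hex(), stored), record
    raise ValueError("unknown hash scheme: " + scheme)
```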
|
|
|
It would appear that almost all the accounts are hashed with unique salts. The issue is, it is still easy to crack any of the weaker passwords with this, thanks to GPU MD5 crackers. Most bitcoin miners have so much GPU power anyway... Some passwords from earlier accounts appear to have NO SALT. That, or salt is derived from username. I don't know, since I've not tried cracking any, and do not want to.
|
|
|
I wrote an MMOG backend with better password security than MtGox.  (Two times SHA512 hashes needed to be cracked to find a user's password)
|
|
|
I think you should add a minimum bitcoin value like 0.5 or even 1. Some people get in with 0.2 BTC and IMO that's too low.
great website!
0.1 is the minimum, what's wrong with that? :s
|
|
|
If I knew a site was using encryption, I wouldn't use it. Why use something reversible by the owners/anyone who gets access to the server... (Since if they have DB, they probably now have the key).
|
|
|
Hey, Diablo-D3, this needs moved!
|
|
|
Noitev, why use weaker security when better security is available? As mentioned before, if someone was to rent out power from Amazon ECC... :?
|
|
|
Do you think this sort of service will help to stabilise BTC?
|
|
|
The fact that it uses MD5 is an issue. It should definitely have been set up using SHA256/SHA512, and at least a per-user salt (you haven't clarified as to whether it's the same for all, unless I've misread something). Or even double SHA512 two-unique-salts halved. Where was MD5 mentioned? It must be in the thread confirming the existence of the CSRF vulnerability.
|
|
|
|