ripple account hacked

[BRules]

About a month ago I received 30000 ripples from the giveaway thread, did some tests and never touched my account again. But today I entered my account again and I saw that 11 days ago someone hacked into my account and transfered all my ripples to another addresses. I just want to know if this happened to someone else (security breach in ripple server) or was just my account that was hacked (8 characters password).

[Chuck]

About a month ago I received 30000 ripples from the giveaway thread, did some tests and never touched my account again. But today I entered my account again and I saw that 11 days ago someone hacked into my account and transfered all my ripples to another addresses. I just want to know if this happened to someone else (security breach in ripple server) or was just my account that was hacked (8 characters password).

Did you use the same name (BRules) as your ripple wallet's name?

[markm]

Pass phrase, isn't it, for Ripple?

So, an eight character phrase?

Hmm...

-MarkM-

[BRules]

Did you use the same name (BRules) as your ripple wallet's name?

yes

Pass phrase, isn't it, for Ripple?

So, an eight character phrase?

Hmm...

-MarkM-

I know this is weak, but as it was a online password I think it will take a while to crack this password

[Trading]

Search for the ripple address to where the XRPs were send on the forum and on Google, you might find the nick of the user on the giveaway thread or other place. To get a new ripple address you need to open another account and he might have been too lazy to do that.  If you find nothing, check if the money is still on his account, by entering his address at https://ripple.com/graph/. If the money was sent to another account, try to search that one (but he could have sell them to an innocent person).
If you find the username, try to get him a scammer tag and to get his email and IP from the mods and google the email and nickname, you might end up finding his social network account and private information or another email linked to the previous one that leads to the social account. Then, use your imagination: write him and say if he doesn't give back the XRPs you will email his family and friends about what he done; complain to any available authority with evidence, etc..

[markm]

I know this is weak, but as it was a online password I think it will take a while to crack this password

I didn't think it *was* "an online password".

I thought what it is is a private key, like in bitcoin, and used for things like encrypting your data blob that you can store at a blob storage facility. Or, if not the private key, then, like a brainwallet, a seed used to deterministically generate one or more private keys.

Thus, I had always thought that hackers could spend as much computer power as they wish, for as long as they wish, cracking it, just like any private key controlling any bitcoin address or any brainwallet phrase used to deterministically generate a deterministic wallet.

-MarkM-

[BRules]

Search for the ripple address to where the XRPs were send on the forum and on Google, you might find the nick of the user on the giveaway thread or other place. To get a new ripple address you need to open another account and he might have been too lazy to do that.  If you find nothing, check if the money is still on his account, by entering his address at https://ripple.com/graph/. If the money was sent to another account, try to search that one (but he could have sell them to an innocent person).
If you find the username, try to get him a scammer tag and to get his email and IP from the mods and google the email and nickname, you might end up finding his social network account and private information or another email linked to the previous one that leads to the social account. Then, use your imagination: write him and say if he doesn't give back the XRPs you will email his family and friends about what he done; complain to any available authority with evidence, etc..

none of the addresses showed something. I'm not too worried about my ripples, I only wanna know the scenario that my accout was compromised. I don't think it was a trojan in my computer as my bitcoins are still in my address, and a 8 characters password is kinda hard to crack on a online service.

[BRules]

well, looks like the password I choose for my ripples was a common password as it was in this list:

http://www.isdpodcast.com/resources/62k-common-passwords/

that's the beaty of bitcoin, the wallet is in your computer, so even if I choose a weak password, my computer needs to be compromised before they can try to crack the password.

[odolvlobo]

I was about to write, "what fool uses a password that would be in that list?", but then I discovered that 2 of my many passwords are in the list.

[loudpete]

So what were you using for passwords?  now that you wont be using them anymore...

Still, seems like they'd have to try 62,000 passwords per user account, wouldn't the ripple servers block more then 5 attemps (for like an hour) making this impossible?

[scintill]

well, looks like the password I choose for my ripples was a common password as it was in this list:

http://www.isdpodcast.com/resources/62k-common-passwords/

that's the beaty of bitcoin, the wallet is in your computer, so even if I choose a weak password, my computer needs to be compromised before they can try to crack the password.

Well, you've learned your lesson the hard way, sorry about that.  For what it's worth, from what I understand there are supposed to eventually be alternate clients that could be kept fully local like Bitcoin is (source).  The current lack of diversification and openness is a common complaint against Ripple as it is today though.

[scintill]

So what were you using for passwords?  now that you wont be using them anymore...

Still, seems like they'd have to try 62,000 passwords per user account, wouldn't the ripple servers block more then 5 attemps (for like an hour) making this impossible?

No, the Ripple webclient wallet is decrypted client-side in the user's browser.  So they just grabbed the encrypted wallet and cracked it locally.  Blockchain.info wallets works the same way, so they can also be cracked like this.

It's possible they grabbed a bunch of wallets around the same time that maybe should have tripped an alarm on the Ripple wallet server, but we don't know, and there's nothing Ripple can really do to perfectly prevent this.  The user has to pick a good passphrase and ideally also a non-obvious wallet ID as well.

Edit: Most of this is wrong, as I realized after seeing this thread.  The Ripple wallet is indeed decrypted locally, but the blob vault (wallet server) requires a hash of username+password (not just a plaintext username as I had assumed), so in order to try 62k passwords on BRules' wallet they would indeed have to make that many requests to the server.  Sorry for spreading false information.

I did just try blockchain.info MyWallet, and, for a simple (no extra security enabled) wallet, I could decrypt with only data obtained from https://blockchain.info/wallet/<guid>?format=json&resend_code=false and a local decrypt.  If you enable more security I think you would be safer than this though.

[Vladimir]

Sorry to hear about this.

This is still not too late to start using best practices as relevant to passwords and aimed for a regular internet user. I am not even talking about really sensitive stuff here.

1. Never use the same password in more than one place.
2. Use passwords managers like keepass and lastpass.
3. Encrypt all or most sensitive parts of your hard drives using software such as truecrypt etc...
4. Use very strong and long pass phrases (6-10 words plus some padding at least) that you can remember for few important passwords like for keepass, truecrypt, lastpass, your main email, bitcoin wallets.
5. Use auto generated passwords for everything else (keepass,lastpass will help ya)
6. If you can remember a password it is a bad password. With a few exceptions as in 4. Here is an example of a password that is good: nbJbvrTXgWZDSYl15jT6jgnk
7. And finally:

- Doctor, how do I make sure that I do not get pregnant?
- Drink lots of milk.
- ... before or after?
- Instead of.

Think about the above when you download stuff from the net and go to bad neighborhoods.

Sorry that I cannot help you with this any more than by typing this stuff again.




 

[Badabing]

Do you use the same username here with your ripple account? If you use the same,  62k passwords to try doesn't take an hour IMO. Do you share your secret key?

[BBQKorv]

well, looks like the password I choose for my ripples was a common password as it was in this list:

http://www.isdpodcast.com/resources/62k-common-passwords/

that's the beaty of bitcoin, the wallet is in your computer, so even if I choose a weak password, my computer needs to be compromised before they can try to crack the password.

Hopefully you learned a lesson in here, how is your bitcoin wallets encryption key?

[BRules]

Do you use the same username here with your ripple account? If you use the same,  62k passwords to try doesn't take an hour IMO. Do you share your secret key?

no, I didn't share anything about my ripples account.

Hopefully you learned a lesson in here, how is your bitcoin wallets encryption key?

The password I chose for my ripple account is the password I use for all "I don't care" stuff. it was my password here before I understand the potencial of the bitcoin and now I use a more secure password in the forum.

about my wallet password, as it has a substantial amount in bitcoins, it is a 16 characters unique password involving lower and upper case letters, numbers and symbols. I'm not that crazy to use a weak password to protect a considerable amount of money.