Bitcoin Forum
November 03, 2024, 08:06:02 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: « 1 2 3 4 5 6 7 8 9 [10] 11 12 13 »  All
  Print  
Author Topic: About the recent server compromise  (Read 15376 times)
favdesu
Legendary
*
Offline Offline

Activity: 1764
Merit: 1000



View Profile WWW
May 26, 2015, 09:27:56 PM
 #181

Passwords are hashed with 7500 rounds of sha256crypt. This is pretty good, but certainly not beyond attack. Note that even though SHA-256 is used here, sha256crypt is different enough from Bitcoin's SHA-256d PoW algorithm that Bitcoin mining ASICs almost certainly cannot be modified to crack forum passwords.

How much does the password need to be changed, whould it be enough to change a letter or two.
Or would it be better to make a brand new long and complicated password.
Reason I ask is that it take some time to memories a long complicated password,
if only added or removing something will the learning time for the new password decrease.

no, make a fresh, and new password.

if you have issues remembering all passwords - check out KeePass 2 - it's a open source password vault. you only need one master password

Scamalert
Hero Member
*****
Offline Offline

Activity: 490
Merit: 500


Captain


View Profile
May 26, 2015, 09:38:53 PM
 #182

Passwords are hashed with 7500 rounds of sha256crypt. This is pretty good, but certainly not beyond attack. Note that even though SHA-256 is used here, sha256crypt is different enough from Bitcoin's SHA-256d PoW algorithm that Bitcoin mining ASICs almost certainly cannot be modified to crack forum passwords.

How much does the password need to be changed, whould it be enough to change a letter or two.
Or would it be better to make a brand new long and complicated password.
Reason I ask is that it take some time to memories a long complicated password,
if only added or removing something will the learning time for the new password decrease.

no, make a fresh, and new password.

if you have issues remembering all passwords - check out KeePass 2 - it's a open source password vault. you only need one master password

Yes, you are proberly right....... I need a brand new one, adding 8 letters is not good enough.
I look at that KeePass 2, it looks pretty good, just not sure I can trust it.....
But thank you anyways Smiley
readysalted89
Sr. Member
****
Offline Offline

Activity: 327
Merit: 250


View Profile
May 26, 2015, 10:31:04 PM
 #183

Passwords are hashed with 7500 rounds of sha256crypt. This is pretty good, but certainly not beyond attack. Note that even though SHA-256 is used here, sha256crypt is different enough from Bitcoin's SHA-256d PoW algorithm that Bitcoin mining ASICs almost certainly cannot be modified to crack forum passwords.

How much does the password need to be changed, whould it be enough to change a letter or two.
Or would it be better to make a brand new long and complicated password.
Reason I ask is that it take some time to memories a long complicated password,
if only added or removing something will the learning time for the new password decrease.

no, make a fresh, and new password.

if you have issues remembering all passwords - check out KeePass 2 - it's a open source password vault. you only need one master password

Are the passwords it generates by using mouse movements for additional entropy completely random? Does it only generate pseudo random passwords without using mouse movements or anything else to collect additional entropy?
Gisado
Full Member
***
Offline Offline

Activity: 168
Merit: 100

Yoohoo


View Profile
May 26, 2015, 11:21:59 PM
 #184

Compromise notification email said reset question was less brute-force resistant, so I wanted to remove it. Is blanking QnA form (and save) enough to disable it?
theymos_away
Member
**
Offline Offline

Activity: 82
Merit: 26


View Profile
May 26, 2015, 11:29:54 PM
 #185

Compromise notification email said reset question was less brute-force resistant, so I wanted to remove it. Is blanking QnA form (and save) enough to disable it?

Yes, make the secret question field empty.
Welsh
Staff
Legendary
*
Offline Offline

Activity: 3304
Merit: 4115


View Profile
May 26, 2015, 11:35:43 PM
 #186

Compromise notification email said reset question was less brute-force resistant, so I wanted to remove it. Is blanking QnA form (and save) enough to disable it?

You can always test it yourself by going to the "forgotten password" and selecting "Ask me my security question". It will tell you if it's not enabled on your account. That's if you want to double check.
shavers
Sr. Member
****
Offline Offline

Activity: 439
Merit: 288



View Profile
May 27, 2015, 12:06:08 AM
 #187

Good job on getting this up again lads! Hope next time you'll be ready and fully armed! Wink This downtime looked like an eternity, lot of us missed you.

Aber wie willst du denn einmal sterben, Narziß, wenn du doch keine Mutter hast?
Superhitech
Legendary
*
Offline Offline

Activity: 1064
Merit: 1000


View Profile
May 27, 2015, 03:20:27 AM
 #188

Thanks for the explanation theymos.  

On May 22 at 00:56 UTC, an attacker gained root access to the forum's server. He then proceeded to try to acquire a dump of the forum's database before I noticed this at around 1:08 and shut down the server. In the intervening time, it seems that he was able to collect some or all of the "members" table. You should assume that the following information about your account was leaked:

Does this mean that only people with the member rank were effected, or all forum members? Changing my password anyways, just curious.

Also, I found this interesting article: https://www.cryptocoinsnews.com/bitcoin-mining-figure-joshua-zipkin-responsible-bitcointalk-hack/

Opinions?
notlist3d
Legendary
*
Offline Offline

Activity: 1456
Merit: 1000



View Profile
May 27, 2015, 03:55:24 AM
 #189

Thanks for the explanation theymos.  

On May 22 at 00:56 UTC, an attacker gained root access to the forum's server. He then proceeded to try to acquire a dump of the forum's database before I noticed this at around 1:08 and shut down the server. In the intervening time, it seems that he was able to collect some or all of the "members" table. You should assume that the following information about your account was leaked:

Does this mean that only people with the member rank were effected, or all forum members? Changing my password anyways, just curious.

Also, I found this interesting article: https://www.cryptocoinsnews.com/bitcoin-mining-figure-joshua-zipkin-responsible-bitcointalk-hack/

Opinions?

I think the comments are pretty dated.  I do know AMT has no love here so I could see them having a reason.  But I don't know how much of a threat the owner is. 

I do wonder do we know besides password was other information also salted?  Or are we talking plain text?
freedomno1
Legendary
*
Offline Offline

Activity: 1806
Merit: 1090


Learning the troll avoidance button :)


View Profile
May 27, 2015, 04:23:35 AM
 #190

Off to change the password
It's good to know that a Bitcoin miner can't be used to break encryption
Thanks for the hard work theymos

Believing in Bitcoins and it's ability to change the world
hedgy73
Legendary
*
Offline Offline

Activity: 1414
Merit: 1077



View Profile
May 27, 2015, 06:12:45 AM
 #191

Thanks for your hard work getting the forum back up and running Theymos, it must have been a real headache.

Lets hope the reward your offering helps catch the lowlife scumbags.
Lauda
Legendary
*
Offline Offline

Activity: 2674
Merit: 2965


Terminated.


View Profile WWW
May 27, 2015, 07:02:52 AM
 #192

Yes, you are proberly right....... I need a brand new one, adding 8 letters is not good enough.
I look at that KeePass 2, it looks pretty good, just not sure I can trust it.....
But thank you anyways Smiley
There's no reason no to trust it. Since it is open source, and if coders have accepted it it should be fine. Also there is always the old school method of writing it down on a piece of paper.

Off to change the password
It's good to know that a Bitcoin miner can't be used to break encryption
Thanks for the hard work theymos
Although the majority of the passwords will still get broken.

"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks"
😼 Bitcoin Core (onion)
itod
Legendary
*
Offline Offline

Activity: 1974
Merit: 1077


^ Will code for Bitcoins


View Profile
May 27, 2015, 08:31:53 AM
 #193

Although the majority of the passwords will still get broken.

I'm not so sure about this. It's hard to estimate how long passwords people used, but average 11-length alphanumeric password needs 3 months (estimated) to be cracked, and 12-length 3 years. Longer passwords probably won't get cracked. If majority of people here used shorter passwords then, yes, majority will get broken, but I think that is not the case, majority of people here new better then to use short passwords.
thebitcoinquiz.com
Sr. Member
****
Offline Offline

Activity: 280
Merit: 250



View Profile
May 27, 2015, 10:21:51 AM
 #194

Why is this news, "News: Change your password!" only showed on the index page?
I believe that right now this news is the like the most important thing for the forum and should be displayed on all the threads.

Stay hungry. Stay foolish.
BTCtalkScammerDetective
Newbie
*
Offline Offline

Activity: 17
Merit: 0


View Profile
May 27, 2015, 10:25:44 AM
 #195

Why is this news, "News: Change your password!" only showed on the index page?
I believe that right now this news is the like the most important thing for the forum and should be displayed on all the threads.

At least have it in bold so it's easier to see.
KarmaShark
Hero Member
*****
Offline Offline

Activity: 617
Merit: 559



View Profile
May 27, 2015, 11:10:21 AM
Last edit: July 29, 2016, 07:50:16 PM by KarmaShark
 #196

Happy to see that all is good now! I think it was 3rd hack attempt in last 2 months.
chrisvl
Legendary
*
Offline Offline

Activity: 1274
Merit: 1006

Trainman


View Profile WWW
May 27, 2015, 11:34:02 AM
 #197

404 security not found /\ Theymos protect the bitcointalk community there are to much ways

rishabh6115
Newbie
*
Offline Offline

Activity: 13
Merit: 0


View Profile
May 28, 2015, 05:20:11 AM
 #198

Do we have to change our passwords or it is fine to keep before one. Please answer fast.
MakingMoneyHoney
Hero Member
*****
Offline Offline

Activity: 504
Merit: 500



View Profile
May 28, 2015, 05:22:30 AM
 #199

Do we have to change our passwords or it is fine to keep before one. Please answer fast.

You should change it.
DiamondCardz
Legendary
*
Offline Offline

Activity: 1134
Merit: 1118



View Profile WWW
May 28, 2015, 05:25:15 AM
 #200

Ooh. That's a lot of kiloyears to break my password.

Thanks for the warning, I updated my password after the hack just to be safe and also to make it a little bit more secure compared to the password that I previously had on my account.

rishabh6115: Depends. If it's extremely secure you might not need to take action, if it's less secure you should, but in all fairness you probably should either way.

BA Computer Science, University of Oxford
Dissertation was about threat modelling on distributed ledgers.
Pages: « 1 2 3 4 5 6 7 8 9 [10] 11 12 13 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!