Bitcoin Forum
Pages: « 1 2 3 4 5 [6] 7 8 9 »  All
Author Topic: PRIMEDICE COMPROMISED [RESOLVED]  (Read 4147 times)
Stunna (Legendary; Primedice.com, Stake.com)
January 04, 2017, 05:15:03 PM  #101

Quote from: convertekk
> Ryan, seriously? You are asking me to share my password here?
>
> I mean, is the question really about how strong my password is? Shouldn't the question be why they let me choose a weak password, if at all I chose a weak password?

Quote from: RHavar
> Sure, why not? My password was yMrND9DpHD9T (but I just changed it). Your account has already been hacked, so it presumably doesn't even have money in it. I don't see the harm in sharing a password as unique and strong as you claim.

Quote from: convertekk
> I can tell you that my password is stronger than yours, with more than alphanumeric.

That's simply untrue. I can google the password you supplied me and get plenty of results of it being used as a MySQL password. Note that when you google "yMrND9DpHD9T" you get no results. If you want a full refund, feel free to post it here (after changing it on Primedice) and close this discussion. I also have strong doubts you only used it on Primedice, which is why I imagine you are hesitant.

Stake.com Fastest growing crypto casino & sportsbook
Primedice.com The original bitcoin instant dice game
robert05210 (Newbie)
January 04, 2017, 05:16:51 PM  #102

Stunna I'm still not sure why after 8(?) months, you're still ignoring the fact that I lost 13 BTC.

I was not infected and I believe that the site security is to be blamed. Why would you allow two IPs to be logged in simultaneously? (And that's assuming I was even "hacked")
Stunna (Legendary; Primedice.com, Stake.com)
January 04, 2017, 05:19:09 PM  #103

Quote from: robert05210 (#102 above, quoted in full)

How many websites force usage restrictions to one IP address? If we offered that option, would you have enabled it, considering you did not have 2FA? Further, someone can log in via API/site/mobile simultaneously. We have measures in place like 2FA which allow you to have the weakest password possible and still not get hacked.

I'm happy this discussion is being had, and we're happy to add in more optional security measures, but they will be pointless if users don't want to use them. I still think this is constructive.

convertekk (OP, Member)
January 04, 2017, 05:21:52 PM  #104

Quote from: Stunna (#101 above, quoted in full)

You took 4 days to respond to me and now you say that I'm wasting your time. I never wanted to sound harsh, but you called me a liar and made me sound like a beggar. It's up to the users of this forum to judge you, I suppose.

My password was pP@$$w0rd and it's definitely unique to this site. If you tell me that this is a password that could be guessed by a random guy in less than 10 minutes, I have nothing to say to you. And guys, do google it and tell me if you find it.

RHavar (Legendary)
January 04, 2017, 05:23:02 PM  #105
Last edit: January 04, 2017, 09:29:05 PM by RHavar

Quote from: Stunna
> Also, we'll look into setting tighter requirements for passwords and maybe offer a 2FA on cashout option.

There's a good library for that by Dropbox: https://github.com/dropbox/zxcvbn

I used it for a while, but it ended up making almost no difference. Pretty much every hacked account I saw wasn't hacked through brute forcing (as we had a reCAPTCHA and logged failed attempts) but was hacked by people using sites like leakedsource.com. Even when people used unique usernames, a nasty trick some scammers were doing was luring people into other mediums (email, Skype, etc.) so they could see their other usernames to look them up.

Out of interest, for a couple of days I logged people's username/password and tried to look them up or crack them myself. I think my success rate was about 20-30%.

I've come to the conclusion that passwords are pretty useless by themselves unless tied to a bunch of other stuff (probably the easiest being email 2FA). So what I now do is just not let users pick their own passwords (and force them to use a random, securely generated one).

Of course users absolutely hate it, but I figure the users who hate it the most are the same ones who don't use password managers and reuse the same password for every site, and they're the exact people who would otherwise get hacked. I think since doing that, claims of hacked accounts have dropped about 10-fold (although forgot-password claims have gone up by a similar amount).

It unfortunately doesn't protect against phishing attacks, something that 2FA tends to do a better job at preventing.

Check out gamblingsitefinder.com for a decent list/rankings of crypto casinos. Note: I have no affiliation or interest in it, and don't even agree with all the rankings ... but it's the only uncorrupted review site I'm aware of.
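The "don't let users pick their own password" approach RHavar describes, as an added example that is not bustabit's or Primedice's code: the server issues a uniformly random password from an unambiguous alphabet, reports its guessing entropy, and stores only a salted scrypt hash. The 16-symbol length, the alphabet, and the scrypt parameters (the interactive-login set from RFC 7914) are assumptions for the example, not values from the thread.

```python
import hashlib
import hmac
import math
import os
import secrets
import string

# Assumed alphabet: letters and digits minus the look-alikes 0/O and 1/l/I,
# so a password read back from a screen or a password manager is not
# mistyped. 57 symbols.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits
                   if c not in "0O1lI")

# scrypt parameters (assumed; RFC 7914's interactive-login recommendation).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def generate_password(length=16):
    """Server-issued password: `length` symbols drawn with the OS CSPRNG
    (secrets.choice), never from random.random()."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length=16, alphabet=ALPHABET):
    """Guessing entropy of a uniform password of this shape in bits.
    16 symbols from a 57-symbol alphabet is about 93 bits; a dictionary
    word with a case toggle and a digit swap is a few dozen at most."""
    return length * math.log2(len(alphabet))


def hash_password(password, salt=None):
    """Derive the stored record: a fresh 16-byte salt plus the scrypt output.
    A new salt per record means two users with the same password get
    unrelated hashes and a leaked table cannot be cracked with one rainbow table."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return {"salt": salt, "hash": digest}


def verify_password(record, attempt):
    """Recompute scrypt under the stored salt and compare in constant time,
    so the comparison itself leaks nothing about where the mismatch is."""
    cand = hashlib.scrypt(attempt.encode("utf-8"), salt=record["salt"],
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return hmac.compare_digest(cand, record["hash"])


def issue_account(username):
    """What registration would return to the user and what the server keeps.
    The password is shown to the user once and never stored in the clear."""
    password = generate_password()
    return {"username": username, "password_to_show_once": password,
            "stored": hash_password(password)}


if __name__ == "__main__":
    acct = issue_account("demo-user")
    print(acct["password_to_show_once"], round(entropy_bits(), 1), "bits")
    print(verify_password(acct["stored"], acct["password_to_show_once"]))
```

The entropy figure is what makes this defensible against the "is pP@$$w0rd strong enough" argument: a server-issued 93-bit password is not in any leak, has no rule-based variant in any leak, and cannot be reused from another site. It still does nothing against phishing, which is RHavar's own caveat.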
convertekk (OP, Member)
January 04, 2017, 05:23:21 PM  #106

Quote from: robert05210 (#102 above, quoted in full)

Finally!! Someone to my rescue!! It's like I'm fighting a war against an army for pointing out potential loopholes on this website. Phew!!

convertekk (OP, Member)
January 04, 2017, 05:29:33 PM  #107

Quote from: convertekk and RHavar (the exchange quoted in #101 above)

Quote from: Stunna
> hah, good point.
>
> If you post your password convertekk, I'll refund you for the loss. Also, we'll look into setting tighter requirements for passwords and maybe offer a 2FA on cashout option.

Quote from: convertekk
> A password is a password is a password that simply cannot be shared on a public forum, even if it is unique to this site. Let's just say I don't want to share it with you here in public. I shared it with Stunna anyway.

Quote from: Stunna
> So.. this isn't a unique password? Okay.

I posted my password. Maybe you should refund my losses, and also those of the other two guys who raised their issues in this thread, if you are so considerate about your users' losses. You talk about wasting your time; do you realize how much of my time you wasted? Your time is equally valuable, just as mine is.

eule (Hero Member)
January 04, 2017, 05:35:32 PM  #108

Quote from: convertekk (#104 above, quoted in full)

I was able to find pp@$$w0rd in plaintext and MD5 in a leaked password list.

People use rules that change letters from lowercase to uppercase using Hashcat, meaning that the password isn't exactly 100% unique, but yeah, the chance of someone guessing it... or brute forcing it.... hell nah.

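What eule's lookup does in practice, as an added example (not eule's tooling or any real leak): a registration-time check that takes the candidate password, expands it the way a hashcat toggle/capitalise rule set would (lowercase, capitalised, upper, and every way of flipping the case of up to two letters), and looks each variant up in a leaked set held both as plaintext and as MD5. The leak contents below are constructed for the example; the only claim taken from the thread is that a lowercase pp@$$w0rd appears in a list.

```python
import hashlib
import itertools

# Constructed leak sample standing in for a dump like the one eule describes.
# Some entries are held as plaintext, some only as unsalted MD5.
LEAKED_PLAINTEXT = {"password", "pp@$$w0rd", "letmein", "dragon"}
LEAKED_MD5 = {
    hashlib.md5(p.encode()).hexdigest()
    for p in ("qwerty123", "hunter2", "pp@$$w0rd")
}


def toggle_variants(word, max_toggles=2):
    """Yield the case variants a hashcat rule file would try from `word`:
    the word itself, lowercase (rule l), capitalised (c), uppercase (u), and
    every choice of up to `max_toggles` letter positions flipped to upper
    (T<N> rules applied to the lowercased word). Duplicates are suppressed."""
    seen = set()
    base = word.lower()
    for cand in (word, base, base.capitalize(), word.upper()):
        if cand not in seen:
            seen.add(cand)
            yield cand
    letter_pos = [i for i, ch in enumerate(base) if ch.isalpha()]
    for k in range(1, max_toggles + 1):
        for positions in itertools.combinations(letter_pos, k):
            chars = list(base)
            for i in positions:
                chars[i] = chars[i].upper()
            cand = "".join(chars)
            if cand not in seen:
                seen.add(cand)
                yield cand


def leaked_match(password):
    """Return (variant, source) for the first rule variant of `password`
    found in the plaintext or MD5 leak sets, or None if no variant matches.
    A match means an attacker with the list and a rule file gets this
    password without ever brute-forcing the login page."""
    for cand in toggle_variants(password):
        if cand in LEAKED_PLAINTEXT:
            return cand, "plaintext"
        if hashlib.md5(cand.encode()).hexdigest() in LEAKED_MD5:
            return cand, "md5"
    return None


def registration_check(password):
    """Policy decision for a sign-up form: reject anything a leak plus a
    short rule set reaches; the message names the leaked base word so the
    user understands why a 'unique' spelling is not unique."""
    hit = leaked_match(password)
    if hit is None:
        return "ok"
    return "rejected: a case variant ({}) appears in a breach list ({})".format(*hit)


if __name__ == "__main__":
    for pw in ("pP@$$w0rd", "yMrND9DpHD9T", "HUNTER2"):
        print(pw, "->", registration_check(pw))
```

The two passwords from the thread behave as the posts say they do: pP@$$w0rd is one lowercase rule away from a leaked entry, while the random yMrND9DpHD9T has no variant in the list. Against a real dump the same check would consult a k-anonymity range API rather than load the list into memory, but the rule expansion is the part that matters here.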
convertekk (OP, Member)
January 04, 2017, 05:39:10 PM  #109

Quote from: eule (#108 above, quoted in full)

Yep. Also, why are we talking about a brute-force attack on the login page of a website? Isn't that funny? It's probably the first thing you do when you set up a website: protect against brute-force/DDoS attacks. These guys have been up and running for more than 3 years; that's pretty disappointing security to have in place.

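The login-page brute-force protection convertekk is talking about, together with the failed-attempt logging RHavar mentions, as an added example that is not Primedice's or bustabit's code: a sliding-window limiter keyed on both the username and the source IP, a lockout once the window fills, and an audit log of every failure. The thresholds (5 failures in 5 minutes, 15-minute lockout) are assumptions for the example. The clock is injectable so the lockout expiry can be exercised without sleeping.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window limiter keyed on ("user", name) and ("ip", addr).
    After `max_failures` failures inside `window` seconds the key is locked
    for `lockout` seconds. Every failure is appended to an audit log so a
    credential-stuffing run is visible afterwards, not just blocked."""

    def __init__(self, max_failures=5, window=300, lockout=900,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock
        self.failures = defaultdict(deque)   # key -> timestamps of failures
        self.locked_until = {}               # key -> time the lock expires
        self.audit_log = []                  # (time, username, ip, event)

    def _keys(self, username, ip):
        return ("user", username), ("ip", ip)

    def _prune(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, username, ip):
        now = self.clock()
        return any(self.locked_until.get(k, 0) > now
                   for k in self._keys(username, ip))

    def record_failure(self, username, ip):
        now = self.clock()
        self.audit_log.append((now, username, ip, "failed"))
        for key in self._keys(username, ip):
            self._prune(key, now)
            self.failures[key].append(now)
            if len(self.failures[key]) >= self.max_failures:
                self.locked_until[key] = now + self.lockout
                self.failures[key].clear()

    def record_success(self, username, ip):
        # A correct login resets the per-user counter; the per-IP counter is
        # left alone so one valid account on a stuffing box does not unlock it.
        self.failures.pop(("user", username), None)


def attempt_login(throttle, check_credentials, username, password, ip):
    """Returns 'locked', 'ok' or 'denied'. The lock is checked before the
    credential store is touched, so a locked attempt costs nothing and gives
    no signal about whether the password would have matched."""
    if throttle.is_locked(username, ip):
        return "locked"
    if check_credentials(username, password):
        throttle.record_success(username, ip)
        return "ok"
    throttle.record_failure(username, ip)
    return "denied"


if __name__ == "__main__":
    th = LoginThrottle(max_failures=3, window=60, lockout=120)
    creds = lambda u, p: (u, p) == ("alice", "correct")   # constructed store
    for pw in ("guess1", "guess2", "guess3", "correct"):
        print(pw, attempt_login(th, creds, "alice", pw, "192.0.2.10"))
    print(len(th.audit_log), "failures logged")
```

Note what this does and does not buy: it stops an online guessing loop against one account or from one address, and the audit log shows the pattern. It does nothing against the attack RHavar actually saw, where the first attempt already carries the correct password taken from a leak; that is why he paired logging and reCAPTCHA with server-issued passwords and 2FA rather than relying on rate limits alone.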
eule (Hero Member)
January 04, 2017, 05:39:47 PM  #110

How much did you lose?

convertekk (OP, Member)
January 04, 2017, 05:41:14 PM  #111

Quote from: eule (#110)
> How much did you lose?

About $60, but I've always put the emphasis more on the site's security than on my losses, for which I'm being called a beggar.

Stunna (Legendary; Primedice.com, Stake.com)
January 04, 2017, 05:45:26 PM  #112

Quote from: RHavar (#105 above, quoted in full)

Thanks for that library, we might just start forcing some sort of 2FA/email confirmation, at the least for larger cashouts.

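The "2FA on cashout" option Stunna mentions, as an added example of how such a gate is built (not Primedice's implementation): TOTP per RFC 6238 on top of HOTP per RFC 4226, both from the Python standard library, with a withdrawal handler that lets small amounts through on the session alone, demands a code at or above a threshold, accepts one step of clock skew, and refuses a code that has already been spent. The 0.1 BTC threshold and the amounts are assumptions; the secret used in the usage section is the RFC test-vector key, not a real one.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation to a 31-bit integer, reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "{:0{}d}".format(code % (10 ** digits), digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to the current 30-second time step."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


def verify_totp(secret, code, at=None, step=30, skew=1):
    """Return the time step whose code matched (current step +/- `skew`),
    or None. Comparison is constant-time; the matched step is returned so
    the caller can refuse a second use of the same code."""
    at = time.time() if at is None else at
    base = int(at // step)
    for k in range(-skew, skew + 1):
        if hmac.compare_digest(hotp(secret, base + k), code):
            return base + k
    return None


class Cashout:
    """Withdrawals at or above `threshold_btc` require a valid TOTP code and
    each code is accepted once (replay protection); smaller withdrawals go
    through on the authenticated session alone. Threshold is assumed."""

    def __init__(self, totp_secret, threshold_btc=0.1):
        self.secret = totp_secret
        self.threshold = threshold_btc
        self.used_steps = set()

    def withdraw(self, amount_btc, code=None, at=None):
        if amount_btc < self.threshold:
            return "approved"
        if code is None:
            return "2fa_required"
        matched = verify_totp(self.secret, code, at)
        if matched is None:
            return "2fa_invalid"
        if matched in self.used_steps:
            return "2fa_replayed"
        self.used_steps.add(matched)
        return "approved"


if __name__ == "__main__":
    # RFC 6238 test-vector key (ASCII "12345678901234567890"); not a real secret.
    secret = b"12345678901234567890"
    wallet = Cashout(secret, threshold_btc=0.1)
    print(wallet.withdraw(0.05))                                  # approved
    print(wallet.withdraw(1.0))                                   # 2fa_required
    print(wallet.withdraw(1.0, code=totp(secret)))                # approved
    print(wallet.withdraw(1.0, code=totp(secret)))                # 2fa_replayed
```

This is the shape of "a 2FA on cashout option": the login password can be as weak as Stunna says, but moving funds above the threshold needs a secret the attacker's leaked-list lookup never saw. Email confirmation, the other option he names, plugs into the same handler in place of the TOTP check.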
robert05210 (Newbie)
January 04, 2017, 05:46:21 PM  #113

Quote from: convertekk (#111)
> About $60, but I've always put the emphasis more on the site's security than on my losses, for which I'm being called a beggar.

Hope you get compensated.

Ugh, all I want is a partial amount back so I can buy a laptop and be able to actually work again to make back the losses. Seems that won't be happening :/
Stunna (Legendary; Primedice.com, Stake.com)
January 04, 2017, 05:47:41 PM  #114

Quote from: eule (#108 above, quoted in full)

Fair, the username of his account is widely used on a bunch of other bitcoin websites though. And regarding Robert, that really is terrible, but there were no back-end flaws that resulted in that. There are around 1.5 million Primedice accounts right now; a very very very small fraction of a percent of users experience these types of issues, which could be prevented by enabling 2FA or using a password manager.

convertekk (OP, Member)
January 04, 2017, 05:49:49 PM  #115

Quote from: Stunna (#114 above)
> Fair, the username of his account is widely used on a bunch of other bitcoin websites though. And regarding Robert, that really is terrible, but there were no back-end flaws that resulted in that.

Yes, so please try to log in to one of those websites with the same password and tell me if you can crack any of them.

convertekk (OP, Member)
January 04, 2017, 05:51:59 PM  #116

Quote from: RHavar (#105)
> Out of interest, for a couple of days I logged people's username/password and tried to look them up or crack them myself. I think my success rate was about 20-30%.

And this coming from the owner of bustabit! WOW!! Speechless! Can anybody feel more naked around these websites?

robert05210 (Newbie)
January 04, 2017, 05:52:23 PM  #117

Okay Stunna, but here's one more thing that I just can't get over.

When my deposit was confirmed, I wasn't credited. So I posted in the chat asking why.

According to the logs, the withdrawal was made at around 6 minutes after my deposit was apparently "credited".

If that's the case why did I not see a single thing in my balance throughout the whole time?

And if it's not too much to ask, could you please give my PM a read?
 
Thank you.
Stunna (Legendary; Primedice.com, Stake.com)
January 04, 2017, 05:52:38 PM  #118

Quote from: convertekk (#115 above, quoted in full)

So you are alleging that there is some superbug that will let anyone compromise accounts? I don't know what you're trying to accomplish here. There are other ways you could have been compromised as well, such as phishing/scripts/bots.

I don't have much else to add to this. We'll explore tighter requirements or pre-generated passwords, but I think this might upset the majority of users.

RHavar (Legendary)
January 04, 2017, 05:54:15 PM  #119

Quote from: convertekk (#116 above, quoted in full)

Just to be very clear, I was only trying to crack their bustabit password (based on information I could find online); I obviously wasn't attempting to crack their other accounts based on the password used at bustabit. And that risk is now 0, because bustabit doesn't even let users pick their own password.

mOgliE (Legendary)
January 04, 2017, 05:55:11 PM  #120

Damn, can I have the same refund or the same investigation, Stunna? ^^

Well, I'm not sure of when all this happened though... So I probably couldn't find the password again.

Anyway, it's already good that there is 2FA for authentication; I didn't understand that! It wasn't the case when I lost everything xD
The fact is that there doesn't seem to be anyone with full security (unique password + 2FA) who lost his balance. Then I guess it's hard to conclude anything against PD; I didn't know 2FA was implemented.

