Bitcoin Forum
Author Topic: ALL mtgox password has been compromised, change asap, everywhere you used it  (Read 16677 times)
Bit_Happy
June 19, 2011, 08:11:52 PM  #21

Emails received, thanks all.

Bit_Happy, if you had an account on MtGox you could easily verify it. My account was on there.

Thanks guys for the info on the strength of the encryption.

I wasn't going to bother with Rapidshare.
Remember all the trolls a week ago. It was possible that everyone screaming about this was phony, but now I know for certain.



DamienBlack
June 19, 2011, 08:13:42 PM  #22

They have my username and the email I signed up with. I cannot confirm that it is my password. The hash must be salted.

kokojie
June 19, 2011, 08:15:37 PM  #24

It's not entirely clear if the attacker got access to the Mt.Gox source code, but at the moment it's probably safer to assume the salt was compromised as well.

It's definitely NOT safe, someone just showed me a big list of cracked mtgox passwords on IRC channels. It's likely that salt has already been discovered.

justusranvier
June 19, 2011, 08:16:05 PM  #25

Change them asap, anywhere you used it.
If anyone out there is still using the same password on more than one site then take this opportunity to stop doing that. Get some kind of password manager and use a different random password of the maximum length and complexity each web site you register on allows.
elggawf
June 19, 2011, 08:17:25 PM  #26

Bit_Happy: PM sent. I'm 99% certain it's legit.

It's not entirely clear if the attacker got access to the Mt.Gox source code, but at the moment it's probably safer to assume the salt was compromised as well.

Exactly. When you see a DB leak for a site you're a member of, you don't sit around wondering how strong the hashing mechanism is you start changing your passwords. If you only used the password on MtGox, oh well you don't really have anything to do right now. If you reused the same password anywhere else, stop thinking about how strong the hash is and change your freakin' password - the effort required for the latter is much less than the former and then it's done... from your perspective the information that's leaked is no longer valid. Whether it takes 2 minutes or 2 years to crack your password is irrelevant if you've already changed it someplace else.

Password hashing isn't meant so that a bunch of fools can sit and think "I'm safe" - it's to buy you time between when the credentials are taken, and when they're useful... to give you a chance to make them not useful.

Man From The Future
June 19, 2011, 08:20:31 PM  #27

It would appear that almost all the accounts are hashed with unique salts. The issue is, it is still easy to crack any of the weaker passwords with this, thanks to GPU MD5 crackers. Most bitcoin miners have soo much GPU power anyway...

Some passwords from earlier accounts appear to have NO SALT. That, or salt is derived from username. I don't know, since I've not tried cracking any, and do not want to. :)
kjj
June 19, 2011, 08:24:15 PM  #28

Uh, the salt is right there in the file.  Look at line 1.  Password hash is $1$E1xAsgR1$vPt0d/L3f81Ys3SxJ7rIh/

The bold part, E1xAsgR1 (between the second and third $), is the salt for that hash.

The italic part, vPt0d/L3f81Ys3SxJ7rIh/ (after the third $), is md5(password + salt)
Uzza
June 19, 2011, 08:24:58 PM  #29

I'm not that worried, my password is quite long and secure.

carlerha
June 19, 2011, 08:26:22 PM  #30

Looks like the kind of hashes that come out of phpass.
I guess that means if the attackers managed to get hold of the salt, I'm prone to change my password.

zerokwel
June 19, 2011, 08:28:20 PM  #31

well look at what some of the users have in their rigs and there are programs like Extreme GPU Bruteforcer out there that can do up to 700million passwords a sec on a geforce 250 and with what people here have in their rigs it would not take long at all.

Anyway change ya passwords to be safe and if you use the same password on another site change that as well (use a different password this time)

theymos
Administrator
June 19, 2011, 08:30:58 PM  #32

I'm certainly never using MtGox again. Who uses MD5 for password hashing nowadays?

ghost
June 19, 2011, 08:38:17 PM  #33

This is why all websites should be using bcrypt for password hashing. It's an adaptive hashing function that can be made to perform slower over time as computers get faster. Authentication on websites does not require a fast hashing function for just this reason.

I use 1Password for password management. It was Mac only until recently - there is now a Windows version out there. I had to double check whether I was following my own best practices but I did use a unique password for mtgox.
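The "made to perform slower over time" property the post describes only helps if stored hashes actually get upgraded, which a site can do at login when it has the plaintext. Below is an added example of that rehash-on-login pattern; it is not code from the post or from any exchange. Python's standard library has no bcrypt, so PBKDF2-HMAC-SHA256 from hashlib stands in for the tunable work factor, and the record format and the CURRENT_ROUNDS value are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import os

# Work factor the site requires today (example value); raise it as hardware gets faster.
CURRENT_ROUNDS = 200_000


def hash_password(password, rounds=CURRENT_ROUNDS, salt=None):
    """Return a self-describing record: pbkdf2-sha256$rounds$salt$digest (base64 fields)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per record, never shared between users
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return "pbkdf2-sha256$%d$%s$%s" % (
        rounds, base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def parse_record(stored):
    """Recover (rounds, salt, digest); the cost parameter travels with the record."""
    scheme, rounds, salt, digest = stored.split("$")
    if scheme != "pbkdf2-sha256":
        raise ValueError("unknown scheme: " + scheme)
    return int(rounds), base64.b64decode(salt), base64.b64decode(digest)


def verify(password, stored):
    """Recompute with the stored salt and rounds, then compare digests in constant time."""
    rounds, salt, digest = parse_record(stored)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, digest)


def needs_rehash(stored):
    """True when the record was made with a lower work factor than required today."""
    return parse_record(stored)[0] < CURRENT_ROUNDS


def login(password, stored):
    """Return (ok, record_to_store); on success an outdated record is replaced.

    The upgrade can only happen here, because the plaintext is needed to
    recompute the hash at the higher cost.
    """
    if not verify(password, stored):
        return False, stored
    if needs_rehash(stored):
        return True, hash_password(password)
    return True, stored
```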
imperi
June 19, 2011, 08:40:37 PM  #34

I'm certainly never using MtGox again. Who uses MD5 for password hashing nowadays?

User #8 is quitting?? Craziness.
gentakin
June 19, 2011, 08:43:03 PM  #35

Some passwords appear to be without a salt.

For example, check user id #156. Google for the hash shown as "password" in accounts.csv. Find the password on a forum. (The forum post that comes up on the google search might shed some light on the guy who hacked mtgox?)

So... Anyone with a plain md5 hash (no $-signs) as password in accounts.csv should be worried.

phelix
June 19, 2011, 08:45:26 PM  #36

it would have been nice to keep emails encoded mtgox...

LeFBI
June 19, 2011, 08:52:53 PM  #37

If the salt hasn't been compromised, then the passwords should be safe, no?
It's not entirely clear if the attacker got access to the Mt.Gox source code, but at the moment it's probably safer to assume the salt was compromised as well.
there is no >the salt< in this case it's 59231 password hashes with 59219 >different< salts. and ~1700 simple md5 hashes.

well look at what some of the users have in there rigs and there are programs like Extreme GPU Bruteforcer out there that can do up to 700million passwords a sec on a geforce 250 and with what people here have in there rigs it would not take long at all.
we're talking about md5crypt a.k.a MD5(Unix) a.k.a. FreeBSD MD5 ...not simple md5()!
with a decent gpu you'll be lucky to get ~1.5Mhash/s per gpu, not 700M. On a single HD4870 i get ~640.0k/s , that's nothing.
anything else than a wordlist attack is pretty useless on these hashes. so if you have an at least decent 8char pass, you should be fine.
if you're one of the poor guys, whose pass was encrypted with simple md5()...well good luck then. but the rest shouldn't worry too much.

however everyone still should change his password when they are back online
DamienBlack
June 19, 2011, 08:59:19 PM  #38

Someone with a network should email everyone on the list and let them know.

Man From The Future
June 19, 2011, 09:00:15 PM  #39

Someone with a network should email everyone on the list and let them know.

Issue is you'd probably end up on spam blacklists. :(
Durr
June 19, 2011, 09:04:00 PM  #40

If the salt hasn't been compromised, then the passwords should be safe, no?
It's not entirely clear if the attacker got access to the Mt.Gox source code, but at the moment it's probably safer to assume the salt was compromised as well.
there is no >the salt< in this case it's 59231 password hashes with 59219 >different< salts. and ~1700 simple md5 hashes.

well look at what some of the users have in there rigs and there are programs like Extreme GPU Bruteforcer out there that can do up to 700million passwords a sec on a geforce 250 and with what people here have in there rigs it would not take long at all.
we're talking about md5crypt a.k.a MD5(Unix) a.k.a. FreeBSD MD5 ...not simple md5()!
with a decent gpu you'll be lucky to get ~1.5Mhash/s per gpu, not 700M. On a single HD4870 i'll get ~640.0k/s , that's nothing.
anything else than a wordlist attack is pretty useless on these hashes. so if you have an at least decent 8char pass, you should be fine.
if you're one of the poor guys, whose pass was encrypted with simple md5()...well good luck then. but the rest shouldn't worry too much.

however everyone still should change his password when they are back online

Except that an account with 500k and other accounts were hacked and it's true. So your opinion that it's all ok is bs.
