Bitcoin Forum
December 08, 2016, 12:07:35 PM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: « 1 2 3 [4]  All
  Print  
Author Topic: ALL mtgox password has been compromised, change asap, everywhere you used it  (Read 16675 times)
bcearl
Full Member
***
Offline Offline

Activity: 168



View Profile
June 19, 2011, 10:06:31 PM
 #61

Don't trust e-mails now. Your address is public, it's the perfect opportunity to fool you.

Misspelling protects against dictionary attacks NOT
1481198855
Hero Member
*
Offline Offline

Posts: 1481198855

View Profile Personal Message (Offline)

Ignore
1481198855
Reply with quote  #2

1481198855
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1481198855
Hero Member
*
Offline Offline

Posts: 1481198855

View Profile Personal Message (Offline)

Ignore
1481198855
Reply with quote  #2

1481198855
Report to moderator
1481198855
Hero Member
*
Offline Offline

Posts: 1481198855

View Profile Personal Message (Offline)

Ignore
1481198855
Reply with quote  #2

1481198855
Report to moderator
1481198855
Hero Member
*
Offline Offline

Posts: 1481198855

View Profile Personal Message (Offline)

Ignore
1481198855
Reply with quote  #2

1481198855
Report to moderator
Houdini
Member
**
Offline Offline

Activity: 84



View Profile
June 19, 2011, 10:10:49 PM
 #62

https://uloadr.com/u/CF.txt

Apparently cracked in 3 mins with a gpu.
Is this the whole list or not ? I would really like to know if my password is out there or not...


Don't trust e-mails now. Your address is public, it's the perfect opportunity to fool you.
Oh I never do...
kjj
Legendary
*
Offline Offline

Activity: 1302



View Profile
June 19, 2011, 10:17:16 PM
 #63

No, the vast majority of the passwords were done properly with md5_crypt().  They will probably never be cracked in any serious number.

The few that have been cracked were all passwords stored using the old unsalted DES based crypt().  Everyone knew that the old school crypt() was unsafe, which was the whole reason for switching to salted md5_crypt().

Could you explain to a layman how we can tell the difference? Looking at the string next my email I'd like to feel a little more secure if I know it was a more secure encryption.

Crypt

If it starts with $, it is probably pretty safe.

Without a $, the field is calculated by taking 25 rounds of DES on a 56 bit key field derived from the first 8 characters of the password.  This is very easy to crack.

If it starts with $1$, the next part is a random salt, ending with the next $.  The password and this random salt are hashed with MD5.  Then this hash, the password and the salt are all hashed again.  Then there are 1000 rounds of hashing using the password and the previous hash.  This value is what is finally stored in the file after the last $.

There are other schemes, such as $2$ and $2a$ that are based on blowfish, $3$ which blows, $5$ and $6$ which are based on SHA.  But I don't think any of those were used here.

By looking at the password file, I think the problem is that they upgraded the password hashing code to switch from DES to MD5, but didn't force changes of old passwords.  Looks like this was months ago.  The newest account I can find with the old style password is #3045 (out of ~60,000).

p2pcoin: a USB/CD/PXE p2pool miner - 1N8ZXx2cuMzqBYSK72X4DAy1UdDbZQNPLf - todo
I routinely ignore posters with paid advertising in their sigs.  You should too.
LeFBI
Member
**
Offline Offline

Activity: 98



View Profile
June 19, 2011, 10:52:57 PM
 #64

Except that an account with 500k and other accounts were hacked and it's true. So you're opinion that it's all ok is bs.
that's because he most likely used a very weak password and not because of md5(unix). it has barely to do with the algorithm, more with too lazy people. these are just....weak passes:
https://uloadr.com/u/CF.txt

Apparently cracked in 3 mins with a gpu.
lazy people, even when it comes to protect an account that holds real money.
chihlidog
Newbie
*
Offline Offline

Activity: 28


View Profile
June 19, 2011, 10:54:22 PM
 #65

No, the vast majority of the passwords were done properly with md5_crypt().  They will probably never be cracked in any serious number.

The few that have been cracked were all passwords stored using the old unsalted DES based crypt().  Everyone knew that the old school crypt() was unsafe, which was the whole reason for switching to salted md5_crypt().

Could you explain to a layman how we can tell the difference? Looking at the string next my email I'd like to feel a little more secure if I know it was a more secure encryption.

Crypt

If it starts with $, it is probably pretty safe.

Without a $, the field is calculated by taking 25 rounds of DES on a 56 bit key field derived from the first 8 characters of the password.  This is very easy to crack.

If it starts with $1$, the next part is a random salt, ending with the next $.  The password and this random salt are hashed with MD5.  Then this hash, the password and the salt are all hashed again.  Then there are 1000 rounds of hashing using the password and the previous hash.  This value is what is finally stored in the file after the last $.

There are other schemes, such as $2$ and $2a$ that are based on blowfish, $3$ which blows, $5$ and $6$ which are based on SHA.  But I don't think any of those were used here.

By looking at the password file, I think the problem is that they upgraded the password hashing code to switch from DES to MD5, but didn't force changes of old passwords.  Looks like this was months ago.  The newest account I can find with the old style password is #3045 (out of ~60,000).

Thank you very much for that explanation. I do feel better now. I dont remember even signing up for Mt. Gox, let alone what password I used, but I use a bunch of different passwords for different sites. I've changed them all, and all of them are very long, strong passwords. Hopefully I am safe. Thank you.

Im not sure why anyone would want to, but just in case, I humbly and very gratefully accept donations at: 1Kn6NFFE4EqrhN1pgBDoBQEvSA5c3tdqhi
ixne
Full Member
***
Offline Offline

Activity: 208


View Profile
June 19, 2011, 10:58:44 PM
 #66

If you can remember your password, it probably isn't strong enough.  Get a password manager, I've never been so glad to have a different 18-character random ASCII password for every online account I have.
skull88
Hero Member
*****
Offline Offline

Activity: 684



View Profile
June 19, 2011, 11:31:55 PM
 #67

If you can remember your password, it probably isn't strong enough.  Get a password manager, I've never been so glad to have a different 18-character random ASCII password for every online account I have.
I'm not that stupid to use something like "password" (really it is a few times in that file) and luckily the password I used on mtgox is a unique pass not to simple but easy enough for me to remember.
I always use unique passes that are harder to crack for things that involve money or other important things and I have a few common passes for not so important things that wouldn't really bother me to much if they got hacked.

I know it is far from waterproof my system and I'm interested in using a password manager, the only problem I have with a password manager, how can I than log in to my accounts on other computers? And if your computer is hacked they have all your passwords even the ones for the important sites, while nobody can crack into my head. Or am I missing something and is there a manager that gives me the ease of passwords I can remember so I can log in on different computers and the security that nobody can get my passwords from the manager.

BTC: 1MifMqtqqwMMAbb6zr8u6qEzWqq3CQeGUr
LTC: LhvMYEngkKS2B8FAcbnzHb2dvW8n9eHkdp
opticbit
Hero Member
*****
Offline Offline

Activity: 677


PGP: 6EBEBCE1E0507C38


View Profile WWW
June 20, 2011, 02:01:46 AM
 #68

We don't know which accounts were really used. For example, do you really think "testuser" has a lot of BTC floating around? I would love to know the account balance to each of these now compromised accounts.

A great lesson in web security!

So, MtGox does not us salt... It's really bad. The only good thing they can do is to reset all passwords and revalidate accounts through emails. But in case of passwords that match email ones situation becomes even worse...

No, that list is a list of cracked passwords that were salted but were so stupidly easy that they got bruteforced in no time!

don't see mine in there.

I'm still wondering if the DB contains my old pw or new one.

Set up the same thing..
http://bit.ly/btcrefs
Get more bitcoins.
Pages: « 1 2 3 [4]  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!