Bitcoin Forum
December 07, 2016, 02:42:28 PM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: « 1 [2] 3 »  All
  Print  
Author Topic: Mt.Gox Accounts and passwords released, impact to BTC econ  (Read 9669 times)
icaci
Newbie
*
Offline Offline

Activity: 26


View Profile
June 19, 2011, 09:54:08 PM
 #21

I looked at that password list. Only around 1800 passwords were kept in regular md5, those are piss easy to crack (see http://www.md5decrypter.co.uk/ if you don't have a rainbow table setup already). The other 60000 were using some other format I did not recognize, though possibly by my own fault... they remind me of Wordpress passwords. It's probably some combined multiple md5 + hash, so I'd think that they are difficult if not impossible to crack, especially if you used a password that is long enough with a wide enough character set.

The danger for password reuse is very real though. It is in theory possible to find a less secure password from some site you signed up to, recover the password from there, and use it at mtgox with your username. So if you use the same password at mtgox or anywhere else, you'll NEED to change passwords. Otherwise you are fairly safe, provided your account is not one of those with regular md5 hashes (the ones not starting with $1$whatever are regular md5s).
$1$salt$hash is the standard FreeBSD MD5-based crypt() format. It was first developed for FreeBSD back in the days when export of DES code outside USA was forbidden. Then all major Unix variants switched to using it as it is much more secure than the original Unix DES-based crypt() and allows passwords longer than 8 symbols. It employs fixed number of salted MD5 rounds and is considered fairly secure given that lots of special symbols and combination of upper and lowercase letters are used. There is another Blowfish-based variant from OpenBSD that is clearly recognisable by the $2$ sentinel. It is much stronger as it takes a lot more CPU/GPU power to compute it compared to the MD5-based one.

1KaohAcY7Zjq7eVa8WvVGrVnry3CqgkcmH
1481121748
Hero Member
*
Offline Offline

Posts: 1481121748

View Profile Personal Message (Offline)

Ignore
1481121748
Reply with quote  #2

1481121748
Report to moderator
1481121748
Hero Member
*
Offline Offline

Posts: 1481121748

View Profile Personal Message (Offline)

Ignore
1481121748
Reply with quote  #2

1481121748
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
Bit_Happy
Legendary
*
Offline Offline

Activity: 1442


A Great Time to Start Something!


View Profile
June 19, 2011, 10:20:29 PM
 #22

I submitted my first coin to mtgox last night and now it's saying my account doesn't exist. I hope I get my account and my 1 BTC back.

The site is down, don't worry.

15DYJpWJe9H1YofsNQbP9JEWWNn7XPZgbS
TurboK
Full Member
***
Offline Offline

Activity: 137



View Profile
June 19, 2011, 10:37:50 PM
 #23

I looked at that password list. Only around 1800 passwords were kept in regular md5, those are piss easy to crack (see http://www.md5decrypter.co.uk/ if you don't have a rainbow table setup already). The other 60000 were using some other format I did not recognize, though possibly by my own fault... they remind me of Wordpress passwords. It's probably some combined multiple md5 + hash, so I'd think that they are difficult if not impossible to crack, especially if you used a password that is long enough with a wide enough character set.

The danger for password reuse is very real though. It is in theory possible to find a less secure password from some site you signed up to, recover the password from there, and use it at mtgox with your username. So if you use the same password at mtgox or anywhere else, you'll NEED to change passwords. Otherwise you are fairly safe, provided your account is not one of those with regular md5 hashes (the ones not starting with $1$whatever are regular md5s).
$1$salt$hash is the standard FreeBSD MD5-based crypt() format. It was first developed for FreeBSD back in the days when export of DES code outside USA was forbidden. Then all major Unix variants switched to using it as it is much more secure than the original Unix DES-based crypt() and allows passwords longer than 8 symbols. It employs fixed number of salted MD5 rounds and is considered fairly secure given that lots of special symbols and combination of upper and lowercase letters are used. There is another Blowfish-based variant from OpenBSD that is clearly recognizable by the $2$ sentinel. It is much stronger as it takes a lot more CPU/GPU power to compute it compared to the MD5-based one.
You learn something new every day.
So, the $1$salt$ part is the salt, and it is computed (roughly) by salt + password = hash, then hash + salt + password = hash 2, and so on, repeating 1000 times, and the result is then encoded into a unix DES hash? Doesn't sound too safe, since the salt is known, but I guess it means that bruteforcing takes, theoretically, 1000 times longer. This should knock off 2-3 letters from the length of password that is still viable to bruteforce. But it's true that even if someone cracks just 1 account with a weak password, they can get a killing.

The irony is, if someone has the processing power to bruteforce the majority of these passwords, they could already get money just by mining bitcoins.

12zJNWtM2HknS2EPLkT9QPSuSq1576aKx7

Tradehill viral bullshit code: TH-R114411
Philj
Sr. Member
****
Offline Offline

Activity: 386



View Profile
June 19, 2011, 10:52:32 PM
 #24

Checked, and mine was on the list  Cry

Went and changed other accounts even though the exact same PW wasn't used it was based on an algorithm.

Lets hope this doesn't totally crash the market when things come back on line.
frutza
Newbie
*
Offline Offline

Activity: 14


View Profile
June 19, 2011, 10:57:08 PM
 #25

Usernames and emails were released, indeed. Passwords were NOT, only the hashes.
Weak passwords can be obtained from the hashes. Strong ones - not really, it's kind of hard  Grin

My two BTcents: login to your account as soon as you can and change your password to something resembling a bitcoin address.
That should be hard enough to get from it's hash  Smiley
frutza
Newbie
*
Offline Offline

Activity: 14


View Profile
June 19, 2011, 11:01:33 PM
 #26

Oh, and expect some spam emails in the future! Maybe nigerian letters involving bitcoins?
TurboK
Full Member
***
Offline Offline

Activity: 137



View Profile
June 19, 2011, 11:07:16 PM
 #27

Oh, and expect some spam emails in the future! Maybe nigerian letters involving bitcoins?
greetings i am a Nigerian emperor and it appears that you are entitled to a part of my sacred golden lamb flock!! plese send me your name, address and secuirty of social number and i will have my unics contact you tomorw or at your best convience!
-Jalathalqualruaumqama

12zJNWtM2HknS2EPLkT9QPSuSq1576aKx7

Tradehill viral bullshit code: TH-R114411
Justsomeforumuser
Member
**
Offline Offline

Activity: 84


View Profile
June 19, 2011, 11:11:53 PM
 #28

There really isn't anything I could say or repeat on this subject that comes as close as what reality is doing to people right now.

Ho-Hum.
chungenhung
Legendary
*
Offline Offline

Activity: 1134


View Profile
June 20, 2011, 12:44:44 AM
 #29

and i bet there will be people switching their BTC mining operation to password cracking operation.

Trading MtGox USD for Dwolla/ACH deposit/Chase cash deposit
https://bitcointalk.org/index.php?topic=90115.0
Buy/Sell Call/Put Bitcoin options https://bitcointalk.org/index.php?topic=99853.0
chadqberry
Jr. Member
*
Offline Offline

Activity: 57


View Profile
June 20, 2011, 12:59:03 AM
 #30

The emails are already flooding.. MtGox scams to trick you into installing a new bitcoin client (which is infected) as well as some lame @ss trying to get you to register at Tradehill using his referral number.

15vKCFT2Xnot3RxWhEcyed91FZcf23CyTT
jgraham
Full Member
***
Offline Offline

Activity: 140


<Pretentious and poorly thought out latin phrase>


View Profile
June 20, 2011, 03:54:15 AM
 #31

Usernames and emails were released, indeed. Passwords were NOT, only the hashes.
Weak passwords can be obtained from the hashes. Strong ones - not really, it's kind of hard  Grin

Just ran oclHashcat on my hash and the 6990 gave an estimate of 100 years (both cores).  Not feeling so bad about that.

I'm rather good with Linux.  If you're having problems with your mining rig I'll help you out remotely for 0.05.  You can also propose a flat-rate for some particular task.  PM me for details.
frutza
Newbie
*
Offline Offline

Activity: 14


View Profile
June 20, 2011, 05:46:56 AM
 #32

Not bad, but what about those mining ops who have hundreds of cards? What if THEY turn to cracking?  Grin
Hail the emperor above!!!
frutza
Newbie
*
Offline Offline

Activity: 14


View Profile
June 20, 2011, 05:48:31 AM
 #33

Why won't you guys save the time, electricity and cracking/spamming effort, and send me all your bitcoins now? Oops, forgot I don't have an address in my signature...
unixdude
Jr. Member
*
Offline Offline

Activity: 46


Bitcoin .. and the INTERNET!


View Profile
June 20, 2011, 06:04:51 AM
 #34

It will impact them and for the worst. It highlights the fact that the exchanges are not secure and until they are, they should not be used or used with extreme caution.

 *Image Removed*
Grant
Full Member
***
Offline Offline

Activity: 168



View Profile
June 20, 2011, 06:07:16 AM
 #35

It highlights the fact that the exchanges are not secure and until they are, they should not be used or used with extreme caution.

I'm afraid extreme caution will be the result here, consequently that means: higher spreads, lower liquidity, lower price. Until confidence is restored.

hugolp
Hero Member
*****
Offline Offline

Activity: 742



View Profile
June 20, 2011, 06:13:33 AM
 #36

It highlights the fact that the exchanges are not secure and until they are, they should not be used or used with extreme caution.

I'm afraid extreme caution will be the result here, consequently that means: higher spreads, lower liquidity, lower price. Until confidence is restored.

Trading websites have been hacked. They have reverted the trades, and nothing big has happened. I dont see why it would be very different in this case. Hopefully this will make people go towards more serious exchanges.
klayus
Newbie
*
Offline Offline

Activity: 21


View Profile
June 20, 2011, 06:46:09 AM
 #37

I've got a problem. my account was on the list but when i try to login to change my password it says the account dosent exist. did that happen to everyone or just me? have I lost my bitcoins???

best regards
imperi
Full Member
***
Offline Offline

Activity: 196


View Profile
June 20, 2011, 06:48:01 AM
 #38

I've got a problem. my account was on the list but when i try to login to change my password it says the account dosent exist. did that happen to everyone or just me? have I lost my bitcoins???

best regards

You can't login yet. I think you are referring to the help forum which is a separate registration, I think.
LokeRundt
Member
**
Offline Offline

Activity: 98



View Profile
June 20, 2011, 12:10:58 PM
 #39

Quote from: Lameass
Dear Sir or Madam,


A few hours ago the Bitcoin trading website Mt Gox has been hacked. Malicious individuals have been able to obtain a database containing usernames, email address and encrypted passwords. This information has been posted publicly on the internet.

As a Bitcoin supporter I'm now sending a message to every email address contained in the hacked database. This is to warn you that your username, email address and password have been leaked. I therefore strongly advice you to change your passwords. If you have used the same passwo ???rd on different websites it's highly recommended to change your password on all of your accounts!

For a more secure alternative to Mt Gox, the community appears to be moving to TradeHill. So this is no reason to lose faith in Bitcoin itself. It must be seen as a warning that not every website can be trusted with your data however! Their link is http://www.tradehill.com/?r=TH-R15683 (Note: You can remove the Referral Code when registering if you want!) This is certainly not the only website where you can exchange Bitcoins, also check out http://www.thebitcoinlist.com/dp_bitcoin/bitcoin-exchange/


Sincerely,

A Bitcoin supporter
1CWSjov2N7ix41bZ8bJfHXkdLLbkUsG9Y7

So what I want to know is, how the fuck does this "sincere" bitcoin supporter get my email address?  I had an account with Mt.Gox, but didn't even trade with them.


Nm, didn't realize I had an active link to my email on this board.  *le sigh*

EDIT:  But to further thicken the plot, in my account-related settings, the box labeled "Hide email address from public" is checked. . . .hmmmmmmmmmmm *navigates over to the meta subforum*

Hippy Anarchy
*shrug*
DukeOfEarl
Newbie
*
Offline Offline

Activity: 28


View Profile
June 20, 2011, 01:22:09 PM
 #40

where is user of number 51190 in the file?!

This is the most brilliant insight I've read so far.  The hacker likely had a login on mtgox and probably deleted themselves before release.

That said, 51190 is in there:

51190   tgibbsz32   tgibbsz32@gmail.com   $1$9eZ.kSvA$fshZ6R1jkNtlllW10Sxpp/                     
Pages: « 1 [2] 3 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!