MTGox security was flawed

[harmen]

MTGox security was flawed: the API instructions where send using cleartext passwords in the URL.

With such security sense it was a matter of time.

Some unusual tips for creating very strong and very easily to remember passwords from grc.com:

https://www.grc.com/%5Chaystack.htm

It is not about randomness, it is about length and potential complexity.

Cheers!

[1715263363]

1715263363

[1715263363]

1715263363

[1715263363]

1715263363

[adamncsu]

thanks. there can never be too many posts about password security. so many people are under-educated in the subject.

[ribuck]

...the API instructions where send using cleartext passwords in the URL...

Over https.

[SomeoneWeird]

...the API instructions where send using cleartext passwords in the URL...

Over https.

HTTPS Doesn't mean squat.

[dan_a]

...the API instructions where send using cleartext passwords in the URL...

Over https.

HTTPS Doesn't mean squat.

That attack will only work if you have control of a network between MTGOX and their customers.

[zzyyxx]

http://forum.bitcoin.org/index.php?topic=15364.msg231115#msg231115

am I the only one who finds the Mt Gox hack, and this site going up/coming down... on top of that the whole process in general, to be suspect?

[vampire]

Mt. Gox looked like an amateur site, for some reason I question why should an auditor get a copy of their database?

[EyeRis]

...the API instructions where send using cleartext passwords in the URL...

Over https.

So that means the data is encrypted the URL is not.

[dan_a]

http://forum.bitcoin.org/index.php?topic=15364.msg231115#msg231115

am I the only one who finds the Mt Gox hack, and this site going up/coming down... on top of that the whole process in general, to be suspect?

There's been a big jump in interest in bitcoin in a very short time - it's not surprising that some sites would go up and down as they sort out an appropriate level of hosting.

[Xenland]

HTTPS Doesn't mean squat.

This attack does not apply as long as you browse completely over HTTPS. So just bookmark the https://www.mtgox.com/ url, use only that bookmark, and you'll be fine.

So that means the data is encrypted the URL is not.

HTTPS encrypts also the URL and other request details.

I agree, to my understanding HTTPS sends a signal that we are doing a secure connection(with no data besides IP) and then after the key's have been exchanged it will then proceed to send necessary data after a secure connection has been established.