Cracking the passwords: Don't blame the MtGox, USERS ARE STUPID

[bitsalame]

I am currently cracking the leaked password file just for fun and because I am curious.
Guess what?

1) Hundreds of accounts with their usernames as passwords.
2) Hundreds of accounts with the password "123456"
3) Hundreds of accounts with the password "testtest"
4) Hundreds of accounts with the password "bitcoin"

Are you guys STUPID?

TO THE THOUSANDS OF USERS WHO ARE THIS DUMB:
YOU DESERVE TO LOSE YOUR BITCOINS, IDIOTS.

[1713450800]

1713450800

[1713450800]

1713450800

[1713450800]

1713450800

[1713450800]

1713450800

[tlan]

It seems like it doesn't matter what the username/password combination is supposed to be protecting, it's the same every time.  A lot of users just use silly passwords because they don't manage to remember something more advanced, and don't give much thought into what would happen if someone can access the data you're sitting on now.

I used to work as a sys.admin at a university with 30k students, and we used to crack passwords every now and then, our average was 500 passwords found by the first day every time.

[BTC Economist]

Another thread clearly demonstrating the lack of understanding of how to achieve wide adoption.  The attitude of many bitcoin users is another reason to bet against it long term.

[csshih]

1) Hundreds of accounts with their usernames as passwords.
2) Hundreds of accounts with the password "123456"
3) Hundreds of accounts with the password "testtest"
4) Hundreds of accounts with the password "bitcoin"

you realize that a ton of people create test accounts?

[BTCrow]

I am currently cracking the leaked password file just for fun and because I am curious.
Guess what?

1) Hundreds of accounts with their usernames as passwords.
2) Hundreds of accounts with the password "123456"
3) Hundreds of accounts with the password "testtest"
4) Hundreds of accounts with the password "bitcoin"

Are you guys STUPID?

TO THE THOUSANDS OF USERS WHO ARE THIS DUMB:
YOU DESERVE TO LOSE YOUR BITCOINS, IDIOTS.

This is the MAJOR problem of password mechanism. Users aren't able or too lazy to remember something more complex. Even if you force them using something complex, they will bypass this security measure by writing it down into a .txt or a paper on their desktop. Got a good conf at hackfest 2010 talking about weakness of password mechanism. Cause if you check that the password strenght is only measured by the brain.

How a brain can remember a password, for a lot of people if you're able to remember a 9 char password with letter / numbers / only one special caracter the most recent hardware and technics including GPU cracking won't ever be able to crack your brain.

We need to educate people in order to have good security but this is impossible to educate everyone.
Passwords, encrypted or not are really not a good authentification mecanism.

[BitcoinPorn]

Users, while stupid, are not as stupid as systems that allow you to put in a user name as the password.  I thought that was not allowed 'these days'

[bitsalame]

Another thread clearly demonstrating the lack of understanding of how to achieve wide adoption.  The attitude of many bitcoin users is another reason to bet against it long term.

Wide adoption with weak security is suicidal, sir.
Before trying to adopt demagogic methods to achieve wide adoption, lets teach them a lesson: this is money, better be safe than sorry.

I still don't understand this psychological barrier: if it is about tangible money, they buy the heaviest safe.
If it is untangible, they use straws to cover it.

And for the other user who talks about "test accounts", there is an awful amount of "test accounts".
No, sir, these users show a very very high degree of mental laziness:
user : cracked pwd
-------------------
jazy510 : mtgox1
joevm3 : mtgox1
wwwhatup : mtgox1
bitcoin.jstar : mtgox1
mglbt1 : mglbt1
ronello : ronello1
jonashuckestein : jonas1
jaydrum : jaydrum1
etc... (so far 581 passwords cracked)

I MEAN, SERIOUSLY?

I wrote a small tutorial to make very strong passwords and very easy to remember them:
http://forum.bitcoin.org/index.php?topic=19913.msg248514#msg248514

But still lazy people will be lazy enough to not even try to read it.

[bitsalame]

Users, while stupid, are not as stupid as systems that allow you to put in a user name as the password.  I thought that was not allowed 'these days'

Yeah, I burned my lips because it didn't say that the coffee was hot! It is the system's fault, they should have put a label on the cup!
The hair drier should say that it is not waterproof!
Do you really need to put stop signs in a wall to stop your car?
This society is becoming more moronic than ever.

Common sense + Ignorance = Stupid sense
This really makes me feel that we are towards an Idiocracy

[BTCrow]

I wrote a small tutorial to make very strong passwords and very easy to remember them:
http://forum.bitcoin.org/index.php?topic=19913.msg248514#msg248514

But still lazy people will be lazy enough to not even try to read it.

Good post man, keep up the good work!

[Drifter]

I know this happens on every site, but I'd guess a large number of these people are just testing out the exchange and didn't really give a shit if they were hacked because they didn't have anything in there.

[Karen Palen]

I am currently cracking the leaked password file just for fun and because I am curious.
Guess what?

1) Hundreds of accounts with their usernames as passwords.
2) Hundreds of accounts with the password "123456"
3) Hundreds of accounts with the password "testtest"
4) Hundreds of accounts with the password "bitcoin"

Are you guys STUPID?

TO THE THOUSANDS OF USERS WHO ARE THIS DUMB:
YOU DESERVE TO LOSE YOUR BITCOINS, IDIOTS.

And your point is???

Deal with the real word, not what you wish it were!

"In theory there is no difference between theory and practice, in practice there is!" - I said this some time ago look it up if you care! 

[tlan]

Another thread clearly demonstrating the lack of understanding of how to achieve wide adoption.  The attitude of many bitcoin users is another reason to bet against it long term.

You're stating that since someone is calling out names, it will hinder wide adoption?  I find that very hard to believe, and also, after reaching out to enough users, what is said in these forums won't matter to the regular user, as they won't be active on the forums anyway.

[bitsalame]

I am currently cracking the leaked password file just for fun and because I am curious.
Guess what?

1) Hundreds of accounts with their usernames as passwords.
2) Hundreds of accounts with the password "123456"
3) Hundreds of accounts with the password "testtest"
4) Hundreds of accounts with the password "bitcoin"

Are you guys STUPID?

TO THE THOUSANDS OF USERS WHO ARE THIS DUMB:
YOU DESERVE TO LOSE YOUR BITCOINS, IDIOTS.

And your point is???

Deal with the real word, not hwat you wish it were!

My point is that for the betterment of humanity, they should die.
Haha, I am kidding.
The message is clear: remember you are dealing with money here. Be security aware, or don't cry later when someone steals all your stash.

I have no worries for myself, my password would take two millenniums to be cracked (in a Class F, in a home PC it would take EONs).
But the problem is that if such a great amount of users are insecure, actually indirectly they would affect the stability of the whole market... like what just happened in MtGox.
Such unsafety wouldn't facilitate the wide adoption of the currency.

I don't care if a dumb fool loses his/her bitcoins.
But if a great percentage of it are dumb people, it may harm the bitcoin economy seriously in the long run.
So YES, it matters to me... my message can be summarized as: "SECURE YOURSELF OR GTFO"

[ShaggyB (BitCoinWorldMarket)]

There are lots of users out there who have weak passwords. It stands to reason that there will be some user accounts on Mt. Gox that would also have weak passwords.

This is why experts in the field suggest using a password manager like LastPass or 1Password.

[BitcoinPorn]

I wrote a small tutorial to make very strong passwords and very easy to remember them:
http://forum.bitcoin.org/index.php?topic=19913.msg248514#msg248514

But still lazy people will be lazy enough to not even try to read it.

I know I read it earlier.  But after re-reading and seeing the influx of users and blah blah, it should be a damn sticky and people shouldn't be allowed to reply to it unless they add content to it.

[BTC Economist]

Another thread clearly demonstrating the lack of understanding of how to achieve wide adoption.  The attitude of many bitcoin users is another reason to bet against it long term.

You're stating that since someone is calling out names, it will hinder wide adoption?  I find that very hard to believe, and also, after reaching out to enough users, what is said in these forums won't matter to the regular user, as they won't be active on the forums anyway.

My point was that people are going to use easy passwords....always, no matter what. 

[nikkuchan]

People are just plain dumb, cheap, and lazy. Use a password generator that can generate a password using letters, numbers, and symbol. Then use those password managers (1password or whatever) and that's it. It's that simple.

And when the people who use simple password gets hacked, they blame on the site that got hacked. People need to understand that there's nothing in this world that can't be hacked. It only takes time for one to be able to hack something. A site can only take precautions and implement firewalls to prevent one from hacking.

It's just super annoying that one would just blame someone that their user account got stolen because of their stupid password like 123456.

[enmaku]

I understand all too well that if people are allowed to choose ANY password at all, they will usually choose a weak one. The onus of security is not typically placed on the user, it is up to the institution to FORCE the user to choose a minimum acceptable level of security. This is why every major OS has systems built in to enforce password length, complexity and expiration requirements. Users cannot always be counted on to choose methods and systems which are in their best interests.

It's yet another extension of that classic rule of programming: "Always assume your user is an idiot (even if your only user is yourself)"

[nikkuchan]

I understand all too well that if people are allowed to choose ANY password at all, they will usually choose a weak one. The onus of security is not typically placed on the user, it is up to the institution to FORCE the user to choose a minimum acceptable level of security. This is why every major OS has systems built in to enforce password length, complexity and expiration requirements. Users cannot always be counted on to choose methods and systems which are in their best interests.

It's yet another extension of that classic rule of programming: "Always assume your user is an idiot (even if your only user is yourself)"

True that.

But then on the other hand programmers should implement rules where password should at least consist 2 lower case letters, 2 upper case letters, 2 numbers, 2 symbols, and a minimum of 8 characters as a requirement for password. But then again people would just make their passwords simple like qqWW11@@ or maybe even qwER12#$.

[bitsalame]

I understand all too well that if people are allowed to choose ANY password at all, they will usually choose a weak one. The onus of security is not typically placed on the user, it is up to the institution to FORCE the user to choose a minimum acceptable level of security. This is why every major OS has systems built in to enforce password length, complexity and expiration requirements. Users cannot always be counted on to choose methods and systems which are in their best interests.

It's yet another extension of that classic rule of programming: "Always assume your user is an idiot (even if your only user is yourself)"

That principle is wrong from the very basics.
You can't increase security through forcing a human being. Idiots are particularly clever to circumvent a foolproof design.
If you force arbitrary formatting of a password, they WILL write it down and paste it on the monitor, making it available to anyone who walks by by the office.

We must break the paradigm of "strong=difficult passwords". You shouldn't force anyone, you must invite them to adopt it.
We must make "strong=easy passwords" for the users, that is easy for the user to remember and computationally difficult to crack.
The first two examples I give in my previous post are damn easy once you "get it" and it is a nightmare for the cracker.

A password like this: "De345tgfr." it's a nightmare for a cracker.
Try typing it in the keyboard (go ahead, type it with one finger).
As you can see, forms a determined and easy to remember pattern on the keyboard.
It is damn easy to remember because I exploit the "procedural memory" (your "finger memory").
That is the first method I discuss in my previous post.

The RSA SecureID type of security is the ideal one for the end user... there are more experimental and sophisticated methods of authetications based on the fingerprinting of your typing rhythm: you type a text in a particular way, and that becomes a very precise biometric data.
I tested a few solutions (web based) and they are really amazing in their accuracy.

But until those solutions become standarized and open to the public, the people should be security conscious.
Forcing them is not the solution, educating them is.
Regards,