Cracking the passwords: Don't blame the MtGox, USERS ARE STUPID

[ZareliMan]

Nice to know, a little statistics for the curious

[1713586406]

1713586406

[1713586406]

1713586406

[1713586406]

1713586406

[enmaku]

I understand all too well that if people are allowed to choose ANY password at all, they will usually choose a weak one. The onus of security is not typically placed on the user, it is up to the institution to FORCE the user to choose a minimum acceptable level of security. This is why every major OS has systems built in to enforce password length, complexity and expiration requirements. Users cannot always be counted on to choose methods and systems which are in their best interests.

It's yet another extension of that classic rule of programming: "Always assume your user is an idiot (even if your only user is yourself)"

That principle is wrong from the very basics.
You can't increase security through forcing a human being. Idiots are particularly clever to circumvent a foolproof design.
If you force arbitrary formatting of a password, they WILL write it down and paste it on the monitor, making it available to anyone who walks by by the office.

We must break the paradigm of "strong=difficult passwords". You shouldn't force anyone, you must invite them to adopt it.
We must make "strong=easy passwords" for the users, that is easy for the user to remember and computationally difficult to crack.
The first two examples I give in my previous post are damn easy once you "get it" and it is a nightmare for the cracker.

A password like this: "De345tgfr." it's a nightmare for a cracker.
Try typing it in the keyboard (go ahead, type it with one finger).
As you can see, forms a determined and easy to remember pattern on the keyboard.
It is damn easy to remember because I exploit the "procedural memory" (your "finger memory").
That is the first method I discuss in my previous post.

The RSA SecureID type of security is the ideal one for the end user... there are more experimental and sophisticated methods of authetications based on the fingerprinting of your typing rhythm: you type a text in a particular way, and that becomes a very precise biometric data.
I tested a few solutions (web based) and they are really amazing in their accuracy.

But until those solutions become standarized and open to the public, the people should be security conscious.
Forcing them is not the solution, educating them is.
Regards,

It may end up on a sticky note on the monitor but that leads to a single user having their account stolen for their own stupidity. Failing to enforce a strong password policy leads to MANY users having their accounts compromised for the SITE'S stupidity.

Not every individual user is perhaps best served by strong password policies, but the user-base as a whole certainly is and for a site with some 60,000 users, a utilitarian approach that protected 59,900 of them would have been preferred and in fact would likely have stopped this attack, provided the compromised account was not one of the few old enough to have an un-salted hash. Even if Mr (or Mrs?) 500,000 BTC had written their forcibly-made-stronger password on a post-it next to their mousepad that would be meaningless to an attacker with a database dump who would not have physical access to said post-it.

[supaction]

Ahahah
http://img28.imageshack.us/img28/1282/mymtgoxpassword.jpg
http://twitter.com/BitcoinHumor

[btyako]

i'm sorry but not storing passwords without decent salts as well as decent hashes is the fault of mtgox.

getting access to a database that isn't salted is like hitting a goldmine because of the fact that so many people use the same passwords (iloveyou, password etc) when you get access to an unsalted hash user databaseit would look like this (sort by password, or whatever they call their password column):
8e6c488d2eb01fc691470ceb3a6f700c
8e6c488d2eb01fc691470ceb3a6f700c
8e6c488d2eb01fc691470ceb3a6f700c
746dd6c349cb2e97923be477e8d96423
746dd6c349cb2e97923be477e8d96423
(insert tons of other random md5's)
since they aren't salted you instantly see that there are multiple passwords that have the exact same hash (and therefore the exact same password) so if you crack one of them, you've cracked all of them..

with salted hashes you have a random salt combined with the hash up there to create a new salted hash, which generally means that every 'password' that a person who has access to the database sees is 100% unique (since each user gets a random salt and that salt is added to their password to create a salted password)

so if for example you have a database of 100,000 users all salted and hashed passwords, no 2 passwords will be cracked at the exact same time, it would take more time to crack a decent amount of passwords unlike with what happened to a bunch of mtgox accounts (which they admitted were there, but claim they are older accounts and their passwords are salted and hashed properly)

not only that but not requiring more advanced passwords is the fault of the site, not of the user.

[dennis_sweden]

Can someone please enlighten me of the dangers of keeping passdwords in word.doc files on the harddisk, and is it safer to keep them on usb flashdrives, even if they are regularly connected to the computer?

It's not that I can't remember a complicated password; however IF one were to forget it at some critical point of time...under duress

[bitsalame]

i'm sorry but not storing passwords without decent salts as well as decent hashes is the fault of mtgox.

getting access to a database that isn't salted is like hitting a goldmine because of the fact that so many people use the same passwords (iloveyou, password etc) when you get access to an unsalted hash user databaseit would look like this (sort by password, or whatever they call their password column):
8e6c488d2eb01fc691470ceb3a6f700c
8e6c488d2eb01fc691470ceb3a6f700c
8e6c488d2eb01fc691470ceb3a6f700c
746dd6c349cb2e97923be477e8d96423
746dd6c349cb2e97923be477e8d96423
(insert tons of other random md5's)
since they aren't salted you instantly see that there are multiple passwords that have the exact same hash (and therefore the exact same password) so if you crack one of them, you've cracked all of them..

with salted hashes you have a random salt combined with the hash up there to create a new salted hash, which generally means that every 'password' that a person who has access to the database sees is 100% unique (since each user gets a random salt and that salt is added to their password to create a salted password)

so if for example you have a database of 100,000 users all salted and hashed passwords, no 2 passwords will be cracked at the exact same time, it would take more time to crack a decent amount of passwords unlike with what happened to a bunch of mtgox accounts (which they admitted were there, but claim they are older accounts and their passwords are salted and hashed properly)

not only that but not requiring more advanced passwords is the fault of the site, not of the user.

The thousands of passwords that I ALREADY CRACKED are all salted ones.
It doesn't matter if it is Blowfish, SHA-1 or whatever algorithm, if you are using 123456 as your password, you'll be more more fuckable than a horny bitch.

[KFed]

Mt. Gox is a joke and so are you for valiantly defending them as they take you to the cleaners. Enjoy!

[btyako]

i'm sorry but not storing passwords without decent salts as well as decent hashes is the fault of mtgox.

getting access to a database that isn't salted is like hitting a goldmine because of the fact that so many people use the same passwords (iloveyou, password etc) when you get access to an unsalted hash user databaseit would look like this (sort by password, or whatever they call their password column):
8e6c488d2eb01fc691470ceb3a6f700c
8e6c488d2eb01fc691470ceb3a6f700c
8e6c488d2eb01fc691470ceb3a6f700c
746dd6c349cb2e97923be477e8d96423
746dd6c349cb2e97923be477e8d96423
(insert tons of other random md5's)
since they aren't salted you instantly see that there are multiple passwords that have the exact same hash (and therefore the exact same password) so if you crack one of them, you've cracked all of them..

with salted hashes you have a random salt combined with the hash up there to create a new salted hash, which generally means that every 'password' that a person who has access to the database sees is 100% unique (since each user gets a random salt and that salt is added to their password to create a salted password)

so if for example you have a database of 100,000 users all salted and hashed passwords, no 2 passwords will be cracked at the exact same time, it would take more time to crack a decent amount of passwords unlike with what happened to a bunch of mtgox accounts (which they admitted were there, but claim they are older accounts and their passwords are salted and hashed properly)

not only that but not requiring more advanced passwords is the fault of the site, not of the user.

The thousands of passwords that I ALREADY CRACKED are all salted ones.
It doesn't matter if it is Blowfish, SHA-1 or whatever algorithm, if you are using 123456 as your password, you'll be more more fuckable than a horny bitch.

you do understand the difference between cracking 1 password and unlocking 500 of them because they are the exact same password and being forced to crack all of them right?
thats my point.

[bitsalame]

Can someone please enlighten me of the dangers of keeping passdwords in word.doc files on the harddisk, and is it safer to keep them on usb flashdrives, even if they are regularly connected to the computer?

It's not that I can't remember a complicated password; however IF one were to forget it at some critical point of time...under duress

It is better to forget and generate a new one through the "recover password" options that all site offer.
I forgot my banking password a several times, but I created new ones later.
I keep relying on my forgetfulness as a measure to keep changing the passwords. Whenever I forget about it, I just create a new one.

Regarding to storing the passwords in a text/doc file, it is horrible. That is the digital version of postits.
Follow the advises of the previous posters: 1password or any password management program would be infinitely better.

In these password management programs, you just have to memorize one password, the pass management program's. There you store all the passwords you want securely and randomly generated.
It has its strong and weak points theoretically, but in practice it enhances your security tenfold.

Cheers

[KFed]

i'm sorry but not storing passwords without decent salts as well as decent hashes is the fault of mtgox.

getting access to a database that isn't salted is like hitting a goldmine because of the fact that so many people use the same passwords (iloveyou, password etc) when you get access to an unsalted hash user databaseit would look like this (sort by password, or whatever they call their password column):
8e6c488d2eb01fc691470ceb3a6f700c
8e6c488d2eb01fc691470ceb3a6f700c
8e6c488d2eb01fc691470ceb3a6f700c
746dd6c349cb2e97923be477e8d96423
746dd6c349cb2e97923be477e8d96423
(insert tons of other random md5's)
since they aren't salted you instantly see that there are multiple passwords that have the exact same hash (and therefore the exact same password) so if you crack one of them, you've cracked all of them..

with salted hashes you have a random salt combined with the hash up there to create a new salted hash, which generally means that every 'password' that a person who has access to the database sees is 100% unique (since each user gets a random salt and that salt is added to their password to create a salted password)

so if for example you have a database of 100,000 users all salted and hashed passwords, no 2 passwords will be cracked at the exact same time, it would take more time to crack a decent amount of passwords unlike with what happened to a bunch of mtgox accounts (which they admitted were there, but claim they are older accounts and their passwords are salted and hashed properly)

not only that but not requiring more advanced passwords is the fault of the site, not of the user.

The thousands of passwords that I ALREADY CRACKED are all salted ones.
It doesn't matter if it is Blowfish, SHA-1 or whatever algorithm, if you are using 123456 as your password, you'll be more more fuckable than a horny bitch.

you do understand the difference between cracking 1 password and unlocking 500 of them because they are the exact same password and being forced to crack all of them right?
thats my point.

Of course not, if he did he would be shouting down mt. gox like any other reasonable human being.

[InsertButtcoin]

i'm sorry but not storing passwords without decent salts as well as decent hashes is the fault of mtgox.

getting access to a database that isn't salted is like hitting a goldmine because of the fact that so many people use the same passwords (iloveyou, password etc) when you get access to an unsalted hash user databaseit would look like this (sort by password, or whatever they call their password column):
8e6c488d2eb01fc691470ceb3a6f700c
8e6c488d2eb01fc691470ceb3a6f700c
8e6c488d2eb01fc691470ceb3a6f700c
746dd6c349cb2e97923be477e8d96423
746dd6c349cb2e97923be477e8d96423
(insert tons of other random md5's)
since they aren't salted you instantly see that there are multiple passwords that have the exact same hash (and therefore the exact same password) so if you crack one of them, you've cracked all of them..

with salted hashes you have a random salt combined with the hash up there to create a new salted hash, which generally means that every 'password' that a person who has access to the database sees is 100% unique (since each user gets a random salt and that salt is added to their password to create a salted password)

so if for example you have a database of 100,000 users all salted and hashed passwords, no 2 passwords will be cracked at the exact same time, it would take more time to crack a decent amount of passwords unlike with what happened to a bunch of mtgox accounts (which they admitted were there, but claim they are older accounts and their passwords are salted and hashed properly)

not only that but not requiring more advanced passwords is the fault of the site, not of the user.

The thousands of passwords that I ALREADY CRACKED are all salted ones.
It doesn't matter if it is Blowfish, SHA-1 or whatever algorithm, if you are using 123456 as your password, you'll be more more fuckable than a horny bitch.

you do understand the difference between cracking 1 password and unlocking 500 of them because they are the exact same password and being forced to crack all of them right?
thats my point.

Of course not, if he did he would be shouting down mt. gox like any other reasonable human being.

Exactly!

[bitsalame]

i'm sorry but not storing passwords without decent salts as well as decent hashes is the fault of mtgox.

getting access to a database that isn't salted is like hitting a goldmine because of the fact that so many people use the same passwords (iloveyou, password etc) when you get access to an unsalted hash user databaseit would look like this (sort by password, or whatever they call their password column):
8e6c488d2eb01fc691470ceb3a6f700c
8e6c488d2eb01fc691470ceb3a6f700c
8e6c488d2eb01fc691470ceb3a6f700c
746dd6c349cb2e97923be477e8d96423
746dd6c349cb2e97923be477e8d96423
(insert tons of other random md5's)
since they aren't salted you instantly see that there are multiple passwords that have the exact same hash (and therefore the exact same password) so if you crack one of them, you've cracked all of them..

with salted hashes you have a random salt combined with the hash up there to create a new salted hash, which generally means that every 'password' that a person who has access to the database sees is 100% unique (since each user gets a random salt and that salt is added to their password to create a salted password)

so if for example you have a database of 100,000 users all salted and hashed passwords, no 2 passwords will be cracked at the exact same time, it would take more time to crack a decent amount of passwords unlike with what happened to a bunch of mtgox accounts (which they admitted were there, but claim they are older accounts and their passwords are salted and hashed properly)

not only that but not requiring more advanced passwords is the fault of the site, not of the user.

The thousands of passwords that I ALREADY CRACKED are all salted ones.
It doesn't matter if it is Blowfish, SHA-1 or whatever algorithm, if you are using 123456 as your password, you'll be more more fuckable than a horny bitch.

you do understand the difference between cracking 1 password and unlocking 500 of them because they are the exact same password and being forced to crack all of them right?
thats my point.

Of course not, if he did he would be shouting down mt. gox like any other reasonable human being.

Check my post history, you newbie.
I was the first bringing the news of Mt.Gox being hacked to this newbie forum, and I was one of the first ones bitching about Mt.Gox.
Mt.Gox was lame, but the users are lamer. I am reaching 1000 cracked passwords, all of them salted, and I am just beginning.

Last cracked account:
User: Musashi6
Pass: Hackworth6

L O L

[KFed]

And why are you wasting CPU cycles to do that when it's already been done a thousand times over by a thousand more talented, better informed individuals than yourself?


Edit: I've got to admit, you are FANTASTIC at running a password cracking program. Really gettin in there and executin them .exe's!

[dennis_sweden]

It is better to forget and generate a new one through the "recover password" options that all site offer.
I forgot my banking password a several times, but I created new ones later.
I keep relying on my forgetfulness as a measure to keep changing the passwords. Whenever I forget about it, I just create a new one.

Regarding to storing the passwords in a text/doc file, it is horrible. That is the digital version of postits.
Follow the advises of the previous posters: 1password or any password management program would be infinitely better.

In these password management programs, you just have to memorize one password, the pass management program's. There you store all the passwords you want securely and randomly generated.
It has its strong and weak points theoretically, but in practice it enhances your security tenfold.

Thanks, bitsalame. I shall have to think through a different strategy.

[bitsalame]

And why are you wasting CPU cycles to do that when it's already been done a thousand times over by a thousand more talented, better informed individuals than yourself?


Edit: I've got to admit, you are FANTASTIC at running a password cracking program. Really gettin in there and executin them .exe's!

You get bad grades at school don't you? Do you need some Ritalin?
The point here is not showing any kind of technical prowess, you dimwit.
The point is to show how stupid people are choosing weak passwords.

MtGox isn't a forum, isn't a social network. MTGox is a eWallet, you store your money and bitcoins there.
Choosing 123456 as your password is plainly braindead.
Neither salting nor strong algorithms will help you in any way if your password SUCKS.

Btw, who said I am wasting CPU cycles? You are a waste of proteins.
Cheers

[BitCoinBarter]

I have said it before and I will say it again. Plug your ears.

GET AND USE A RELIABLE PASSWORD MANAGER!!!

I suggest LastPass, it is easy to use.
You can have it automatically input your user ID and password to a site as soon as you get to the page.

Still to hard? You can get it to log in for you.

Want to know the first part of the password that I use for this forum?  It is A&Vyg followed by at least 5 more letters.  I had to look it up through LastPass.

I can not tell you the passwords of any site that I use, because I don't know them (LastPass does). I can tell you that it is a strong password.

I can also tell you that birds are going to fly, fish are going to swim and hackers are going to hack.

Can I get an Amen.

[bitsalame]

I have said it before and I will say it again. Plug your ears.

GET AND USE A RELIABLE PASSWORD MANAGER!!!

I suggest LastPass, it is easy to use.
You can have it automatically input your user ID and password to a site as soon as you get to the page.

Still to hard? You can get it to log in for you.

Want to know the first part of the password that I use for this forum?  It is A&Vyg followed by at least 5 more letters.  I had to look it up through LastPass.

I can not tell you the passwords of any site that I use, because I don't know them (LastPass does). I can tell you that it is a strong password.

I can also tell you that birds are going to fly, fish are going to swim and hackers are going to hack.

Can I get an Amen.

Amen.

[nikkuchan]

I have said it before and I will say it again. Plug your ears.

GET AND USE A RELIABLE PASSWORD MANAGER!!!

I suggest LastPass, it is easy to use.
You can have it automatically input your user ID and password to a site as soon as you get to the page.

Still to hard? You can get it to log in for you.

Want to know the first part of the password that I use for this forum?  It is A&Vyg followed by at least 5 more letters.  I had to look it up through LastPass.

I can not tell you the passwords of any site that I use, because I don't know them (LastPass does). I can tell you that it is a strong password.

I can also tell you that birds are going to fly, fish are going to swim and hackers are going to hack.

Can I get an Amen.

Amen.

AMEN!!

[Karen Palen]

Can someone please enlighten me of the dangers of keeping passdwords in word.doc files on the harddisk, and is it safer to keep them on usb flashdrives, even if they are regularly connected to the computer?

It's not that I can't remember a complicated password; however IF one were to forget it at some critical point of time...under duress

Well lets see, it seems that UNIX went through this same debate 30+ years ago - the conclusion was (pay attention now): "IF IT IS ON YOUR HARD DRIVE IT CAN BE STOLEN!"

Of course you can keep a password list on your desktop (or posted in the cafeteria see http://thedailywtf.com/ ), but that really is the same as wearing a "kick me" sign on your butt and whining when you get kicked!

That is why ALL passwords on EVERY system today (even Win 7  ) are encrypted!

USB drives are ONLY safer if you keep them in your pocket until they are needed.

HINT: carefully read Symantec's superb STUXNET analysis - then ask the Iranian government about "secure" USB drives. NO I will not give you citations - do your own homework!

[JoelKatz]

The many small bitcoin businesses are going to have to go through the painful learning curve of acquiring information the banks already know. (We already went through that pain.) Transactions have to be analyzed for suspicious patterns. Users will do very dumb things if the system lets them. And blaming the problems on the users is only fair if there was nothing you reasonably could have done to protect them.

Banks analyze transactions for suspicious patterns and have 24/7 monitoring centers with trained staff who can lock a system down if it appears to be doing things it shouldn't be doing. I don't think every little Bitcoin mom&pop needs that. But automated transactions with nobody minding the store is scary. Perhaps these businesses could take some lessons from the inherent security in bitcoins themselves.