Bitcoin Forum
Author Topic: Cracking the passwords: Don't blame the MtGox, USERS ARE STUPID  (Read 5234 times)
FRK (Newbie; Activity: 15; Merit: 0)
June 21, 2011, 07:21:45 AM  #41

I have said it before and I will say it again. Plug your ears.

GET AND USE A RELIABLE PASSWORD MANAGER!!!

I suggest LastPass, it is easy to use.
You can have it automatically input your user ID and password to a site as soon as you get to the page.

Still too hard? You can get it to log in for you.

Want to know the first part of the password that I use for this forum?  It is A&Vyg followed by at least 5 more letters.  I had to look it up through LastPass.

I cannot tell you the passwords of any site that I use, because I don't know them (LastPass does). I can tell you that it is a strong password.

I can also tell you that birds are going to fly, fish are going to swim and hackers are going to hack.

Can I get an Amen.

LastPass +1 here.
Even generates amazingly strong passwords for you, using upper/lower/number/special characters. Should take forever to brute-force.
Bitter Ender (Newbie; Activity: 5; Merit: 0)
June 22, 2011, 02:32:55 AM  #42

> I am currently cracking the leaked password file just for fun and because I am curious.
> Guess what?
>
> 1) Hundreds of accounts with their usernames as passwords.
> 2) Hundreds of accounts with the password "123456"
> 3) Hundreds of accounts with the password "testtest"
> 4) Hundreds of accounts with the password "bitcoin"
>
> Are you guys STUPID?
> TO THE THOUSANDS OF USERS WHO ARE THIS DUMB:
> YOU DESERVE TO LOSE YOUR BITCOINS, IDIOTS.

As pointed out by others up-thread, real financial institutions like banks have multi-layered security procedures. I haven't used Mt Gox yet so I'm not going to trash-talk their log-in security; but if it is anything like any of the banks I've used, a weak password would not be an open-sesame to a hacker.

First the hacker bot would have to guess a user-name. "A" not recognized. "B" not recognized. "C" not recognized. At what point should the log-in system cut off the bot and direct it to call customer service? Suppose it gets lucky at "AA". So now it has to provide a password. Perhaps it has a list of common passwords to try first. "Password" not it. "password" nope. "PASSWORD" -- Message from system: "Too many log-in attempts. Please call customer service." If Mt Gox allowed password cracking bots to run wild on their system (and I doubt that they did) they need to be shut down now.

Modern banking systems work fine with ordinary everyday people; if Bitcoins require computer security geeks to use them safely, while "idiots" lose their life savings, Bitcoins are going back to zero.
eramus (Newbie; Activity: 27; Merit: 0)
June 22, 2011, 02:58:28 AM  #43

> As pointed out by others up-thread, real financial institutions like banks have multi-layered security procedures. I haven't used Mt Gox yet so I'm not going to trash-talk their log-in security; but if it is anything like any of the banks I've used, a weak password would not be an open-sesame to a hacker.
>
> First the hacker bot would have to guess a user-name. "A" not recognized. "B" not recognized. "C" not recognized. At what point should the log-in system cut off the bot and direct it to call customer service? Suppose it gets lucky at "AA". So now it has to provide a password. Perhaps it has a list of common passwords to try first. "Password" not it. "password" nope. "PASSWORD" -- Message from system: "Too many log-in attempts. Please call customer service." If Mt Gox allowed password cracking bots to run wild on their system (and I doubt that they did) they need to be shut down now.
>
> Modern banking systems work fine with ordinary everyday people; if Bitcoins require computer security geeks to use them safely, while "idiots" lose their life savings, Bitcoins are going back to zero.

This system would be completely ineffective against someone that seriously wanted to get in. All they would need to do is keep changing proxies, not store cookies, etc. It is nice that some software enforces password strength, but in reality, password strength is up to the user. Software can enforce password strength all it wants, but if a user is constantly using the same "strong" password, it eventually becomes weak in the grand scheme of things. Look at the users complaining about their mybitcoin accounts being drained. What was the issue? Yep, they reused the same password. The only liability on the software (and software provider) is to secure their software. This entire mtgox explosion never would have happened if it weren't for poor security practices -- same with every other exploit we have seen during the past couple of months.
Precog (Newbie; Activity: 36; Merit: 0)
June 22, 2011, 03:05:32 AM  #44

How safe is lastpass?
bitsalame (OP) (Donator, Hero Member; Activity: 714; Merit: 510)
Preaching the gospel of Satoshi
June 22, 2011, 04:51:57 AM  #45

> As pointed out by others up-thread, real financial institutions like banks have multi-layered security procedures. I haven't used Mt Gox yet so I'm not going to trash-talk their log-in security; but if it is anything like any of the banks I've used, a weak password would not be an open-sesame to a hacker.
>
> First the hacker bot would have to guess a user-name. "A" not recognized. "B" not recognized. "C" not recognized. At what point should the log-in system cut off the bot and direct it to call customer service? Suppose it gets lucky at "AA". So now it has to provide a password. Perhaps it has a list of common passwords to try first. "Password" not it. "password" nope. "PASSWORD" -- Message from system: "Too many log-in attempts. Please call customer service." If Mt Gox allowed password cracking bots to run wild on their system (and I doubt that they did) they need to be shut down now.
>
> Modern banking systems work fine with ordinary everyday people; if Bitcoins require computer security geeks to use them safely, while "idiots" lose their life savings, Bitcoins are going back to zero.

> This system would be completely ineffective against someone that seriously wanted to get in. All they would need to do is keep changing proxies, not store cookies, etc. It is nice that some software enforces password strength, but in reality, password strength is up to the user. Software can enforce password strength all it wants, but if a user is constantly using the same "strong" password, it eventually becomes weak in the grand scheme of things. Look at the users complaining about their mybitcoin accounts being drained. What was the issue? Yep, they reused the same password. The only liability on the software (and software provider) is to secure their software. This entire mtgox explosion never would have happened if it weren't for poor security practices -- same with every other exploit we have seen during the past couple of months.

There is a fundamental economic factor in security: the more security, the higher the cost for the attacker/criminal.
The fundamental question is: is all the time and effort really worth it?
By continually adding layers of security we are elevating the costs of obtaining their reward, and once the costs are higher than the reward, the interest dissipates.
As soon as it is perceived that "it isn't worth it", the attention of the attackers will drift towards less secured sites with similar rewards (other exchanges, maybe) and lower costs (vulnerable sites).

The potential rewards from a bitcoin exchange make it really worth the attempt of hacking it.
But a dedicated attacker will always find a way to penetrate it if the costs are disregarded (i.e. if the challenge itself is their reward, they have a personal vendetta against the site, etc.).

This happens with all kinds of security: both real world (locks, safes, buildings) and digital (websites, servers, networks).
As financial institutions/organizations are where the moolah is flowing, security should be the number one priority.
You wouldn't expect a bank transporting money on bicycles, right? Or a bank depositing money in baskets instead of a safe.
It is evident that investment in security measures is of the utmost importance in a financial institution.

That's why the gross negligence of MtGox is unforgivable. They were focused on doing business, amassing millions of dollars, and their security was a joke. They were too focused on the functionality of the site: Websockets? Great, we all appreciate it. Dwolla? Great, that is awesome. API? Bravo, excellent job. But they ignored the most vital thing: security.

What "Bitter Ender" suggests is actually pretty much standard everywhere.
Although brute-forcing through HTTP is not really common these days, it is a very basic feature that has to be taken care of, because if you don't do it, some asshole will certainly try it. And a percentage of those assholes might succeed at it.
Using a captcha to filter out simple automation is a must these days, even if there are sophisticated OCR bots out there.
Temporarily suspending accounts and notifying users of repeated incorrect login attempts are also very basic standard protocol on most financial sites.
Requesting a PIN number (even if you are logged in) to confirm transactions is also a standard procedure.

These measures are not really that hard to implement.
MtGox can't say that this attack wasn't preventable; it was fully preventable.
I don't bitch about their negligence; shit happens and rapid growth is hard to manage. I get that.
But to keep lying to us, making STUPID and PATHETIC excuses (Force Majeure? SRSLY?) IS UNACCEPTABLE.

A new spokesperson won't fix it, as someone suggested before.
With this move we can see their moral integrity: they are willing to keep lying to save face instead of being upfront and honest.
How can they ever expect us to trust them?
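The login throttling that Bitter Ender sketches and bitsalame lists (cut off repeated failures, temporarily suspend the account, notify the owner), as an added Python example that is not code from the thread or from any exchange. It counts failures per account rather than per source address, so eramus's objection that an attacker just rotates proxies and drops cookies does not reset the counter; thresholds and account names are constructed.

```python
import time
from collections import defaultdict, deque

# Tunables, constructed for this example (not any real site's settings).
MAX_FAILURES = 5       # failures per account tolerated inside WINDOW_SECONDS
WINDOW_SECONDS = 600   # sliding window for counting failures
SUSPEND_SECONDS = 900  # length of the temporary suspension
NOTIFY_AFTER = 3       # notify the account owner at this many failures

class LoginThrottle:
    """Counts failed logins per account (not per source address), so an
    attacker rotating proxies or dropping cookies does not reset the count."""

    def __init__(self, now=time.time):
        self.now = now                       # injectable clock for tests
        self.failures = defaultdict(deque)   # account -> failure timestamps
        self.suspended_until = {}            # account -> unix time
        self.notifications = []              # (account, failure count) events

    def allow(self, account):
        """Call before checking the password: may this attempt proceed?"""
        if self.suspended_until.get(account, 0) > self.now():
            return False, "account temporarily suspended; contact support"
        return True, "ok"

    def record(self, account, success):
        """Record the outcome of a password check: ok / failed / suspended."""
        t = self.now()
        if success:
            self.failures.pop(account, None)
            return "ok"
        dq = self.failures[account]
        while dq and t - dq[0] > WINDOW_SECONDS:   # drop stale failures
            dq.popleft()
        dq.append(t)
        if len(dq) == NOTIFY_AFTER:
            self.notifications.append((account, len(dq)))  # e-mail hook here
        if len(dq) >= MAX_FAILURES:
            self.suspended_until[account] = t + SUSPEND_SECONDS
            dq.clear()
            return "suspended"
        return "failed"

def demo():
    # Constructed scenario: a bot works through common passwords for account
    # "AA" one second apart; per-account counting ignores which proxy it used.
    clock = [1_000_000.0]
    th = LoginThrottle(now=lambda: clock[0])
    outcomes = []
    for guess in ["Password", "password", "PASSWORD", "123456", "bitcoin", "testtest"]:
        ok, why = th.allow("AA")
        outcomes.append(th.record("AA", guess == "correct-passphrase") if ok else why)
        clock[0] += 1
    return outcomes
```

After the fifth failure the account is suspended and the sixth attempt is refused before the password is even checked; a successful login clears the account's failure history.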
eramus (Newbie; Activity: 27; Merit: 0)
June 22, 2011, 05:46:26 AM  #46

> There is a fundamental economic factor in security: the more security, the higher the cost for the attacker/criminal.
> The fundamental question is: is all the time and effort really worth it?
> By continually adding layers of security we are elevating the costs of obtaining their reward, and once the costs are higher than the reward, the interest dissipates.
> As soon as it is perceived that "it isn't worth it", the attention of the attackers will drift towards less secured sites with similar rewards (other exchanges, maybe) and lower costs (vulnerable sites).
>
> The potential rewards from a bitcoin exchange make it really worth the attempt of hacking it.
> But a dedicated attacker will always find a way to penetrate it if the costs are disregarded (i.e. if the challenge itself is their reward, they have a personal vendetta against the site, etc.).
>
> This happens with all kinds of security: both real world (locks, safes, buildings) and digital (websites, servers, networks).
> As financial institutions/organizations are where the moolah is flowing, security should be the number one priority.
> You wouldn't expect a bank transporting money on bicycles, right? Or a bank depositing money in baskets instead of a safe.
> It is evident that investment in security measures is of the utmost importance in a financial institution.
>
> That's why the gross negligence of MtGox is unforgivable. They were focused on doing business, amassing millions of dollars, and their security was a joke. They were too focused on the functionality of the site: Websockets? Great, we all appreciate it. Dwolla? Great, that is awesome. API? Bravo, excellent job. But they ignored the most vital thing: security.
>
> What "Bitter Ender" suggests is actually pretty much standard everywhere.
> Although brute-forcing through HTTP is not really common these days, it is a very basic feature that has to be taken care of, because if you don't do it, some asshole will certainly try it. And a percentage of those assholes might succeed at it.
> Using a captcha to filter out simple automation is a must these days, even if there are sophisticated OCR bots out there.
> Temporarily suspending accounts and notifying users of repeated incorrect login attempts are also very basic standard protocol on most financial sites.
> Requesting a PIN number (even if you are logged in) to confirm transactions is also a standard procedure.
>
> These measures are not really that hard to implement.
> MtGox can't say that this attack wasn't preventable; it was fully preventable.
> I don't bitch about their negligence; shit happens and rapid growth is hard to manage. I get that.
> But to keep lying to us, making STUPID and PATHETIC excuses (Force Majeure? SRSLY?) IS UNACCEPTABLE.
>
> A new spokesperson won't fix it, as someone suggested before.
> With this move we can see their moral integrity: they are willing to keep lying to save face instead of being upfront and honest.
> How can they ever expect us to trust them?

I couldn't agree more! The entire mtgox fiasco is getting ridiculous, and I really feel sorry for the users stuck in the middle.

Unfortunately, I'm still a "newbie" so I can't join the discussion in the proper thread, but I thought I was going a bit crazy when I read this:

> We had no intention of getting this to happen, and we have followed every industry standard to make this secure. Despite this it happened. We have learnt new things (especially that lots of people want Bitcoin to disappear).

I seriously find it hard to believe that MagicalTux was running his operation by following every industry standard. First, industry standard under whose jurisdiction? As far as I have been able to tell for the past 6 months, bitcoin is not operating under anybody's jurisdiction and mtgox certainly is not either. Second, I guarantee this kind of leak of data would not have occurred under any "industry standard" exchange. I actually really appreciate that an audit was occurring. It provides confidence to the users and bitcoin as a whole, but why was it occurring against live data? And if live data, why was access to personal user data left available? This could have been restricted without impacting a software audit. Third, no "industry standard" exchange would ever hire a security company that cannot secure itself. What background check did MagicalTux perform on this company? I would have a hard time believing this was a fluke, a first-time occurrence for this "security" company. Has this company been named publicly? Hopefully so! I hope none of my software gets anywhere near them. Fourth, how was trading even still occurring if there were known SQL injections that were possible on the site even before the "hack" happened? How could MagicalTux allow a trusted exchange to continue running with this kind of information? Fifth, excusing a potential injection vulnerability and trusting an "industry standard" seal of approval, how did this massive selloff continue for so long? 30mins+? Why were big flashing alarms not going off? Why was there no automated mechanism to automatically halt trading?

I'm not calling for a witch hunt or that there is some massive conspiracy, but MagicalTux needs to stop saying things like "no funds were stolen" and "followed every industry standard." These things are clearly not the case based on what everybody saw happen. I also think the community deserves actual, definitive answers and somebody needs to own up to it. If MagicalTux did everything in his power to secure mtgox, to ensure that mtgox was secure and provided without a doubt an industry standard platform for the users, roll it back(!!), but if MagicalTux allowed trading to continue (which is what happened) because of negligence, all of those transactions should stick. It doesn't matter that a single person bought so much at such a low price. Every user before 'Kevin' was in on the same exact ride. $20..15..2..1...0101. If the platform allowed the trades, they should be valid. It was the negligence of the owner, maybe even the firm performing the audit, that allowed every bit of this to happen. I'm not 100% clear on the timeline of the exploits and leak; were databases leaked before the audit firm? But one of two parties is responsible. I hope for MagicalTux's sake that it was the audit firm so that he can sue the pants off of them, but if this enormous account was listed in an earlier leak, I think MagicalTux is the only party responsible and has to accept it, because there was plenty of talk prior to the crash occurring.
Jessica (Full Member; Activity: 174; Merit: 100)
June 22, 2011, 09:15:50 AM  #47

Lol, users aren't very smart.
My password is longer than yours. ^^