June 21, 2011, 03:55:03 AM
The thing to realize is that because the passwords were salted with different salt, except for some of the early ones on the list, a person using a mining rig to hash them can't go against the entire list at once.
Google password salting for more details, but basically, your password had some random characters, called salt, added to it before hashing to make these types of attacks more difficult. The leaked userid/password db includes the salt, so if someone wanted to target your password and it wasn't 10+ characters with more than just the alphabet, cracking it is possible.
The challenge for the attacker is to know which passwords to hack. If the leaked db the hacker used included balance data, then it's easy. You look at who has the largest balance, point a couple of mining rigs at the hashes of the biggest targets and hope that someone had a shorter password.
To me this makes the most sense, and I am doubtful that Kevin was the hacker, if only because I find it hard to believe that someone sophisticated enough to accomplish this hack would be unsophisticated enough to make it easy to find his e-mail address, home address and phone number. Not that I think the attack necessarily has the hallmarks of real finesse, just that it has enough that I find it hard to believe Kevin was in collusion.
By the same token, I also find it difficult to believe that one or a few users had over 500K bitcoins sitting in their accounts at MtGox, particularly when the 400K transactions that have been discussed were supposed to be MtGox moving stuff around.
But, I've gotten off-topic. To answer your question, if your password is less than 10+ characters and someone wanted to determine your password, it is probably doable with bitcoin mining equipment.
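The per-user salting the post describes, as an added example that is not part of the original post: a small salted store, a login check, and a weak-password audit that counts how many hash evaluations are needed with per-user salts versus a single shared salt. All accounts, passwords and the weak-password list are constructed for the example; SHA-256 stands in for whatever the leaked site used.

```python
import hashlib
import hmac
import os
from typing import Optional

def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Store a password as the post describes: a random per-user salt is
    prepended before hashing. SHA-256 keeps the example short; a real store
    should use a slow KDF such as hashlib.pbkdf2_hmac."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return {"salt": salt.hex(), "hash": digest}

def verify(record: dict, password: str) -> bool:
    """Login check: recompute with the stored salt, compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return hmac.compare_digest(digest, record["hash"])

def audit_weak_passwords(store: dict, weak_list: list) -> tuple:
    """Flag accounts whose password is on a known-weak list and count the hash
    evaluations the audit needs. One hash per guess covers every account that
    shares a salt; distinct per-user salts force one hash per (guess, account)
    pair, which is why a salted table cannot be attacked as a whole."""
    evaluations = 0
    flagged = set()
    salts = {rec["salt"] for rec in store.values()}
    for guess in weak_list:
        for salt_hex in salts:
            evaluations += 1
            digest = hashlib.sha256(bytes.fromhex(salt_hex) + guess.encode()).hexdigest()
            for user, rec in store.items():
                if rec["salt"] == salt_hex and hmac.compare_digest(digest, rec["hash"]):
                    flagged.add(user)
    return evaluations, flagged

# Constructed sample data: three accounts, two of them with the same weak password.
WEAK = ["123456", "password", "letmein", "qwerty"]
SALTED_STORE = {
    "alice": make_record("password"),
    "bob": make_record("password"),
    "carol": make_record("correct horse battery staple"),
}
SHARED = bytes(16)  # every account hashed with the same constant salt
SHARED_STORE = {
    "alice": make_record("password", SHARED),
    "bob": make_record("password", SHARED),
    "carol": make_record("correct horse battery staple", SHARED),
}

if __name__ == "__main__":
    print("per-user salts:", audit_weak_passwords(SALTED_STORE, WEAK))
    print("shared salt:   ", audit_weak_passwords(SHARED_STORE, WEAK))
```

With per-user salts the two identical passwords produce different stored hashes and the audit costs one hash per guess per account; with a shared salt the identical passwords are visible as identical hashes and one hash per guess covers the whole store.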