Bitcoin Forum
December 08, 2016, 04:33:09 AM *
Poll
Question: Did you claim your account at MtGox?
I claimed
I didn't!

Author Topic: MtGox claim site is up! Everyone who claimed say haaaay ...  (Read 10506 times)
Valalvax
June 21, 2011, 05:35:12 PM
 #21

Brute forcing is so much more possible nowadays due to GPUs, but brute forcing SHOULD also be impossible because any site worth a shit should be locking out after 5 or so failed attempts (personally I think 10 is plenty, it gives you a couple attempts to realize "oh wait I'm typing the wrong password, not typing it wrong", then a couple more to figure out which password you used)
Reno
June 21, 2011, 05:38:17 PM
 #22

I used a 15 letter PW generated on this website http://strongpasswordgenerator.com/
worked. :)
Reno
June 21, 2011, 05:40:24 PM
 #23

Quote from: Valalvax
Brute forcing is so much more possible nowadays due to GPUs, but brute forcing SHOULD also be impossible because any site worth a shit should be locking out after 5 or so failed attempts (personally I think 10 is plenty, it gives you a couple attempts to realize "oh wait I'm typing the wrong password, not typing it wrong", then a couple more to figure out which password you used)

Bruteforcing won't work that way, just post sending random values till something matches, this is too limited due to traffic. MD5 hashes have to be leaked first, they get bruteforced and THEN the plain passwords can be used to log in :)
d.james
June 21, 2011, 05:41:02 PM
 #24

The problem obviously wasn't the password length, how about NOT LEAKING my damn hash to begin with.

If I wanted my password to be "123" then let it be, as long as I don't brag about it, the chance of that account getting broken is still fairly low, with limited login attempts and all. And, if my account gets stolen I won't blame gox for it, as I don't have a 500k account anyways.

You can not roll a BitCoin, but you can rollback some. :D
Roll me back: 1NxMkvbYn8o7kKCWPsnWR4FDvH7L9TJqGG
Mark Oates
June 21, 2011, 05:41:13 PM
 #25

Anyone have any thoughts on Steve Gibson's recent stuff on length vs entropy?  Per his Haystack page:

Quote
Which of the following two passwords is stronger,
more secure, and more difficult to crack?

D0g.....................

PrXyc.N(n4k77#L!eVdAfp9

You probably know this is a trick question, but the answer is: Despite the fact that the first password is HUGELY easier to use and more memorable, it is also the stronger of the two! In fact, since it is one character longer and contains uppercase, lowercase, a number and special characters, that first password would take an attacker approximately 95 times longer to find by searching than the second impossible-to-remember-or-type password!

My guess is that doesn't take the human element into account.  I'll exaggerate to make the point clearer - which one is more secure?:

PasswordPasswordPassword1!
PrXyc.N(n4k77#L!eVdAfp9

The one above has 26 characters, the one below has 23.  If I were a hacker, I would prioritize the first one as part of an algorithm of well-known words/characters (even though it matches the criteria of a secure password) before leaping into the random character abyss.

I could be wrong, though.
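Added example, not part of any post in this thread: the search-space arithmetic behind the quoted "95 times" figure, next to a pattern-aware count for the repeated-word password from the post above. The three-word list, the `wordlist_size` of 100,000 and the "word repeated plus short tail" model are assumptions made for illustration.

```python
import string

# Character classes that add up to the 95 printable ASCII characters.
CLASSES = [set(string.ascii_lowercase), set(string.ascii_uppercase),
           set(string.digits), set(string.punctuation) | {" "}]

# The passwords quoted in the post above; the padded one is built so its
# length (3 + 21 dots = 24) is explicit.
PADDED = "D0g" + "." * 21
RANDOM = "PrXyc.N(n4k77#L!eVdAfp9"
REPEATED = "PasswordPasswordPassword1!"
WORDS = ["password", "dragon", "letmein"]  # constructed stand-in for a wordlist

def alphabet_size(password):
    """Total size of every character class the password draws from."""
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))

def search_space(password):
    """Candidates an exhaustive search covers up to this length and alphabet."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))

def pattern_guesses(password, words, wordlist_size=None, max_repeats=4, max_tail=2):
    """Candidates in the model <Word or word> x 1..max_repeats + up to max_tail
    arbitrary characters; None when the password does not fit that model."""
    size = wordlist_size or len(words)  # assumed size of a real wordlist
    for word in words:
        for variant in (word, word.capitalize()):
            repeats = 0
            while password.startswith(variant * (repeats + 1)):
                repeats += 1
            tail = password[len(variant) * repeats:]
            if 1 <= repeats <= max_repeats and len(tail) <= max_tail:
                tails = sum(95 ** k for k in range(max_tail + 1))
                return size * 2 * max_repeats * tails
    return None

if __name__ == "__main__":
    print("padded/random ratio:", search_space(PADDED) // search_space(RANDOM))
    print("exhaustive, repeated word:", f"{search_space(REPEATED):.2e}")
    print("pattern model, 100k words:", pattern_guesses(REPEATED, WORDS, 100_000))
```

Length and character classes only bound an exhaustive search; a password that fits a common structure is covered by a far smaller candidate set, which is the gap the post points at.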
Dude65535
June 21, 2011, 05:43:07 PM
 #26

If you don't want to use a password manager, write down part of your password but keep a portion of it just in your head.

1DCj8ZwGZXQqQhgv6eUEnWgsxo8BTMj3mT
Valalvax
June 21, 2011, 05:43:33 PM
 #27

Quote from: Reno
Quote from: Valalvax
Brute forcing is so much more possible nowadays due to GPUs, but brute forcing SHOULD also be impossible because any site worth a shit should be locking out after 5 or so failed attempts (personally I think 10 is plenty, it gives you a couple attempts to realize "oh wait I'm typing the wrong password, not typing it wrong", then a couple more to figure out which password you used)

Bruteforcing won't work that way, just post sending random values till something matches, this is too limited due to traffic. MD5 hashes have to be leaked first, they get bruteforced and THEN the plain passwords can be used to log in :)

Oh yea... >.> didn't think about that :/ really guess I should have...
Astro
June 21, 2011, 05:46:19 PM
 #28

To get an idea of how "easy" it is to crack a simple password, you can go to this site:

http://howsecureismypassword.net/

Ahh yeah.. Come at me.

"It would take
About 4 sextillion years
for a desktop PC to crack your password"
WhyAskY
June 21, 2011, 05:47:44 PM
 #29

I used the password generator that came with LastPass and MtGox accepted it with no problem. According to http://howsecureismypassword.net/:
"It would take about 81 octillion years for a desktop PC to crack your password."
tavi
June 21, 2011, 05:48:44 PM
 #30

Quote from: Reno
Quote from: Valalvax
Brute forcing is so much more possible nowadays due to GPUs, but brute forcing SHOULD also be impossible because any site worth a shit should be locking out after 5 or so failed attempts (personally I think 10 is plenty, it gives you a couple attempts to realize "oh wait I'm typing the wrong password, not typing it wrong", then a couple more to figure out which password you used)

Bruteforcing won't work that way, just post sending random values till something matches, this is too limited due to traffic. MD5 hashes have to be leaked first, they get bruteforced and THEN the plain passwords can be used to log in :)

Makes sense.

As part of preparation for a new password database leak they wanna ensure that only GPU-farmers will be unhashing stolen passwords. :)

I'm just a poor boy, from a poor family:
123KpsTMDNDYGBp4wgqmoLjCBW9sezvA3D
blendergasket
June 21, 2011, 05:54:15 PM
 #31

I couldn't claim. Or rather, I'm not sure if I claimed or not. The website timed out processing my request. :(
tunatime
June 21, 2011, 06:04:32 PM
 #32

ok this is stupid i tried to use a pw that was 15 characters including symbols, upper and lower case and a number and the pos site said "The new password is not secure enough. Security tips include using special characters, make the password longer, etc..." does anyone know how long it has to be? i even tried adding 8 numbers to the end of an already long 9 character pw and it still crapped out. yall guys that have gotten it to take it, how long was your pw?

just tried my pw i was going to use and that site said It would take

About 6 trillion years.....
mmortal03
June 21, 2011, 06:07:11 PM
 #33


Below is an example of a hard to brute force pw. Not very user friendly is it?

Kt#*8t487C9cV;F7C*^8c(*vexlk7dsYry%$C6E5

Hey! How'd you guess my password? :D

Edit: Damn, carbonc beat me to the punch!
mmortal03
June 21, 2011, 06:13:37 PM
 #34

About 717 quattuorvigintillion years.

:o

I love password managers. Every account with a new random 50 char password. :D

Exactly!  I just started using LastPass, and it's great for that.
Seraphim401
June 21, 2011, 06:14:48 PM
 #35

Glad I didn't need to provide additional proof.
Thanks to all of you who advised on security.


mmortal03
June 21, 2011, 06:16:49 PM
 #36

I claimed.

I came... er, claimed.
imperi
June 21, 2011, 06:17:30 PM
 #37


What are you, 32 or something?
Freakin
June 21, 2011, 06:21:58 PM
 #38

Quote from: d.james
The problem obviously wasn't the password length, how about NOT LEAKING my damn hash to begin with.

If I wanted my password to be "123" then let it be, as long as I don't brag about it, the chance of that account getting broken is still fairly low, with limited login attempts and all. And, if my account gets stolen I won't blame gox for it, as I don't have a 500k account anyways.

Unfortunately, hacks happen to the biggest and smallest of sites and are never 100% preventable. Proper security steps are like roadblocks that stand in the way of a hacker and your account.

1) Security of the actual database
2) hashing passwords
3) Salting before hashing
4) using a robust hash algo
5) using secure passwords

There is no credible excuse for not using a secure password.  Some of the passwords in that table were just a joke.  I think I found several hundred 6-char or less passwords in 2 seconds.
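Added example, not part of any post in this thread: steps 2 to 4 of the list above (hashing, salting, a robust algorithm) compared with unsalted MD5 storage, using Python's standard library. The account names, the record format and the iteration count are assumptions made for this example; PBKDF2 stands in for "a robust hash algo".

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

ITERATIONS = 600_000  # assumed work factor for this example; tune to your hardware

def md5_unsalted(password):
    """Fast, unsalted digest: the weak storage format, kept for contrast."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password, iterations=ITERATIONS):
    """Per-user random salt plus a deliberately slow key-derivation function."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password, record):
    """Recompute with the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, dk_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

def reuse_visible_in_dump(table):
    """Users whose stored value equals another user's: what a leaked table
    reveals about shared passwords before any guessing happens."""
    groups = defaultdict(list)
    for user, stored in table.items():
        groups[stored].append(user)
    return sorted(u for users in groups.values() if len(users) > 1 for u in users)

# Constructed accounts; "123" is the password used as an example in the thread.
ACCOUNTS = {"alice": "123", "bob": "123", "carol": "k7#Lq9!vT2xd"}

def build_tables(accounts=ACCOUNTS):
    """Store the same accounts both ways: unsalted MD5 and salted PBKDF2."""
    weak = {u: md5_unsalted(p) for u, p in accounts.items()}
    strong = {u: hash_password(p) for u, p in accounts.items()}
    return weak, strong

if __name__ == "__main__":
    weak, strong = build_tables()
    print("reuse visible, unsalted MD5:", reuse_visible_in_dump(weak))
    print("reuse visible, salted PBKDF2:", reuse_visible_in_dump(strong))
```

With unsalted digests every account sharing a password shares a stored value, so one recovered password opens all of them; per-user salts remove that, and the iteration count sets the cost of each offline guess.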

dinker
June 21, 2011, 06:29:21 PM
 #39

so, how did you manage to get hundreds of passwords in 6 seconds?

OH YOU HAD THAT LEAKED HASH LIST!!

Now how long would it take you to get those hundreds of passwords / account combos w/out that list?


Help Me Help You Donations:
14kP6tNtrz3woESs9nEE5aDB81QTybGyyZ
NO_SLAVE
June 21, 2011, 06:36:23 PM
 #40

Wow, guys, I don't think I'd be using an online password generator.
Call me paranoid, but any generated password could be going into a database somewhere and possibly used later for hack attempts.
