Valalvax
June 21, 2011, 05:35:12 PM
Brute forcing is so much more possible nowadays due to GPUs, but brute forcing SHOULD also be impossible because any site worth a shit should be locking out after 5 or so failed attempts (personally I think 10 is plenty; it gives you a couple of attempts to realize "oh wait, I'm typing the wrong password, not typing it wrong", then a couple more to figure out which password you used).
Reno
Newbie
Offline
Activity: 42
Merit: 0
June 21, 2011, 05:40:24 PM
Brute forcing is so much more possible nowadays due to GPUs, but brute forcing SHOULD also be impossible because any site worth a shit should be locking out after 5 or so failed attempts (personally I think 10 is plenty; it gives you a couple of attempts to realize "oh wait, I'm typing the wrong password, not typing it wrong", then a couple more to figure out which password you used).
Bruteforcing won't work that way, just posting random values till something matches; this is too limited due to traffic. MD5 hashes have to be leaked first; they get bruteforced and THEN the plain passwords can be used to log in.
d.james
Sr. Member
Offline
Activity: 280
Merit: 250
Firstbits: 12pqwk
June 21, 2011, 05:41:02 PM
The problem obviously wasn't the password length; how about NOT LEAKING my damn hash to begin with.
If I wanted my password to be "123" then let it be. As long as I don't brag about it, the chance of that account getting broken is still fairly low, with limited login attempts and all. And if my account gets stolen I won't blame Gox for it, as I don't have a 500k account anyway.
You can not roll a BitCoin, but you can rollback some. Roll me back: 1NxMkvbYn8o7kKCWPsnWR4FDvH7L9TJqGG
Mark Oates
June 21, 2011, 05:41:13 PM
Anyone have any thoughts on Steve Gibson's recent stuff on length vs entropy? Per his Haystack page:
Which of the following two passwords is stronger, more secure, and more difficult to crack?
D0g.....................
PrXyc.N(n4k77#L!eVdAfp9
You probably know this is a trick question, but the answer is: Despite the fact that the first password is HUGELY easier to use and more memorable, it is also the stronger of the two! In fact, since it is one character longer and contains uppercase, lowercase, a number and special characters, that first password would take an attacker approximately 95 times longer to find by searching than the second impossible-to-remember-or-type password!
My guess is that doesn't take the human element into account. I'll exaggerate to make the point clearer: which one is more secure?
PasswordPasswordPassword1!
PrXyc.N(n4k77#L!eVdAfp9
The one above has 26 characters, the one below has 23. If I were a hacker, I would prioritize the first one as part of an algorithm of well-known words/characters (even though it matches the criteria of a secure password) before leaping into the random character abyss. I could be wrong, though.
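Putting numbers on the argument in the post above, as an added example that is not part of Mark's post or of Gibson's page: the Python below counts the search space the way the Haystack page does (every string up to the password's length over the character classes it uses) and then applies an assumed attacker model that tries dictionary words with substitutions, repetition and padding before falling back to exhaustive search. The stand-in dictionary, the substitution table, the pattern regex, the budget constants and the 1e9 guesses/second rate are all assumptions made here for illustration.

```python
import math
import re
import string

# Character classes as the Haystack page counts them:
# 26 lower, 26 upper, 10 digits, 33 symbols (punctuation plus space) = 95.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}

# Gibson's two examples: "D0g" padded with 21 dots (24 characters) and a
# 23-character random string. The third is Mark's exaggerated counter-example.
DOG_PADDED = "D0g" + "." * 21
RANDOM_23 = "PrXyc.N(n4k77#L!eVdAfp9"
WORD_REPEATED = "PasswordPasswordPassword1!"


def haystack_space(pw):
    """Guesses for an attacker who knows nothing beyond the character classes
    used: all strings of length 1..len(pw) over the union of those classes."""
    alphabet = sum(len(chars) for chars in CLASSES.values()
                   if any(c in chars for c in pw))
    return sum(alphabet ** i for i in range(1, len(pw) + 1))


# Assumed attacker model for human-chosen passwords (not from the page):
# a dictionary word, optionally with l33t substitutions, repeated up to three
# times, followed by either one padding character repeated or up to two
# arbitrary trailing characters. The budget is the product of those choices.
DICTIONARY_SIZE = 100_000      # assumed wordlist size
LEET_VARIANTS = 16             # assumed substitution variants tried per word
MAX_REPEATS = 3
MAX_PADDING = 24
SUFFIX_ALPHABET = 95
PATTERN_BUDGET = (DICTIONARY_SIZE * LEET_VARIANTS * MAX_REPEATS
                  * (SUFFIX_ALPHABET * MAX_PADDING + SUFFIX_ALPHABET ** 2))

# Tiny stand-in dictionary so the example runs offline.
DICTIONARY = {"dog", "password", "bitcoin", "letmein"}
UNLEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                        "5": "s", "7": "t", "@": "a", "$": "s"})
PATTERN = re.compile(
    r"(?P<word>[A-Za-z0-9@$]{3,12})(?P=word)*"
    r"(?P<tail>(?P<pad>.)(?P=pad)*|.{0,2})")


def fits_word_pattern(pw):
    """Return the base dictionary word if pw fits the assumed pattern, else None."""
    m = PATTERN.fullmatch(pw)
    if m is None:
        return None
    base = m.group("word").translate(UNLEET).lower()
    return base if base in DICTIONARY else None


def attacker_guesses(pw):
    """Guesses needed by an attacker who runs the word-based pass first:
    the pattern budget if pw fits it, otherwise that budget plus the haystack."""
    if fits_word_pattern(pw) is not None:
        return PATTERN_BUDGET
    return PATTERN_BUDGET + haystack_space(pw)


def years_to_crack(guesses, guesses_per_second=1e9):
    """Worst-case time at an assumed guess rate (1e9/s is a stand-in for a
    GPU against a fast unsalted hash; treat the figure as an assumption)."""
    return guesses / guesses_per_second / (365.25 * 24 * 3600)


def bits(guesses):
    return math.log2(guesses)


if __name__ == "__main__":
    for pw in (DOG_PADDED, RANDOM_23, WORD_REPEATED):
        print(f"{pw!r:32} haystack={bits(haystack_space(pw)):6.1f} bits  "
              f"pattern-first={bits(attacker_guesses(pw)):6.1f} bits  "
              f"years={years_to_crack(attacker_guesses(pw)):.3g}")
```

Under the haystack count the padded word is 95 times the random string, exactly as Gibson says; under the pattern-first model it falls inside the attacker's cheap opening pass (seconds at the assumed rate) while the random string forces the full search. Which number is the right one depends entirely on what the attacker assumes about how the password was chosen.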
Dude65535
June 21, 2011, 05:43:07 PM
If you don't want to use a password manager, write down part of your password but keep a portion of it just in your head.
1DCj8ZwGZXQqQhgv6eUEnWgsxo8BTMj3mT
Valalvax
June 21, 2011, 05:43:33 PM
Brute forcing is so much more possible nowadays due to GPUs, but brute forcing SHOULD also be impossible because any site worth a shit should be locking out after 5 or so failed attempts (personally I think 10 is plenty; it gives you a couple of attempts to realize "oh wait, I'm typing the wrong password, not typing it wrong", then a couple more to figure out which password you used).
Bruteforcing won't work that way, just posting random values till something matches; this is too limited due to traffic. MD5 hashes have to be leaked first; they get bruteforced and THEN the plain passwords can be used to log in.
Oh yeah... >.> didn't think about that :/ really guess I should have...
Astro
June 21, 2011, 05:46:19 PM
Ahh yeah.. Come at me. "It would take About 4 sextillion years for a desktop PC to crack your password"
WhyAskY
Newbie
Offline
Activity: 8
Merit: 0
June 21, 2011, 05:47:44 PM
I used the password generator that came with LastPass and MtGox accepted it with no problem. According to http://howsecureismypassword.net/ it would take about 81 octillion years for a desktop PC to crack your password.
tavi
Newbie
Offline
Activity: 14
Merit: 0
June 21, 2011, 05:48:44 PM
Brute forcing is so much more possible nowadays due to GPUs, but brute forcing SHOULD also be impossible because any site worth a shit should be locking out after 5 or so failed attempts (personally I think 10 is plenty; it gives you a couple of attempts to realize "oh wait, I'm typing the wrong password, not typing it wrong", then a couple more to figure out which password you used).
Bruteforcing won't work that way, just posting random values till something matches; this is too limited due to traffic. MD5 hashes have to be leaked first; they get bruteforced and THEN the plain passwords can be used to log in.
Makes sense. As part of preparation for a new password database leak they wanna ensure that only GPU-farmers will be unhashing stolen passwords.
blendergasket
Newbie
Offline
Activity: 28
Merit: 0
June 21, 2011, 05:54:15 PM
I couldn't claim. Or rather, I'm not sure if I claimed or not. The website timed out processing my request.
tunatime
Member
Offline
Activity: 75
Merit: 10
June 21, 2011, 06:04:32 PM
OK, this is stupid. I tried to use a pw that was 15 characters including symbols, upper and lower case and numbers, and the POS site said "The new password is not secure enough. Security tips include using special characters, make the password longer, etc..." Does anyone know how long it has to be? I even tried adding 8 numbers to the end of an already long 9-character pw and it still crapped it out. Y'all guys that have gotten it to take it, how long was your pw?
Just tried the pw I was going to use and that site said it would take
about 6 trillion years.....
mmortal03
Legendary
Offline
Activity: 1762
Merit: 1011
June 21, 2011, 06:07:11 PM
Below is an example of a hard to brute force pw. Not very user friendly is it?
Kt#*8t487C9cV;F7C*^8c(*vexlk7dsYry%$C6E5
Hey! How'd you guess my password?
Edit: Damn, carbonc beat me to the punch!
mmortal03
Legendary
Offline
Activity: 1762
Merit: 1011
June 21, 2011, 06:13:37 PM
About 717 quattuorvigintillion years. I love password managers. Every account with a new random 50 char password.
Exactly! I just started using LastPass, and it's great for that.
Seraphim401
Full Member
Offline
Activity: 215
Merit: 100
Live Long and Prosper
June 21, 2011, 06:14:48 PM
Glad I didn't need to provide additional proof. Thanks to all of you who advised on security.
mmortal03
Legendary
Offline
Activity: 1762
Merit: 1011
June 21, 2011, 06:16:49 PM
I claimed.
I came... er, claimed.
imperi
June 21, 2011, 06:17:30 PM
I claimed.
I came... er, claimed.
What are you, 32 or something?
Freakin
June 21, 2011, 06:21:58 PM
The problem obviously wasn't the password length; how about NOT LEAKING my damn hash to begin with.
If I wanted my password to be "123" then let it be. As long as I don't brag about it, the chance of that account getting broken is still fairly low, with limited login attempts and all. And if my account gets stolen I won't blame Gox for it, as I don't have a 500k account anyway.
Unfortunately, hacks happen to the biggest and smallest of sites and are never 100% preventable. Proper security steps are like roadblocks that stand in the way of a hacker and your account:
1) Security of the actual database
2) Hashing passwords
3) Salting before hashing
4) Using a robust hash algo
5) Using secure passwords
There is no credible excuse for not using a secure password. Some of the passwords in that table were just a joke. I think I found several hundred 6-char or less passwords in 2 seconds.
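Worked example, added here and not code from any poster or from Mt. Gox, of the difference Reno and Freakin describe between online guessing and offline cracking of a leaked table. A constructed four-account table is hashed two ways, plain unsalted MD5 and per-user-salted PBKDF2-SHA256, and the same toy wordlist is run against both, counting how many hash evaluations each attack costs. The usernames, passwords, wordlist and the 100,000-iteration work factor are all made up for the illustration.

```python
import hashlib
import os

# Constructed sample data: made-up usernames with deliberately weak
# passwords plus one strong one, standing in for the kind of leaked table
# the thread discusses. No real accounts or real hashes are used.
ACCOUNTS = {
    "alice": "123456",
    "bob": "password",
    "carol": "qwerty",
    "dave": "v7$Qp2!mZk9#Lw4rXe8&",   # constructed strong password
}

# Toy wordlist; a real one has millions of entries.
WORDLIST = ["123456", "password", "qwerty", "letmein", "bitcoin", "mtgox"]

PBKDF2_ITERATIONS = 100_000   # assumed work factor for the slow-hash case


def md5_hex(pw):
    return hashlib.md5(pw.encode()).hexdigest()


def store_unsalted_md5(accounts):
    """The leaked table when passwords are stored as plain MD5."""
    return {user: md5_hex(pw) for user, pw in accounts.items()}


def crack_unsalted_md5(leaked, wordlist):
    """Hash each candidate once, then look every user up in the result.
    Returns (cracked, hash_evaluations)."""
    lookup = {md5_hex(w): w for w in wordlist}
    cracked = {user: lookup[h] for user, h in leaked.items() if h in lookup}
    return cracked, len(wordlist)


def pbkdf2_hex(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt,
                               PBKDF2_ITERATIONS).hex()


def store_salted_pbkdf2(accounts):
    """Per-user random salt and a slow iterated hash; the salt is stored
    beside the hash, so the attacker has it too."""
    out = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        out[user] = (salt, pbkdf2_hex(pw, salt))
    return out


def crack_salted_pbkdf2(leaked, wordlist):
    """The salt defeats the shared lookup: every candidate is re-hashed for
    every user, and each hash costs PBKDF2_ITERATIONS. Stops per user on a hit."""
    cracked = {}
    evaluations = 0
    for user, (salt, h) in leaked.items():
        for w in wordlist:
            evaluations += 1
            if pbkdf2_hex(w, salt) == h:
                cracked[user] = w
                break
    return cracked, evaluations


def compare():
    """Run both attacks on the constructed table and return a summary."""
    u_cracked, u_evals = crack_unsalted_md5(store_unsalted_md5(ACCOUNTS), WORDLIST)
    s_cracked, s_evals = crack_salted_pbkdf2(store_salted_pbkdf2(ACCOUNTS), WORDLIST)
    return {
        "unsalted_cracked": sorted(u_cracked),
        "unsalted_hash_evaluations": u_evals,
        "salted_cracked": sorted(s_cracked),
        "salted_hash_evaluations": s_evals,
        "salted_underlying_sha256_calls": s_evals * PBKDF2_ITERATIONS,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Plain MD5 lets the attacker hash the wordlist once and match every user against it; a per-user salt forces the wordlist to be re-hashed for each user, and the iteration count multiplies that again. Neither scheme saves alice, bob or carol: salting and stretching buy time, they do not rescue a password that is in the wordlist, which is point 5 of the list above.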
dinker
Member
Offline
Activity: 103
Merit: 10
June 21, 2011, 06:29:21 PM
So, how did you manage to get hundreds of passwords in 6 seconds?
OH YOU HAD THAT LEAKED HASH LIST!!
Now how long would it take you to get those hundreds of passwords / account combos w/out that list?
Help Me Help You Donations: 14kP6tNtrz3woESs9nEE5aDB81QTybGyyZ
NO_SLAVE
Newbie
Offline
Activity: 56
Merit: 0
June 21, 2011, 06:36:23 PM
Wow, guys, I don't think I'd be using an online password generator. Call me paranoid, but any generated password could be going into a database somewhere and possibly used later for hack attempts.
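As an added example (mine, not from NO_SLAVE's or tunatime's posts): generating a password locally with the standard library's CSPRNG instead of an online generator, enforcing an "every character class present" rule of the kind the rejected-password complaint earlier in the thread suggests the site applies, and reporting the entropy the length gives. The 94-symbol alphabet and the class rule are assumptions; nothing here is known about MtGox's actual policy.

```python
import math
import secrets
import string

# Local generation with the OS CSPRNG via `secrets`; nothing leaves the machine.
ALPHABET = string.ascii_letters + string.digits + string.punctuation   # 94 symbols
REQUIRED_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                    string.digits, string.punctuation)


def has_all_classes(pw, classes=REQUIRED_CLASSES):
    """True if pw contains at least one character from every class
    (assumed rule; the site's real check is not known)."""
    return all(any(c in cls for c in pw) for cls in classes)


def generate_password(length=20, alphabet=ALPHABET):
    """Uniformly random password over alphabet, re-drawn until every class
    is present. Rejection keeps the accepted set uniform; the entropy lost
    to rejection is negligible at these lengths."""
    if length < len(REQUIRED_CLASSES):
        raise ValueError("too short to contain every required class")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(pw):
            return pw


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly chosen password of this length
    (ignoring the small rejection loss)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for n in (15, 20, 50):
        print(f"{n} chars, {entropy_bits(n):.1f} bits: {generate_password(n)}")
```

Twenty characters from this alphabet is already past 128 bits, and the 50-character manager-generated passwords mentioned above are over 300; the strength comes from the uniform draw, not from the class rule, which only exists to get past the site's check.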