Bitcoin Forum
Author Topic: Mt Gox just emailed me saying there are 8 claim requests on my account.  (Read 1911 times)
calista (OP)
June 24, 2011, 02:54:14 AM
 #1

I have submitted only one of course, but maybe because I didn't use a strong password for my account (10 characters and numbers, no upper case), it was probably hacked by people from the open database.

And now so many people are trying to claim my $1300 in my account, what should I do to prove myself among 8 people?!
alishawkat
June 24, 2011, 03:01:57 AM
 #2

Holy crap, try sending them id, I'd contact them asap.
mikeintimesaves9
June 24, 2011, 03:08:21 AM
 #3

That's a tough one.  I'd say leave a ticket on the support address https://support.mtgox.com/anonymous_requests/new and hope for the best.
coinage
June 24, 2011, 03:09:59 AM
 #4

> I have submitted only one of course, but maybe because I didn't use a strong password for my account (10 characters and numbers, no upper case), it was probably hacked by people from the open database.
>
> And now so many people are trying to claim my $1300 in my account, what should I do to prove myself among 8 people?!

If you read the various updates at the MtGox support site, plus some emails that people posted on the forums here, as I recall you'll see them mention they may ask you about previous transactions or your balance.  Therefore it's not wise to tell everybody here you have $XYZ in your account, if anyone here might be able to guess your MtGox userid from your forum userid!

Perhaps you should edit your post to remove specifics about the length and type of password you used, too, because those things might not be visible to someone looking at just the hashed & salted user & password list, even though it was leaked webwide.

(Once something's hashed, its length & other qualities can be completely obscured.  However, MtGox implied they could determine the strength of the old passwords, which is a little perplexing unless they stored additional information beyond hashes or actually bothered to try cracking each one themselves.  I haven't seen the leaked document so can't comment further on what's in it.)

In any event, you could try preemptively contacting MtGox directly saying whatever you can remember about your account, when you opened it, what transactions you did, what your balance was, what IP address or ISP you use...  That's your best and maybe only way to show you're the rightful owner.
kjj
June 24, 2011, 03:53:22 AM
 #5

You have to type your old password to reclaim your account.  The password you enter has to match the one that formed the hash.  Most likely, they inspect the password for complexity when you send it to the reclaim form.

17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8
I routinely ignore posters with paid advertising in their sigs.  You should too.
R3V0LU710N
June 24, 2011, 03:53:59 AM
 #6

I would say you are not the only one to receive an email like that one. I also bet a lot of people didn't keep good enough records to prove ownership of the accounts.
kjj
June 24, 2011, 04:03:13 AM
 #7

By the way, did you check the file for your account info?  Did your password hash start with $1$?

17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8
I routinely ignore posters with paid advertising in their sigs.  You should too.
bananaphone
June 24, 2011, 04:11:04 AM
 #8

> By the way, did you check the file for your account info?  Did your password hash start with $1$?

$1$ doesn't help. FreeBSD MD5 doesn't protect weak passwords.
With a simple dictionary attack, I cracked more than 500 passwords in one blow.
Total amount of cracked passwords I got so far are now over 2000.
kjj
June 24, 2011, 04:43:54 AM
 #9

>> By the way, did you check the file for your account info?  Did your password hash start with $1$?
>
> $1$ doesn't help. FreeBSD MD5 doesn't protect weak passwords.
> With a simple dictionary attack, I cracked more than 500 passwords in one blow.
> Total amount of cracked passwords I got so far are now over 2000.

What is the longest so far?

17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8
I routinely ignore posters with paid advertising in their sigs.  You should too.
Lord F(r)og
June 24, 2011, 05:04:12 AM
 #10

@calista

Can u please copy'n'paste the email? Of course after deleting important information! I wanna see a proof.

Maybe u can give a thank to bananaphone, possible that he's one of the other 7 competitors of your account.
rob80
June 24, 2011, 05:05:35 AM
 #11

>>> By the way, did you check the file for your account info?  Did your password hash start with $1$?
>>
>> $1$ doesn't help. FreeBSD MD5 doesn't protect weak passwords.
>> With a simple dictionary attack, I cracked more than 500 passwords in one blow.
>> Total amount of cracked passwords I got so far are now over 2000.
>
> What is the longest so far?

When the csv was released I was interested in what kind of passwords people used for 'financial' institutions.  This is what I got:

$ for i in `cat .john/john.pot | cut -d : -f 2` ; do echo ${#i} ; done | sort | uniq -c
     98 10
     36 11
     46 12
      4 13
      4 14
      5 15
      1 4
    111 5
    864 6
    454 7
    640 8
    182 9


5 15 char passwords.
kjj
June 24, 2011, 05:10:07 AM
 #12

>>>> By the way, did you check the file for your account info?  Did your password hash start with $1$?
>>>
>>> $1$ doesn't help. FreeBSD MD5 doesn't protect weak passwords.
>>> With a simple dictionary attack, I cracked more than 500 passwords in one blow.
>>> Total amount of cracked passwords I got so far are now over 2000.
>>
>> What is the longest so far?
>
> When the csv was released I was interested in what kind of passwords people used for 'financial' institutions.  This is what I got:
>
> $ for i in `cat .john/john.pot | cut -d : -f 2` ; do echo ${#i} ; done | sort | uniq -c
>      98 10
>      36 11
>      46 12
>       4 13
>       4 14
>       5 15
>       1 4
>     111 5
>     864 6
>     454 7
>     640 8
>     182 9
>
> 5 15 char passwords.

Nice.  How about the longest including at least one digit?

17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8
I routinely ignore posters with paid advertising in their sigs.  You should too.
Agorista
June 24, 2011, 05:12:27 AM
 #13

You can copy a credit card or government ID to send them, but then you run the risk that the people currently in charge of mtgox are not the original owners or that their communication system is not secure.

5 15 char? I wonder how many of those were English words.

Mike
Member since June 2011 - watching BTC since $0.25
rob80
June 24, 2011, 05:14:01 AM
 #14

>>>>> By the way, did you check the file for your account info?  Did your password hash start with $1$?
>>>>
>>>> $1$ doesn't help. FreeBSD MD5 doesn't protect weak passwords.
>>>> With a simple dictionary attack, I cracked more than 500 passwords in one blow.
>>>> Total amount of cracked passwords I got so far are now over 2000.
>>>
>>> What is the longest so far?
>>
>> When the csv was released I was interested in what kind of passwords people used for 'financial' institutions.  This is what I got:
>>
>> $ for i in `cat .john/john.pot | cut -d : -f 2` ; do echo ${#i} ; done | sort | uniq -c
>>      98 10
>>      36 11
>>      46 12
>>       4 13
>>       4 14
>>       5 15
>>       1 4
>>     111 5
>>     864 6
>>     454 7
>>     640 8
>>     182 9
>>
>> 5 15 char passwords.
>
> Nice.  How about the longest including at least one digit?

There were 3 at 15, all of them were variants of their email address and/or username (or combination)
rob80
June 24, 2011, 05:21:31 AM
 #15

And conversely, all 4 of the 14 char passwords were also variants of username/email address/domain.  Same with both 13 char passwords.

I'd wager most of the 2500 or so passwords cracked were variants of the email/username/domain.  I think there is a pretty important lesson there.
contingencyplan
June 24, 2011, 10:27:22 AM
 #16

> And conversely, all 4 of the 14 char passwords were also variants of username/email address/domain.  Same with both 13 char passwords.
>
> I'd wager most of the 2500 or so passwords cracked were variants of the email/username/domain.  I think there is a pretty important lesson there.

Namely, don't trust sites that "encrypt" your password with MD5 or anything similar? Don't trust sites that do not understand the fundamentals of encryption?

Read this. Bear in mind that the $2000 CUDA systems he's referring to are the same sorts of systems that are described in the BTC mining threads.

Then consider how much having a "strong" password, by any definition of "strong" you'd like, would save you under those circumstances.
deepceleron
June 24, 2011, 11:49:06 AM
Last edit: August 21, 2011, 04:42:55 AM by deepceleron
 #17

What is pretty spooky is how quick the hacking sites were to crack post passwords 8 digits and more. It just takes something like this for me to review every non-inconsequential site I use for password length and uniqueness.
apidya
June 24, 2011, 12:45:08 PM
 #18

What email address did you use to register? If it's an email address that was offered to you through a trusted internet service provider, ask them if it would be sufficient to provide contract details, maybe a copy of an identity card. There are still many ways to authenticate yourself.
Clipse
June 24, 2011, 12:49:40 PM
 #19

Just claim again and add additional information like previous deposit methods/withdrawal methods and transaction details from your banking/ewallet.

That will suffice since it's next to impossible that potential hacker could have those details as well.

...In the land of the stale, the man with one share is king... >> Clipse

We pay miners at 130% PPS | Signup here : Bonus PPS Pool (Please read OP to understand the current process)
rob80
June 24, 2011, 04:29:32 PM
 #20

>> And conversely, all 4 of the 14 char passwords were also variants of username/email address/domain.  Same with both 13 char passwords.
>>
>> I'd wager most of the 2500 or so passwords cracked were variants of the email/username/domain.  I think there is a pretty important lesson there.
>
> Namely, don't trust sites that "encrypt" your password with MD5 or anything similar? Don't trust sites that do not understand the fundamentals of encryption?
>
> Read this. Bear in mind that the $2000 CUDA systems he's referring to are the same sorts of systems that are described in the BTC mining threads.
>
> Then consider how much having a "strong" password, by any definition of "strong" you'd like, would save you under those circumstances.

Even if they used 4096 bit encryption, if your email address is awesomedude@vanitydomain.com, and your password is 4w3s0m3dud3v4n1tyd0m41n, it will take any semi-intelligent cracking system (like john) a few minutes to guess.  A 23 char password will be impossible to brute force, but if it is a variant on your name, there is a good chance to crack it in minutes rather than the expected lifetime of the sun.
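
The point made in the last post, that a long password built from the account's own email address or username stays guessable whatever its length, can be enforced as a check at signup or password change. The following is an added example, not code from the thread or from Mt. Gox; the function names, the small leet table, the 0.5 threshold and the username `awesomedude` are assumptions made for illustration.

```python
import re

# Undo common "leet" substitutions (small constructed table, not exhaustive).
LEET = str.maketrans("4@310!5$7", "aaeioisst")

def normalize(text):
    """Lower-case the text and map leet characters back to letters."""
    return text.lower().translate(LEET)

def identity_tokens(username, email, min_len=3):
    """Words readable from the account record: username, mailbox name, domain labels."""
    local, _, domain = email.partition("@")
    sources = [username, local] + domain.split(".")[:-1]  # drop the TLD
    pieces = (p for s in sources for p in re.split(r"[^A-Za-z0-9]+", s))
    return {normalize(p) for p in pieces if len(p) >= min_len}

def derived_fraction(password, username, email):
    """Fraction of the password's characters covered by identity tokens."""
    pw = normalize(password)
    if not pw:
        return 0.0
    covered = [False] * len(pw)
    for token in identity_tokens(username, email):
        for match in re.finditer(re.escape(token), pw):
            covered[match.start():match.end()] = [True] * len(token)
    return sum(covered) / len(pw)

def is_identity_derived(password, username, email, threshold=0.5):
    """True when at least `threshold` of the password is the user's own identity."""
    return derived_fraction(password, username, email) >= threshold

if __name__ == "__main__":
    # Constructed samples; the first password is the one quoted in the post above,
    # the username is assumed to match the mailbox name.
    user, mail = "awesomedude", "awesomedude@vanitydomain.com"
    for pw in ("4w3s0m3dud3v4n1tyd0m41n", "Awesomedude2011", "kestrel-lamp-orbit-94"):
        verdict = "REJECT" if is_identity_derived(pw, user, mail) else "ok"
        print(f"{pw!r}: {derived_fraction(pw, user, mail):.2f} {verdict}")
```

The 23-character password from the post scores 1.0 because every character maps back to the mailbox name or the domain label, so its length adds nothing against a rule-based guesser.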