Bitcoin Forum
Pages: « 1 2 3 4 5 [6] 7 »  All
Author Topic: Cracked Passwords List Leaked, were you cracked?  (Read 14824 times)
bcearl (Full Member, Activity: 168), June 29, 2011, 04:12:48 PM

my password is not on the list. it was seven rather random letters/caps/numbers and I did not use it anywhere else.

my mtgox balance has been: 0 btc / 0 usd

I think I did not log on to mtgox for a while before the incident.

I have used the mtgox claim website just for the fun of it.

these salted hashes/passwords match, I checked it.

2754,$1$ul1uYRLP$OX0qFAuT9wu78ZdAApIeB.
2754,K7mmI8lAsn1o0q

10253,$1$Pdz6SDbH$X3Nz7dxhG6/bXCpcHPrlg1
10253,yT#g1Srm123

13434,$1$vWDRQAo.$kH6Rc9E6unn80S.UK0RHa/
13434,djcnbimil99332k

it would be a waste to crack these PWs. you could make plenty of coins instead.

the hackers will laugh their asses off if they read this thread and find everyone wondering. give us a hint already!
Enough people were stupid and used weak passwords, and the same passwords in mybitcoin.

You don't make that much money with mining!

Misspelling protects against dictionary attacks NOT
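The three hash/password pairs quoted in the post above carry the `$1$` prefix, which marks md5crypt (Poul-Henning Kamp's salted, 1000-round MD5 scheme used by glibc and FreeBSD `crypt(3)`). The following is an added example, not code from the thread or from Mt. Gox: a pure-Python md5crypt so that the claim "these salted hashes/passwords match" can be re-checked anywhere, without relying on the platform `crypt` module (deprecated in recent Python and missing md5crypt on some systems). Only `hashlib` is needed.

```python
# Added example: pure-Python md5crypt ($1$) and a re-check of the three pairs
# quoted in the post above. Algorithm follows the original md5crypt reference.
import hashlib

_ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value: int, count: int) -> bytes:
    """Emit `count` base-64 characters of `value`, least significant 6 bits first."""
    out = bytearray()
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password: bytes, salt: bytes) -> bytes:
    """Return the full crypt string $1$<salt>$<22 chars> for password/salt."""
    salt = salt[:8]  # crypt(3) uses at most 8 salt characters
    ctx = hashlib.md5(password + MAGIC + salt)
    alt = hashlib.md5(password + salt + password).digest()
    # Mix in `alt`, 16 bytes at a time, for as many bytes as the password has.
    remaining = len(password)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    # For each bit of len(password), low bit first: a NUL byte if the bit is
    # set, otherwise the first password byte (the reference code's quirk).
    bits = len(password)
    while bits:
        ctx.update(b"\x00" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()
    # 1000 rounds of alternating password/salt/digest mixing: this is the
    # factor that makes each guess roughly 1000x dearer than one raw MD5.
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(password if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()
    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return MAGIC + salt + b"$" + encoded


def verify(password: str, stored_hash: str) -> bool:
    """True if `password` reproduces `stored_hash` (format $1$<salt>$<hash>)."""
    parts = stored_hash.split("$")
    if len(parts) != 4 or parts[1] != "1":
        raise ValueError("not an md5crypt hash")
    return md5crypt(password.encode(), parts[2].encode()) == stored_hash.encode()


# The three pairs quoted in the post above (user id, hash, recovered password).
LEAKED_PAIRS = [
    ("2754", "$1$ul1uYRLP$OX0qFAuT9wu78ZdAApIeB.", "K7mmI8lAsn1o0q"),
    ("10253", "$1$Pdz6SDbH$X3Nz7dxhG6/bXCpcHPrlg1", "yT#g1Srm123"),
    ("13434", "$1$vWDRQAo.$kH6Rc9E6unn80S.UK0RHa/", "djcnbimil99332k"),
]


def check_pairs(pairs=LEAKED_PAIRS) -> dict:
    """Map user id -> whether the posted password matches the posted hash."""
    return {uid: verify(pw, h) for uid, h, pw in pairs}


if __name__ == "__main__":
    for uid, ok in check_pairs().items():
        print(uid, "match" if ok else "NO MATCH")
```

Because the salt is embedded in the stored string, `verify` needs nothing but the leaked line itself; that is also why a cracker can attack these hashes offline with no further access to Mt. Gox.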
SgtSpike (Legendary, Activity: 1344), June 29, 2011, 04:14:29 PM

I recommend passwords at least 45 characters long with no character being the same.
At least a sextillion years to get half way through cracking something like that.


How many minutes to search the room where you use the computer to find the place where you've written it down?
Exactly.  If I can't remember it in my head, it's a useless password.
bcearl (Full Member, Activity: 168), June 29, 2011, 04:16:22 PM

I recommend passwords at least 45 characters long with no character being the same.
At least a sextillion years to get half way through cracking something like that.


How many minutes to search the room where you use the computer to find the place where you've written it down?
Exactly.  If I can't remember it in my head, it's a useless password.

Depends on the purpose. For an encryption passphrase it makes sense. For a login at mtgox it doesn't.

Misspelling protects against dictionary attacks NOT
fcmatt (Legendary, Activity: 1106), June 29, 2011, 04:24:25 PM

Man, I seriously underestimated the power of GPU password crackers!

I had an 11-character password which I thought was pretty good--b1Ackb0x3!1, and that was cracked.  I'm pretty sure I didn't succumb to any phishing attempts.

Good thing I use 20+ characters for passphrases. :)

leetspeak is no good.



EDIT:
My password was also weak, but fortunately it wasn't cracked yet. (I would like to tell you what the password is like, but maybe I should not give hints.)

The password above is not exactly l33tsp34k as I know it, and if I had to configure a password cracker config file to attempt leetspeak cracking styles, I would not have guessed to match his style up.

It seems someone actually ran a GPU password cracker for days on end, if I had to guess. I wonder what the timeline is for that file being first noticed versus the file being in the wild for anyone to get? Two weeks? 5 days? Hmm.
phelix (Legendary, Activity: 1680, nmc:id/phelix), June 29, 2011, 04:32:07 PM

my password is not on the list. it was seven rather random letters/caps/numbers and I did not use it anywhere else.

my mtgox balance has been: 0 btc / 0 usd

I think I did not log on to mtgox for a while before the incident.

I have used the mtgox claim website just for the fun of it.

these salted hashes/passwords match, I checked it.

2754,$1$ul1uYRLP$OX0qFAuT9wu78ZdAApIeB.
2754,K7mmI8lAsn1o0q

10253,$1$Pdz6SDbH$X3Nz7dxhG6/bXCpcHPrlg1
10253,yT#g1Srm123

13434,$1$vWDRQAo.$kH6Rc9E6unn80S.UK0RHa/
13434,djcnbimil99332k

it would be a waste to crack these PWs. you could make plenty of coins instead.

the hackers will laugh their asses off if they read this thread and find everyone wondering. give us a hint already!

Enough people were stupid and used weak passwords, and the same passwords in mybitcoin.

You don't make that much money with mining!

According to the spreadsheet and crack rate bitcoin0918 posted above, it would take more than 100 years to crack K7mmI8lAsn1o0q on a mining rig of 4x 5870s.

and the chances to really find an account with money in it that (still) uses that password are rather low I think.


---correction---
probably that pw is more in the 5000years range on 4x 5870.


blockchained.com ■ bitcointalk top posts
fcmatt (Legendary, Activity: 1106), June 29, 2011, 04:39:53 PM

Man, I seriously underestimated the power of GPU password crackers!

I had an 11-character password which I thought was pretty good--b1Ackb0x3!1, and that was cracked.  I'm pretty sure I didn't succumb to any phishing attempts.

Good thing I use 20+ characters for passphrases. :)

leetspeak is no good.



EDIT:
My password was also weak, but fortunately it wasn't cracked yet. (I would like to tell you what the password is like, but maybe I should not give hints.)

The password above is not exactly l33tsp34k as I know it, and if I had to configure a password cracker config file to attempt leetspeak cracking styles, I would not have guessed to match his style up.

It seems someone actually ran a GPU password cracker for days on end, if I had to guess. I wonder what the timeline is for that file being first noticed versus the file being in the wild for anyone to get? Two weeks? 5 days? Hmm.

You don't even need a dictionary, all you need is a histogram to dramatically reduce the search space. That is why random is the only way to go.

You are right. That would be an excellent method to reduce the amount of work. But random may not really help unless it is spitting out some very, very odd characters people normally never use and probably do not even know how to type in the USA. Do they output characters like this? (Which I found on a web page about a histogram of a rainbow table website.)

 2 times the character
 2 times the character
 2 times the character
 2 times the character
 2 times the character ؔ

d.james (Sr. Member, Activity: 280, Firstbits: 12pqwk), June 29, 2011, 04:45:09 PM

How long would it take for our total mining power to bruteforce that 60,000 list?

You can not roll a BitCoin, but you can rollback some. :D
Roll me back: 1NxMkvbYn8o7kKCWPsnWR4FDvH7L9TJqGG
bcearl (Full Member, Activity: 168), June 29, 2011, 05:50:46 PM

The password above is not exactly l33tsp34k as I know it, and if I had to configure a password cracker config file to attempt leetspeak cracking styles, I would not have guessed to match his style up.

It seems someone actually ran a GPU password cracker for days on end, if I had to guess. I wonder what the timeline is for that file being first noticed versus the file being in the wild for anyone to get? Two weeks? 5 days? Hmm.

No, that's bullshit. That's the whole point I am trying to make here for weeks now. You should not assume that the attacker is stupid, if you want security.

Dictionary attack does not mean that the cracker uses the Oxford dictionary for English. They have password dictionaries, they are generated for that purpose and include much more than correctly spelled oxford words. And the tools can vary the words from the dictionary while testing by replacing letters by similar looking numbers and special chars.

Fact is: your password was cracked within a few days.

Misspelling protects against dictionary attacks NOT
dserrano5 (Legendary, Activity: 1638), June 29, 2011, 06:40:38 PM

2 times the character
 2 times the character
 2 times the character
 2 times the character
 2 times the character ؔ

I would be using some of those fancy Unicode characters from some time now if I wasn't afraid that applications weren't able to handle them properly, thus locking myself out of websites. Coping with Unicode is hard.

Off the top of my head, and easily typeable with my actual keyboard setup/layout:

bcearl (Full Member, Activity: 168), June 29, 2011, 06:51:00 PM

With ASCII alone you have about 95 characters, that makes 6.5 bits of randomness per character.

If you have US international keyboard layout, you can make the following with the right ALT key:
Code:


fgh
朩b˙

with shift even more:
Code:
˝˘ ̣
֓
FGHόذ
ƌBѵˇ ̉

Misspelling protects against dictionary attacks NOT
nakowa (Member, Activity: 82), June 29, 2011, 06:51:26 PM

unfortunately, I was cracked, and lost 40 BTC...
phelix (Legendary, Activity: 1680, nmc:id/phelix), June 29, 2011, 07:47:08 PM

How long would it take for our total mining power to bruteforce that 60,000 list?

quite a long time.

I calculated this one alone to take more than half a year: K7mmI8lAsn1o0q

well, a little shorter with network speed rising like crazy

(data from posts above and bitcoinwatch)

blockchained.com ■ bitcointalk top posts
Joise (Jr. Member, Activity: 30), June 29, 2011, 07:53:24 PM

There were other 8600 passwords from the database posted on Twitter...
Chick (Member, Activity: 70), June 29, 2011, 07:54:24 PM

There were other 8600 passwords from the database posted on Twitter...

Link?

bcearl (Full Member, Activity: 168), June 29, 2011, 08:06:49 PM

To crack mine in a year, if you assume lower letters only and know the two special characters (26+2), you need 161.6 THashes/sec.

After I tell you the exact set of characters, you still need 4.9 GHashes/sec for a year.

And I consider this one of my weakest passwords. :)

Misspelling protects against dictionary attacks NOT
FractalUniverse (Full Member, Activity: 136), June 29, 2011, 08:10:21 PM

yes, my password was cracked but i was just testing mtgox with no intention of trading at that time, so it was very weak.

BitFinex.com Leveraged BTC and LTC trading. Fee discount code: wm8ibCC9Ve
BEST bitcoin mining pool: https://bitcoin.triplemining.com
my ORBitcoin address: oRXnDBdL75vuTmWi45UX7GiscwaDmSRgLS
xenon481 (Sr. Member, Activity: 406), June 29, 2011, 08:12:12 PM

I would also check https://shouldichangemypassword.com/ It correctly reports I've had my password compromised once on June 19, 2011. I got an email from Chase about my account on June 20, so it seems pretty accurate.

I asked it if the following passwords had been compromised and it told me they were safe.

- password
- password1
- password123
- p@ssw0rd
- P@ssw0rd
- love
- hackers
- superman

Tips Appreciated: 171TQ2wJg7bxj2q68VNibU75YZB22b7ZDr
Jack of Diamonds (Sr. Member, Activity: 252), June 29, 2011, 08:17:25 PM

There are probably some kind of pattern in all the difficult looking passwords that the cracker happens to find through clever combinations of dictionary attacks, leet speak decoding, common combinations and brute forcing. For instance Ev3rL@NRDX11090821 = Everland (a place) RDX (an explosive) and a number. w@chtw00rdLanimret! = Watch word Lanimret!

I would also have thought some of these were safe, though.

Actually, "wachtwoord" means password in Dutch.

Yes, and Lanimret is terminal backwards.
Using an advanced dictionary attack that also takes in account the use of symbols and numbers as substitutes for words, passwords like that are easy to crack using multiple GPUs.

What you need to use is completely random, non-repeating ASCII characters that make zero logical sense.
Here I would agree with Vladimir; If you can remember your password then you're doing it wrong.

1f3gHNoBodYw1LLs3ndY0UanYB1tC0lnsBec4USeYoU9AREaCH34PBeGgAR67fx
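What bcearl calls "vary the words from the dictionary" and what Jack of Diamonds decodes by hand above is, in cracker terms, a rule attack: each dictionary word is pushed through a list of small transformations (substitute, toggle case, reverse, append), and a combinator attack joins two mangled words. The block below is an added example, not code from the thread or from any cracking tool: a small interpreter for a subset of the hashcat/John the Ripper rule syntax (`sXY` substitute, `TN` toggle case at position N, `c` capitalize, `r` reverse, `$X` append, and a few more; the subset is this example's own choice, not the full rule language). The word list and rule list are constructed for the demonstration, and the one rule that reproduces fcmatt's b1Ackb0x3!1 from "blackbox" is written out explicitly to show the path; a real rule file such as hashcat's best64 contains hundreds of such generic rules.

```python
# Added example: a mini hashcat-style rule engine showing that the "difficult
# looking" leetspeak passwords in this thread are word + a few generic rules.
from itertools import product

_POS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"  # rule positions 0-35, hashcat style


def apply_rule(word: str, rule: str) -> str:
    """Apply one space-separated rule string (e.g. 'sl1 so0 T2 $! $1') to word."""
    w = word
    for op in rule.split():
        cmd, arg = op[0], op[1:]
        if cmd == ":":
            pass                                    # no-op: the word itself
        elif cmd == "l":
            w = w.lower()
        elif cmd == "u":
            w = w.upper()
        elif cmd == "c":
            w = w[:1].upper() + w[1:].lower()        # capitalize
        elif cmd == "t":
            w = w.swapcase()                         # toggle every character
        elif cmd == "r":
            w = w[::-1]                              # reverse
        elif cmd == "d":
            w = w + w                                # duplicate
        elif cmd == "$":
            w = w + arg                              # append character
        elif cmd == "^":
            w = arg + w                              # prepend character
        elif cmd == "s" and len(arg) == 2:
            w = w.replace(arg[0], arg[1])            # sXY: replace all X with Y
        elif cmd == "T":
            n = _POS.index(arg)                      # TN: toggle case at position N
            if n < len(w):
                w = w[:n] + w[n].swapcase() + w[n + 1:]
        else:
            raise ValueError(f"unsupported rule op {op!r}")
    return w


def expand(wordlist, rules) -> set:
    """Rule attack: every candidate from applying each rule to each word."""
    return {apply_rule(word, rule) for word in wordlist for rule in rules}


def combinator(left_words, right_words, left_rules=(":",), right_rules=(":",),
               suffixes=("",)) -> set:
    """Combinator attack: mangled left word + mangled right word + suffix."""
    return {
        apply_rule(a, ra) + apply_rule(b, rb) + s
        for a, b, ra, rb, s in product(left_words, right_words, left_rules,
                                       right_rules, suffixes)
    }


def keyspace_comparison(n_words: int, n_rules: int, length: int,
                        charset: int = 95) -> dict:
    """Rule-attack candidate count next to the brute-force keyspace for `length`."""
    rule_space = n_words * n_rules
    brute_space = charset ** length
    return {"rule_candidates": rule_space, "brute_force": brute_space,
            "ratio": brute_space // rule_space}


# Constructed word list and rules for the demonstration. "wachtwoord" is Dutch
# for password; "terminal" is the reversed tail Jack of Diamonds decoded above.
WORDS = ["blackbox", "password", "wachtwoord", "terminal", "everland"]
LEET_RULES = [
    ":", "c", "u", "t",
    "sa@", "sa4", "se3", "so0", "sl1", "si1", "ss$",
    "sl1 so0", "sa@ so0", "sa@ se3", "se3 so0 sa@",
    "sl1 so0 T2", "sl1 so0 T2 $3 $! $1",   # blackbox -> b1Ackb0x3!1 (fcmatt's)
    "c $!", "$1", "$1 $2 $3", "$!",
]

if __name__ == "__main__":
    candidates = expand(WORDS, LEET_RULES)
    print("b1Ackb0x3!1" in candidates)
    combos = combinator(["wachtwoord"], ["terminal"], ("sa@ so0",), ("r c",), ("!",))
    print("w@chtw00rdLanimret!" in combos)
    print(keyspace_comparison(len(WORDS), len(LEET_RULES), 11))
```

The point of `keyspace_comparison` is the ratio: an 11-character password drawn from 95 printable characters has a brute-force space of 95^11, while the rule attack needs only words × rules guesses, so a leetspeak variant of a dictionary word falls in seconds even under md5crypt's 1000 rounds. Only a password that is not reachable from any word by any cheap rule forces the attacker back to the full keyspace, which is the case bcearl and Jack of Diamonds are making for random passwords.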
phelix (Legendary, Activity: 1680, nmc:id/phelix), June 29, 2011, 08:23:43 PM

There were other 8600 passwords from the database posted on Twitter...

Link?
+1

blockchained.com ■ bitcointalk top posts
jgraham (Full Member, Activity: 140, "<Pretentious and poorly thought out latin phrase>"), June 29, 2011, 08:33:16 PM

Man, I seriously underestimated the power of GPU password crackers!

I had an 11-character password which I thought was pretty good--b1Ackb0x3!1, and that was cracked.  I'm pretty sure I didn't succumb to any phishing attempts.

Good thing I use 20+ characters for passphrases. :)

It depends.   IIRC in the broadcast Mt. Gox mentioned that some of the older accounts were MD5 unsalted.  In which case leetspeak pass isn't very good.  Yours interestingly enough was salted.
IMHO this was simply bad luck in one of two senses:

i) Your password happened to be in some wordlist or is a simple permute of some wordlist
ii) They started multiple crackers bruting specific keyspaces and yours was close to whatever the startpoint was for 11 char passwords.


By contrast I ran oclHashcat on my 6990 for my password and it seemed to say it would take 4 years to exhaust the keyspace but hey if someone here wants to divert some of their mining software to the cause they're welcome to show me the error of my ways.  That would be pretty cool too....


Interesting side issue.   If your organization uses google as a mail system and they perform password synchronization.   They are shipping unsalted hashes to the big G (either SHA1 or MD5).  I don't know how many people have access to encrypted hashes at Google but the sample seems large enough that it's only a matter of time before someone sees the money making potential there.  (Password reset function + known gmail address + big ass hashing equipment = access to your Mt. Gox account).

I'm rather good with Linux.  If you're having problems with your mining rig I'll help you out remotely for 0.05.  You can also propose a flat-rate for some particular task.  PM me for details.
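jgraham's distinction between the unsalted MD5 accounts and the salted ones is the difference between amortised and per-account work: with no salt, an attacker hashes each candidate once and looks it up against all 60,000 leaked hashes at the same time (and identical passwords are visible as identical hashes before any cracking), while a per-user salt forces the candidate to be rehashed for every account. The block below is an added example, not code from the thread: it runs the same small candidate list against both layouts and counts hash computations. The salted scheme here is md5(salt + password) as a deliberately simplified stand-in for md5crypt (an assumption of this example; md5crypt adds the 1000-round cost on top); the sample accounts, salts and candidate list are constructed.

```python
# Added example: unsalted lookup (cost ~ candidates) versus salted search
# (cost ~ accounts x candidates). Sample data is constructed, not leaked data.
import hashlib


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def crack_unsalted(leaked: dict, candidates) -> tuple:
    """leaked: {user: md5hex}. Returns ({user: password}, hashes computed)."""
    by_hash = {}
    for user, h in leaked.items():          # invert once: hash -> all users with it
        by_hash.setdefault(h, []).append(user)
    found, work = {}, 0
    for pw in candidates:
        work += 1                           # one MD5 per candidate, for all accounts
        for user in by_hash.get(md5_hex(pw.encode()), ()):
            found[user] = pw
    return found, work


def crack_salted(leaked: dict, candidates) -> tuple:
    """leaked: {user: (salt, md5hex(salt + pw))}. One hash per account per try."""
    found, work = {}, 0
    for user, (salt, h) in leaked.items():
        for pw in candidates:
            work += 1
            if md5_hex(salt.encode() + pw.encode()) == h:
                found[user] = pw
                break
    return found, work


def shared_passwords(leaked_unsalted: dict) -> list:
    """Users whose stored hash is identical, i.e. identical passwords (no salt)."""
    by_hash = {}
    for user, h in leaked_unsalted.items():
        by_hash.setdefault(h, []).append(user)
    return [users for users in by_hash.values() if len(users) > 1]


# Constructed sample: four accounts, one password reused, one strong password
# (K7mmI8lAsn1o0q, from the thread) that is not in the candidate list.
CANDIDATES = ["password", "password1", "letmein", "superman", "hackers", "bitcoin"]
ACCOUNTS = [("alice", "q1Zt", "superman"), ("bob", "Xy7p", "password1"),
            ("carol", "8mKs", "K7mmI8lAsn1o0q"), ("dave", "rT0c", "superman")]
UNSALTED = {user: md5_hex(pw.encode()) for user, _, pw in ACCOUNTS}
SALTED = {user: (salt, md5_hex(salt.encode() + pw.encode())) for user, salt, pw in ACCOUNTS}

if __name__ == "__main__":
    print("reused passwords visible without cracking:", shared_passwords(UNSALTED))
    print("unsalted:", crack_unsalted(UNSALTED, CANDIDATES))
    print("salted:  ", crack_salted(SALTED, CANDIDATES))
```

Both runs recover the same three weak passwords and miss the random one; what changes is the bill. The unsalted table costs six hashes for all four accounts and would cost the same six for 60,000, whereas the salted table already needs sixteen here and scales with the number of accounts, which is why the unsalted legacy rows jgraham mentions are the ones that go first.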