Bitcoin Forum
Pages: « 1 2 [3] 4 5 6 7 »  All
Author Topic: Cracked Passwords List Leaked, were you cracked?  (Read 14826 times)
darbsllim
Sr. Member
Activity: 294
Founder, Filmmaker, Fun Guy
June 28, 2011, 04:55:15 PM
 #41

Some of these people with complex passwords could have fallen for the fake mtgox emails

Brad Mills
Former miner - Former Bitcoin Business Owner - Victim of the Great Bitcoin Crashes of 2011 and 2012
bitcon
Legendary
Activity: 1050
www.bit-exo.com
June 28, 2011, 04:57:45 PM
 #42

they got mine too.. wonder what percentage of this list even realize that their passwords are floating around on the internet for everyone to see.. that's a lot of passwords.

bitcoin0918
Jr. Member
Activity: 56
June 28, 2011, 05:04:20 PM
 #43

I set my password to my bitcoin address. What could be more secure than that?! Grin

"So you think that money is the root of all evil?" said Francisco d'Aconia. "Have you ever asked what is the root of money?" [contd.]
gentakin
Member
Activity: 98
June 28, 2011, 05:10:02 PM
 #44

I set my password to my bitcoin address. What could be more secure than that?! Grin

Now that you've publicly stated this, it should be trivial to get a tool up that searches the block chain for bitcoin addresses and attempts to crack your password with each of them. Wink

1HNjbHnpu7S3UUNMF6J9yWTD597LgtUCxb
Isepick
Full Member
Activity: 181
June 28, 2011, 05:12:51 PM
 #45

I can verify that 7XiBKeJe5ochSqVW is in fact the correct password; he was unsalted, and using "simple" md5. I cannot verify the salted passwords, they seem to be a different type of md5 than I am using. Why are there two different types of md5, and what do I call the second one?

http://www.insidepro.com/hashes.php?lang=eng

MD5(unix)

Edit: And the salted passwords match, too, at least the 3 I've checked:
60x8760b6k328vc3v24kw8y1
acy7zkprddv2k3iFd&
8W3G7Pds9712++

Curiouser and curiouser
bitcoin0918
Jr. Member
Activity: 56
June 28, 2011, 05:15:07 PM
 #46

Now that you've publicly stated this, it should be trivial to get a tool up that searches the block chain for bitcoin addresses and attempts to crack your password with each of them. Wink

Yeah, but look how many characters it has - there's just NO WAY any cracking program could guess this: 1GryC1TD9bXdwrV1YbDX3RnJrS2Ak87Vbw. It's perfect! Cheesy

"So you think that money is the root of all evil?" said Francisco d'Aconia. "Have you ever asked what is the root of money?" [contd.]
tsvekric
Sr. Member
Activity: 246
June 28, 2011, 05:30:37 PM
 #47

how could saab9000aeroskodafabiavrs or 7XiBKeJe5ochSqVW be cracked in such a short amount of time?  Even unsalted...

And the uncracked password list that was released had the salts along with each password, so being 'salted' or 'unsalted' shouldn't matter...
Bitcoin Swami
Full Member
Activity: 168
June 28, 2011, 05:34:06 PM
 #48

I guess I don't understand how password cracking works. I don't understand how they get multiple chances figuring out a password.
sturle
Legendary
Activity: 1418
http://bitmynt.no
June 28, 2011, 05:39:32 PM
 #49

And the uncracked password list that was released had the salts along with each password, so being 'salted' or 'unsalted' shouldn't matter...
Yes, it matters.  A lot.  Salted means you have to crack each password individually.  You have to run through the entire list of candidates (until a match) for each and every salted password (given unique salts).  With unsalted passwords you can run through the wordlist once, and get all matching passwords with a single MD5 run for each word in your wordlist.  It doesn't matter for one single password, but for 60000 salting means 60000 times more work.  And salting renders rainbow tables useless, because you'd have to build one rainbow table for each possible salt.

See http://bitmynt.no for exchanging bitcoin for Norwegian kroner. Safe, cheap, fast and easy since 2010.
I buy with EUR and other currencies at a fair market price when you want to sell.  See http://bitmynt.no/eurprice.pl
I support the roadmap.  If a majority of miners ever try to forcefully take control of Bitcoin through a hard fork without 100% consensus, I will immediately split out and dump all my forkcoins, and buy more real Bitcoin.
BTC Economist
Member
Activity: 112
June 28, 2011, 05:46:45 PM
 #50

I'm surprised I'm not on the list.

When BTC soars, you need to be READY!  PM me to learn more about my new e-book, How to Create and Profit from the Second Bitcoin Bubble available exclusively to BTC forum members!

17JzkreEBYNHQM9tMTiUKCHANofwzHRLhP
o
Member
Activity: 76
June 28, 2011, 05:46:54 PM
 #51

What is the possibility of a hash collision? Those long character and number combinations don't need to be the true user password; as long as their hash matches the user's true hash, the server will consider them the same. Though I would expect a collision password to be much uglier than the ones shown in the file.

As written in Wikipedia, there were already methods to generate collisions 5 years ago, with some requirements, so it is no surprise that there is a generic method to find collisions, particularly for passwords.
sgravina
Sr. Member
Activity: 442
June 28, 2011, 05:54:27 PM
 #52

My password is not on the list.  It was 'password1'.  I read somewhere that 'password1' is the most common password so I figured it must be good.

Could somebody find the source of this list.  I would really like to know how this was done.  Is it really possible?  I suspect this list is at least partially fake.  My real password should have been easy to crack but is not on the list.

Sam
DukeOfEarl
Newbie
Activity: 28
June 28, 2011, 05:55:26 PM
 #53

Yes, it matters.  A lot.  Salted means you have to crack each password individually.  You have to run through the entire list of candidates (until a match) for each and every salted password (given unique salts).  With unsalted passwords you can run through the wordlist once, and get all matching passwords with a single MD5 run for each word in your wordlist.  It doesn't matter for one single password, but for 60000 salting means 60000 times more work.  And salting renders rainbow tables useless, because you'd have to build one rainbow table for each possible salt.

Thanks for this explanation.  For implementation purposes, how would a website use a unique salt?  For example, when the user types in a password it must be joined to the salt and then an MD5 algorithm run over the product to compare with the database-stored hash.

Somewhere then the salt must be stored, right?
kjj
Legendary
Activity: 1302
June 28, 2011, 07:10:44 PM
 #54

Yes, it matters.  A lot.  Salted means you have to crack each password individually.  You have to run through the entire list of candidates (until a match) for each and every salted password (given unique salts).  With unsalted passwords you can run through the wordlist once, and get all matching passwords with a single MD5 run for each word in your wordlist.  It doesn't matter for one single password, but for 60000 salting means 60000 times more work.  And salting renders rainbow tables useless, because you'd have to build one rainbow table for each possible salt.

Thanks for this explanation.  For implementation purposes, how would a website use a unique salt?  For example, when the username types in a password it must be joined to the salt and then an MD5 algorithm ran over the product to compare with the database stored hash.

Somewhere then the salt must be stored, right?

Random, and yes, it is stored.

If the hash started with $, it follows this format:  $<scheme, always 1 here>$<salt>$<hash>.  Scheme 1 means about 1001 rounds of MD5 with complex combinations of the previous round, the password, and the salt.

Other schemes are available for SHA, blowfish, and (try not to laugh) NT.

If it doesn't start with $, it is just a simple unsalted MD5 hash of the input.

p2pcoin: a USB/CD/PXE p2pool miner - 1N8ZXx2cuMzqBYSK72X4DAy1UdDbZQNPLf - todo
I routinely ignore posters with paid advertising in their sigs.  You should too.
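The salting argument in #49 and the $1$ format described in #54, as an added Python example that is not part of the thread. It implements md5-crypt from the crypt(3) reference algorithm (an 8-byte salt, roughly 1000 MD5 rounds, and crypt's own base64 alphabet), parses both stored forms, and runs a short wordlist over a constructed dump. Every username, salt and hash in the dump is made up for the demo, not taken from the leak; the one real password string reused from this page is only there to show that a random 16-character password is not found by a wordlist.

```python
"""Added example: cracking a dump that mixes plain MD5 with crypt(3) $1$ md5-crypt.
All usernames, salts and hashes below are constructed for the demo, not taken from the leak."""
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty", "dragon"]


def _to64(v, n):
    # crypt(3)-style base64: emit n characters, 6 bits each, least significant first.
    return "".join(ITOA64[(v >> (6 * k)) & 0x3F] for k in range(n))


def md5_crypt(password, salt):
    """md5-crypt ($1$) following the reference crypt(3) algorithm (FreeBSD crypt-md5.c)."""
    magic = b"$1$"
    if salt.startswith(magic):
        salt = salt[len(magic):]
    salt = salt.split(b"$", 1)[0][:8]                # at most 8 salt bytes are used
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    for pl in range(len(password), 0, -16):          # len(password) bytes of alt, 16 at a time
        ctx.update(alt[:min(16, pl)])
    i = len(password)
    while i:                                         # one byte per bit of len(password)
        ctx.update(b"\x00" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                            # the stretching loop kjj mentions
        c = hashlib.md5(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups)
    enc += _to64(final[11], 2)
    return "$1$%s$%s" % (salt.decode(), enc)


def parse_entry(stored):
    """Split a stored value into (scheme, salt, digest): '$1$salt$hash' or bare hex MD5."""
    if stored.startswith("$"):
        _, scheme, salt, digest = stored.split("$", 3)
        if scheme != "1":
            raise ValueError("unsupported crypt scheme $%s$" % scheme)
        return "md5crypt", salt, digest
    return "md5", None, stored.lower()


def crack(dump, wordlist):
    """Return ({user: password}, {scheme: candidate hashes computed})."""
    found, work = {}, {"md5": 0, "md5crypt": 0}
    # Unsalted: hash the wordlist once, then every account is a dictionary lookup.
    table = {}
    for w in wordlist:
        table[hashlib.md5(w.encode()).hexdigest()] = w
        work["md5"] += 1
    for user, stored in dump.items():
        scheme, salt, digest = parse_entry(stored)
        if scheme == "md5":
            if digest in table:
                found[user] = table[digest]
            continue
        # Salted: the salt is per account, so the wordlist is re-hashed for each one,
        # and each candidate costs ~1000 MD5 calls instead of one.
        for w in wordlist:
            work["md5crypt"] += 1
            if md5_crypt(w.encode(), salt.encode()) == stored:
                found[user] = w
                break
    return found, work


def build_sample_dump():
    """Constructed dump: two plain-MD5 accounts, three $1$ accounts (one strong password)."""
    return {
        "alice": hashlib.md5(b"password1").hexdigest(),
        "bob": hashlib.md5(b"letmein").hexdigest(),
        "carol": md5_crypt(b"password1", b"Xk3p9q2L"),
        "dave": md5_crypt(b"dragon", b"aB7cD9eF"),
        "erin": md5_crypt(b"7XiBKeJe5ochSqVW", b"zz91QpLm"),  # random-looking: not in any wordlist
    }


if __name__ == "__main__":
    cracked, cost = crack(build_sample_dump(), WORDLIST)
    for user, pw in cracked.items():
        print("%-6s %s" % (user, pw))
    print("candidate hashes computed:", cost)
```

On the constructed dump, the two unsalted accounts fall out of one six-word pass, while the three $1$ accounts need the wordlist rerun per salt (15 md5-crypt evaluations, each about a thousand MD5 calls), and the random 16-character password is never found because it is not in the list. Real cracking runs use hashcat or John the Ripper, which implement the same $1$ scheme; the point of the hand-rolled version is only to make the per-salt cost visible.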
justusranvier
Legendary
Activity: 1400
June 28, 2011, 07:22:34 PM
 #55

I doubt that these and the many more that are on there 1) got phished and 2)wound up on this particular list at the same time. Well, except for the last guy. Though I do suppose that is an upgrade to using 'password' for a password Tongue
Well, aside from *MAGIC*, by what other method do you believe those passwords were determined?
I can think of three possibilities:
Password reuse
Malware
Hash collisions
bitcoin0918
Jr. Member
Activity: 56
June 28, 2011, 07:27:33 PM
 #56

I doubt that these and the many more that are on there 1) got phished and 2)wound up on this particular list at the same time. Well, except for the last guy. Though I do suppose that is an upgrade to using 'password' for a password Tongue
Well, aside from *MAGIC*, by what other method do you believe those passwords were determined?
I can think of three possibilities:
Password reuse
Malware
Hash collisions
Oh certainly, there are other methods (though password reuse alone doesn't cause this). I was just making the point that the *least likely* method was brute force cracking.

"So you think that money is the root of all evil?" said Francisco d'Aconia. "Have you ever asked what is the root of money?" [contd.]
ErgoOne
Full Member
Activity: 126
June 28, 2011, 07:31:37 PM
 #57

Not sure if any of you have seen this or not, but here it is:

https://www.nanaimogold.com/microlionsec.txt

If you haven't changed your passwords yet...do it.

If you wanted to see whether or not your password was safe, feel free to check if it was cracked here.

Mine wasn't on this list, but anybody here would be foolish indeed to assume that this means their password wasn't cracked.  If you use the same password in multiple locations, and a security breach occurs in one location, you need to change the password at every location that you used it.
DamienBlack
Jr. Member
Activity: 56
June 28, 2011, 07:32:59 PM
 #58

Hash collision seems really unlikely to me. The odds should be microscopically small.

I trade bitcoin options at https://bitoption.org/ ... Join me.
I play poker at https://betco.in/ ... Join me.
Support the bitcoin economy, what do you do?
Tips: 1NfXhiTFEdKQTdLy49s6DYAP1K7MeFWyao
justusranvier
Legendary
Activity: 1400
June 28, 2011, 07:48:35 PM
 #59

Hash collision seems really unlikely to me. The odds should be microscopically small.
It's microscopically small for SHA hashes but MD5 has been considered broken (or nearly so) for a few years now.
luv2drnkbr
Hero Member
Activity: 771
June 28, 2011, 08:00:37 PM
 #60

My password wasn't on there, so I'll just throw it out there.  My old mtgox password was 5kGrv3cM5-W_VKc9d6Zc.  And no, I don't use it for anything else....

Edit:  I've also started using 30 character passwords now too.  All this talk about cracking 10 characters in 3 seconds has me paranoid!
