Bitcoin Forum
Topic: Cracked Passwords List Leaked, were you cracked?
BTC Economist
June 28, 2011, 08:03:20 PM
 #61

My password wasn't on there, so I'll just throw it out there.  My old mtgox password was 5kGrv3cM5-W_VKc9d6Zc.  And no, I don't use it for anything else....

Edit:  I've also started using 30 character passwords now too.  All this talk about cracking 10 characters in 3 seconds has me paranoid!

I use the same password, what a coincidence.

When BTC soars, you need to be READY!  PM me to learn more about my new e-book, How to Create and Profit from the Second Bitcoin Bubble available exclusively to BTC forum members!

17JzkreEBYNHQM9tMTiUKCHANofwzHRLhP
justusranvier
June 28, 2011, 08:08:16 PM
 #62

That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!
Bunghole
June 28, 2011, 08:13:10 PM
 #63

That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!

Spaceballs!
TECSHARE
June 28, 2011, 08:28:47 PM
 #64

26533: hackthis123191

haha! i'm using the internet!!!1


BITCOINTALK STAFF SELECTIVELY ENFORCE THE RULES IN AN ATTEMPT TO CREATE A CHILL EFFECT AND PERMANENTLY REMOVE ME AND OTHERS FROM THIS FORUM AS RETALIATION FOR SPEAKING OUT ABOUT THEIR ABUSIVE BEHAVIOR, AND THAT OF THEIR PERSONAL CLIQUES.
flug
June 28, 2011, 08:58:11 PM
 #65

There are about 3000 passwords there out of about 60,000 accounts, or about 5% of the total.

So if it was brute force why only crack 5% of them? They must have used additional info from somewhere.
FlipPro
June 28, 2011, 09:01:22 PM
 #66

This plays into my theory that everything will be public for the world to see in the future. Part of the NWO, Apocalypse, and Utopia theories. Depending on your "views" of it.

Tweet For Coins http://uptweet.com
Xer0
June 28, 2011, 09:02:35 PM
 #67

[conspiracy]
this list was generated during the Mt.Gox account recovery phase.
[/conspiracy]

Maybe he didn't clean the server completely? What if there was some kind of backdoor? You remember that you had to enter your old password on the recovery form. As soon as the initial hackers knew about the recovery procedure, they manipulated the scripts so that the input is stored in plaintext or sent somewhere. Then it just gets matched to username/email and voila.


This can be checked like so:

Has anyone who did NOT recover his MtGox account AND has a safe password found himself on the list?
SgtSpike
June 28, 2011, 09:05:24 PM
 #68

I get the feeling that this list isn't any of the bruteforced passwords - only the people that fell for the phishing attacks.
airdata
June 28, 2011, 09:09:26 PM
 #69

So, I'm not cracked.  Yet ?

Nice.  Makes me feel all warm inside.
dserrano5
June 28, 2011, 09:18:00 PM
 #70

I'm not there. My password was 10 chars long.

tsvekric
June 28, 2011, 09:22:18 PM
 #71

And the uncracked password list that was released had the salts along with each password, so being 'salted' or 'unsalted' shouldn't matter...
Yes, it matters.  A lot.  Salted means you have to crack each password individually.  You have to run through the entire list of candidates (until a match) for each and every salted password (given unique salts).  With unsalted passwords you can run through the wordlist once, and get all matching passwords with a single MD5 run for each word in your wordlist.  It doesn't matter for one single password, but for 60000 salting means 60000 times more work.  And salting renders rainbow tables useless, because you'd have to build one rainbow table for each possible salt.

But the salts are given.  Correct me if I'm wrong, I'm new to understanding this: a password hash here is given as salt*md5*password sort of setup.  If it was just md5*password, you can solve the md5 and then just run that through the list of hashes to get all the passwords?  But if the salts are given then password crackers aren't trying to figure out the [salt] part of the equation, so you can effectively remove that and it just becomes md5*password again.  Right?

like if you have:
[salt1]*md5*[password1]
[salt2]*md5*[password2]
etc... it's really hard to solve because you have to crack each individual salt - BUT you don't have to crack each individual md5.  If the salts are listed right there on the table (and on MtGox that's what happened) then you're not cracking salts, just the md5 again.  That's how they get all these super-complex passwords - right?  They solved one simple md5 pass, and then used the given salts to get any password instantly.  Or am I not understanding how this works....
Serge
June 28, 2011, 09:22:45 PM
 #72

no one mentioned rootkits and keyloggers?  Shocked
finack
June 28, 2011, 09:41:34 PM
 #73

Or am I not understanding how this works....

Salts prevent people from pre-computing large amounts of hashes and then just simply comparing the hashes to see what the password is. These large lists of pre-computed hashes are called rainbow tables.

Let's imagine you and I both have the same password. If you use an unsalted hash, the resulting hash of the password will always be the same.

user:hashed_password

me:54yg7(momlk32
you:54yg7(momlk32

if I had a rainbow table for that type of hash, it might have an entry like:

54yg7(momlk32:password1

And I'd just have to search for it, not have to do any hashing and I'd find both our passwords out.

On the other hand, if I use salts with the hash, the result would look more like this:

user:$salt$hash

me:$yg$sdf87dsfgbh^%$szdfds
you:$7z$powiuer9asd3ee343z^%

Practically this prevents me from computing a bunch of hashes beforehand and simply comparing the results to the stored hashes. You and I both still have the same weak password, but since a salt was used they have to be cracked independently.

It's not a big hurdle, but it's something.
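
Added example, not part of any post in this thread: a small Python audit over constructed accounts that shows why a published salt cannot simply be "removed", and how many MD5 computations a wordlist check costs with and without salts. The construction md5(salt + password), the account names, salts and wordlist are all assumptions made for the illustration; the thread does not specify the exact scheme the site used.

```python
import hashlib

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

# Constructed sample data: "me" and "you" share one weak password.
ACCOUNTS = {"me": "password1", "you": "password1", "other": "correct horse"}
SALTS = {"me": "yg", "you": "7z", "other": "k3"}  # constructed per-user salts
WORDLIST = ["123456", "letmein", "password1", "qwerty"]

def store_unsalted(accounts):
    return {u: md5_hex(p.encode()) for u, p in accounts.items()}

def store_salted(accounts, salts):
    # Assumed construction: md5(salt + password), salt stored next to the hash.
    return {u: (salts[u], md5_hex((salts[u] + p).encode()))
            for u, p in accounts.items()}

def audit_unsalted(stored, wordlist):
    """One MD5 per candidate; each digest is looked up against all accounts."""
    by_hash = {}
    for user, digest in stored.items():
        by_hash.setdefault(digest, []).append(user)
    found, hashes = {}, 0
    for word in wordlist:
        hashes += 1
        for user in by_hash.get(md5_hex(word.encode()), []):
            found[user] = word
    return found, hashes

def audit_salted(stored, wordlist):
    """The salt is known but is an input to the hash, so a digest computed
    for one account is useless for the next: one MD5 per (account, word)."""
    found, hashes = {}, 0
    for user, (salt, digest) in stored.items():
        for word in wordlist:
            hashes += 1
            if md5_hex((salt + word).encode()) == digest:
                found[user] = word
                break
    return found, hashes

if __name__ == "__main__":
    print(audit_unsalted(store_unsalted(ACCOUNTS), WORDLIST))
    print(audit_salted(store_salted(ACCOUNTS, SALTS), WORDLIST))
```

Both runs flag the same two weak accounts, but the unsalted check costs one hash per wordlist entry while the salted check costs up to one hash per entry per account, and the shared password no longer produces matching stored values.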
Grinder
June 28, 2011, 10:33:32 PM
 #74

A random selection of some of the more secure looking passwords:

60x8760b6k328vc3v24kw8y1
Y!m4g6s3j*
Ev3rL@NRDX11090821
b1Ackb0x3!1
8W3G7Pds9712++
c65b5DF488
mgq$jc)kw3
w@chtw00rdLanimret!
acy7zkprddv2k3iFd&
VeryStrongPassword
There is probably some kind of pattern in all the difficult looking passwords that the cracker happens to find through clever combinations of dictionary attacks, leet speak decoding, common combinations and brute forcing. For instance Ev3rL@NRDX11090821 = Everland (a place) RDX (an explosive) and a number. w@chtw00rdLanimret! = Watch word Lanimret!

I would also have thought some of these were safe, though.
enmaku
June 28, 2011, 10:52:57 PM
 #75

I'm on the list, but I figured I would be - it was a medium-strength password at best. Of course I *never* kept a balance for any longer than it took to buy or sell, then I transferred immediately to my wallet or Dwolla where I did *not* use a medium-strength password.  Grin

MrMagic
June 28, 2011, 11:20:02 PM
 #76

I'm really wondering how they got some of the passwords now because my brother's account is in the list but mine is not. We used the same password....

BTC: 1FDqBwA2YEinCrzhhZ6AqCM8PMJQiNGqTr
LTC: LMKwqdHaYwuYgQaTyLEvaXB7itTzb2PTxv
DTC: DNn21GEpQX82z5BNeFPttTCU4PDL8CahH2
stapler117
June 28, 2011, 11:44:43 PM
 #77

Sweet! I'm not there! I used an 8-character long password with uppercase, lowercase, and numbers. Foolishly, I set other bitcoin-related passwords to the same one. As soon as I saw the news, I changed every site to a different 15-character long password with uppercase, lowercase, numbers, and symbols. Now I should apply this to RL...

I'm an ex-miner. I still love bitcoins, but I've decided it's too expensive to mine for me. Lowered the difficulty a bit for the rest of you Wink

Eat FibreOne bars. they are made of pure deliciousness
Nescio
June 28, 2011, 11:50:44 PM
 #78

With unsalted passwords you can run through the wordlist once, and get all matching passwords with a single MD5 run for each word in your wordlist.  It doesn't matter for one single password, but for 60000 salting means 60000 times more work.

Since it is extremely unlikely that all 60000 passwords were the same, you still have to brute force the rest.

If you assume a more reasonable 3000 passwords that are either identical or the same as the mail address for example, the difference between everything salted or not is only 60/57=5% more work.

Salting only (significantly) helps against rainbow tables.
indio007
June 28, 2011, 11:53:58 PM
 #79

Luckily mine wasn't cracked. Password WAS iamdana1qaz0p;/
XIU
June 28, 2011, 11:57:28 PM
 #80

There is probably some kind of pattern in all the difficult looking passwords that the cracker happens to find through clever combinations of dictionary attacks, leet speak decoding, common combinations and brute forcing. For instance Ev3rL@NRDX11090821 = Everland (a place) RDX (an explosive) and a number. w@chtw00rdLanimret! = Watch word Lanimret!

I would also have thought some of these were safe, though.

Actually, "wachtwoord" means password in Dutch.

1xiuHwHk81j4TRnLuLBMvH2ctqtTsubT6