Cracked Passwords List Leaked, were you cracked?

[Saturn7]

A 5870 can do 3.8 Billion password combinations a second.

If you have 3 of them in your system like most miners do, thats 11.4 Billion per second

684 Billion per Minute
41 Trillion per Hour
984 Trillion per day (24 hours)
6.8 Quadrillion per week
210 Quadrillion per Month  

I think the days of "passwords" you type with a keyboard are over.

[1713245420]

1713245420

[1713245420]

1713245420

[1713245420]

1713245420

[1713245420]

1713245420

[1713245420]

1713245420

[1713245420]

1713245420

[DamienBlack]

The fact that a password is in this list doesn't imply that it was cracked. As finack said, the complex passwords were probably stolen by some other means - e.g. phishing - and happened to be reused.

Hmm, so someone who uses the password "7XiBKeJe5ochSqVW" has been phished?

I looked that dude up on Facebook. He's an older guy whose activities include singing, sailing, barefoot hiking, etc. No evidence of computer expertise. The complex password was a false sense of security, most likely, and he was phished, in all likelihood.

Interesting and creepy... <quietly goes off and changes facebook email>

[Saturn7]

Opps, its actually "just" 3.6 billion per second.

[bitcoin0918]

Interesting and creepy... <quietly goes off and changes facebook email>

What's creepier is that people are fine with publishing so much personal information for the public to see.

[proudhon]

Wait, what is this? Is this the MtGox database?

[DamienBlack]

Wait, what is this? Is this the MtGox database?

Yes

[bitcoin0918]

A 5870 can do 3.8 Billion password combinations a second.

If you have 3 of them in your system like most miners do, thats 11.4 Billion per second

684 Billion per Minute
41 Trillion per Hour
984 Trillion per day (24 hours)
6.8 Quadrillion per week
210 Quadrillion per Month  

I think the days of "passwords" you type with a keyboard are over.

Even with those numbers, it would take on average a week to crack a purely random 8-character combination of alphanumeric/special characters. If that number is raised to 10, it's 21 years, according to this spreadsheet calculator.

[Isepick]

A random selection of some of the more secure looking passwords:

60x8760b6k328vc3v24kw8y1
Y!m4g6s3j*
Ev3rL@NRDX11090821
b1Ackb0x3!1
8W3G7Pds9712++
c65b5DF488
mgq$jc)kw3
w@chtw00rdLanimret!
acy7zkprddv2k3iFd&
VeryStrongPassword

I doubt that these and the many more that are on there 1) got phished and 2)wound up on this particular list at the same time. Well, except for the last guy. Though I do suppose that is an upgrade to using 'password' for a password

[DamienBlack]

A random selection of some of the more secure looking passwords:

60x8760b6k328vc3v24kw8y1
Y!m4g6s3j*
Ev3rL@NRDX11090821
b1Ackb0x3!1
8W3G7Pds9712++
c65b5DF488
mgq$jc)kw3
w@chtw00rdLanimret!
acy7zkprddv2k3iFd&
VeryStrongPassword

I doubt that these and the many more that are on there 1) got phished and 2)wound up on this particular list at the same time. Well, except for the last guy. Though I do suppose that is an upgrade to using 'password' for a password

I also doubt that all of these were phished. But if they weren't, a network about 1% as large as the bitcoin network must have been pointed at cracking them.

[Saturn7]

A 5870 can do 3.8 Billion password combinations a second.

If you have 3 of them in your system like most miners do, thats 11.4 Billion per second

684 Billion per Minute
41 Trillion per Hour
984 Trillion per day (24 hours)
6.8 Quadrillion per week
210 Quadrillion per Month  

I think the days of "passwords" you type with a keyboard are over.

Even with those numbers, it would take on average a week to crack a purely random 8-character combination of alphanumeric/special characters. If that number is raised to 10, it's 21 years, according to this spreadsheet calculator.

Yes but this spreadsheet assumes only 17 billion per hour not 41 Trillion.
And thats just 3 cards, if somebody really wanted to go all out and have 30 cards then who knows.
Might open up a black hole in you PC  LOL
 

[DamienBlack]

A 5870 can do 3.8 Billion password combinations a second.

If you have 3 of them in your system like most miners do, thats 11.4 Billion per second

684 Billion per Minute
41 Trillion per Hour
984 Trillion per day (24 hours)
6.8 Quadrillion per week
210 Quadrillion per Month  

I think the days of "passwords" you type with a keyboard are over.

Even with those numbers, it would take on average a week to crack a purely random 8-character combination of alphanumeric/special characters. If that number is raised to 10, it's 21 years, according to this spreadsheet calculator.

Deepbit could crack a 10 char password every three seconds.

[finack]

The thing is that plenty of people here have reported having weak-ish passwords (including myself) that they didn't crack, so a large cracking network or optimized algs don't explain them.

Has anyone actually checked one of the hashes for one of the strong passwords and confirmed it's correct? Could just be someone fucking around.

If they are legit, they have to have come from another source than just cracking. Either they were pre-cracked or phished or the publisher had access to the passwords some other way.

[DamienBlack]

I wonder if people who aren't cracked, but are reporting that they have easy-ish passwords are people who had very little in their account. Is there any information about whether our account balances were available?

[SgtSpike]

A 5870 can do 3.8 Billion password combinations a second.

If you have 3 of them in your system like most miners do, thats 11.4 Billion per second

684 Billion per Minute
41 Trillion per Hour
984 Trillion per day (24 hours)
6.8 Quadrillion per week
210 Quadrillion per Month  

I think the days of "passwords" you type with a keyboard are over.

It'd take 4 months to crack a 10-char alphanumeric password.  I don't think the days of "passwords" you type with a keyboard are over.

That said, how did so many of these passwords get cracked so quickly, if it should take centuries to crack some of them based on length?  Were that many people really idiots enough to visit the phishing sites sent in the spam emails?

EDIT:  Also, mine was not cracked.

[xenon481]

The throwaway password I used on a throwaway mtgox account is not in the list. It was only 7 characters long with uppercase letters and numbers.

[bitcoin0918]

I doubt that these and the many more that are on there 1) got phished and 2)wound up on this particular list at the same time. Well, except for the last guy. Though I do suppose that is an upgrade to using 'password' for a password

Well, aside from *MAGIC*, by what other method do you believe those passwords were determined?

[bitcoin0918]

A 5870 can do 3.8 Billion password combinations a second.

If you have 3 of them in your system like most miners do, thats 11.4 Billion per second

684 Billion per Minute
41 Trillion per Hour
984 Trillion per day (24 hours)
6.8 Quadrillion per week
210 Quadrillion per Month  

I think the days of "passwords" you type with a keyboard are over.

Even with those numbers, it would take on average a week to crack a purely random 8-character combination of alphanumeric/special characters. If that number is raised to 10, it's 21 years, according to this spreadsheet calculator.

Yes but this spreadsheet assumes only 17 billion per hour not 41 Trillion.
 

No you dolt! I took their number for total combinations, and divided it by your password test rate, to determine the amount of time necessary. You could have seen this yourself by actually looking at the numbers, rather than just seeing something that didn't make sense and assuming that was the explanation.

[sturle]

The fact that a password is in this list doesn't imply that it was cracked. As finack said, the complex passwords were probably stolen by some other means - e.g. phishing - and happened to be reused.

Yep.  This is definetly a wordlist crack from both mangled words and leaked or phished passwords from other sites.  I can say that with 100% certainty because my own password isn't on the list.  My old Mt.Gox password was set for testing the new exchange at a time when a bitcoin was worth a few cents.  I used it on BBSes in the eighties, and it is very far from secure to modern standards.  Not even the nineties standard, I'd say.

[aral]

The throwaway password I used on a throwaway mtgox account is not in the list. It was only 7 characters long with uppercase letters and numbers.

ditto

i had no money in it, never have had

i think it's weird though if they managed to make a list of active users.  what does that imply?

[DamienBlack]

I can verify that 7XiBKeJe5ochSqVW is in fact the correct password, he was unsalted, and using "simple" md5. I cannot verify the salted passwords, they seem to be a different type of md5 then I am using. Why are there two different types of md5, and what do I call the second one?