Bitcoin Forum
Author Topic: Cracked Passwords List Leaked, were you cracked?  (Read 16335 times)
darbsllim (OP)
June 28, 2011, 04:55:15 PM
 #41

Some of these people with complex passwords could have fallen for the fake mtgox emails

Brad Mills,
Investor - Former miner - Former Bitcoin Business Owner - Survivor of the Great Bitcoin Crashes of 2011 and 2012, the MtGox Heist of 2014 & the 2017 crypto bubble.
Bitrated user: bradmillscan.
bitcon
June 28, 2011, 04:57:45 PM
 #42

They got mine too..  wonder what percentage of this list even realize that their passwords are floating around on the internet for everyone to see..  that's a lot of passwords.
bitcoin0918
June 28, 2011, 05:04:20 PM
 #43

I set my password to my bitcoin address. What could be more secure than that?! Grin
gentakin
June 28, 2011, 05:10:02 PM
 #44

> I set my password to my bitcoin address. What could be more secure than that?! Grin

Now that you've publicly stated this, it should be trivial to get a tool up that searches the block chain for bitcoin addresses and attempts to crack your password with each of them. Wink

1HNjbHnpu7S3UUNMF6J9yWTD597LgtUCxb
Isepick
June 28, 2011, 05:12:51 PM
 #45

I can verify that 7XiBKeJe5ochSqVW is in fact the correct password, he was unsalted, and using "simple" md5. I cannot verify the salted passwords, they seem to be a different type of md5 than I am using. Why are there two different types of md5, and what do I call the second one?

http://www.insidepro.com/hashes.php?lang=eng

MD5(unix)

Edit: And the salted passwords match, too, at least the 3 I've checked:
60x8760b6k328vc3v24kw8y1
acy7zkprddv2k3iFd&
8W3G7Pds9712++

Curiouser and curiouser
bitcoin0918
June 28, 2011, 05:15:07 PM
 #46

> Now that you've publicly stated this, it should be trivial to get a tool up that searches the block chain for bitcoin addresses and attempts to crack your password with each of them. Wink

Yeah, but look how many characters it has - there's just NO WAY any cracking program could guess this: 1GryC1TD9bXdwrV1YbDX3RnJrS2Ak87Vbw. It's perfect! Cheesy
tsvekric
June 28, 2011, 05:30:37 PM
 #47

how could saab9000aeroskodafabiavrs or 7XiBKeJe5ochSqVW be cracked in such a short amount of time?  Even unsalted...

And the uncracked password list that was released had the salts along with each password, so being 'salted' or 'unsalted' shouldn't matter...

Hey TeKillaSunRise, check it out

-qwe2323
Bitcoin Swami
June 28, 2011, 05:34:06 PM
 #48

I guess I don't understand how password cracking works.  I don't understand how they get multiple chances figuring out a password.

 
sturle
June 28, 2011, 05:39:32 PM
 #49

> And the uncracked password list that was released had the salts along with each password, so being 'salted' or 'unsalted' shouldn't matter...

Yes, it matters.  A lot.  Salted means you have to crack each password individually.  You have to run through the entire list of candidates (until a match) for each and every salted password (given unique salts).  With unsalted passwords you can run through the wordlist once, and get all matching passwords with a single MD5 run for each word in your wordlist.  It doesn't matter for one single password, but for 60000 salting means 60000 times more work.  And salting renders rainbow tables useless, because you'd have to build one rainbow table for each possible salt.

See https://bitmynt.no for exchanging bitcoin for Norwegian kroner.  Safe, cheap, fast and easy since 2010.
I buy with EUR and other currencies at a fair market price when you want to sell.  See http://bitmynt.no/eurprice.pl
Warning: "Bitcoin" XT, Classic, Unlimited and the likes are scams. Don't use them, and don't listen to their shills.
BTC Economist
June 28, 2011, 05:46:45 PM
 #50

I'm surprised I'm not on the list.

When BTC soars, you need to be READY!  PM me to learn more about my new e-book, How to Create and Profit from the Second Bitcoin Bubble available exclusively to BTC forum members!

17JzkreEBYNHQM9tMTiUKCHANofwzHRLhP
o
June 28, 2011, 05:46:54 PM
 #51

What is the possibility of a hash collision? There is no need for those long character and number combinations to be the true user passwords; as long as their hashes match the user's true hash, the server will consider them to be the same. Though I would expect a collision password to be much uglier than the ones shown in the file.

As written in Wikipedia, there were already methods to generate collisions 5 years ago, with some requirements, so it is no surprise that there is a generic method to find a collision for a particular password.
sgravina
June 28, 2011, 05:54:27 PM
 #52

My password is not on the list.  It was 'password1'.  I read somewhere that 'password1' is the most common password so I figured it must be good.

Could somebody find the source of this list.  I would really like to know how this was done.  Is it really possible?  I suspect this list is at least partially fake.  My real password should have been easy to crack but is not on the list.

Sam
DukeOfEarl
June 28, 2011, 05:55:26 PM
 #53

> Yes, it matters.  A lot.  Salted means you have to crack each password individually.  You have to run through the entire list of candidates (until a match) for each and every salted password (given unique salts).  With unsalted passwords you can run through the wordlist once, and get all matching passwords with a single MD5 run for each word in your wordlist.  It doesn't matter for one single password, but for 60000 salting means 60000 times more work.  And salting renders rainbow tables useless, because you'd have to build one rainbow table for each possible salt.

Thanks for this explanation.  For implementation purposes, how would a website use a unique salt?  For example, when the username types in a password it must be joined to the salt and then an MD5 algorithm run over the product to compare with the database stored hash.

Somewhere then the salt must be stored, right?
kjj
June 28, 2011, 07:10:44 PM
 #54

> > Yes, it matters.  A lot.  Salted means you have to crack each password individually.  You have to run through the entire list of candidates (until a match) for each and every salted password (given unique salts).  With unsalted passwords you can run through the wordlist once, and get all matching passwords with a single MD5 run for each word in your wordlist.  It doesn't matter for one single password, but for 60000 salting means 60000 times more work.  And salting renders rainbow tables useless, because you'd have to build one rainbow table for each possible salt.
>
> Thanks for this explanation.  For implementation purposes, how would a website use a unique salt?  For example, when the username types in a password it must be joined to the salt and then an MD5 algorithm run over the product to compare with the database stored hash.
>
> Somewhere then the salt must be stored, right?

Random, and yes, it is stored.

If the hash started with $, it follows this format:  $<scheme, always 1 here>$<salt>$<hash>.  Scheme 1 means about 1001 rounds of MD5 with complex combinations of the previous round, the password, and the salt.

Other schemes are available for SHA, blowfish, and (try not to laugh) NT.

If it doesn't start with $, it is just a simple unsalted MD5 hash of the input.

17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8
I routinely ignore posters with paid advertising in their sigs.  You should too.
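
As an added example (not part of any post in this thread), this Python sketch shows the store-and-verify flow asked about above and the cost difference between salted and unsalted entries, parsing the `$<scheme>$<salt>$<hash>` layout from the post above. The function names, the `toy` scheme tag and the single-round `md5(salt + password)` stand-in are assumptions for illustration, not the real MD5(unix) algorithm, and the sample accounts are constructed.

```python
import hashlib
import secrets

def classify(stored):
    """Split a stored entry using the layout described in the post above."""
    if stored.startswith("$"):
        _, scheme, salt, digest = stored.split("$", 3)   # $<scheme>$<salt>$<hash>
        return {"scheme": scheme, "salt": salt, "hash": digest}
    return {"scheme": None, "salt": "", "hash": stored}  # plain unsalted MD5

def toy_hash(password, salt=""):
    # Assumption: one MD5 over salt+password, a stand-in for the real
    # scheme-1 algorithm, which mixes password and salt over many rounds.
    return hashlib.md5((salt + password).encode()).hexdigest()

def store(password, salted=True):
    """What the site keeps in its user table: the salt travels with the hash."""
    if not salted:
        return toy_hash(password)
    salt = secrets.token_hex(4)                          # random, per user
    return f"$toy${salt}${toy_hash(password, salt)}"

def verify(password, stored):
    entry = classify(stored)
    return secrets.compare_digest(toy_hash(password, entry["salt"]), entry["hash"])

def audit_cost(entries, wordlist):
    """Check every entry against a wordlist; return (weak indexes, MD5 calls)."""
    plain, salted, weak, calls = {}, [], set(), 0
    for i, entry in enumerate(map(classify, entries)):
        if entry["scheme"] is None:
            plain.setdefault(entry["hash"], []).append(i)
        else:
            salted.append((i, entry))
    for word in wordlist:
        if plain:                                        # one hash serves all unsalted rows
            calls += 1
            weak.update(plain.get(toy_hash(word), []))
        for i, entry in salted:                          # one hash per salted row
            calls += 1
            if toy_hash(word, entry["salt"]) == entry["hash"]:
                weak.add(i)
    return weak, calls

# Constructed sample data: 100 accounts sharing 3 passwords, and a 5-word list.
PASSWORDS = ["password1", "letmein", "zQ7#long-and-unusual"]
WORDLIST = ["123456", "password1", "qwerty", "letmein", "dragon"]
UNSALTED = [store(PASSWORDS[i % 3], salted=False) for i in range(100)]
SALTED = [store(PASSWORDS[i % 3]) for i in range(100)]
```

On the constructed data, `audit_cost(UNSALTED, WORDLIST)` needs 5 MD5 calls and `audit_cost(SALTED, WORDLIST)` needs 500, and both flag the same 67 accounts; the unsalted table also collapses to 3 distinct stored values while the salted one keeps 100.
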
justusranvier
June 28, 2011, 07:22:34 PM
 #55

> I doubt that these and the many more that are on there 1) got phished and 2) wound up on this particular list at the same time. Well, except for the last guy. Though I do suppose that is an upgrade to using 'password' for a password Tongue

Well, aside from *MAGIC*, by what other method do you believe those passwords were determined?
I can think of three possibilities:
Password reuse
Malware
Hash collisions
bitcoin0918
June 28, 2011, 07:27:33 PM
 #56

> > I doubt that these and the many more that are on there 1) got phished and 2) wound up on this particular list at the same time. Well, except for the last guy. Though I do suppose that is an upgrade to using 'password' for a password Tongue
>
> Well, aside from *MAGIC*, by what other method do you believe those passwords were determined?
> I can think of three possibilities:
> Password reuse
> Malware
> Hash collisions

Oh certainly, there are other methods (though password reuse alone doesn't cause this). I was just making the point that the *least likely* method was brute force cracking.
ErgoOne
June 28, 2011, 07:31:37 PM
 #57

Not sure if any of you have seen this or not, but here it is:

https://www.nanaimogold.com/microlionsec.txt

If you haven't changed your passwords yet...do it.

If you wanted to see whether or not your password was safe, feel free to check if it was cracked here.

Mine wasn't on this list, but anybody here would be foolish indeed to assume that this means their password wasn't cracked.  If you use the same password in multiple locations, and a security breach occurs in one location, you need to change the password at every location that you used it.
DamienBlack
June 28, 2011, 07:32:59 PM
 #58

Hash collision seems really unlikely to me. The odds should be microscopically small.
justusranvier
June 28, 2011, 07:48:35 PM
 #59

> Hash collision seems really unlikely to me. The odds should be microscopically small.

It's microscopically small for SHA hashes but MD5 has been considered broken (or nearly so) for a few years now.
luv2drnkbr
June 28, 2011, 08:00:37 PM
 #60

My password wasn't on there, so I'll just throw it out there.  My old mtgox password was 5kGrv3cM5-W_VKc9d6Zc.  And no, I don't use it for anything else....

Edit:  I've also started using 30 character passwords now too.  All this talk about cracking 10 characters in 3 seconds has me paranoid!
