bcearl
June 29, 2011, 04:12:48 PM
my password is not on the list. it was seven rather random letters/caps/numbers and I did not use it anywhere else.
my mtgox balance has been: 0 btc / 0 usd
I think I did not log on to mtgox for a while before the incident.
I have used the mtgox claim website just for the fun of it.
these salted hashes/passwords match, I checked it.
2754,$1$ul1uYRLP$OX0qFAuT9wu78ZdAApIeB. 2754,K7mmI8lAsn1o0q
10253,$1$Pdz6SDbH$X3Nz7dxhG6/bXCpcHPrlg1 10253,yT#g1Srm123
13434,$1$vWDRQAo.$kH6Rc9E6unn80S.UK0RHa/ 13434,djcnbimil99332k
it would be a waste to crack these PWs. you could make plenty of coins instead.
the hackers will laugh their asses off if they read this thread and find everyone wondering. give us a hint already!
Enough people were stupid and used weak passwords, and the same passwords in mybitcoin. You don't make that much money with mining!
Misspelling protects against dictionary attacks NOT
SgtSpike (Legendary, Activity: 1400, Merit: 1005)
June 29, 2011, 04:14:29 PM
I recommend passwords at least 45 characters long with no character being the same. At least a sextillion years to get half way through cracking something like that.
How many minutes to search the room where you use the computer to find the place where you've written it down? Exactly. If I can't remember it in my head, it's a useless password.
bcearl
June 29, 2011, 04:16:22 PM
Quote from: SgtSpike
I recommend passwords at least 45 characters long with no character being the same. At least a sextillion years to get half way through cracking something like that.
How many minutes to search the room where you use the computer to find the place where you've written it down? Exactly. If I can't remember it in my head, it's a useless password.

Depends on the purpose. For an encryption passphrase it makes sense. For a login at mtgox it doesn't.
Misspelling protects against dictionary attacks NOT
fcmatt (Legendary, Activity: 2072, Merit: 1001)
June 29, 2011, 04:24:25 PM
Quote:
Man, I seriously underestimated the power of GPU password crackers! I had an 11-character password which I thought was pretty good--b1Ackb0x3!1, and that was cracked. I'm pretty sure I didn't succumb to any phishing attempts. Good thing I use 20+ characters for passphrases.

Quote:
leetspeak is no good. EDIT: My password was also weak, but fortunately it wasn't cracked yet. (I would like to tell you what the password is like, but maybe I should not give hints.)

the password above is not exactly l33tsp34k as i know it and if i had to configure a password cracker config file to attempt leetspeak cracking styles... i would not have guessed to match his style up.
it seems someone actually ran a gpu(s) password cracker for days on end.. if i had to guess. i wonder what the time line is for that file being first noticed versus the file being in the wild for anyone to get? Two weeks? 5 days? hmm
phelix (Legendary, Activity: 1708, Merit: 1020)
June 29, 2011, 04:32:07 PM
Quote from: bcearl
my password is not on the list. it was seven rather random letters/caps/numbers and I did not use it anywhere else.
my mtgox balance has been: 0 btc / 0 usd
I think I did not log on to mtgox for a while before the incident.
I have used the mtgox claim website just for the fun of it.
these salted hashes/passwords match, I checked it.
2754,$1$ul1uYRLP$OX0qFAuT9wu78ZdAApIeB. 2754,K7mmI8lAsn1o0q
10253,$1$Pdz6SDbH$X3Nz7dxhG6/bXCpcHPrlg1 10253,yT#g1Srm123
13434,$1$vWDRQAo.$kH6Rc9E6unn80S.UK0RHa/ 13434,djcnbimil99332k
it would be a waste to crack these PWs. you could make plenty of coins instead.
the hackers will laugh their asses off if they read this thread and find everyone wondering. give us a hint already!
Enough people were stupid and used weak passwords, and the same passwords in mybitcoin. You don't make that much money with mining!

according to the spreadsheet and crack rate bitcoin0918 posted above it would take more than 100 years to crack K7mmI8lAsn1o0q on a mining rig of 4x 5870s. and the chances to really find an account with money in it that (still) uses that password are rather low I think.
---correction--- probably that pw is more in the 5000 years range on 4x 5870.
fcmatt (Legendary, Activity: 2072, Merit: 1001)
June 29, 2011, 04:39:53 PM (last edit: June 29, 2011, 04:53:39 PM by fcmatt)
Quote (in reply to fcmatt's post above):
You don't even need a dictionary, all you need is a histogram to dramatically reduce the search space. That is why random is the only way to go.

You are right. That would be an excellent method to reduce the amount of work. But random may not really help unless it is spitting out some very very odd characters people normally never use and probably do not even know how to type in the USA. Do they output characters like this? (which i found on a webpage about a histogram of a rainbow table website)
2 times the character “ž”
2 times the character “®”
2 times the character “¯”
2 times the character “»”
2 times the character “Ø”
d.james (Sr. Member, Activity: 280, Merit: 250, Firstbits: 12pqwk)
June 29, 2011, 04:45:09 PM
How long would it take for our total mining power to bruteforce that 60,000 list?
You can not roll a BitCoin, but you can rollback some. Roll me back: 1NxMkvbYn8o7kKCWPsnWR4FDvH7L9TJqGG
bcearl
June 29, 2011, 05:50:46 PM
Quote from: fcmatt
the password above is not exactly l33tsp34k as i know it and if i had to configure a password cracker config file to attempt leetspeak cracking styles... i would not have guessed to match his style up.
it seems someone actually ran a gpu(s) password cracker for days on end.. if i had to guess. i wonder what the time line is for that file being first noticed versus the file being in the wild for anyone to get? Two weeks? 5 days? hmm

No, that's bullshit. That's the whole point I have been trying to make here for weeks now. You should not assume that the attacker is stupid if you want security. A dictionary attack does not mean that the cracker uses the Oxford dictionary for English. They have password dictionaries; they are generated for that purpose and include much more than correctly spelled Oxford words. And the tools can vary the words from the dictionary while testing by replacing letters with similar-looking numbers and special chars. Fact is: your password was cracked within a few days.
Misspelling protects against dictionary attacks NOT
dserrano5 (Legendary, Activity: 1974, Merit: 1029)
June 29, 2011, 06:40:38 PM
Quote from: fcmatt
2 times the character “ž”
2 times the character “®”
2 times the character “¯”
2 times the character “»”
2 times the character “Ø”

I would have been using some of those fancy Unicode characters for some time now if I weren't afraid that applications wouldn't be able to handle them properly, thus locking myself out of websites. Coping with Unicode is hard. Off the top of my head, and easily typeable with my actual keyboard setup/layout: — – « » ß þ Þ œ Œ æ Æ ø Ø …
bcearl
June 29, 2011, 06:51:00 PM
With ASCII alone you have about 95 characters, that makes 6.5 bits of randomness per character. If you have US international keyboard layout, you can make the following with the right ALT key: ¹²³¤€’¥× äåéëþüúíóö«»¬ áßðfghïœø¶ 朩®bñµç˙¿ with shift even more: ¡˝¯£¸¼½¾˘° ̣÷ ÄÅÉËÞÜÚÍÓÖ“”¦ Á§ÐFGHόذ¨ ÆŒ¢®BÑµÇˇ ̉
Misspelling protects against dictionary attacks NOT
nakowa (Member, Activity: 83, Merit: 10)
June 29, 2011, 06:51:26 PM
unfortunately, I was cracked, and lost 40 BTC...
phelix (Legendary, Activity: 1708, Merit: 1020)
June 29, 2011, 07:47:08 PM
Quote from: d.james
How long would it take for our total mining power to bruteforce that 60,000 list?

quite a long time. I calculated this one alone to take more than half a year: K7mmI8lAsn1o0q
well, a little shorter with network speed rising like crazy (data from posts above and bitcoinwatch)
Joise (Newbie, Activity: 30, Merit: 0)
June 29, 2011, 07:53:24 PM
There were other 8600 passwords from the database posted on Twitter...
Chick (Member, Activity: 70, Merit: 10)
June 29, 2011, 07:54:24 PM
Quote from: Joise
There were other 8600 passwords from the database posted on Twitter...

Link?
bcearl
June 29, 2011, 08:06:49 PM
To crack mine in a year, if you assume lower letters only and know the two special characters (26+2), you need 161.6 THashes/sec. After I tell you the exact set of characters, you still need 4.9 GHashes/sec for a year. And I consider this one of my weakest passwords.
Misspelling protects against dictionary attacks NOT
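The arithmetic behind the numbers traded in this thread (bcearl's 6.5 bits per printable ASCII character, his 161.6 THash/s and 4.9 GHash/s figures, and SgtSpike's no-repeats rule), as an added Python example that is not from any poster. The 365-day year, the 15-character length inferred from bcearl's figures, and the 1e8 hashes/s md5crypt rate are assumptions, not values from the thread.

```python
import math

# Assumption: a 365-day year, which is what reproduces bcearl's 161.6 THash/s figure.
SECONDS_PER_YEAR = 365 * 24 * 3600

def bits_per_char(alphabet_size: int) -> float:
    """Entropy of one character chosen uniformly from an alphabet of this size."""
    return math.log2(alphabet_size)

def keyspace(alphabet_size: int, length: int, repeats: bool = True) -> int:
    """Candidates a brute-force search must try in the worst case.

    repeats=False models SgtSpike's "no character being the same": the count is
    then the falling factorial n*(n-1)*...*(n-length+1). Uniform random choice
    is assumed; a pattern like Ev3rL@NRDX11090821 spans a far smaller space.
    """
    if repeats:
        return alphabet_size ** length
    if length > alphabet_size:
        raise ValueError("cannot avoid repeats when length exceeds alphabet size")
    return math.perm(alphabet_size, length)

def rate_to_exhaust(alphabet_size: int, length: int, seconds: float,
                    repeats: bool = True) -> float:
    """Hash rate (hashes/s) needed to try every candidate within `seconds`."""
    return keyspace(alphabet_size, length, repeats) / seconds

def years_to_exhaust(alphabet_size: int, length: int, rate: float,
                     repeats: bool = True) -> float:
    """Years a cracker at `rate` hashes/s needs to exhaust the keyspace. `rate` must
    be for the hash actually used: the dumped $1$ hashes are md5crypt, 1000 MD5
    rounds each, so far slower than raw MD5."""
    return keyspace(alphabet_size, length, repeats) / rate / SECONDS_PER_YEAR

def report() -> None:
    # 15 characters over 26 lowercase letters plus 2 known specials (the length is
    # inferred from bcearl's numbers): reproduces his 161.6 THash/s for one year.
    print(f"28^15 in one year: {rate_to_exhaust(28, 15, SECONDS_PER_YEAR) / 1e12:.1f} THash/s")
    # With the exact 14-symbol set known, his 4.9 GHash/s figure follows.
    print(f"14^15 in one year: {rate_to_exhaust(14, 15, SECONDS_PER_YEAR) / 1e9:.1f} GHash/s")
    print(f"printable ASCII: {bits_per_char(95):.2f} bits per character")
    # Assumed md5crypt rate of 1e8 hashes/s (not a figure from the thread).
    years = years_to_exhaust(95, 45, 1e8, repeats=False)
    print(f"45 distinct printable chars at 1e8 H/s: {years:.3g} years")

if __name__ == "__main__":
    report()
```

The same functions show why the cracked passwords in this thread fell: a leetspeak or word-based password is drawn from a wordlist-plus-rules space, not from 95^length, so the exhaustive-search numbers above overstate its strength by many orders of magnitude.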
FractalUniverse
June 29, 2011, 08:10:21 PM
yes, my password was cracked but i was just testing mtgox with no intention of trading at that time, so it was very weak.
xenon481
June 29, 2011, 08:12:12 PM
I would also check https://shouldichangemypassword.com/ It correctly reports I've had my password compromised once on June 19, 2011. I got an email from Chase about my account on June 20, so it seems pretty accurate. I asked it if the following passwords had been compromised and it told me they were safe.
- password
- password1
- password123
- p@ssw0rd
- P@ssw0rd
- love
- hackers
- superman
Tips Appreciated: 171TQ2wJg7bxj2q68VNibU75YZB22b7ZDr
Jack of Diamonds
June 29, 2011, 08:17:25 PM
Quote:
There is probably some kind of pattern in all the difficult-looking passwords that the cracker happens to find through clever combinations of dictionary attacks, leet speak decoding, common combinations and brute forcing. For instance Ev3rL@NRDX11090821 = Everland (a place) RDX (an explosive) and a number. w@chtw00rdLanimret! = Watch word Lanimret!
I would also have thought some of these were safe, though.

Quote:
Actually, "wachtwoord" means password in Dutch.

Yes, and Lanimret is terminal backwards. Using an advanced dictionary attack that also takes into account the use of symbols and numbers as substitutes for words, passwords like that are easy to crack using multiple GPUs. What you need to use is completely random, non-repeating ASCII characters that make zero logical sense. Here I would agree with Vladimir; if you can remember your password then you're doing it wrong.
1f3gHNoBodYw1LLs3ndY0UanYB1tC0lnsBec4USeYoU9AREaCH34PBeGgAR67fx
phelix (Legendary, Activity: 1708, Merit: 1020)
June 29, 2011, 08:23:43 PM
Quote from: Joise
There were other 8600 passwords from the database posted on Twitter...

Quote from: Chick
Link?

+1
jgraham (Full Member, Activity: 140, Merit: 100)
<Pretentious and poorly thought out latin phrase>
June 29, 2011, 08:33:16 PM
Quote:
Man, I seriously underestimated the power of GPU password crackers! I had an 11-character password which I thought was pretty good--b1Ackb0x3!1, and that was cracked. I'm pretty sure I didn't succumb to any phishing attempts. Good thing I use 20+ characters for passphrases.

It depends. IIRC in the broadcast Mt. Gox mentioned that some of the older accounts were MD5 unsalted. In which case a leetspeak pass isn't very good. Yours interestingly enough was salted. IMHO this was simply bad luck in one of two senses:
i) Your password happened to be in some wordlist or is a simple permute of some wordlist
ii) They started multiple crackers bruting specific keyspaces and yours was close to whatever the start point was for 11 char passwords.
By contrast I ran oclHashcat on my 6990 for my password and it seemed to say it would take 4 years to exhaust the keyspace but hey, if someone here wants to divert some of their mining software to the cause they're welcome to show me the error of my ways. That would be pretty cool too....
Interesting side issue. If your organization uses Google as a mail system and they perform password synchronization, they are shipping unsalted hashes to the big G (either SHA1 or MD5). I don't know how many people have access to encrypted hashes at Google but the sample seems large enough that it's only a matter of time before someone sees the money making potential there. (Password reset function + known gmail address + big ass hashing equipment = access to your Mt. Gox account).
I'm rather good with Linux. If you're having problems with your mining rig I'll help you out remotely for 0.05. You can also propose a flat-rate for some particular task. PM me for details.