Bitcoin Forum
December 09, 2016, 08:05:26 AM *
News: Latest stable version of Bitcoin Core: 0.13.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: « 1 2 [3]  All
  Print  
Author Topic: TradeHill – Security Update – Round 1 PCI Compliance / Business Verification etc  (Read 4575 times)
airdata
Sr. Member
****
Offline Offline

Activity: 406


View Profile
July 01, 2011, 04:34:44 PM
 #41

Thanks Jared.

I sent an email just now to you.
1481270726
Hero Member
*
Offline Offline

Posts: 1481270726

View Profile Personal Message (Offline)

Ignore
1481270726
Reply with quote  #2

1481270726
Report to moderator
1481270726
Hero Member
*
Offline Offline

Posts: 1481270726

View Profile Personal Message (Offline)

Ignore
1481270726
Reply with quote  #2

1481270726
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1481270726
Hero Member
*
Offline Offline

Posts: 1481270726

View Profile Personal Message (Offline)

Ignore
1481270726
Reply with quote  #2

1481270726
Report to moderator
1481270726
Hero Member
*
Offline Offline

Posts: 1481270726

View Profile Personal Message (Offline)

Ignore
1481270726
Reply with quote  #2

1481270726
Report to moderator
1481270726
Hero Member
*
Offline Offline

Posts: 1481270726

View Profile Personal Message (Offline)

Ignore
1481270726
Reply with quote  #2

1481270726
Report to moderator
Jered Kenna (TradeHill)
Sr. Member
****
Offline Offline

Activity: 420



View Profile WWW
July 01, 2011, 05:07:56 PM
 #42

Thanks Jared.

I sent an email just now to you.

You should have a new password in your inbox of the email account that you used.
We've responded by email but let me know if there is any confusion.

-Jered

moneyandtech.com
@moneyandtech @jeredkenna
phillipsjk
Legendary
*
Offline Offline

Activity: 1008

Let the chips fall where they may.


View Profile WWW
July 01, 2011, 05:28:37 PM
 #43

Well's just the thing: MtGox did salt (AFAIK) and I -did- have a good password and it still bombed, mostly because I believe they only used 1 iteration of MD5.

MD5 hashes are no longer cryptographically secure. If you were indeed using an old password hashed with MD5, the attacker could have generated a collision without guessing your password. However, it is usually easier to guess the password. If you generated the password yourself without using a random number generator, your password may not be as strong as you think it is.

Edit: looks like you still have to have knowledge of both messages to generate a collision.

James' OpenPGP public key fingerprint: EB14 9E5B F80C 1F2D 3EBE  0A2F B3DE 81FF 7B9D 5160
makomk
Hero Member
*****
Offline Offline

Activity: 686


View Profile
July 01, 2011, 06:54:31 PM
 #44

Edit: looks like you still have to have knowledge of both messages to generate a collision.
I think you actually have to be able to control both messages to generate a collision - that's actually the definition of one. In order to be able to generate a second message that gives the same hash as an existing message you need a preimage attack, and I don't think those are practical against MD5 yet.

Quad XC6SLX150 Board: 860 MHash/s or so.
SIGS ABOUT BUTTERFLY LABS ARE PAID ADS
FairUser
Sr. Member
****
Offline Offline

Activity: 261


View Profile WWW
July 01, 2011, 10:29:39 PM
 #45

I'd like to see the site log you out after x amount of time of inactivity.
I've rebooted my system several times and have yet to be prompted for a new password when I go to the site.


We've received feedback from users that love not being logged out and more that would prefer the additional security.
We've evaluated the situation and decided to implement logout due to inactivity. Security trumps laziness  Grin
We're coding it in as I write this and it should be live today after extensive testing.


Good man! 
FairUser
Sr. Member
****
Offline Offline

Activity: 261


View Profile WWW
July 01, 2011, 10:32:04 PM
 #46

Edit: looks like you still have to have knowledge of both messages to generate a collision.
I think you actually have to be able to control both messages to generate a collision - that's actually the definition of one. In order to be able to generate a second message that gives the same hash as an existing message you need a preimage attack, and I don't think those are practical against MD5 yet.

I think both of you have gotten a bit off topic here and missed one of the finer points.

Collisions don't matter here since Tradehill will lock your account if you try to login too many times.
phillipsjk
Legendary
*
Offline Offline

Activity: 1008

Let the chips fall where they may.


View Profile WWW
July 03, 2011, 06:24:33 AM
 #47

It is only off-topic because Tradehill does not use MD5 Hashing, I can't find what hashing they do at the moment.

However, if the database is compromised somehow, account locks after failed login attempts won't help much. That is why you need to choose a secure (likely hard to remember) password. It doesn't matter how convoluted the hash function is; attackers will have the time to do a dictionary attack on their own machines.

That said, (salted) hashing of the passwords is better than storing them in clear-text. It means that most users have time to change their passwords once they learn about the breach. Hopefully Tradehill won't have such a breach. Smiley

James' OpenPGP public key fingerprint: EB14 9E5B F80C 1F2D 3EBE  0A2F B3DE 81FF 7B9D 5160
Pages: « 1 2 [3]  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!