Bitcoin Forum
November 06, 2024, 09:53:26 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Bitcoin Forum > Economy > Marketplace > Service Discussion > Inputs.io Security [Solved]
Pages: [1]
« previous topic next topic »
  Print  
Author Topic: Inputs.io Security [Solved]  (Read 900 times)
nimda (OP)
Hero Member
*****
Offline Offline

Activity: 784
Merit: 1000


0xFB0D8D1534241423


View Profile
July 02, 2013, 03:25:30 PM
Last edit: July 05, 2013, 09:03:43 PM by nimda
 #1
Quote
Passwords hashed with SHA256 before sent to the server - we never know your password
This concerns me slightly. The whole point of a hash is irreversibility once the server is compromised. However, this just uses the sha2 as the password. It's therefore a step forwards in some areas and a step backwards in others, unless the server takes the hash of the hash once received.
tom1
Full Member
***
Offline Offline

Activity: 130
Merit: 100



View Profile
July 02, 2013, 04:05:11 PM
 #2
I'm wondering why there isn't an official thread about Inputs.io?
█ ♦ Coinroll.it - 1% House Edge Dice Game ♦ █ • Coinroll Thread • *FREE* 100 BTC Raffle
My address for signing messages
escrow.ms
Legendary
*
Offline Offline

Activity: 1274
Merit: 1004


View Profile
July 02, 2013, 04:07:10 PM
 #3
Quote from: tom1 on July 02, 2013, 04:05:11 PM
I'm wondering why there isn't an official thread about Inputs.io?

Because it's in beta aka testing stage.
tom1
Full Member
***
Offline Offline

Activity: 130
Merit: 100



View Profile
July 02, 2013, 04:29:01 PM
 #4
Quote from: escrow.ms on July 02, 2013, 04:07:10 PM
Quote from: tom1 on July 02, 2013, 04:05:11 PM
I'm wondering why there isn't an official thread about Inputs.io?

Because it's in beta aka testing stage.
Hmm, it looks like it was released today: https://inputs.io/news#n-2
█ ♦ Coinroll.it - 1% House Edge Dice Game ♦ █ • Coinroll Thread • *FREE* 100 BTC Raffle
My address for signing messages
paroxsitic
Newbie
*
Offline Offline

Activity: 37
Merit: 0


View Profile
July 04, 2013, 03:33:08 PM
 #5
I have confirmed via HTTP recording they do send just a SHA256 hashed password over the network (with no salt). It would indeed be more secure to salt your pin code you entered in a way that would not be obvious to someone who was sniffing around.

None the less, hashing a password before it's sent in a POST is more secure most non-financial sites.

I can only hope they do some sort of unique salt when storing the password to their database.
MPOE-PR
Hero Member
*****
Offline Offline

Activity: 756
Merit: 522



View Profile
July 04, 2013, 11:41:14 PM
 #6
Quote from: nimda on July 02, 2013, 03:25:30 PM
Quote
Passwords hashed with SHA256 before sent to the server - we never know your password
This concerns me slightly. The whole point of a hash is irreversibility once the server is compromised. However, this just uses the sha2 as the password. It's therefore a step forwards in some areas and a step backwards in others, unless the server takes the hash of the hash once received.

There's no real reason to suspect they aren't taking the hash of the hash is there?
My Credentials  | THE BTC Stock Exchange | I have my very own anthology! | Use bitcointa.lk, it's like this one but better.
🏰 TradeFortress 🏰
Bitcoin Veteran
VIP
Legendary
*
Offline Offline

Activity: 1316
Merit: 1043

👻


View Profile
July 04, 2013, 11:57:20 PM
Last edit: July 05, 2013, 12:11:52 AM by TradeFortress
 #7
Quote from: MPOE-PR on July 04, 2013, 11:41:14 PM
Quote from: nimda on July 02, 2013, 03:25:30 PM
Quote
Passwords hashed with SHA256 before sent to the server - we never know your password
This concerns me slightly. The whole point of a hash is irreversibility once the server is compromised. However, this just uses the sha2 as the password. It's therefore a step forwards in some areas and a step backwards in others, unless the server takes the hash of the hash once received.

There's no real reason to suspect they aren't taking the hash of the hash is there?

This.

We use bcrypt on the server side, with a user unique salt.
nimda (OP)
Hero Member
*****
Offline Offline

Activity: 784
Merit: 1000


0xFB0D8D1534241423


View Profile
July 05, 2013, 09:03:19 PM
 #8
Quote from: MPOE-PR on July 04, 2013, 11:41:14 PM
Quote from: nimda on July 02, 2013, 03:25:30 PM
Quote
Passwords hashed with SHA256 before sent to the server - we never know your password
This concerns me slightly. The whole point of a hash is irreversibility once the server is compromised. However, this just uses the sha2 as the password. It's therefore a step forwards in some areas and a step backwards in others, unless the server takes the hash of the hash once received.

There's no real reason to suspect they aren't taking the hash of the hash is there?
The phrasing of the FAQ had me worried.
Quote from: TradeFortress on July 04, 2013, 11:57:20 PM
We use bcrypt on the server side, with a user unique salt.
That's good, thanks. I'll lock the topic.
Pages: [1]
  Print  
Bitcoin Forum > Economy > Marketplace > Service Discussion > Inputs.io Security [Solved]
 « previous topic next topic »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!