Bitcoin Forum
Author Topic: [Warning] People with MtGox  (Read 2835 times)
XPiRX (OP)
Newbie
Activity: 13
Merit: 0
July 02, 2011, 04:04:26 PM
 #1

So today I wake up to my PayPal account being used and several hundred dollars being transferred from my bank account. If you all remember, MtGox was recently hacked and they required all your email account passwords to be changed as well as the site's. They told us that their passwords were stored in MD5 and newer accounts were salted MD5. I changed every password I could possibly think of related to my email, making sure they were long and well secured. One password I forgot was PayPal, and guess what, my account was being used only weeks after MtGox got hacked. I had been using the same password as on MtGox. I quickly changed all my passwords, security questions, phone PIN, etc. and got it resolved rather quickly with PayPal.

My point being with all of this: change your passwords EVERYWHERE! I would also like to point out that I highly doubt MtGox had MD5 or salted MD5 encrypted passwords, because my password was 14 characters long (not a regular word; random letters with 4 numbers). It would have taken an extremely long time to decrypt an MD5 hash with that many characters, if not impossible (due to it taking YEARS). I don't think MtGox had any password encryption at all now that this has happened. This is the first and I hope only time someone has gained access to an account of mine anywhere in the 2 decades I've been online.

So please change your passwords everywhere you used the same password and/or email address. Thanks!
gentakin
Member
Activity: 98
Merit: 10
July 02, 2011, 04:46:48 PM
 #2

The leaked accounts.csv file had a few thousand md5 password hashes, and the rest (total 60k) was md5 with salt.

Unless those have been hashed by the hacker, there's no reason to doubt MtGox had the passwords hashed.

1HNjbHnpu7S3UUNMF6J9yWTD597LgtUCxb
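An added example (not code from the thread or from MtGox) contrasting the two storage forms gentakin describes in the leaked file, plain MD5 and salted MD5, with a slow salted KDF. The user names, passwords and salts are constructed for the demonstration:

```python
import hashlib
import hmac
import os

# Constructed sample user table: two users happen to share a password.
USERS = {"alice": "summer2011", "bob": "summer2011", "carol": "correct horse"}

def md5_unsalted(password: str) -> str:
    """Plain MD5 as in the older accounts: identical passwords hash identically,
    so one precomputed or cracked hash exposes every user who chose that password."""
    return hashlib.md5(password.encode()).hexdigest()

def md5_salted(password: str, salt: bytes) -> str:
    """MD5 over salt||password: a per-user salt makes equal passwords hash
    differently and defeats precomputed tables, but MD5 itself stays fast to guess."""
    return hashlib.md5(salt + password.encode()).hexdigest()

def pbkdf2_record(password: str, salt=None, iterations: int = 200_000) -> str:
    """Slow, salted PBKDF2-HMAC-SHA256, stored as 'iterations$salt_hex$hash_hex'."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"

def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute from the stored parameters and compare in constant time."""
    iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

def duplicate_hashes(users: dict, salted: bool) -> int:
    """Number of stored hashes that are not unique. Unsalted MD5 reveals every
    shared password as a duplicate row; per-user salts hide that relationship."""
    hashes = [md5_salted(p, os.urandom(8)) if salted else md5_unsalted(p)
              for p in users.values()]
    return len(hashes) - len(set(hashes))

if __name__ == "__main__":
    print("unsalted duplicates:", duplicate_hashes(USERS, salted=False))
    print("salted duplicates:  ", duplicate_hashes(USERS, salted=True))
    rec = pbkdf2_record("summer2011")
    print(rec, pbkdf2_verify("summer2011", rec), pbkdf2_verify("summer2012", rec))
```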
dinzy
Full Member
Activity: 140
Merit: 100
July 02, 2011, 05:01:51 PM
 #3

Why would you not change your password on sites involving money after such a hack?   Shocked
AtlasONo
Hero Member
Activity: 551
Merit: 500
July 02, 2011, 05:16:01 PM
 #4

Duh
Bitsky
Hero Member
Activity: 576
Merit: 514
July 02, 2011, 05:20:54 PM
 #5

Quote
Why would you not change your password on sites involving money after such a hack?   Shocked
More interesting, why would one use the same password at different sites? Everybody tells you not to do that, but people still do it. There is nobody to blame but himself.

Bounty: Earn up to 68.7 BTC
Like my post? Feel free to drop a tip to 1BitskyZbfR4irjyXDaGAM2wYKQknwX36Y
vectorvictor
Newbie
Activity: 28
Merit: 0
July 02, 2011, 08:58:55 PM
 #6


The passwords that have been cracked independently include many that are 14 characters long.

http://forum.bitcoin.org/index.php?topic=24727.msg314393#msg314393

BTW, one list includes:

  XPiRX0@gmail.com rascal101

fascistmuffin
Newbie
Activity: 56
Merit: 0
July 02, 2011, 09:06:11 PM
 #7

Pretty sure we said to change passwords weeks ago when that happened. Sorry you missed all 100 of those posts.
geek-trader
Sr. Member
Activity: 294
Merit: 250
July 02, 2011, 09:07:11 PM
 #8

I used to use the same password at most sites.  Sites that had non-financial info, of course.  Then Gawker Media got hacked, and that allowed a hacker into my Facebook page, which had the same email and password.

I learned my lesson that day.  I got Last Pass, and all sites now have a unique and complex password.

Make 1 deposit and earn BTC for life! http://bitcoinpyramid.com/r/345
Play my FREE HTML5 games at: http://magigames.org  BTC donations accepted.
geek-trader
Sr. Member
Activity: 294
Merit: 250
July 02, 2011, 09:09:33 PM
 #9

Quote
Pretty sure we said to change passwords weeks ago when that happened. Sorry you missed all 100 of those posts.

You win the internets.  Grin

seriously, made me laugh.  Spot on.

Oldminer
Legendary
Activity: 1022
Merit: 1001
July 02, 2011, 09:09:40 PM
 #10

Yea thanks but I already changed my password from password

If you like my post please feel free to give me some positive rep https://bitcointalk.org/index.php?action=trust;u=18639
Tip me BTC: 1FBmoYijXVizfYk25CpiN8Eds9J6YiRDaX
Bitsky
Hero Member
Activity: 576
Merit: 514
July 02, 2011, 10:13:15 PM
 #11

"was not a regular word, random letters with 4 numbers", huh? Let me introduce you to dictionary based attacks, you little rascal you.

Quote
I learned my lesson that day.  I got Last Pass, and all sites now have a unique and complex password.
http://techcrunch.com/2011/05/05/password-manager-last-pass-possibly-hacked/
Anybody who stores his passwords with a 3rd party online service is in a state of sin.

BitcoinPorn
Hero Member
Activity: 630
Merit: 500
Posts: 69
July 02, 2011, 10:15:57 PM
 #12

Quote
"was not a regular word, random letters with 4 numbers", huh? Let me introduce you to dictionary based attacks, you little rascal you.

rascalwned

geek-trader
Sr. Member
Activity: 294
Merit: 250
July 02, 2011, 10:16:45 PM
 #13

Quote
http://techcrunch.com/2011/05/05/password-manager-last-pass-possibly-hacked/
Anybody who stores his passwords with a 3rd party online service is in a state of sin.

But it turns out the "possibly" became "not".

The alternative is to write them down in a little book that you always carry with you.  Or have the same password everywhere.

Whatever solution you use, it's going to be bad.  Unless you have super memory, which I do not.

fascistmuffin
Newbie
Activity: 56
Merit: 0
July 02, 2011, 10:21:54 PM
 #14

Quote
http://techcrunch.com/2011/05/05/password-manager-last-pass-possibly-hacked/
Anybody who stores his passwords with a 3rd party online service is in a state of sin.

But it turns out the "possibly" became "not".

The alternative is to write them down in a little book that you always carry with you.  Or have the same password everywhere.

Whatever solution you use, it's going to be bad.  Unless you have super memory, which I do not.

Reminds me of a friend I have who has a great memory. All his passwords are ~20 characters long, and involve numbers and letters (upper & lower). He picks a phrase and then implements it like: first letter, number, last letter, number... He makes a new password for every site. Amazing that he hasn't forgotten any.
Tasty Champa
Member
Activity: 84
Merit: 10
July 03, 2011, 12:55:57 AM
 #15

password changed from "password" to "passwerrrrrrd".
Jack of Diamonds
Sr. Member
Activity: 252
Merit: 251
July 03, 2011, 02:12:03 AM
 #16

Quote
password changed from "password" to "passwerrrrrrd".

There are ways to brute-force all combinations with repeats up to 16 letters relatively fast.
So if your pass is something like "paaaaaaaaaaaasword" or "passwwwwwword", it's not safer just because you entered a bunch of letters.
Repeating the same word twice or multiple times is also one of the easiest ways to get your pass cracked as well (footballfootballfootball is not a safe pass)

What you need to do is use completely unique, alternating-case letters and numbers & special characters, each occurring no more than once.

Example of a safe 25 char. password would be 4gD_7´%jU1Q#}!5Lv=¤*h^8~¨

About 20 to 30 characters should be safe forever, the harder it is to remember the better. Don't use sequential symbols, numbers or characters.

Don't use words in a standard dictionary of any language, no matter how cleverly disguised with stretched vowels or 1337-speak replacement of letters with numbers.

1f3gHNoBodYw1LLs3ndY0UanYB1tC0lnsBec4USeYoU9AREaCH34PBeGgAR67fx
phillipsjk
Legendary
Activity: 1008
Merit: 1001

Let the chips fall where they may.

July 03, 2011, 02:21:58 AM
 #17

Quote
What you need to do is use completely unique, altering-case letters and numbers & special characters each occurring no more than once.

Repeats can happen in a secure, randomly generated password. For many passphrases, I have started using 32 random hex digits (128 bits of entropy). With only 16 symbols, each symbol is repeated, on average, twice. I did that calculation after noticing that one of my passphrases was actually missing one of those 16 symbols.

Quote
Example of a safe 25 char. password would be 4gD_7´%jU1Q#}!5Lv=¤*h^8~¨

That password is no longer secure because it has been published and may now be in a password-cracking dictionary.

James' OpenPGP public key fingerprint: EB14 9E5B F80C 1F2D 3EBE  0A2F B3DE 81FF 7B9D 5160
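An added example (not code from the thread) that reproduces phillipsjk's calculation for 32 random hex digits, including the chance that one of the 16 symbols is missing entirely, and puts entropy figures on the other password schemes mentioned in the thread. The alphabet sizes and the guess rate are constructed assumptions, not measurements:

```python
import math
from fractions import Fraction

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)

def expected_count_per_symbol(alphabet_size: int, length: int) -> float:
    """Average number of times each symbol appears (2.0 for 32 hex digits)."""
    return length / alphabet_size

def prob_some_symbol_missing(alphabet_size: int, length: int) -> float:
    """Exact probability (inclusion-exclusion over the missing set) that at least
    one alphabet symbol never appears in a random string of the given length,
    i.e. the situation phillipsjk noticed in one of his passphrases."""
    n = alphabet_size
    total = Fraction(0)
    for k in range(1, n + 1):
        total += (-1) ** (k + 1) * math.comb(n, k) * Fraction(n - k, n) ** length
    return float(total)

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every string of the given entropy at a given rate."""
    return 2.0 ** bits / guesses_per_second / (365.25 * 24 * 3600)

# Constructed readings of the schemes discussed in the thread.
SCHEMES = {
    "32 random hex digits": entropy_bits(16, 32),
    "10 mixed-case letters + 4 digits": entropy_bits(52, 10) + entropy_bits(10, 4),
    "25 chars from 95 printable ASCII": entropy_bits(95, 25),
}

if __name__ == "__main__":
    print(f"expected count per hex digit: {expected_count_per_symbol(16, 32)}")
    print(f"P(some hex digit missing in 32 draws): {prob_some_symbol_missing(16, 32):.3f}")
    for name, bits in SCHEMES.items():
        print(f"{name:34s} {bits:6.1f} bits, "
              f"{years_to_exhaust(bits, 1e9):.3g} years at 1e9 guesses/s (assumed rate)")
```

A missing symbol is the common case, not a sign of a weak generator: the entropy comes from the 32 independent draws, not from which symbols happen to show up.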
Jack of Diamonds
Sr. Member
Activity: 252
Merit: 251
July 03, 2011, 02:47:47 AM
 #18

That was just an example I made up on the spot. I hope nobody is dumb enough to actually use something that can be found with Google.

You can construct a similar pass with any combination of symbols
