XPiRX (OP)
Newbie
Offline
Activity: 13
Merit: 0
July 02, 2011, 04:04:26 PM
So today I wake up to my PayPal account being used and several hundred dollars were being transferred from my bank account. If you all remember, MtGox was recently hacked and they required all your email account passwords to be changed as well as the site. They told us that their passwords were stored in MD5 and newer accounts were salted MD5. I changed every password I could possibly think of related to my email, making sure they were long and well secured. One password I forgot was PayPal, and guess what, my account was being used only weeks after MtGox got hacked. I had been using the same password as on MtGox. I quickly changed all my passwords, security questions, phone PIN, etc. and got it resolved rather quickly with PayPal.
My point being with all of this: change your passwords EVERYWHERE! I would also like to point out the fact that I highly doubt MtGox had MD5 or salted MD5 encrypted passwords because my password was 14 characters long before (was not a regular word, random letters with 4 numbers). It would have taken an extremely long time to decrypt an MD5 hash with that kind of character amount, if not impossible (due to it taking YEARS). I don't think MtGox had any password encryption at all now that this has happened. This is the first and I hope only time someone has gained access to an account of mine anywhere in the 2 decades I've been online.
So please change your passwords everywhere you used the same password and/or email address. Thanks!

gentakin
Member
Offline
Activity: 98
Merit: 10
July 02, 2011, 04:46:48 PM
The leaked accounts.csv file had a few thousand md5 password hashes, and the rest (total 60k) was md5 with salt.
Unless those have been hashed by the hacker, there's no reason to doubt MtGox had the passwords hashed.
1HNjbHnpu7S3UUNMF6J9yWTD597LgtUCxb
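To make gentakin's distinction concrete, here is an added example (not code from the thread or from MtGox; the user names, passwords and salts are constructed) that stores the same three constructed passwords three ways: plain MD5, salted MD5 in the shape described for the leaked CSV, and the slow, salted PBKDF2 scheme a site should use instead. Unsalted MD5 makes every user who chose the same password visible at a glance in a dump and lets one precomputed table serve every account; a per-user salt removes both properties, though MD5 itself stays fast enough that a single account's hash can still be tested against a wordlist, which is why the work factor of the final scheme matters.

```python
import hashlib
import hmac
import os

# Constructed sample accounts: two of the three users chose the same password.
USERS = {
    "alice": "correct horse",
    "bob": "hunter2",
    "carol": "hunter2",
}


def md5_unsalted(password: str) -> str:
    """Plain MD5 of the password, the scheme described for older accounts."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_salted(password: str, salt: bytes) -> str:
    """MD5 over salt || password, the shape described for newer accounts."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def pbkdf2_record(password: str, iterations: int = 200_000) -> tuple[bytes, int, bytes]:
    """What a site should store instead: a random per-user salt, the iteration
    count, and a PBKDF2-HMAC-SHA256 derived key that is deliberately slow."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, key


def pbkdf2_verify(password: str, record: tuple[bytes, int, bytes]) -> bool:
    """Recompute the key from the stored salt and compare in constant time."""
    salt, iterations, key = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, key)


def duplicate_groups(hashes: dict[str, str]) -> list[set[str]]:
    """Group users whose stored hash is byte-for-byte identical. With unsalted
    MD5 this grouping tells whoever holds the dump which users share a password."""
    by_hash: dict[str, set[str]] = {}
    for user, h in hashes.items():
        by_hash.setdefault(h, set()).add(user)
    return [group for group in by_hash.values() if len(group) > 1]


def compare_schemes() -> dict[str, int]:
    """Count shared-hash groups under unsalted and per-user-salted MD5."""
    unsalted = {u: md5_unsalted(p) for u, p in USERS.items()}
    salted = {u: md5_salted(p, os.urandom(8)) for u, p in USERS.items()}
    return {
        "unsalted_duplicate_groups": len(duplicate_groups(unsalted)),
        "salted_duplicate_groups": len(duplicate_groups(salted)),
    }


if __name__ == "__main__":
    print(compare_schemes())
    record = pbkdf2_record("hunter2")
    print("pbkdf2 verify correct password:", pbkdf2_verify("hunter2", record))
    print("pbkdf2 verify wrong password:  ", pbkdf2_verify("hunter3", record))
```

Running it shows one duplicate group (bob and carol) under plain MD5 and none once each user has a salt; the PBKDF2 record verifies only the right password. The iteration count is the tunable part: raise it until a verification takes a noticeable fraction of a second on the site's hardware.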

dinzy
July 02, 2011, 05:01:51 PM
Why would you not change your password on sites involving money after such a hack?

Bitsky
July 02, 2011, 05:20:54 PM
> Why would you not change your password on sites involving money after such a hack?

More interesting, why would one use the same password at different sites? Everybody tells you not to do that, but people still do it. There is nobody to blame but himself.

fascistmuffin
Newbie
Offline
Activity: 56
Merit: 0
July 02, 2011, 09:06:11 PM
Pretty sure we said to change passwords weeks ago when that happened. Sorry you missed all 100 of those posts.

geek-trader
July 02, 2011, 09:07:11 PM
I used to use the same password at most sites. Sites that had non-financial info, of course. Then Gawker Media got hacked, and that allowed a hacker into my Facebook page, which had the same email and password.
I learned my lesson that day. I got Last Pass, and all sites now have a unique and complex password.

geek-trader
July 02, 2011, 09:09:33 PM
> Pretty sure we said to change passwords weeks ago when that happened. Sorry you missed all 100 of those posts.

You win the internets. Seriously, made me laugh. Spot on.

Oldminer
Legendary
Offline
Activity: 1022
Merit: 1001
July 02, 2011, 09:09:40 PM
Yea thanks but I already changed my password from password

Bitsky
July 02, 2011, 10:13:15 PM
"was not a regular word, random letters with 4 numbers", huh? Let me introduce you to dictionary based attacks, you little rascal you.

> I learned my lesson that day. I got Last Pass, and all sites now have a unique and complex password.

http://techcrunch.com/2011/05/05/password-manager-last-pass-possibly-hacked/

Anybody who stores his passwords with a 3rd party online service is in a state of sin.

BitcoinPorn
July 02, 2011, 10:15:57 PM
> "was not a regular word, random letters with 4 numbers", huh? Let me introduce you to dictionary based attacks, you little rascal you.

rascalwned

geek-trader
July 02, 2011, 10:16:45 PM
But it turns out the "possibly" became "not". The alternative is to write them down in a little book that you always carry with you. Or have the same password everywhere. Whatever solution you use, it's going to be bad. Unless you have super memory, which I do not.

fascistmuffin
Newbie
Offline
Activity: 56
Merit: 0
July 02, 2011, 10:21:54 PM
> But it turns out the "possibly" became "not". The alternative is to write them down in a little book that you always carry with you. Or have the same password everywhere. Whatever solution you use, it's going to be bad. Unless you have super memory, which I do not.

Reminds me of a friend I have who has great memory. All his passwords are ~20 characters long, and involve numbers, letters (upper & lower). He picks a phrase and then implements it like: First letter, Number, Last letter, Number... . He makes a new password for every site. Amazing that he hasn't forgotten any.

Tasty Champa
Member
Offline
Activity: 84
Merit: 10
July 03, 2011, 12:55:57 AM
password changed from "password" to "passwerrrrrrd".

Jack of Diamonds
July 03, 2011, 02:12:03 AM
> password changed from "password" to "passwerrrrrrd".

There are ways to bruteforce all combinations with repeats up to 16 letters relatively fast. So if your pass is something like "paaaaaaaaaaaasword" or "passwwwwwword", it's not safer just because you entered a bunch of letters. Repeating the same word twice or multiple times is also one of the easiest ways to get your pass cracked as well (footballfootballfootball is not a safe pass).

What you need to do is use completely unique, altering-case letters and numbers & special characters each occurring no more than once. Example of a safe 25 char. password would be 4gD_7´%jU1Q#}!5Lv=¤*h^8~¨

About 20 to 30 characters should be safe forever, the harder it is to remember the better. Don't use sequential symbols, numbers or characters. Don't use words in a standard dictionary of any language no matter how cleverly disguised with stretched vocals or 1337-speak replacement of letters with numbers.
1f3gHNoBodYw1LLs3ndY0UanYB1tC0lnsBec4USeYoU9AREaCH34PBeGgAR67fx

phillipsjk
Legendary
Offline
Activity: 1008
Merit: 1001
Let the chips fall where they may.
July 03, 2011, 02:21:58 AM
> What you need to do is use completely unique, altering-case letters and numbers & special characters each occurring no more than once.

Repeats can happen in a secure, randomly generated password. For many passphrases, I have started using 32 random hex digits (128 bits of entropy). With only 16 symbols, each symbol is repeated, on average, twice. I did that calculation after noticing that one of my passphrases was actually missing one of those 16 symbols.

> Example of a safe 25 char. password would be 4gD_7´%jU1Q#}!5Lv=¤*h^8~¨

That password is no longer secure because it has been published and may now be in a password-cracking dictionary.
James' OpenPGP public key fingerprint: EB14 9E5B F80C 1F2D 3EBE 0A2F B3DE 81FF 7B9D 5160
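The two posts above can be checked with a little arithmetic. This is an added example, not from the thread or any of its posters: it computes the entropy of a uniformly random string with and without the "each symbol no more than once" rule Jack of Diamonds proposes, and the figures phillipsjk gives for 32 random hex digits (128 bits, each of the 16 symbols appearing twice on average), plus how many of the 16 symbols one should expect to be missing from such a string. The 95-symbol alphabet is assumed to be printable ASCII, and the "ten lowercase letters plus four digits" pattern is an assumed reading of the OP's 14-character description.

```python
import math

PRINTABLE_ASCII = 95  # assumed alphabet: letters, digits, punctuation and space


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols chosen uniformly, with replacement."""
    return length * math.log2(alphabet_size)


def entropy_bits_no_repeats(alphabet_size: int, length: int) -> float:
    """Entropy when each symbol may occur at most once: there are
    n * (n-1) * ... * (n-length+1) such strings, so take log2 of that product."""
    if length > alphabet_size:
        raise ValueError("cannot avoid repeats when length exceeds the alphabet")
    return sum(math.log2(alphabet_size - i) for i in range(length))


def expected_count_per_symbol(alphabet_size: int, length: int) -> float:
    """Average number of times any one symbol appears in a random string."""
    return length / alphabet_size


def prob_symbol_absent(alphabet_size: int, length: int) -> float:
    """Probability that one particular symbol never appears."""
    return (1 - 1 / alphabet_size) ** length


def expected_absent_symbols(alphabet_size: int, length: int) -> float:
    """Expected number of alphabet symbols missing from a random string
    (linearity of expectation over the alphabet)."""
    return alphabet_size * prob_symbol_absent(alphabet_size, length)


def structured_entropy(pattern: list[tuple[int, int]]) -> float:
    """Entropy of a password built from independent random segments,
    each given as (alphabet size, segment length)."""
    return sum(entropy_bits(size, n) for size, n in pattern)


def summary() -> dict[str, float]:
    """The figures discussed in the thread, computed rather than asserted."""
    return {
        "hex32_bits": entropy_bits(16, 32),
        "hex32_count_per_symbol": expected_count_per_symbol(16, 32),
        "hex32_prob_symbol_absent": prob_symbol_absent(16, 32),
        "hex32_expected_absent": expected_absent_symbols(16, 32),
        "ascii25_bits": entropy_bits(PRINTABLE_ASCII, 25),
        "ascii25_bits_no_repeats": entropy_bits_no_repeats(PRINTABLE_ASCII, 25),
        # assumed reading of the OP's password: 10 lowercase letters + 4 digits
        "letters10_digits4_bits": structured_entropy([(26, 10), (10, 4)]),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name:28s} {value:10.4f}")
```

The output bears out phillipsjk: 32 hex digits carry exactly 128 bits, each symbol shows up twice on average, and about two of the 16 symbols are expected to be absent from any given string, so noticing one missing is the normal case, not a flaw. Forbidding repeats over 25 printable-ASCII characters removes roughly five bits of entropy (about 159 bits instead of 164), because it shrinks the space of allowed strings; it adds nothing. Ten random letters with four digits comes to about 60 bits, far beyond any wordlist, so whether such a hash falls depends on how fast the stored hash function is rather than on dictionaries.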

Jack of Diamonds
July 03, 2011, 02:47:47 AM
That was just an example I made up on the spot. I hope nobody is dumb enough to actually use something that can be found with Google.
You can construct a similar pass with any combination of symbols.
1f3gHNoBodYw1LLs3ndY0UanYB1tC0lnsBec4USeYoU9AREaCH34PBeGgAR67fx