Bitcoin Forum
Pages: « 1 [2] 3 4 »
Author Topic: Coinchat doesn't salt or use a strong hash algo  (Read 32160 times)
gweedo (OP)
Legendary
Activity: 1498
Merit: 1000
July 12, 2013, 08:24:25 AM
#21

CoinLenders and CoinChat hashes passwords.

CoinLenders also salt passwords.

CoinLenders also hashes your password in your browser with Javascript.

I cannot access your password (unlike what gweedo is claiming) on CoinLenders. I can only access the hash which is useless if it has been salted with a strong hash.

Gweedo is spreading FUD that I don't do this. He is posting a misleading screenshot out of context. I DO hash passwords. I don't salt them for CoinChat, but they are hashed.

As I am tired of saying the same thing again and again, this is now my stock response.

Now he is spamming.


@Trade if you want I can make a test account on both of your sites with a random password, you can then post hash with salt here and a screenshot of username/hash from database to prove him wrong.

How do I know he didn't pay you just to say that. Also he could just take your stuff and throw into a hash generator.
🏰 TradeFortress 🏰
Bitcoin Veteran
VIP
Legendary
Activity: 1316
Merit: 1043
July 12, 2013, 08:26:01 AM
#22

@Trade if you want I can make a test account on both of your sites with a random password, you can then post hash with salt here and a screenshot of username/hash from database to prove him wrong.

You can also put a bounty to crack it.

A few things:

1) He only takes full source code and database as proof apparently

2) I am not disclosing my salt

3) If I wasn't hashing / salting them, I could just hash later.
escrow.ms
Legendary
Activity: 1274
Merit: 1004
July 12, 2013, 08:27:00 AM
#23


How do I know he didn't pay you just to say that. Also he could just take your stuff and throw into a hash generator.

Because I do not work for him and he should post screenshot from online database (phpmyadmin).
🏰 TradeFortress 🏰
Bitcoin Veteran
VIP
Legendary
Activity: 1316
Merit: 1043
July 12, 2013, 08:27:38 AM
#24

Screenshots shouldn't be trusted, they can be faked.
gweedo (OP)
Legendary
Activity: 1498
Merit: 1000
July 12, 2013, 08:27:41 AM
#25

1) He only takes full source code and database as proof apparently
Only way in my book to prove it.

2) I am not disclosing my salt

*FACEPALM* why would you disclose your salt? That would be pretty dumb and I never asked you to do that.

3) If I wasn't hashing / salting them, I could just hash later.

Exactly. Plus I always said you're not strongly hashing them.
🏰 TradeFortress 🏰
Bitcoin Veteran
VIP
Legendary
Activity: 1316
Merit: 1043
July 12, 2013, 08:28:03 AM
#26

1) He only takes full source code and database as proof apparently
Only way in my book to prove it.

Thanks for this admission! https://bitcointalk.org/index.php?topic=254808.0
🏰 TradeFortress 🏰
Bitcoin Veteran
VIP
Legendary
Activity: 1316
Merit: 1043
July 12, 2013, 08:30:53 AM
#27

Also, if you want your negative trust rating removed you just need to stop making false statements. Like the topic of this post.
escrow.ms
Legendary
Activity: 1274
Merit: 1004
July 12, 2013, 08:32:35 AM
#28

Let me grab some popcorn.
gweedo (OP)
Legendary
Activity: 1498
Merit: 1000
July 12, 2013, 08:32:57 AM
#29

https://bitcointalk.org/index.php?topic=254808.0

LMAO you locked it LMAO

Also, if you want your negative trust rating removed you just need to stop making false statements. Like the topic of this post.

When you prove to me that you have taken the necessary security, then I will stop making statements against you. Extorting my trust rating doesn't look good for you btw. ;) I don't care about rep, I still do my business like I always will.

Just a prime example that power always gets abused.
DeathAndTaxes
Donator
Legendary
Activity: 1218
Merit: 1079
Gerald Davis
July 12, 2013, 08:35:28 AM
#30

2) I am not disclosing my salt

Wait what?  Salt should be random and per record/account.  Anything less doesn't prevent a parallel execution attack.
🏰 TradeFortress 🏰
Bitcoin Veteran
VIP
Legendary
Activity: 1316
Merit: 1043
July 12, 2013, 08:36:26 AM
#31

Quote
Wait what?  Salt should be random and per record/account.  Anything less doesn't prevent a parallel execution attack.

Yeah, that's the best practice. I use a user unique salt for Inputs. For CoinLenders it is one salt. This doesn't matter because you need to get into an Inputs account to get coins from CL anyway.
DeathAndTaxes
Donator
Legendary
Activity: 1218
Merit: 1079
Gerald Davis
July 12, 2013, 08:37:58 AM
#32

Quote
Wait what?  Salt should be random and per record/account.  Anything less doesn't prevent a parallel execution attack.

Yeah, that's the best practice. I use a user unique salt for Inputs. For CoinLenders it is one salt. This doesn't matter because you need to get into an Inputs account to get coins from CL anyway.

So one site has no salt, one site uses a weak static salt and one site does it "right"?

That makes sense.
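An added example, not code from the thread or from any of the sites discussed in it: the three storage schemes DeathAndTaxes lists in #30 and #32 (no salt, one site-wide salt, a random per-user salt) side by side, hashed against the same small set of accounts. A fast SHA-256 is used on purpose so that only the effect of the salt choice is visible; the account names, the passwords and the static salt value are all constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, List, Optional

# Constructed sample accounts. Two of them share a password, which any real
# user base will contain.
SAMPLE_ACCOUNTS = {
    "alice": "correct horse",
    "bob": "correct horse",
    "carol": "hunter2",
}


# Scheme 1 (what the thread says CoinChat does): a bare hash, no salt.
def store_unsalted(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


# Scheme 2 (what the thread says CoinLenders did): one fixed salt for every
# record. The value below is a constructed placeholder, not one from the page.
STATIC_SALT = b"placeholder-site-wide-salt"


def store_static_salt(password: str) -> str:
    return hashlib.sha256(STATIC_SALT + password.encode()).hexdigest()


# Scheme 3 (what DeathAndTaxes calls for): a fresh random salt per record,
# stored next to the digest so the login check can reuse it.
def store_per_user_salt(password: str, salt: Optional[bytes] = None) -> str:
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return salt.hex() + "$" + digest


def verify_per_user_salt(password: str, record: str) -> bool:
    salt_hex, _ = record.split("$", 1)
    recomputed = store_per_user_salt(password, bytes.fromhex(salt_hex))
    # Constant-time compare so the check does not leak how much of the digest matched.
    return hmac.compare_digest(recomputed, record)


def build_table(scheme: Callable[[str], str],
                accounts: Dict[str, str] = SAMPLE_ACCOUNTS) -> Dict[str, str]:
    """Hash every account's password under one scheme: what a leaked table looks like."""
    return {user: scheme(pw) for user, pw in accounts.items()}


def shared_password_groups(table: Dict[str, str]) -> List[List[str]]:
    """Usernames whose stored records are byte-for-byte identical.

    Under schemes 1 and 2 an identical password yields an identical record, so a
    leaked table exposes who shares a password, and one hash computed over a
    candidate password can be compared against every account at once (the
    "parallel execution attack" of post #30). Under scheme 3 every record carries
    its own salt, so the result is always empty: each candidate would have to be
    rehashed separately for every single account.
    """
    by_record: Dict[str, List[str]] = {}
    for user, record in table.items():
        by_record.setdefault(record, []).append(user)
    return sorted(sorted(users) for users in by_record.values() if len(users) > 1)


if __name__ == "__main__":
    for name, scheme in [("no salt", store_unsalted),
                         ("static salt", store_static_salt),
                         ("per-user salt", store_per_user_salt)]:
        print(f"{name:14s} shared-password groups: {shared_password_groups(build_table(scheme))}")
```

Running it prints `[['alice', 'bob']]` for the first two schemes and `[]` for the per-user salt. The grouping function doubles as a cheap audit for a table you are responsible for: if it ever returns a non-empty list, the records are not individually salted.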
davout
Legendary
Activity: 1372
Merit: 1007
1davout
July 12, 2013, 08:39:38 AM
#33

If you're still using salts in 2013 you're an idiot, no exceptions.

🏰 TradeFortress 🏰
Bitcoin Veteran
VIP
Legendary
Activity: 1316
Merit: 1043
July 12, 2013, 08:41:09 AM
#34

So one site has no salt, one site uses a weak static salt and one site does it "right"?

That makes sense.

I could remove login checks for CoinLenders and nobody will be able to steal a single coin (because you're only able to transfer them to your Inputs account)
🏰 TradeFortress 🏰
Bitcoin Veteran
VIP
Legendary
Activity: 1316
Merit: 1043
July 12, 2013, 08:43:10 AM
#35

If you're still using salts in 2013 you're an idiot, no exceptions.

My Little Pony Forums needs to implement GPG auth! (We're implementing GPG signing for logging in for inputs too)

bitcoin-qt uses a random salt that scales according to host computational power for wallet encryption, FYI.
DeathAndTaxes
Donator
Legendary
Activity: 1218
Merit: 1079
Gerald Davis
July 12, 2013, 08:44:19 AM
#36

If you're still using salts in 2013 you're an idiot, no exceptions.

Care to clarify?  The purpose of salt is to prevent pre-execution attack (i.e. rainbow tables).

There is absolutely no reason not to salt passwords, as in no possible way would it reduce security.  It limits the attacker to one attempt on one account per operation which can never be slower without salt.  Furthermore many key derivation functions like bcrypt have integrated support for generating and storing salt.  It requires no additional work.

I take it bitcoin-central doesn't salt passwords to protect users?
DeathAndTaxes
Donator
Legendary
Activity: 1218
Merit: 1079
Gerald Davis
July 12, 2013, 08:45:45 AM
#37

So one site has no salt, one site uses a weak static salt and one site does it "right"?

That makes sense.

I could remove login checks for CoinLenders and nobody will be able to steal a single coin (because you're only able to transfer them to your Inputs account)

It was more a "why", why make it more insecure than necessary?  Proper password security also protects your users if the site is compromised and users (being users) ended up using the same password on multiple sites, possibly even your other sites.

escrow.ms
Legendary
Activity: 1274
Merit: 1004
July 12, 2013, 08:46:10 AM
#38

If you're still using salts in 2013 you're an idiot, no exceptions.

Care to clarify?  The purpose of salt is to prevent pre-execution attack (i.e. rainbow tables).

There is absolutely no reason not to salt passwords, as in no possible way would it reduce security.  It limits the attacker to one attempt on one account per operation which can never be slower without salt.  Furthermore many key derivation functions like bcrypt have integrated support for generating and storing salt.  It requires no additional work.

I take it bitcoin-central doesn't salt passwords to protect users?

I think he's talking about static ie single salt.
🏰 TradeFortress 🏰
Bitcoin Veteran
VIP
Legendary
Activity: 1316
Merit: 1043
July 12, 2013, 08:55:49 AM
Last edit: July 12, 2013, 09:06:37 AM by TradeFortress
#39

It was more a "why", why make it more insecure than necessary?  Proper password security also protects your users if the site is compromised and users (being users) ended up using the same password on multiple sites, possibly even your other sites.

Took a while but CoinLenders now hashes passwords 3 times (for legacy reasons), including once with a user specific randomly generated salt collected from environmental noise (/dev/urandom, I'm using the non blocking version for now because /dev/random is impractical as a quick update for thousands of users).

Still a mostly pointless change as (i) we tell users to not reuse passwords in large font, but yes some users don't listen and (ii) Inputs.io is required.

Difference this will make in practice due to CoinLender's Inputs.io requirement: close to zero

Difference this makes to forum posters: ??
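An added example, not code from CoinLenders, Inputs.io or anyone in the thread, of what DeathAndTaxes describes in #36 (a KDF that generates and stores the salt for you, so it costs no extra work) and what #39 reaches for (a per-user salt from the OS random source, plus a path for legacy records). Python's `hashlib.scrypt` stands in for bcrypt, which needs a third-party package; the record format, the parameter values, the legacy `sha256$` layout and the `login` helper are all assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Dict

# Current cost policy. The parameters travel inside each record, so they can be
# raised later without invalidating existing logins. (Constructed values:
# n=2**14, r=8 needs 128*r*n = 16 MiB, within hashlib.scrypt's default maxmem.)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
DKLEN = 32


def hash_password(password: str, *, n: int = SCRYPT_N, r: int = SCRYPT_R,
                  p: int = SCRYPT_P) -> str:
    """Return one self-describing string: algorithm, cost, per-user salt, digest.

    The caller stores just this string; the salt is never managed, or disclosed,
    separately. os.urandom reads the OS CSPRNG (/dev/urandom on Linux), which is
    the right source for salts; blocking on /dev/random adds nothing here.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=DKLEN)
    return "$".join(["scrypt", str(n), str(r), str(p), salt.hex(), digest.hex()])


def legacy_sha256_record(password: str) -> str:
    """Constructed stand-in for an old unsalted record like the ones the thread criticises."""
    return "sha256$" + hashlib.sha256(password.encode()).hexdigest()


def verify_password(password: str, record: str) -> bool:
    parts = record.split("$")
    if parts[0] == "scrypt" and len(parts) == 6:
        _, n, r, p, salt_hex, digest_hex = parts
        candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                                   n=int(n), r=int(r), p=int(p), dklen=DKLEN)
        # Constant-time compare: a plain == returns at the first differing byte.
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    if parts[0] == "sha256" and len(parts) == 2:
        legacy = hashlib.sha256(password.encode()).hexdigest()
        return hmac.compare_digest(legacy, parts[1])
    return False  # unknown or malformed record never verifies


def needs_rehash(record: str, *, n: int = SCRYPT_N, r: int = SCRYPT_R,
                 p: int = SCRYPT_P) -> bool:
    """True for legacy records and for scrypt records with any parameter below policy."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return True
    stored = (int(parts[1]), int(parts[2]), int(parts[3]))
    return any(have < want for have, want in zip(stored, (n, r, p)))


def login(store: Dict[str, str], user: str, password: str) -> bool:
    """Check a login and migrate the record in place when it is out of policy.

    Migration happens only after a successful check, the one moment the
    plaintext is legitimately in hand, so a legacy table upgrades lazily as
    users log in instead of through a mass password reset.
    """
    record = store.get(user)
    if record is None or not verify_password(password, record):
        return False
    if needs_rehash(record):
        store[user] = hash_password(password)
    return True


if __name__ == "__main__":
    users = {"alice": hash_password("correct horse"),
             "carol": legacy_sha256_record("hunter2")}
    print("carol before:", users["carol"][:24], "needs rehash:", needs_rehash(users["carol"]))
    print("carol login:  ", login(users, "carol", "hunter2"))
    print("carol after: ", users["carol"][:24], "needs rehash:", needs_rehash(users["carol"]))
```

The same `login` path also covers the case post #39 worries about, thousands of existing users: nobody has to be reset, and each record is upgraded the first time its owner authenticates. Raising `SCRYPT_N` later works the same way, because `needs_rehash` reads the cost out of the record rather than assuming it.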
gweedo (OP)
Legendary
Activity: 1498
Merit: 1000
July 12, 2013, 08:57:01 AM
#40

Let's just bring this back on topic, 'cause we have gone off topic for a bit. TradeFortress now has 2 bad practices on his sites. Sounds like he just experimented, learned as he went, and never updated his previous sites. Which we all can be guilty of, and as soon as he proves that it is fixed, which isn't too much work, I will gladly remove all my posts and threads.

I will however not be extorted and forced to do anything. I don't care if he tries to hack my paper wallets LMAO joke. But seriously, extortion and trust system abuse isn't the route he should be taking.