Coinchat doesn't salt or use a strong hash algo

[gweedo]

CoinLenders and CoinChat hashes passwords.

CoinLenders also salt passwords.

CoinLenders also hashes your password in your browser with Javascript.

I cannot access your password (unlike what gweedo is claiming) on CoinLenders. I can only access the hash which is useless if it has been salted with a strong hash.

Gweedo is spreading FUD that I don't do this. He is posting a misleading screenshot out of context. I DO hash passwords. I don't salt them for CoinChat, but they are hashed.

As I am tired of saying the same thing again and again, this is now my stock response.

Now he is spamming.

@Trade if you want i can make a test account on both of your sites with a random  password, you can then post hash with salt here and a screenshot of username /hash from database to prove him wrong.

How do I know he didn't pay you just to say that. Also he could just take your stuff and throw into a hash generator.

[🏰 TradeFortress 🏰]

@Trade if you want i can make a test account on both of your sites with a random  password, you can then post hash with salt here and a screenshot of username /hash from database to prove him wrong.

You can also put a bounty to crack it.

A few things:

1) He only takes full source code and database as proof apparenty

2) I am not disclosing my salt

3) If I wasn't hashing / salting them, I could just hash later.

[escrow.ms]

How do I know he didn't pay you just to say that. Also he could just take your stuff and throw into a hash generator.

Because I do not work for him and he should post screenshot from online database (phpmyadmin).

[🏰 TradeFortress 🏰]

Screenshots shouldn't be trusted, they can be faked.

[gweedo]

1) He only takes full source code and database as proof apparenty

Only way in my book to prove it.

2) I am not disclosing my salt

*FACEPLAM* why would you disclose your salt, that would be pretty dumb and I never asked you to do that.

3) If I wasn't hashing / salting them, I could just hash later.

Exactly. Plus I always said your not strongly hashing them.

[🏰 TradeFortress 🏰]

1) He only takes full source code and database as proof apparenty

Only way in my book to prove it.

Thanks for this admission! https://bitcointalk.org/index.php?topic=254808.0

[🏰 TradeFortress 🏰]

Also, if you want your negative trust rating removed you just need to stop making false statements. Like the topic of this post.

[escrow.ms]

Let me grab some popcorn.

[gweedo]

https://bitcointalk.org/index.php?topic=254808.0

LMAO you locked it LMAO

Also, if you want your negative trust rating removed you just need to stop making false statements. Like the topic of this post.

When you prove to me that you have taken the necessary security. Then i will stop making statements against you. Extorting my trust rating doesn't look good for you btw. I don't care about rep, I still do my business like I will always.

 Just a prime example that power always get abused.

[DeathAndTaxes]

2) I am not disclosing my salt

Wait what?  Salt should be random and per record/account.  Anything less doesn't prevent a parallel execution attack.

[🏰 TradeFortress 🏰]

Wait what?  Salt should be random and per record/account.  Anything less doesn't prevent a parallel execution attack.

Yeah, that's the best practice. I use a user unique salt for Inputs. For CoinLenders it is one salt. This doesn't matter because you need to get into a Inputs account to get coins from CL anyway.

[DeathAndTaxes]

Wait what?  Salt should be random and per record/account.  Anything less doesn't prevent a parallel execution attack.

Yeah, that's the best practice. I use a user unique salt for Inputs. For CoinLenders it is one salt. This doesn't matter because you need to get into a Inputs account to get coins from CL anyway.

So one site has no salt, one site uses a weak static salt and one site does it "right"?

That makes sense.

[davout]

If you're still using salts in 2013 you're an idiot, no exceptions.

[🏰 TradeFortress 🏰]

So one site has no salt, one site uses a weak static salt and one site does it "right"?

That makes sense.

I could remove login checks for CoinLenders and nobody will be able to steal a single coin (because you're only able to transfer them to your Inputs account)

[🏰 TradeFortress 🏰]

If you're still using salts in 2013 you're an idiot, no exceptions.

My Little Pony Forums needs to implement GPG auth! (We're implementing GPG signing for logging in for inputs too)

bitcoin-qt uses a random salt that scales according to host computational power for wallet encryption, FYI.

[DeathAndTaxes]

If you're still using salts in 2013 you're an idiot, no exceptions.

Care to clarify?  The purpose of salt is to prevent pre-execution attack (i.e. rainbow tables).

There is absolutely no reason not to salt passwords as in no possible way would it reduce security.  It limits the attacker to one attempt on one account per operation which can never be slower without salt.  Furthermore many key derivitive functions like bcrypt have integrated support for generating and storing salt.  It no requires no additional work. 


I take it bitcoin-central doesn't salt passwords to protects users?

[DeathAndTaxes]

So one site has no salt, one site uses a weak static salt and one site does it "right"?

That makes sense.

I could remove login checks for CoinLenders and nobody will be able to steal a single coin (because you're only able to transfer them to your Inputs account)

It was more a "why", why make it more insecure than necessary?  Proper password security also protects your users if the site is compromised and users (being users) ended up using the same password on multiple sites, possibly even your other sites.

[escrow.ms]

If you're still using salts in 2013 you're an idiot, no exceptions.

Care to clarify?  The purpose of salt is to prevent pre-execution attack (i.e. rainbow tables).

There is absolutely no reason not to salt passwords as in no possible way would it reduce security.  It limits the attacker to one attempt on one account per operation which can never be slower without salt.  Furthermore many key derivitive functions like bcrypt have integrated support for generating and storing salt.  It no requires no additional work.  


I take it bitcoin-central doesn't salt passwords to protects users?

I think he's talking about static ie single salt.

[🏰 TradeFortress 🏰]

It was more a "why", why make it more insecure than necessary?  Proper password security also protects your users if the site is compromised and users (being users) ended up using the same password on multiple sites, possibly even your other sites.

Took a while but CoinLenders now hashes passwords 3 times (for legacy reasons), including once with a user specific randomly generated salt collected from environmental noise (/dev/urandom, I'm using the non blocking version for now because /dev/random is impractical as a quick update for thousands of users).

Still a mostly pointless change as (i) we tell users to not reuse passwords in large font, but yes some users don't listen and (ii) Inputs.io is required.

Difference this will make in practice due to CoinLender's Inputs.io requirement: close to zero

Difference this makes to forum posters: ??

[gweedo]

Lets just bring this back on topic, cause we have gone off topic for a bit. TradeFortress now has 2 bad practices on his sites. Sounds like he just experimented learned as he went, and never updated his previous sites. Which we all can be guilty of and  as soon as he proves that is fix, which isn't too much work. I will gladly remove all my post and threads.

I will how ever not be extorted and forced to do anything. I don't care if he tries and hack my paper wallets LMAO joke. But seriously extortion and trust system abuse isn't the route he should be taking.