Coinchat doesn't salt or use a strong hash algo

[🏰 TradeFortress 🏰]

gweedo: you have multiple security vulnerabilities on your sites like BitcoinLister.

I've already admitted that some of my sites weren't best practices, but that does not matter in the slightest when talking about Bitcoins because Inputs.io. And CoinLenders now uses a user specific salt generated from /dev/urandom.

No, I am not posting my entire source code or database.

Now the only thing remaining is coinchat. I'd love for you to bitch more about how a pet project chatroom doesn't use best practices, especially when it uses Inputs.io and has an effect of about nil!

(Keep in mind that this forum does not use a user specific salt.)

[favdesu]

tbh, I can't see any problems, as long as inputs is safe, since it's acting as the master account.

only issues are bad jurisdiction and doxing by the hopefully only one person with access to the db.

[🏰 TradeFortress 🏰]

I'm not talking about bitcoins. I'm talking about web security basics / best practices, which you violated many times for BitcoinLister. Including things like your architecture and code layouts. Every developer does that for hacky / pet projects really.

Aren't you arguing over a CHATROOM? Instead of Bitcoins (ie Inputs.io)?

Also, soon, the next time users sign into CoinLenders, they will be hashed and salted with data from /dev/random (so it's guaranteed to be all from environmental noise instead of some from PRNGs). I'm not doing this right now because it's impractical to get long salts for thousands of users from a blocking source.

[davout]

My Little Pony Forums needs to implement GPG auth! (We're implementing GPG signing for logging in for inputs too)

bitcoin-qt uses a random salt that scales according to host computational power for wallet encryption, FYI.

Using a salt to protect a password from being looked up in rainbow tables is useless.
Just because bitcoin-qt does something doesn't make it correct.

Care to clarify?  The purpose of salt is to prevent pre-execution attack (i.e. rainbow tables).

Yes, thing is, that's not really how passwords are cracked nowadays.
I strongly encourage you to read this and this, you'll see how it actually happens.

There is absolutely no reason not to salt passwords as in no possible way would it reduce security.

Usually when you do something thinking "it can't hurt" it means that you don't really understand what you're doing.

Furthermore many key derivitive functions like bcrypt have integrated support for generating and storing salt.  It no requires no additional work.

Yup, and that's precisely why the "should we use salts" question is completely outdated, you don't hash, use salts or whatever, you do the right thing, you use bcrypt.

I take it bitcoin-central doesn't salt passwords to protects users?

We actually switched to bcrypt before you even registered on bitcointalk.

[gweedo]

I'm not talking about bitcoins. I'm talking about web security basics / best practices, which you violated many times for BitcoinLister. Including things like your architecture and code layouts. Every developer does that for hacky / pet projects really.

Aren't you arguing over a CHATROOM? Instead of Bitcoins (ie Inputs.io)?

Also, soon, the next time users sign into CoinLenders, they will be hashed and salted with data from /dev/random (so it's guaranteed to be all from environmental noise instead of some from PRNGs). I'm not doing this right now because it's impractical to get long salts for thousands of users from a blocking source.

When did inputs.io become Bitcoins? So you claiming that inputs.io is now bitcoin?

[🏰 TradeFortress 🏰]

Inputs used bcrypt since the start, we've been looking into & implementing alternative security like GPG or password derivatives for signing transactions too.

Just because bitcoin-qt does something doesn't make it correct.

Most, if not a figure very close to 100% of software in the world does not use absolute best practices. People should be demanding absolute best practices for sites handling money like storing Bitcoins for example, and that's a valid point - but like I said before, Inputs.io uses bcrypt and that is the ONLY site that stores bitcoins.

Demanding that for a web chatroom not recommended to be used for sensitive communications isn't what you should be wasting your time with.

If you compromise someone's coinchat or coinlenders account - cool. Now withdraw to Inputs.io and try to compromise that!

When did inputs.io become Bitcoins? So you claiming that inputs.io is now bitcoin?

No, just that it actually handles Bitcoins.

[🏰 TradeFortress 🏰]

LOL so gweedo still wants the database of coinlenders. Dream on buddy.

[🏰 TradeFortress 🏰]

Dude all you do is screw over your users and abuse your powers

Yes, I screwed over a hacker / phisher / script kiddie / DoSer. Was he your friend?

Also, you're. Try digesting messages before rushing to post!

I'm happy to post a SQL dump of users.password, which are hashed and salted with a user unique salt. That proves nothing through, if it was not indistinguishable from randomness then it was done wrong.

No, you're not getting SSH / mysql / whatever access.

[vokain]

Dude all you do is screw over your users and abuse your powers

Yes, I screwed over a hacker / phisher / script kiddie / DoSer. Was he your friend?

Also, you're. Try digesting messages before rushing to post!

I'm happy to post a SQL dump of users.password, which are hashed and salted with a user unique salt. That proves nothing through, if it was not indistinguishable from randomness then it was done wrong.

No, you're not getting SSH / mysql / whatever access.

ooooh, in your quoted excerpt he actually used the possessive pronoun "your" correctly. a bit quick to flame back, eh Señor Grammar Nazi? 

[🏰 TradeFortress 🏰]

Dude all you do is screw over your users and abuse your powers

Yes, I screwed over a hacker / phisher / script kiddie / DoSer. Was he your friend?

Also, you're. Try digesting messages before rushing to post!

I'm happy to post a SQL dump of users.password, which are hashed and salted with a user unique salt. That proves nothing through, if it was not indistinguishable from randomness then it was done wrong.

No, you're not getting SSH / mysql / whatever access.

ooooh, in your quoted excerpt he actually used the possessive pronoun "your" correctly. a bit quick to flame back, eh Señor Grammar Nazi?  

Lol, my mistake, sorry

Anyway, gweedo, I'm happy to remove my negative feedback if you stop continue to make misleading and factually incorrect statements regarding my websites. You don't need to remove anything, that's extortion. I made it clear my negative feedback was because you continued to lie and spread FUD.

[scotaloo]

Dude all you do is screw over your users and abuse your powers

Yes, I screwed over a hacker / phisher / script kiddie / DoSer. Was he your friend?

Also, you're. Try digesting messages before rushing to post!

I'm happy to post a SQL dump of users.password, which are hashed and salted with a user unique salt. That proves nothing through, if it was not indistinguishable from randomness then it was done wrong.

No, you're not getting SSH / mysql / whatever access.

Friends with Gweedo? grasping at straws there lol! nah bro I don't even know him in fact I'm not sure if he is even a he, I always thought it was a she for some reason, now I'm confused.

EDIT: for clarification, gweedo lent an alt of mine money on btcjam before and I paid him back, thats the only other contact I've ever had with him, try and find out who it was gweedo!

DoSer? your the one who threatened to DoS me lol! provide proof I DoSed anyone, I don't have a botnet.

You've locked down your sites really good on the SQL injection side of things props for that, the rest however if laughably insecure, you clearly nothing about server administration/security but know a bit about web development is all. You remind me of a guy I met recently, he was an NVC developer and earned $200k working for a multi-national, he didn't know what a password hash was, he found the whole thing extremely alien when I explained it to him, he didn't know what ssh was, plus a lot of other things, and he was a web developer earning serious bucks with a very important job with years and years of experience, your just like him, your not capable of running a site on your own you should be a development contractor, and clearly you have no partners either because I don't believe anyone would let you do crazy shit like this.

I have no idea what is wrong with you, maybe its an ego thing, but people need to read this thread and see what you are really like.

Also you should provide that SQL dump, you'll know if its secure if your users don't get hacked after you post it (providing you actually post the real thing and not fake it which you likely will).

You fix that coinchat bug I told you about yet? how about the coinchat vulnerability I told you about or the coinlenders one? and the inputs.io bug/screw up (deposit I made never credited)? I still don't see it in my balance. Theymos was nice enough to listen to me and fix the 'issue' I pointed out to him on bitcointalk and even followed through and paid me the bounty, you just said 'oh your a phisher fuck off' didn't pay me for any of the ones I pointed out to you and didn't even fix them in some cases, so there will be no more dislosures when I find bugs/vulns in your sites, I will use them for personal gain.

Go and check your logs on coinchat for the "hollowinfinity" episode, where that account was hacked multiple times, you'll noticed I used a fuckload of vulnerabilities on your site that day, I'm never going to disclose them to you and your to incompetent to find them. And post the chatlog here from that 'episode' too so people can see how secure your shit really is.

[scotaloo]

Also, the only other person who ignored a vuln disclosure by me since I've came here in 2010 was davout, that worked out well for him didn't it, look at davout for the future of TradeFortress co.

[davout]

Also, the only other person who ignored a vuln disclosure by me since I've came here in 2010 was davout, that worked out well for him didn't it, look at davout for the future of TradeFortress co.

Lolwut?

[DeathAndTaxes]

Care to clarify?  The purpose of salt is to prevent pre-execution attack (i.e. rainbow tables).

Yes, thing is, that's not really how passwords are cracked nowadays.

Yeah rainbow tables can't be used BECAUSE sites employ the use of strong random salt.  If you passwords aren't salted then you are vulnerable to this much faster form of precomputation attack.

I strongly encourage you to read this and this, you'll see how it actually happens.

Nothing in there about not salting passwords.

The fact that the file of hashed passwords was not salted helps a lot.  As an aside, even if they were salted, you could concentrate the cracking session to crack the easiest passwords first using the "single" mode of John the Ripper.

Nobody said salt = "magic solve all your security problems" bullet.  However properly employing salt does make the job of the attacker harder.  They can't precompute, they can't use rainbow tables, they can't check all entries in password table simultaneously.  If your passwords is weak or known they can still break it but they have to do it the hard way.  One hash at a time with no speed ups. 

Furthermore many key derivitive functions like bcrypt have integrated support for generating and storing salt.  It no requires no additional work.

Yup, and that's precisely why the "should we use salts" question is completely outdated, you don't hash, use salts or whatever, you do the right thing, you use bcrypt.

Um bcrypt is a salted hash.  Are you dense?

If you're still using salts in 2013 you're an idiot, no exceptions.

We actually switched to bcrypt before you even registered on bitcointalk.

Thank you by your logic you are "an idiot, no exceptions".

[CIYAM]

Thank you by your logic you are "an idiot, no exceptions".

I can't see "davout's" posts as he is the only member of this forum that I have ignored but I think you have quite likely nailed it on the head (especially when you consider what happened to his own website).

[DiamondCardz]

So now we have FUD from both TF and gweedo.

Oh, for fuck sake, guys. Trying to paint each other red, there is always some kind of drama on this forum. This fucking FUD does not improve your reputation, it just makes you look like a dick.

@gweedo: I would trust TF with my bank account details, I'm 99% sure that he will never scam or access passwords for malicious use. Especially as people do have his personal info. He also DOES hash and salt his passwords, he doesn't need to give you his source code. Hell, I wouldn't give someone source code of something I made because they're having a hissy fit over security.

You don't trust it? Don't use it.

[DiamondCardz]

So now we have FUD from both TF and gweedo.

Oh, for fuck sake, guys. Trying to paint each other red, there is always some kind of drama on this forum. This fucking FUD does not improve your reputation, it just makes you look like a dick.

@gweedo: I would trust TF with my bank account details, I'm 99% sure that he will never scam or access passwords for malicious use. Especially as people do have his personal info. He also DOES hash and salt his passwords, he doesn't need to give you his source code. Hell, I wouldn't give someone source code of something I made because they're having a hissy fit over security.

You don't trust it? Don't use it.

So trying to help new users or protect users that may not be super into tech is now shown as being a "dick" and FUD. Yeah I guess I just shouldn't help those people anymore.

The only remotely bad thing was that he posted the hash of a password, and that password being find-able via Google search.

So yeah, FUD.

[🏰 TradeFortress 🏰]

gweedo: the issue is with you spreading FUD. The only site not salted is CoinChat but despite multiple denials you somehow assume it is for all my other sites, which is the FUD and lies part.

That's what is reasonable but obviously people will ho "a chat room just hashes? Everything is properly done for sites that actually handle money?" But I guess that reaction wasn't what you are looking for.

If you do not get this part, you're dense or you are just here to pick a fight.

[CIYAM]

I think that if gweedo only has *proof* of the one site not having secure passwords then the title of this topic should be changed (otherwise it really is FUD). To say you "suspect all other sites" run by the same person have the same problem is really a bit of a stretch if you have no proof.

Apart from that guys I think that this topic is doing *nothing* for the benefit of the Bitcoin community (although I am sure many are enjoying the *drama* of it all).

[DiamondCardz]

I think you should read this, gweedo. You might find it interesting.