Bitcoin Forum
Author Topic: mcx passwords  (Read 4281 times)
usahero (OP)
August 08, 2013, 03:03:16 PM
Last edit: September 26, 2013, 01:18:23 PM by usahero
#1

Notice:

Everything mentioned here was fixed by RealSolid in version mcxnow v2 with implemented google authenticator 2fa and encrypted passwords.

Thus McxNOW is now the fastest and the best exchange in crypto world. Congratulations RealSolid on excellent work. Apologies to give you hard time during working on the update. Hopefully some of my ideas were helpful.

-------------------

Just wanted to share my opinion, that text-recoverable isn't the only questionable practice of mcxnow.

The biggest problem I see is that there is no 2FA of any kind.

If you want to withdraw your balance on:
Crypto-trade, you need to know your password and your pin.
Coins-e, you need to know your password and your email password.
Cryptsy, you need to know your password, your email password and if you have 2FA enabled, you need access to your 2FA device.
Vircurex, you need to know your password, and if you have 2FA enabled, you need access to your 2FA device.


On mcxnow, the only requirement for withdrawing coins is knowing the account password. Considering that the number of hacker-compromised computers is significant, this one-password safety policy is very unsafe.

Every other site beats mcxnow in that regard.


Best regards.


PS: If you try to dirty my name, I suggest you deposit all your funds to mcxnow!

ps: this post was edited on 18/8/2013 to replace "plain-text" with "text-recoverable", and the topic title was edited.

ps2: added notice to original post, 9/26/2013.
bidji29
August 08, 2013, 03:10:42 PM
#2

Passwords are not stored in plain text.
They are encrypted, and the operator can decrypt them if someone loses their password. They have to answer some security questions, like the amount on the account etc...

The 2-factor auth will be implemented in the update after the 10-Aug update.

usahero (OP)
August 08, 2013, 03:28:20 PM
#3

Passwords are not stored in plain text.


Possibly. But the admin can read your password. The operator can read any password. The hacker will also be able to read all passwords, if that is his goal.

The operator could also read your password and steal your funds while blaming the end user for having a compromised computer. He wouldn't get away with stealing all the coins from all users, but he could possibly get away with stealing from some users.

Anyway, of the exchanges I noted, only mcxnow does not have any 2FA. Tick tock..?






everybodyclapyohands
August 08, 2013, 06:45:34 PM
#4

Passwords are not stored in plain text.
They are encrypted, and the operator can decrypt them if someone loses their password. They have to answer some security questions, like the amount on the account etc...

The 2-factor auth will be implemented in the update after the 10-Aug update.

No developer should EVER be able to read user passwords. This is rule #1 of building a user login system. You generate a random salt for each user, hash their password including the salt, store the salt and hashed password, and only compare hashed strings when they log in.

This is now the second time I've heard of this policy and it makes me happy I stopped trading at that exchange a long time ago.

vinne81
August 08, 2013, 06:49:34 PM
#5

Just wanted to share, that having plain-text-stored passwords isn't the only problematic practice of never-wrong-operator of mcxnow.

That's my main problem there :)
paulthetafy
August 08, 2013, 07:04:27 PM
#6

Before everybody bashes RealSold and mcxNow, you might want to a) get some proof and b) give RS himself a chance to explain things rather than posting publicly.

Also remember that 2FA is coming soon (though not on Aug 10th AFAIK).  Can I remind you that BTC-e only introduced 2FA fairly recently!!

Lastly, usahero, I know you're having some beef with RealSolid and mcxNow at the moment, but raising this post was really low of you.

 - PTT
MCXnever
August 08, 2013, 07:29:18 PM
#7

Before everybody bashes RealSold and mcxNow, you might want to a) get some proof and b) give RS himself a chance to explain things rather than posting publicly.

Also remember that 2FA is coming soon (though not on Aug 10th AFAIK).  Can I remind you that BTC-e only introduced 2FA fairly recently!!

Lastly, usahero, I know you're having some beef with RealSolid and mcxNow at the moment, but raising this post was really low of you.

 - PTT

The proof is: ask RS for your password and he can give it to you. It has been that way for a while, so that is proof. Even if he changes it, he has a great record of usernames and passwords to skim from pools and exchanges for the folks not smart enough to change their passwords site by site. Let's get serious, the site is full of hate speech, racism, sexism, just an all-around bad environment. The owner is a straight up psychopath and very full of himself. C++ will solve cancer!

I will start posting chat logs from there just to show the enormous amount of hate mongering going on with this exchange but I think enough folks can vouch for that.
drummerjdb666
August 08, 2013, 07:40:50 PM
#8

SOUNDS LIKE A BUTT HURT OH NO I WAS BANNED THREAD TO ME!!!

FUCK OFF HERO!!!  GET OVER IT!!!
drummerjdb666
August 08, 2013, 07:41:59 PM
#9

and ur little dog too
notyep
August 08, 2013, 08:49:39 PM
#10

Before everybody bashes RealSold and mcxNow, you might want to a) get some proof and b) give RS himself a chance to explain things rather than posting publicly.

Also remember that 2FA is coming soon (though not on Aug 10th AFAIK).  Can I remind you that BTC-e only introduced 2FA fairly recently!!

Lastly, usahero, I know you're having some beef with RealSolid and mcxNow at the moment, but raising this post was really low of you.

 - PTT

I will start posting chat logs from there just to show the enormous amount of hate mongering going on with this exchange but I think enough folks can vouch for that.

"Welcome to the Internet!" 8)

coinerd
August 08, 2013, 08:55:38 PM
#11


The proof is: ask RS for your password and he can give it to you. It has been that way for a while, so that is proof. Even if he changes it, he has a great record of usernames and passwords to skim from pools and exchanges for the folks not smart enough to change their passwords site by site. Let's get serious, the site is full of hate speech, racism, sexism, just an all-around bad environment. The owner is a straight up psychopath and very full of himself. C++ will solve cancer!

I will start posting chat logs from there just to show the enormous amount of hate mongering going on with this exchange but I think enough folks can vouch for that.

MCXnever
August 08, 2013, 09:16:21 PM
#12


The proof is: ask RS for your password and he can give it to you. It has been that way for a while, so that is proof. Even if he changes it, he has a great record of usernames and passwords to skim from pools and exchanges for the folks not smart enough to change their passwords site by site. Let's get serious, the site is full of hate speech, racism, sexism, just an all-around bad environment. The owner is a straight up psychopath and very full of himself. C++ will solve cancer!

I will start posting chat logs from there just to show the enormous amount of hate mongering going on with this exchange but I think enough folks can vouch for that.


I think racism is bad, yes. Go read the chat there, it's non-stop race bashing, people's religion, holocaust jokes etc, lots of hate, unprofessional all around.


Quote
1) For the sake of argument let's say RS is using plain text passwords and can see them

So fucking what, if a person in the altcoin world is STUPID enough to use the same password on two different sites, they deserve to be ripped off. So basically by following password 101, all RS could do is see the password for his own site.

2) mcxNOW does not use plain text, this is straight up fud.

3) Coinhunter is telling the truth, he's banned only four people from mcxNOW and you're 25% of that population, that makes you special.

4) You are correct, CH/RS is a real piece of work, a megalomaniacal narcissistic POS, but what you're doing isn't promoting that idea, it's just making you look like a stupid fuck.


~BCX~

I don't disagree that it is insane to have the same passwords for any crypto site but they do. On that note has anyone asked for their passwords yet?

These are facts go see for yourself oh and buy some shares of the biggest scam around.
coinerd
August 08, 2013, 09:28:24 PM
#13

I think racism is bad, yes. Go read the chat there, it's non-stop race bashing, people's religion, holocaust jokes etc, lots of hate, unprofessional all around.

ahmed_bodi
August 16, 2013, 04:26:38 PM
#14

more reason why mcxnow should be avoided

[17:07] <ahmedbodi> RealSolid: how many actual times have i insulted you?
[17:13] <ahmedbodi> RealSolid: well^
[17:15] <RealSolid> you think i count or care about such things?
[17:16] <ahmedbodi> approximation, by my count like twice
[17:18] <RealSolid> ok?
[17:18] <ahmedbodi> never mind (facepalm)
[17:18] <ahmedbodi> plz unban my account? no trolling or spamming Cheesy
[17:20] <RealSolid> no you annoy me
[17:21] <RealSolid> its probably worse because youre muslim
[17:21] <necom> troll!
[17:21] <ahmedbodi> HAHAHA, and you guys call me a troll
[17:21] <ahmedbodi> 1 sec let me put my bot here so it starts recording
[17:21] <ahmedbodi> Tongue
[17:22] --> MainBot has joined this channel (~Crypto-Ex@host-212-159-185-14.static.as13285.net).
[17:22] <ahmedbodi> haha
[17:22] *** ChanServ gives channel operator privileges to RealSolid.
[17:22] *** RealSolid sets a ban on *!*@host-212-159-185-14.static.as13285.net.
[17:22] *** You have been kicked from channel #mcxnow by RealSolid (ahmedbodi).
[17:23] [474] ahmedbodi #mcxnow Cannot join channel (+b) - you are banned
[17:23] [474] ahmedbodi #mcxnow Cannot join channel (+b) - you are banned

DeathAndTaxes
August 16, 2013, 04:30:30 PM
#15

It's still pretty shitty of him to store passwords in a reversible format. If he gets hacked, an attacker can dump them. Of course he'd say it's absolutely impossible for his site to be hacked, but that's because he's seriously out of touch with reality.

This.

It shows a complete lack of understanding of basic password security.  If he got this wrong, what else did he get wrong?
Simple version: the website needs to be able to decrypt the password so it is like saying "no I keep my money locked up in that safe, the one with the key taped to the front of it".

Passwords are salted and hashed not encrypted for a reason.  This was cutting edge computer science ... in 1970.
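The two designs argued about in this thread side by side: the per-user salt plus hash that everybodyclapyohands describes in #4, and the "reversible format" with the key taped to the safe that DeathAndTaxes objects to in #15. This is an added example, not code from the thread or from mcxNOW; the master key, the toy keystream cipher and the sample passwords are constructed for illustration.

```python
"""Added example (not code from this thread or from mcxNOW): reversible
password storage beside salted one-way hashing. The master key, the toy
keystream cipher and the sample passwords are constructed for illustration."""
import hashlib
import hmac
import os

# --------------------------------------------------------------------------
# Design A: reversible storage. The server keeps a master key so the operator
# can hand a forgotten password back to its owner. The cipher here is a toy
# (XOR with an HMAC-SHA256 keystream); the lesson does not depend on the
# cipher: whoever holds the key and the rows reads every password at once.
# --------------------------------------------------------------------------
MASTER_KEY = b"constructed-master-key-do-not-use"  # sits on the same box as the DB


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic keystream: HMAC(key, nonce || counter) blocks, truncated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def reversible_store(password: str) -> dict:
    """Row written at signup: per-row nonce plus password XOR keystream."""
    nonce = os.urandom(16)
    pw = password.encode()
    ct = bytes(a ^ b for a, b in zip(pw, _keystream(MASTER_KEY, nonce, len(pw))))
    return {"nonce": nonce, "ct": ct}


def reversible_recover(record: dict) -> str:
    """What the operator runs to answer 'I forgot my password'. Anyone who
    obtains the rows and MASTER_KEY runs the same function over every row."""
    ks = _keystream(MASTER_KEY, record["nonce"], len(record["ct"]))
    return bytes(a ^ b for a, b in zip(record["ct"], ks)).decode()


def reversible_verify(record: dict, password: str) -> bool:
    """Login check under design A: decrypt, then compare in constant time."""
    return hmac.compare_digest(reversible_recover(record).encode(), password.encode())


def breach_dump(records: list) -> list:
    """Impact of a breach under design A: the whole plaintext list, one loop."""
    return [reversible_recover(r) for r in records]


# --------------------------------------------------------------------------
# Design B: random per-user salt + slow one-way hash (PBKDF2-HMAC-SHA256).
# The server only ever compares hashes; there is no recover function because
# none can be written. A lost password is reset, never handed back.
# --------------------------------------------------------------------------
PBKDF2_ITERATIONS = 600_000  # deliberately slow; tune so one hash costs ~100 ms


def hashed_store(password: str) -> dict:
    """Row written at signup: salt, cost parameter and the derived hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "hash": digest}


def hashed_verify(record: dict, password: str) -> bool:
    """Login check: recompute with the stored salt, compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


def salt_hides_reuse(password: str) -> bool:
    """Two users with the same password get unrelated rows, so a stolen table
    cannot even be grouped by shared password, let alone read back."""
    a, b = hashed_store(password), hashed_store(password)
    return a["salt"] != b["salt"] and a["hash"] != b["hash"]


if __name__ == "__main__":
    rows_a = [reversible_store(p) for p in ("hunter2", "correct horse")]
    print("design A after breach:", breach_dump(rows_a))          # every password
    row_b = hashed_store("hunter2")
    print("design B login ok:", hashed_verify(row_b, "hunter2"))   # True
    print("design B wrong pw:", hashed_verify(row_b, "hunter3"))   # False
    print("design B reuse hidden:", salt_hides_reuse("hunter2"))   # True
```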

usahero (OP)
August 16, 2013, 04:51:18 PM
#16

This thread was never about what you (idiots) think about what I think about being banned on mcxnow. I gave advice to realsolid and he is working hard on implementing 2FA.

Now if you idiots have problems with me, maybe that's because you are doubting your "investment"? If it is such a good investment, you shouldn't be afraid of one fud-troll, eh...?


Well, the list of people getting banned for stating facts on mcxnow is increasing. Enjoy your tiny fee-shares.. They will get lower after RealSolid decreases btc withdrawal fees from 0.005 to 0.001, as he promised... :D
usahero (OP)
August 16, 2013, 05:05:06 PM
#17

SOUNDS LIKE A BUTT HURT OH NO I WAS BANNED THREAD TO ME!!!

FUCK OFF HERO!!!  GET OVER IT!!!



You know it's a strange day in the neighborhood when BitcoinEXpress is defending Coinhunter aka Real Sold aka rlh aka Notyep.

@usahero


1) For the sake of argument let's say RS is using plain text passwords and can see them

So fucking what, if a person in the altcoin world is STUPID enough to use the same password on two different sites, they deserve to be ripped off. So basically by following password 101, all RS could do is see the password for his own site.

2) mcxNOW does not use plain text, this is straight up fud.

3) Coinhunter is telling the truth, he's banned only four people from mcxNOW and you're 25% of that population, that makes you special.

4) You are correct, CH/RS is a real piece of work, a megalomaniacal narcissistic POS, but what you're doing isn't promoting that idea, it's just making you look like a stupid fuck.


~BCX~



I care about your opinion. So far you have been active in every thread trying to "protect" your master. hahaha. so funny.


Anyway, if someone is "allowed" to spread lies about me, straight up FUD doesn't even sound that bad......

So I'll continue with straight up FUD if needed.
usahero (OP)
August 16, 2013, 05:08:00 PM
#18

Before everybody bashes RealSold and mcxNow, you might want to a) get some proof and b) give RS himself a chance to explain things rather than posting publicly.

Also remember that 2FA is coming soon (though not on Aug 10th AFAIK).  Can I remind you that BTC-e only introduced 2FA fairly recently!!

Lastly, usahero, I know you're having some beef with RealSolid and mcxNow at the moment, but raising this post was really low of you.

 - PTT

I gave rs a chance to explain everything about fee-shares. Instead of explaining the shares to me, he started yelling at me, making outrageous claims and shittalking me.


So we are still waiting for 2FA. I'm sure he will deliver it on time.

And since you don't know the circumstances around my beef with RealSolid, it is low of you to call it "low of me". Because you have no clue what happened.
usahero (OP)
August 16, 2013, 05:08:40 PM
#19

SOUNDS LIKE A BUTT HURT OH NO I WAS BANNED THREAD TO ME!!!

FUCK OFF HERO!!!  GET OVER IT!!!


If your dick was long enough, you could stick it in your a**
usahero (OP)
August 16, 2013, 05:09:40 PM
#20

Damn USA let it go.  It was just a chat ban.  I mean really you claim the trollbox is racist hate filled evil (it really isn't), but YOU'RE one of the only ones to ever get chat banned there.  

Did you get chat banned? Yep.
Did you deserve that ban?  I dunno, I didn't see what happened.
Is 2FA coming to mcxNOW?  "Soon."
Did RS steal your money before, or after, you were banned?  Nope.
Do you still trade on the site?  Probably... (and for good reason)


This post was obviously about 2fa, not about what you think about me. Get over it, I'm just an internet anonymous. You shouldn't waste time with me.......


OHHHHHHH, you are protecting your fee-shares... Here we go :)
laughingbear
August 18, 2013, 03:58:15 AM
#21

It's still pretty shitty of him to store passwords in a reversible format. If he gets hacked, an attacker can dump them. Of course he'd say it's absolutely impossible for his site to be hacked, but that's because he's seriously out of touch with reality.

This.

It shows a complete lack of understanding of basic password security.  If he got this wrong, what else did he get wrong?
Simple version: the website needs to be able to decrypt the password so it is like saying "no I keep my money locked up in that safe, the one with the key taped to the front of it".

Passwords are salted and hashed not encrypted for a reason.  This was cutting edge computer science ... in 1970.




Step up then big guy. Hack it, steal all the coins on the exchange. Teach him a lesson. We will all wait with bated breath.
DeathAndTaxes
August 18, 2013, 04:52:54 AM
#22

It's still pretty shitty of him to store passwords in a reversible format. If he gets hacked, an attacker can dump them. Of course he'd say it's absolutely impossible for his site to be hacked, but that's because he's seriously out of touch with reality.

This.

It shows a complete lack of understanding of basic password security.  If he got this wrong, what else did he get wrong?
Simple version: the website needs to be able to decrypt the password so it is like saying "no I keep my money locked up in that safe, the one with the key taped to the front of it".

Passwords are salted and hashed not encrypted for a reason.  This was cutting edge computer science ... in 1970.




Step up then big guy. Hack it, steal all the coins on the exchange. Teach him a lesson. We will all wait with bated breath.

Yes that is the standard for information security.  Don't follow established practices just do anything you feel like no matter how stupid (and pointless).   The fact that other sites (hundreds, thousands?) have made the same mistake and you can't undo it after the hack should just be ignored.  The absence of a hack means you are secure right?  That works right up until a hack does occur and then it is "oh well in hindsight who could have seen the hacker would decrypt the password list".  

Your statement is like saying you leave your door unlocked with a sign saying "money inside".  You haven't been robbed yet so it must be secure and anyone who says locking your door would be more secure should just try to rob you instead. 
usahero (OP)
August 18, 2013, 07:14:52 AM
Last edit: August 18, 2013, 08:06:31 AM by usahero
#23



From what I hear, the beef between BCX and RS goes way back. Claiming RS is BCX's "master" isn't just stupid, it's insane. You're excluding everyone's reasonable opinions by labeling them as "with RS".





You are correct, Coinhunter and I are old friends LOL

@usahero, claiming I'm a Coinhunter puppet is "Gold Certification" that

1) You're an idiot
2) Have no clue on RS/CH history
3) Butt Hurt over getting banned from a troll box LOL...


~BCX~





This post was about security. It was about the fact that mcxnow still has the worst 2fa security. On any other site you need more than a password to hack it. Only on mcx is knowing the password enough to get your coins stolen.

I have some funds there so it's something that matters to me.



I guess you are a troll, but not from his team. I don't care enough about you to track your history with RS. I am a troll too. So nice to meet you. And btw, everyone is free to think I am an idiot. So I'll write it here: I AM AN IDIOT.

Now deal with it. Everyone is free to ignore me.






laughingbear
August 18, 2013, 08:11:01 AM
#24

Don't follow established practices just do anything you feel like no matter how stupid (and pointless).  

like using a different password for every website?  I know you guys have an agenda to push here, and need to make rs or the website look bad, but try harder. 
usahero (OP)
August 18, 2013, 08:16:56 AM
#25

Don't follow established practices just do anything you feel like no matter how stupid (and pointless).  

like using a different password for every website?  I know you guys have an agenda to push here, and need to make rs or the website look bad, but try harder.  

It's a waste of time.

The result of the project will be whatever will be whether I troll or not.

I just saw yesterday that someone reopened topic that should be forgotten, so I took time to respond.



I am certain RealSolid is working on the patch right now, because he is not wasting as much time on chat, so the update will be around soon. The thing about the "plain-text" password was problematic to me at the time when I wanted to recover the password. I may be too paranoid, but I prefer to have my funds protected via 2FA - whether that is email confirmation, google auth or pin, anything is better than just a password. Fortunately password-only was good enough so far...




Etlase2
August 18, 2013, 08:45:09 AM
#26

Don't follow established practices just do anything you feel like no matter how stupid (and pointless).  

like using a different password for every website?  I know you guys have an agenda to push here, and need to make rs or the website look bad, but try harder.  

If anyone has an agenda to push, it's DeathAndTaxes. He is the hardcorest of hardcore bitcoin proponents and unequivocally biased, but he is totally, 100% correct here. Passwords, especially passwords that protect money, should not be stored in a reversible format. That is madness. (That is, of course, if actually true.)

K1773R
August 18, 2013, 08:52:14 AM
#27

Don't follow established practices just do anything you feel like no matter how stupid (and pointless).  
like using a different password for every website?  I know you guys have an agenda to push here, and need to make rs or the website look bad, but try harder. 
if RS really stores the passwords in plain or any reversible format (i.e., not hashing them properly, md5 isn't properly :P) then he lost me, i haven't seen any proof of this or did i miss it (due to ignoring this usascum moron)?

usahero (OP)
August 18, 2013, 09:10:10 AM
Last edit: August 18, 2013, 09:21:13 AM by usahero
#28


This post was about security.



Yeah sure it was LOL....

Somehow I have hard time believing this isn't just another one of your five "I'm butt hurt because I got banned by RS threads".

You must be real special because as much as RS hates me and I do him, even after asking him in his troll box "If his first anal sex was with his mother or his father", he still didn't ban me.

Since I'm in a charitable mood, here's a free suggestion for you.

If you find his site so bad, don't use it!



~BCX~

I know this stuff. It is up to me whether I want to trade on that site or not. It is also up to me whether I want to share my opinion about it or not. I don't think there is much you can do about it.

All this "butthurt" talk would be done on mcxnow chat, if I wasn't banned there.


usahero (OP)
August 18, 2013, 09:16:50 AM
#29

Don't follow established practices just do anything you feel like no matter how stupid (and pointless).  
like using a different password for every website?  I know you guys have an agenda to push here, and need to make rs or the website look bad, but try harder.  
if RS really stores the passwords in plain or any reversible format (i.e., not hashing them properly, md5 isn't properly :P) then he lost me, i haven't seen any proof of this or did i miss it (due to ignoring this usascum moron)?



He is storing them in a reversible format. If you want to recover your password, he gives you your password and he sees your password. There is no "password recovery" form on the site, and I think the only way to recover the password is:
1) message rs that you lost your password.
2) tell him a part of your password/describe your password, so that he can confirm "it is really you" who is recovering
3) he returns your password as a string, and in the process he sees your password.  When I did this procedure, I felt like my privacy had been breached.


Now even if you think I am a moron, you know something you didn't know before.

And if someone has done the procedure, please confirm it is really done this way, as I am not making this up.

K1773R
August 18, 2013, 01:05:32 PM
#30

Don't follow established practices just do anything you feel like no matter how stupid (and pointless).  
like using a different password for every website?  I know you guys have an agenda to push here, and need to make rs or the website look bad, but try harder.  
if RS really stores the passwords in plain or any reversible format (i.e., not hashing them properly, md5 isn't properly :P) then he lost me, i haven't seen any proof of this or did i miss it (due to ignoring this usascum moron)?



He is storing them in a reversible format. If you want to recover your password, he gives you your password and he sees your password. There is no "password recovery" form on the site, and I think the only way to recover the password is:
1) message rs that you lost your password.
2) tell him a part of your password/describe your password, so that he can confirm "it is really you" who is recovering
3) he returns your password as a string, and in the process he sees your password.  When I did this procedure, I felt like my privacy had been breached.


Now even if you think I am a moron, you know something you didn't know before.

And if someone has done the procedure, please confirm it is really done this way, as I am not making this up.


i apologize if this really is true!

BTCPOOLMINING
August 18, 2013, 01:51:11 PM
#31

I never stored my coins on mcxnow; after trading I transferred the coins back to my wallet. I have no problem with the trading platform, only the security.

K1773R
August 18, 2013, 02:20:09 PM
Last edit: August 18, 2013, 02:54:38 PM by K1773R
#32

well, i had a chat with RS on IRC, i asked him if i can publish it, he went mad and didn't answer anymore (so i cut the things below):
Code:
<K1773R> RealSolid: https://bitcointalk.org/index.php?topic=270155.0 <-- can i get a ACK/NACK on this? ie that you store the users PW in plain (or decryptable only by X ppl)
<RealSolid> passwords are stored encrypted yeah
<RealSolid> they are the only identifyable information atm, i may change it in the future and have other info i force people to enter
<RealSolid> name of first pet, etc
<K1773R> as suggestion, hash the passwords...
<K1773R> in 1970-1980 hashing started, now we have 2013!
<RealSolid> no
<RealSolid> theres no added security to my system in salting them
<K1773R> i like your idea about the selfbuild engine + DB alot, as its secure. but this is horrible
<K1773R> i dont talk abuot salting, i talk about hashing!
<RealSolid> or hashing
<RealSolid> that may change as i adapt future requirements of course
<K1773R> not hashing is a huge security risk, mtgox had to learn it the hard way
<RealSolid> haha
<RealSolid> thinking its a security risk shows your ignorance on mcxnow security
<K1773R> hmm, "they are the only identifyable information atm" <-- so you identify users per password and not per user id?
<RealSolid> no but if they want a reset its the only info they have put in there
<RealSolid> so i either offer no resets or add more info they can store to prove they are account holders
<K1773R> so if someone forgot his password (and really forgot), hes totally fucked or you just give it to them?
<RealSolid> the exchanges that do password email resets are way more insecure
<K1773R> i agree that password email resets are extreme insecure
<RealSolid> same with automated password recovery
<RealSolid> the mcxnow database is undumpable from the internet and you should be using a unique password at the site anyhow, this is what i tell everyone
<RealSolid> if you K1773R use a unique password at mcxnow there is no difference whether i hash+salt+shit on your password
<RealSolid> so im not sure what *your* personal issue is with the way i handle passwords, even if you think its insecure, when you should be following good security protocol as a security expert :P
<K1773R> if someone successfully takes over your engine, he gets access to the user DB as its needed to identify persons right? so why not just dumping this, all thats needed is to break the encryption (password? privkey? combination?) and you have the password of every person @ mcxnow
<K1773R> or did i miss something?
<RealSolid> i protect the people who are insecure people by nature by not allowing auto password resets and requiring they remember part of their password
<RealSolid> the only person who can "take over the engine" is someone who works at the datacenter of the exchange server
<RealSolid> not internet hackers
<RealSolid> and ive added protection against local admin hacking by encrypting everything the exchange uses
<RealSolid> nothing is fullproof of course, but worrying about your unique password being in the wild is nothing compared to losing all your funds right?
<K1773R> how comes? if your engine needs informations to identifiy users (ie, username + password), as soon you got the engine, you also got the encrypted password, all you need then is to encrypt it
<RealSolid> and as soon as you got the engine youve got all the funds too if youre an elite hacker who can decrypt and reverse engineer a x64 binary
<K1773R> yes, i liked your setup alot as its the only exchange i saw knowing something about security, this is just the little ugly thing that poped up, so im wondering ;)
<RealSolid> so if a compromised amazon elite hacker data center admin finds out about the mcxnow exchange server we could be in trouble
<RealSolid> so what do you propose to do instead of what i do to verify lost passwords?
<RealSolid> just lock people out of accounts if they forget?
<K1773R> nope, its a tough question
<RealSolid> to be honest i think only morons/haters care about this because as a specific user if you use unique password at mcxnow you are no more or less compromised if the database gets breached
<K1773R> i have no idea so far how an average person could be able to get his account back due to missing knowledge
<RealSolid> so why should *YOU* care about these people?
<K1773R> well, i dont care about anyone usual ;)
<K1773R> so if we are in trouble (stolen funds), would you pay it back out of ur pocket?
<RealSolid> people recommend salting and hashing passwords because sql and other database technologies are often compromised, mine cant be from the internet
<K1773R> if yes, well then i dont care anymore
<RealSolid> worrying about rogue elite datacenter admin hacker taking your password is the least of your worries, the funds are more important :P
<RealSolid> and unlike pretty much all other exchanges except perhaps mtgox ive put a lot of thought into protecting against those
<K1773R> so you would pay back the stolen funds?
<RealSolid> i dont have enough money to do that
<RealSolid> if theres a 50/50 split on funds in hot/cold for instance, i guess id just pay back the percentage in cold to everyone
<K1773R> ok
<RealSolid> to me thats pretty much game over material though
<RealSolid> so i never want it to happen at all
<RealSolid> hence the paranoia and security
after this, he didn't answer me anymore :S well, i for myself will stay @ mcxnow for "now", will see how things work out.

EDIT: seems he wasn't mad, just busy, will edit again if necessary.
EDIT2: chat updated.

CIYAM (Ian Knowles - CIYAM Lead Developer)
August 18, 2013, 02:31:29 PM
#33

Any system that encrypts rather than securely hashes account passwords is just asking for trouble (using reversible encryption for things like email addresses makes perfect sense, but not for account passwords).

Unfortunately even today many ISPs still do this (I have had low-level support staff read my password to me over the phone only several years ago).

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
SistaFista
August 18, 2013, 03:50:24 PM
#34

Why update a dead site? Even coins-e is better

TheRealSolid (Operator of mcxNOW | Programmer of MicroCash)
August 18, 2013, 04:01:09 PM
#35

Unfortunately when a layman such as usahero encounters manual password reset and verification he gets upset that his "used at every site" password is visible to someone like myself. However exchanges which have reset by email (which usahero wanted and thinks is secure) are actually quite insecure. MtGOX for instance has password reset by email.

https://www.mtgox.com/login/lost-password

Now why do mtgox (and pretty much everyone) do this? Well it cuts back on support to not have manual verification on password resets. So I don't necessarily blame shoe-string operations which employ simple systems to cut back on support. The funny thing is if I had the same insecure system setup then there would be no complaints from laymen such as usahero, regardless of how I stored the passwords. They would never know what really happens at the backend.

As to why I store passwords encrypted instead of hashed: it is simply to allow original account holders to claim their funds instead of blocking their access. As noted above email password resets are ridiculously insecure so I don't employ it. My current system allows me to see the password when requested by a user and they can give suggestions on something they should know (they may not know the whole password but they usually remember some of it). To get around this I could instead ask the user on signup to answer questions like "What is your first pet's name" or "What is your mother's maiden name", but then people may care that I store such details in recoverable form on the site also (you literally cannot win with some people). Currently the password serves as information only the current account holder should know.

Any person who is involved in security knows you should use a unique password at every site because that is the best security. You should never rely on a site to protect your "used everywhere password", use a new password at every site and there are zero issues in regards to how the site stores your password.

Anyone who thinks their "Sacred password" is sacred needs to get a clue. It shouldn't be sacred and if it is you need a lesson in internet security. Anyone reading this cannot claim ignorance on this going forward. It's rather embarrassing I need to post this as I figured most people on this forum were well versed in internet security but hopefully it can clear things up for those who aren't.

Finally I'll just say unlike every other exchange out there mcxNOW is coded entirely in C++ from top to bottom, it incorporates anti-virus-esque self protection systems which limit even a "rogue datacenter admin" getting fanciful with the exchange. I'm well versed not only in internet security but security against humans and these are employed at mcxNOW. I am just _that_ paranoid.

https://mcxnow.com - Fast and secure coin exchange.
Primecoin / Litecoin / Mincoin / Worldcoin / CopperLark
mr_random
August 18, 2013, 04:31:08 PM
#36

Email password reset mechanisms are not ridiculously insecure if they are done correctly. Their only weak point is that a 'hacker' could get their email password and do a reset, but of course if they can get their email password then they can probably get their mcxnow password too.

Hashing of passwords is the gold standard of password storage in web applications.

Admins are strongly advised to never use encryption for the obvious reason that if the db is compromised then the hacker gains access to everyone's passwords. Before you give your standard canned response to this, remember: 1. some people use dozens of websites and it's a pain in the arse having a strong, unique password for every single one, 2. even if you're the world's best programmer unexpected things can occur meaning the db could be compromised. It is therefore a non-zero probability that a hacker could gain everyone's passwords by your poor decision to employ encryption; using hashing+salting would make this a zero probability.
laughingbear (Deflationary champion)
August 18, 2013, 04:35:40 PM
#37

Just using a unique password would make this a zero probability.  This is such a non issue.
TheRealSolid (Operator of mcxNOW | Programmer of MicroCash)
August 18, 2013, 04:48:26 PM
#38

Email password reset mechanisms are not ridiculously insecure if they are done correctly. Their only weak point is that a 'hacker' could get their email password and do a reset, but of course if they can get their email password then they can probably get their mcxnow password too.

Hashing of passwords is the gold standard of password storage in web applications.

Admins are strongly advised to never use encryption for the obvious reason that if the db is compromised then the hacker gains access to everyone's passwords. Before you give your standard canned response to this, remember: 1. some people use dozens of websites and it's a pain in the arse having a strong, unique password for every single one, 2. even if you're the world's best programmer unexpected things can occur meaning the db could be compromised. It is therefore a non-zero probability that a hacker could gain everyone's passwords by your poor decision to employ encryption; using hashing+salting would make this a zero probability.

mcxNOW has no "Remote database", which means everything is incorporated on the one machine which doesn't have internet access. Secondly the reason hashing passwords is a "gold standard" is because everyone uses databases like SQL which have been hacked to death since the internet began. mcxNOW doesn't use these systems, it uses a custom database and the exchange server cannot be accessed on the internet. There is zero code to read passwords on the site which means it is impossible for an internet hacker to obtain passwords. Therefore the only way to get into the system is to be at the datacenter, then to understand the encryption, to reverse the binary, etc. It is beyond ludicrous to suggest this is a more probable event compared to any other system out there.

Meanwhile a typical exchange site that uses SQL can be broken from the internet. Yet if the SQL site uses password hashing it's somehow a "gold standard" compared to mcxNOW? Please. mcxNOW is *THE* standard because every single packet of information is controlled by the code from one person, I know everything that goes on within the exchange. There are no black boxes like others use in their php/sql/asp.net setup.

And email systems are ridiculously insecure. If an email is hacked from ANYWHERE then they can reset your exchange password and steal all your funds. Say you check your email at your mother's house and she has a virus. They log into your email, see you use mtgox and reset the password. 24 hours later your account is drained. Your main PC doesn't even have to be compromised and email systems are among the most compromised websites in existence. Most people probably aren't even aware their emails are hacked.

Your claim that email reset systems aren't insecure if "used properly" is easily extended to using a unique password at every site you use. It's really not that hard and the only reason you shouldn't be doing it is ignorance, not laziness.

CIYAM (Ian Knowles - CIYAM Lead Developer)
August 18, 2013, 05:08:21 PM
#39

Actually CIYAM Open is a 100% C++ platform (and I would be interested to perhaps compare notes then).

I only store hashed passwords in the DB and don't really understand why you are not doing the same - the *reset* issue is really not the same thing, as you can always send a new password (or a unique link for the email recipient) to accomplish this.

Why exactly do you think you should be able to decrypt your users' passwords?

usahero (OP)
August 18, 2013, 05:16:48 PM
#40

Unfortunately when a layman such as usahero encounters manual password reset and verification he gets upset that his "used at every site" password is visible to someone like myself. However exchanges which have reset by email (which usahero wanted and thinks is secure) are actually quite insecure.


I know the email recovery system has its weaknesses, so this is just another of your many strawman arguments. Let's rather focus on the recoverable passwords and the fact you can spy on our passwords?

If you worked your ass as much as you bragged about your c++ skills the last 2 months, the update would already be here... by the way. So go to work, make your followers happy.
TheRealSolid (Operator of mcxNOW | Programmer of MicroCash)
August 18, 2013, 05:17:50 PM
#41

Actually CIYAM Open is a 100% C++ platform (and I would be interested to perhaps compare notes then).

I only store hashed passwords in the DB and don't really understand why you are not doing the same - the *reset* issue is really not the same thing as you can always send a new password (or a unique link for the email recipient) to accomplish this.

Why exactly do you think you should be able to decrypt your user's passwords?


I don't believe in email password resets. I stated this. So unless you have another work-around to resolve people who forget passwords (outside of having them store other data about themselves in recoverable form) then it's pretty easy to understand my position.

TheRealSolid (Operator of mcxNOW | Programmer of MicroCash)
August 18, 2013, 05:20:48 PM
#42

Unfortunately when a layman such as usahero encounters manual password reset and verification he gets upset that his "used at every site" password is visible to someone like myself. However exchanges which have reset by email (which usahero wanted and thinks is secure) are actually quite insecure.


I know the email recovery system has its weaknesses, so this is just another of your many strawman arguments. Let's rather focus on the recoverable passwords and the fact you can spy on our passwords?


Yes I can spy on your passwords. If I moved to another piece of information for a user to store instead of passwords I'd be able to spy on that too, or your funds, etc. I'm the admin. Basically if you don't trust an admin to keep your password (or password hash) and other important data to themselves you shouldn't be using that site in my opinion. So what is your point, that an admin has access to data other people don't?

Alternatively you can do what every security expert does, use a unique password at every site so it's irrelevant. Simple isn't it?

CIYAM (Ian Knowles - CIYAM Lead Developer)
August 18, 2013, 05:22:54 PM
#43

I don't believe in email password resets. I stated this. So unless you have another work-around to resolve people who forget passwords (outside of having them store other data about themselves in recoverable form) then it's pretty easy to understand my position.

I also think that email password resets are a problem (although not so much if you use a GPG sign-up which CIYAM Open offers).

Asking someone to disclose even part of their password insecurely (i.e. via plain email or IM) is of no extra benefit and in fact is just even less secure than asking them to disclose something you sent in an initial email.

Why not also offer 2FA via Google Authenticator (I can give you the necessary code in C++ if you like as CIYAM Open offers this)?

usahero (OP)
August 18, 2013, 05:23:40 PM
#44

On decent sites, an admin would have to use a password cracker to see hashed passwords. On your site, you just click a button (or whatever implementation you are using).

So this is my concern, and it doesn't matter if I use the site or I don't use the site. And I can have an opinion of the site whether I use it or not.

CIYAM (Ian Knowles - CIYAM Lead Developer)
August 18, 2013, 05:26:13 PM
#45

On decent sites, admin would have to use password cracker to see hashed passwords.

Actually on CIYAM Open I wouldn't even try to crack your password (as I wouldn't have enough computing power to do so unless you used a very poor password - all I could do is change your password).

MCXnever
August 18, 2013, 05:29:45 PM
#46

Unfortunately when a layman such as usahero encounters manual password reset and verification he gets upset that his "used at every site" password is visible to someone like myself. However exchanges which have reset by email (which usahero wanted and thinks is secure) are actually quite insecure.


I know the email recovery system has its weaknesses, so this is just another of your many strawman arguments. Let's rather focus on the recoverable passwords and the fact you can spy on our passwords?


Yes I can spy on your passwords. If I moved to another piece of information for a user to store instead of passwords I'd be able to spy on that too, or your funds, etc. I'm the admin. Basically if you don't trust an admin to keep your password (or password hash) and other important data to themselves you shouldn't be using that site in my opinion. So what is your point, that an admin has access to data other people don't?

Alternatively you can do what every security expert does, use a unique password at every site so it's irrelevant. Simple isn't it?

Does anyone really trust you? Seriously, basic password shit. Name a major company that uses the RS method for password recovery. Perhaps Google's straw team of support crew can just give it to me. Does it mean I get my password as fast as we get fee shares or the site upgrade on the 10th? Does C++ enable us to trust you more? You sir are a nut job and no, WE DON'T TRUST YOU.
TheRealSolid (Operator of mcxNOW | Programmer of MicroCash)
August 18, 2013, 05:32:44 PM
#47

I don't believe in email password resets. I stated this. So unless you have another work-around to resolve people who forget passwords (outside of having them store other data about themselves in recoverable form) then it's pretty easy to understand my position.

I also think that email password resets are a problem (although not so much if you use a GPG sign-up which CIYAM Open offers).

Asking someone to disclose even part of their password insecurely (i.e. via plain email or IM) is of no extra benefit and in fact is just even less secure than asking them to disclose something you sent in an initial email.

Why not also offer 2FA via Google Authenticator (I can give you the necessary code in C++ if you like as CIYAM Open offers this)?


Google auth is in the next update already, but thanks for the offer. It's quite easy to implement in c++ which is why I like it.

This isn't about ways to make users more protected from themselves, it's a discussion about how mcxNOW stores some data and the ignorance on why it's irrelevant. People are coming at it like it's a SQL/PHP site when it's completely different and been coded in a way for utmost security.

I don't do email resets at all because even people who don't lose their passwords can be attacked in this way. The few people who do forget their passwords and email me are of course opening themselves up to potential abuse, but they will likely be in the "Loop" quicker than any attacker reading their email and can therefore change it before it's able to be abused. I tell people in my response emails this if usahero wants to share it with the world.

usahero (OP)
August 18, 2013, 05:47:36 PM
#48

You could easily implement an algorithm that would disallow you from seeing plain-text passwords. You could easily create an email recovery system which you would have to authorize first to be used. So people that didn't lose their password could not be attacked via the email recovery method, while protecting the privacy of people who did lose the password, but with this system they would have to share password details with you.

It's not as much a security concern (if you want to steal from us, you will steal from us anyway) as it is a customer experience issue.

Now you may continue with some strawman arguments and personal attacks... You are usually very off with assumptions of what I really think (which shouldn't be surprising, as sometimes I am serious and sometimes I just troll for the t of it).
SlyWax
August 18, 2013, 05:48:49 PM
Last edit: August 18, 2013, 06:04:04 PM by SlyWax
#49

So RealSolid, how does your system check the user password when he logs in?
He has to send a request to your password server.
So your password server is not off the internet.
It is just not directly on the internet.
So if a hacker compromises your site, he now has internet access to your password server.

Then you say "so what, the password should be unique to my site", but imagine the hacker just retrieves the password list and leaves, cleaning all his traces.
Then he could empty the accounts on mcxnow, even the cold storage ones.

So maybe there is a median solution here:
- Hash the passwords that are used to authenticate users logging in.
- Store an offline encrypted list of passwords, so you can do your manual password recovery stuff.

On a side note I agree with you that users have to trust the admin of a site, because whatever he says, he can watch your password if he wants to.
On the other side you could do the javascript hashing on the client side and that would prevent the admin from having access to it.
Actually I'm wondering why there is no standard way of doing the hashing on the browser side, this could be an enhancement of security worldwide...
 
mr_random
August 18, 2013, 05:50:41 PM
#50


mcxNOW has no "Remote database", which means everything is incorporated on the one machine which doesn't have internet access. Secondly the reason hashing passwords is a "gold standard" is because everyone uses databases like SQL which have been hacked to death since the internet began. mcxNOW doesn't use these systems, it uses a custom database and the exchange server cannot be accessed on the internet. There is zero code to read passwords on the site which means it is impossible for an internet hacker to obtain passwords. Therefore the only way to get into the system is to be at the datacenter, then to understand the encryption, to reverse the binary, etc. It is beyond ludicrous to suggest this is a more probable event compared to any other system out there.

No, it's beyond ludicrous to suggest it's not possible there are holes in your security measures outside of a dodgy datacenter. It's laughable you think it's impossible there might be a hole somewhere you haven't thought of. The probability is non-zero, fact.

Multi-billion dollar companies with teams of the best minds in the industry have had their dbs compromised by hackers, you're deluded to have your main argument as "welp we can't be hacked anyway LOL".

Meanwhile a typical exchange site that uses SQL can be broken from the internet. Yet if the SQL site uses password hashing it's somehow a "gold standard" compared to mcxNOW? Please. mcxNOW is *THE* standard because every single packet of information is controlled by the code from one person, I know everything that goes on within the exchange. There are no black boxes like others use in their php/sql/asp.net setup.

This is complete fluff in relation to my post. As far as 'gold standard', the SQL site that uses password hashing and salting per password is doing a superior job to mcxnow in terms of password storage. The "every single packet of information" nonsense is simply irrelevant to what we are talking about here. Encrypted passwords could be retrieved in plaintext form by a hacker at your exchange Realsolid, however small the possibility, it's still a possibility. Honestly I'm not wanting to be rude here, but do you not understand this concept?

And email systems are ridiculously insecure. If an email is hacked from ANYWHERE then they can reset your exchange password and steal all your funds. Say you check your email at your mother's house and she has a virus. They log into your email, see you use mtgox and reset the password. 24 hours later your account is drained. Your main PC doesn't even have to be compromised and email systems are among the most compromised websites in existence. Most people probably aren't even aware their emails are hacked.

I addressed this point in my original message in anticipation of you making this weak argument. Yes you could check your email on a computer that has a virus. In the same way you could check your mcxnow account on a computer that has a virus. By extension that makes your own site 'ridiculously insecure'. If you have a keylogger on your machine you think the keylogger will collect the email password but never the mcxnow password? That makes no sense at all.

Your claim that email reset systems aren't insecure if "used properly" is easily extended to using a unique password at every site you use. It's really not that hard and the only reason you shouldn't be doing it is ignorance, not laziness.

The distinction between the two is that if you implemented an email reset system properly the onus wouldn't fall on the customer but instead on the person who is responsible for running the exchange.

Just using a unique password would make this a zero probability.  This is such a non issue.

That doesn't make any sense in relation to what I wrote:

Quote
It is therefore a non-zero probability that a hacker could gain everyone's passwords by your poor decision to employ encryption; using hashing+salting would make this a zero probability.

If everyone used a strong, unique password (never going to happen) the hacker gaining access to all those passwords would still be a non-zero probability. I guess what you tried to say is, if everyone used a strong, unique password then it wouldn't matter if a hacker gained access to everyone's passwords - however people do re-use their passwords unfortunately, a good programmer would design for this and use the standard approach of hashing and salting - it's very, very little effort. This is all completely standard, textbook web programming stuff you'll find in any book or lecture on the subject.

Do not confuse me as someone who is claiming the exchange is insecure. I am simply explaining that their password storage procedure is crap.

As a separate note, ethically Realsolid should say on his sign up page that passwords can be decrypted to their plaintext format by the admin and are thus readable by him. Because that is the case here. It will also encourage and explain to users one reason why they have to use a unique, strong password just for mcxnow.

mr_random
August 18, 2013, 05:57:36 PM
#51


Then you say "so what, the password should be unique to my site", but imagine the hacker just retrieves the password list and leaves, cleaning all his traces.
Then he could empty the accounts on mcxnow, even the cold storage ones.

This is a good point. If RS has done things properly the cold storage funds won't be accessible and only the hot wallet would be affected by this. Although until RS realised/accepted that his db had been compromised, the hacker could just keep emptying the hot wallet every time RS filled it back up.
Shad3dOne
August 18, 2013, 07:23:50 PM
#52

I find password drama...interesting....

I wonder how bitcointalk.org stores and retrieves our passwords?

MCXnever
August 18, 2013, 08:48:49 PM
#53

um hello this thread should never die
CIYAM (Ian Knowles - CIYAM Lead Developer)
August 19, 2013, 02:13:33 AM
#54

Actually I'm wondering why there is no standard way of doing the hashing on the browser side, this could be an enhancement of security worldwide...

CIYAM Open uses this browser-side approach for its sign-in accounts (it also supports OpenID) - the password is hashed multiple rounds along with a server specific id (so hashes will not be the same for others that implement a CIYAM system) and finally concatenated with a UUID and hashed again (so a replay attack is not possible).

On the server side (for storage) the password hash is encrypted with a UUID for salt so that even in the event of the DB being stolen rainbow tables will be of no use.

I wonder how bitcointalk.org stores and retrieves our passwords?

The password is passed in the clear (through SSL of course) to the server side where it is hashed iteratively and compared against the hash in the DB (thus the password cannot be retrieved - only hashes compared).

TheRealSolid (Operator of mcxNOW | Programmer of MicroCash)
August 19, 2013, 03:54:26 AM
#55

So RealSolid, how your system check the user password when he log in ?
He has to send a request to your password server.
So your password server is not off the internet.
He is just not directly on the internet.
So if a hacker compromise you site, he now have internet access to your password server.

A comparison of password==password. There is _zero_ code to read passwords and deliver them back to the user on the site. This means an attacker would need to create this code to deliver it back to users. ie In a C++ executable they have never seen it's virtually impossible even if there was a way to insert code (a bug).

Then you say "so what, the password should be unique to my site", but imagine the hacker just retrieve the password list and leave, cleaning all his trace.
Then he could empty the accounts on mcxnow even the cold storage ones.

The mcxNOW database works on a single serve mechanism only. This means there is no code to get "all users". I designed the system on purpose to limit any abuse to a single account, not the system. To abuse a single account you will of course need to know a username and password. To abuse all accounts you will of course need to know all user names and passwords and it is impossible to get this information over the internet because I designed the system and there is no code to do such a thing for a hacker to abuse. Do you understand that for a hacker to abuse something there needs to exist code on the site to do the thing to abuse?

So maybe there is a median solution here:
- Hash the passwords that are used to authenticate users logging in.
- Store an offline encrypted list of passwords, so you can do your manual password recovery stuff.

On a side note I agree with you that users have to trust the admin of a site, because whatever he says, he can watch your password if he wants to.
On the other side you could do the JavaScript hashing on the client side and that would prevent the admin from having access to it.
Actually I'm wondering why there is no standard way of doing the hashing on the browser side; this could be an enhancement of security worldwide...
 

The point is there is no difference in my setup whether I hash passwords or don't. There is zero security benefit. Furthermore unlike other exchanges which have weak email password resets I do all password resets manually to protect my users, at the cost of my time. The security at mcxNOW is higher than every other exchange in my (and others) opinion, regardless of what a couple of PHP/SQL laymen think about how secure hashing+salting a password is.

The people here who talk up hashing passwords and in same breath recommend weak email reset systems make me laugh. Most banks keep your passwords in encrypted form, you better stop using your banks too!

https://mcxnow.com - Fast and secure coin exchange.
Primecoin / Litecoin / Mincoin / Worldcoin / CopperLark
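Added example (written for this page; it is not code from CIYAM, mcxNOW or any poster in the thread): the server-side scheme described a few posts up, a salted, iterated hash that is stored and compared, beside the "password==password" comparison defended in the post above. Running it shows the difference the two sides are arguing about: the hashed record still verifies a login, but a copy of the table cannot be turned back into passwords to try on the user's email or other exchanges, while the reversible table hands every password over as-is. The iteration count, the store classes and the sample accounts are assumptions made up for the demo.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Iteration count is an assumption for this example; tune it to the server.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    The salt is random per user, so two users with the same password get
    different records and a precomputed table cannot be reused across users.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    algo, iterations, salt_b64, digest_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(actual, expected)


class ReversibleStore:
    """The password==password approach: stored as received, checked by plain comparison.

    Whoever can read this table (a database thief, a second admin, a backup
    tape) gets every password ready to try on the user's email and other sites.
    """

    def __init__(self) -> None:
        self.table = {}

    def register(self, user: str, password: str) -> None:
        self.table[user] = password

    def login(self, user: str, password: str) -> bool:
        return self.table.get(user) == password

    def dump(self) -> dict:
        return dict(self.table)


class HashedStore:
    """Stores only the hash record; the table cannot be turned back into passwords."""

    def __init__(self) -> None:
        self.table = {}

    def register(self, user: str, password: str, iterations: int = ITERATIONS) -> None:
        self.table[user] = hash_password(password, iterations=iterations)

    def login(self, user: str, password: str) -> bool:
        record = self.table.get(user)
        return record is not None and verify_password(password, record)

    def dump(self) -> dict:
        return dict(self.table)


def demo() -> dict:
    """Constructed sample accounts; returns what a thief of each table would see."""
    rev, hashed = ReversibleStore(), HashedStore()
    for user, pw in (("alice", "correct horse battery staple"), ("bob", "hunter2")):
        rev.register(user, pw)
        hashed.register(user, pw, iterations=1000)  # low count only to keep the demo fast
    assert rev.login("alice", "correct horse battery staple")
    assert hashed.login("alice", "correct horse battery staple")
    assert not hashed.login("alice", "wrong")
    return {"reversible": rev.dump(), "hashed": hashed.dump()}


if __name__ == "__main__":
    for store, table in demo().items():
        print(store)
        for user, value in table.items():
            print("  %s: %s" % (user, value))
```

The record format carries its own iteration count, so the count can be raised later and old records re-hashed on the user's next successful login; the per-user salt is what stops one cracked password from revealing every other user with the same password.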
TheRealSolid (Member, Activity: 94, Merit: 10) | Operator of mcxNOW | Programmer of MicroCash
August 19, 2013, 03:56:47 AM | #56

Actually I'm wondering why there is no standard way of doing the hashing on the browser side; this could be an enhancement of security worldwide...

CIYAM Open uses this browser-side approach for its sign-in accounts (it also supports OpenID) - the password is hashed multiple rounds along with a server specific id (so hashes will not be the same for others that implement a CIYAM system) and finally concatenated with a UUID and hashed again (so a replay attack is not possible).

Yet you do email resets. While you said you do offer options to "beef that up" the default situation is highly insecure. Please go find a bank that does automatic password resets via email with no other authentication. It's highly insecure yet accepted as ok by some here why?


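Added example (my own, not CIYAM's code; the real implementation is open source in the ciyam GitHub repository linked later in this thread, and nothing here is copied from it): the browser-side scheme quoted in the post above, with both the client and the server side written in Python so the whole exchange runs in one file. The password is iterated with a server-specific id, then bound to a one-time UUID challenge, and the server consumes the UUID on first use so a captured response cannot be replayed. The exchange also makes the caveat visible: the value the server stores is exactly what the client would send, so a stolen table is still password-equivalent for this site (not for others, which is what the server id buys), which is why the stored hashes need to be protected on the server as well. SERVER_ID, ROUNDS, the Server class and the account are assumptions made up for the demo.

```python
import hashlib
import hmac
import uuid
from typing import Dict

# Server-specific id and round count are assumptions for the demo.
SERVER_ID = "example-ciyam-site-id"
ROUNDS = 1000


def client_hash(password: str, server_id: str = SERVER_ID, rounds: int = ROUNDS) -> str:
    """Browser-side step one: iterate SHA-256 over password and server id.

    The server id makes the result site-specific, so the same password on
    another site produces an unrelated value. The server never sees the
    password itself, only this hash.
    """
    h = password
    for _ in range(rounds):
        h = hashlib.sha256((h + server_id).encode("utf-8")).hexdigest()
    return h


def client_response(pw_hash: str, nonce: str) -> str:
    """Browser-side step two: bind the hash to the server's one-time UUID."""
    return hashlib.sha256((pw_hash + nonce).encode("utf-8")).hexdigest()


class Server:
    """Holds the client-side hashes and issues one-time UUID challenges."""

    def __init__(self) -> None:
        self.users: Dict[str, str] = {}
        self.pending: Dict[str, str] = {}

    def register(self, user: str, pw_hash: str) -> None:
        self.users[user] = pw_hash

    def challenge(self, user: str) -> str:
        nonce = str(uuid.uuid4())
        self.pending[user] = nonce
        return nonce

    def login(self, user: str, response: str) -> bool:
        nonce = self.pending.pop(user, None)  # consumed on first use, good or bad
        stored = self.users.get(user)
        if nonce is None or stored is None:
            return False
        return hmac.compare_digest(client_response(stored, nonce), response)


def run_exchange() -> dict:
    """Honest login, replay of the captured response, and a thief who holds the table."""
    server = Server()
    pw_hash = client_hash("correct horse battery staple")
    server.register("alice", pw_hash)

    # Honest login: fresh nonce, response computed from the client-side hash.
    nonce = server.challenge("alice")
    response = client_response(pw_hash, nonce)
    first = server.login("alice", response)

    # Replay: the same response seen on the wire is sent again; the nonce is gone.
    replay = server.login("alice", response)

    # Table theft: the stored value is all the client ever sends, so someone
    # holding the table can answer a fresh challenge without the password.
    stolen = server.users["alice"]
    nonce2 = server.challenge("alice")
    thief = server.login("alice", client_response(stolen, nonce2))

    return {"login": first, "replay": replay, "thief_with_table": thief}


if __name__ == "__main__":
    print(run_exchange())
```

In a real deployment the server would hash the received value once more with a per-user salt before storing it, so that the table no longer contains the exact string a client sends; the challenge then has to be computed against the client-side hash supplied at login rather than against the stored record.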
MCXnever (Member, Activity: 60, Merit: 10)
August 19, 2013, 04:08:53 AM | #57

Actually I'm wondering why there is no standard way of doing the hashing on the browser side; this could be an enhancement of security worldwide...

CIYAM Open uses this browser-side approach for its sign-in accounts (it also supports OpenID) - the password is hashed multiple rounds along with a server specific id (so hashes will not be the same for others that implement a CIYAM system) and finally concatenated with a UUID and hashed again (so a replay attack is not possible).

Yet you do email resets. While you said you do offer options to "beef that up" the default situation is highly insecure. Please go find a bank that does automatic password resets via email with no other authentication. It's highly insecure yet accepted as ok by some here why?


Yip, just checked, many banks do email password resets, google it. If you don't have the link: http://google.com. Oh wait, Google does email password resets. Let me check another super insecure company, http://Amazon.com. OMG, password resets, what is with the insecurity! What my bank doesn't do is give me my password over the phone..... weird, I wonder why? I will also note my bank is not C++ and actually delivers on share dividends on time; it's a crazy concept.

Some use 2FA like most exchanges in crypto offer.... I say most; coins-e and MCxnow don't. Pretty sure coinex and cryptsy do, as well as every BTC exchange. Email alerts on login? Nope. Email withdraw notification? Nope. I guess these options can't be done in C++ or with your UBER L3EET skills.

But of course RS is right, he has to be; speak against him in his little world and he bans you, belittles you. Then his small army of trolls comes after you. Grow up you little psycho.
CIYAM (Legendary, Activity: 1890, Merit: 1078) | Ian Knowles - CIYAM Lead Developer
August 19, 2013, 04:30:48 AM | Last edit: August 19, 2013, 04:41:31 AM by CIYAM Open | #58

Yet you do email resets. While you said you do offer options to "beef that up" the default situation is highly insecure. Please go find a bank that does automatic password resets via email with no other authentication. It's highly insecure yet accepted as ok by some here why?

I currently do not have any automatic email reset at all (have a look for yourself please - my system is open source after all https://github.com/ciyam/ciyam).

I do allow a manual reset (that has to be done myself) which then involves a GPG encrypted email being sent (assuming the user signed up with GPG) or at worst an email with a link to create a new password (the last would only be sent if I am satisfied the reset is genuine which can be done with questions *other* than what they think their password is).

Although using C++ does give some big advantages with regards to security it is still *never* a good idea to store encrypted passwords. You can have things like "password recovery question and answers" (regardless of whether you do resets manually or automatically) that do not need to involve needing to know an end-user's password.

TheRealSolid (Member, Activity: 94, Merit: 10) | Operator of mcxNOW | Programmer of MicroCash
August 19, 2013, 04:46:54 AM | #59

I currently do not have any automatic email reset at all (have a look for yourself please - my system is open source after all https://github.com/ciyam/ciyam). I do allow a manual reset (that has to be done myself) which then involves a GPG encrypted email being sent (assuming the user signed up with GPG) or at worst an email with a link to create a new password (the last would only be sent if I am satisfied the reset is genuine which can be done with questions *other* than what they think their password is).

Sorry I thought you did have auto password resets. Are you planning on adding that? What questions do you ask them? You're aware that if a session is stolen all info a user can grab from the site itself is useless to verify right?

Although using C++ does give some big advantages with regards to security it is still *never* a good idea to store encrypted passwords. You can have things like "password recovery question and answers" (regardless of whether you do resets manually or automatically) that do not need to involve needing to know an end-user's password.

You do realize the fact you store anything "personal" from the user, whether it's password or mothers maiden name, or first pet in recoverable form is pretty much the same? Just a different type of fish my friend.

For some reason some people think keeping personal private details about themselves in recoverable form is somehow more appropriate than a unique password. It's kind of interesting to me but I will probably move to a system like that instead because educating laymen is pretty foolish as we can see in this thread.

When a hacker breaks the database do you want your mothers maiden name, social security number, first pet all in the open too? That's ok but a unique password in the wild is just too insecure? I just don't get some people. Smiley

The first rule is to never get broken into and that's what my system is probably best at doing compared to anything else out there.

CIYAM (Legendary, Activity: 1890, Merit: 1078) | Ian Knowles - CIYAM Lead Developer
August 19, 2013, 04:55:24 AM | Last edit: August 19, 2013, 06:16:58 AM by CIYAM Open | #60

When a hacker breaks the database do you want your mothers maiden name, social security number, first pet all in the open too? That's ok but a unique password in the wild is just too insecure? I just don't get some people. Smiley

As I also stated I encrypt sensitive information in the DB (including the password hashes) - and the key used (along with a UUID salt) is composed of parts that are all separate from the DB (and can include a compiled in UUID, a UUID in a separate file as well as a RAM only portion - meaning that only an uber-hacker who has root access, can decompile and has a memory dump of the running system would have any real chance of working out how to decrypt anything).

The problem is that users often re-use passwords so if someone managed to crack your encryption then they may well be able to do much more damage than just find what is in your DB.

In regards to your question about automatic password resets I have not yet made a decision (for now only manual resets will be possible). I think for GPG users though this would be safer than for others.

mr_random (Legendary, Activity: 1274, Merit: 1001)
August 19, 2013, 11:43:44 AM | #61

Actually I'm wondering why there is no standard way of doing the hashing on the browser side; this could be an enhancement of security worldwide...

CIYAM Open uses this browser-side approach for its sign-in accounts (it also supports OpenID) - the password is hashed multiple rounds along with a server specific id (so hashes will not be the same for others that implement a CIYAM system) and finally concatenated with a UUID and hashed again (so a replay attack is not possible).

Yet you do email resets. While you said you do offer options to "beef that up" the default situation is highly insecure. Please go find a bank that does automatic password resets via email with no other authentication. It's highly insecure yet accepted as ok by some here why?


Yip, just checked, many banks do email password resets, google it. If you don't have the link: http://google.com. Oh wait, Google does email password resets. Let me check another super insecure company, http://Amazon.com. OMG, password resets, what is with the insecurity!

Notice how Realsolid calls people 'laymen' without even knowing the background of the person he is speaking to (myself - 1st class maths degree from an ivy league university and have been a web developer for years). The least Realsolid should do is warn on the new user registration page that he can read the passwords as this will stop most people from re-using passwords. That is the ethically correct thing to do imo until he follows the industry standard of hashing and salting passwords rather than reversible encryption/decryption.

CIYAM (Legendary, Activity: 1890, Merit: 1078) | Ian Knowles - CIYAM Lead Developer
August 20, 2013, 10:37:57 AM | #62

Wrong. Here's your solution: Store a user's GPG public key in encrypted form, or hell, even in plaintext. If they request a password reset, do a challenge/response.

No need to encrypt the public key (it is *public* after all) so all that is needed is to create a new random password and then GPG email it (unless the user has had their GPG private key stolen in which case you are no better off than any other automatic reset).

laughingbear (Deflationary champion, Hero Member, Activity: 622, Merit: 500) | www.cryptobetfair.com
August 20, 2013, 04:45:21 PM | #63

RS, unless you provide one of these for every user that signs up, your security is total shit!

http://360biometrics.com/iris_image_capture_scanner/crossmatch/I_SCAN_2_Dual_Iris_Capture_Scanner.php


Shit.... I guess a hacker "could" steal our eyes.

I guess the only thing we can do is use a unique password

usahero (OP) (Sr. Member, Activity: 434, Merit: 250)
August 20, 2013, 05:11:36 PM | #64


I guess the only thing we can do is use a unique password



And when unique passwords get logged by a keylogger, Google Authenticator is there to help you protect your funds.

No need to flame, added security should result in higher share-fee payouts.
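Added example (written for this page, not code from Google Authenticator, mcxNOW or any poster): the time-based one-time code the post above relies on, RFC 4226 HOTP under RFC 6238 TOTP, with the verification side a withdrawal endpoint would run. It uses the RFC 6238 test secret so the codes can be checked against the published vectors, and it shows the part that actually defeats a keylogger: a code is only good for its 30-second slot, and the server records the last counter it accepted so the same code cannot be submitted twice even inside that slot. The window size, the withdrawal_demo flow and the timestamps are assumptions made up for the demo; a real account gets a fresh random secret shown once as a QR code at enrolment.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30  # seconds per code, the Google Authenticator default


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def totp(secret_b32: str, at: Optional[float] = None, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock."""
    now = time.time() if at is None else at
    return hotp(secret_b32, int(now // step))


def verify_totp(secret_b32: str, code: str, at: Optional[float] = None,
                window: int = 1, last_counter: int = -1,
                step: int = STEP) -> Optional[int]:
    """Accept a code within +/- window steps of now, but never a counter already used.

    Returns the accepted counter (persist it as last_counter for this user) or
    None. The last_counter check is what stops a keylogged code from being
    replayed inside the same 30-second slot.
    """
    now = time.time() if at is None else at
    current = int(now // step)
    for counter in range(max(current - window, 0), current + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret_b32, counter), code):
            return counter
    return None


# RFC 6238 test secret ("12345678901234567890" in base32), used only so the
# output can be checked against the RFC's published vectors.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def withdrawal_demo() -> dict:
    """Constructed withdrawal flow: first use accepted, same code rejected afterwards."""
    t = 59  # seconds since the epoch, i.e. counter 1 in the RFC vectors
    code = totp(RFC_SECRET, at=t)
    first = verify_totp(RFC_SECRET, code, at=t)                                # accepted
    replay = verify_totp(RFC_SECRET, code, at=t + 5, last_counter=first)       # keylogger replay
    later = verify_totp(RFC_SECRET, code, at=t + 300, last_counter=first)      # outside the window
    return {"code": code, "first": first, "replay": replay, "five_minutes_later": later}


if __name__ == "__main__":
    print(withdrawal_demo())
```

The window of one step either side tolerates phone clocks that drift by up to 30 seconds; widen it and you widen the replay opportunity, which is why the accepted counter has to be stored per user rather than relying on the window alone.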
laughingbear (Deflationary champion, Hero Member, Activity: 622, Merit: 500) | www.cryptobetfair.com
August 20, 2013, 06:42:14 PM | #65


I guess the only thing we can do is use a unique password



And when unique passwords get logged by a keylogger, Google Authenticator is there to help you protect your funds.

No need to flame, added security should result in higher share-fee payouts.


you are right... I should not try and stir up a bunch of problems over a stupid non issue.
DeathAndTaxes (Donator, Legendary, Activity: 1218, Merit: 1079) | Gerald Davis
August 20, 2013, 06:48:03 PM | #66

I guess the only thing we can do is use a unique password

That is naive.  Say the company (any company) grows and eventually multiple people will have access to the password list.  If it is hashed that provides a level of security against internal theft/abuse.  If it isn't then an employee steals your login credentials, goes home, logs in as you with your unique secure password and withdraws all your coins. 

There is a reason hashed passwords are a security standard. Password reuse is one vulnerability but it isn't the only one.
TheRealSolid (Member, Activity: 94, Merit: 10) | Operator of mcxNOW | Programmer of MicroCash
August 23, 2013, 05:05:04 PM | #67

That is naive.  Say the company (any company) grows and eventually multiple people will have access to the password list.  If it is hashed that provides a level of security against internal theft/abuse.  If it isn't then an employee steals your login credentials, goes home, logs in as you with your unique secure password and withdraws all your coins. 

There is a reason hashed passwords are a security standard. Password reuse is one vulnerability but it isn't the only one.

No such threat exists currently because only one person has access to any such data (myself). Employees of any company are expected to treat data in a secure fashion. My bank for instance knows my password and all security questions. Any employee I call has access to that data. More factors of authentication is always good and helps restrict what employees can do though, which I've added in the next update.

I think the biggest weakness with any of these systems is the human element which is why I reduced the need for them to the bare essentials. Handling 10 minutes of support a day for over 7000 accounts isn't too hard for me atm but thinking longer term if the site is very successful then new arrangements will have to be made because I always want to restrict that human element, the biggest weakness.

korobass (Newbie, Activity: 2, Merit: 0)
May 24, 2014, 11:01:28 AM | #68

I've lost the password for my mcx account. How can I recover it? I've already sent an email with a description of my problem to the mcx support address, but didn't get a response. I've also tried to contact RealSolid on the IRC channel, but didn't get any response. Is there a chance to recover the lost password for my account? Does anyone have a similar situation on the mcx site?