mcx passwords

[usahero]

Notice:

Everything mentioned here was fixed by RealSolid in version mcxnow v2 with implemented google authenticator 2fa and encrypted passwords.

Thus McxNOW is now the fastest and the best exchange in crypto world. Congratulations RealSolid on excellent work. Apologies to give you hard time during working on the update. Hopefully some of my ideas were helpful.

-------------------

Just wanted to share my opinion, that text-recoverable isn't the only questionable practice of mcxnow.

The biggest problem I see is that there is no 2FA of any kind.

If you want to withdraw your balance on:
Crypto-trade, you need to know your password and your pin.
Coins-e, you need to know your password and your email password.
Cryptsy, you need to know your password, your email password and if you have 2FA enabled, you need access to your 2FA device.
Vircurex, you need to know your password, and if you have 2FA enabled, you need access to your 2FA device.


On mcxnow, the only requirement for withdrawing coins is knowing account password. Considering that the number of hacker compromised computers is significant, this 1-password-safety policy is very unsafe.

Every other site beats the mcxnow in that regards.


Best regards.


PS: If you will try to dirty my name, I suggest you to deposit all your funds to mcxnow!

ps: this post was edited on 18/8/2013 to remove "plain-text" with "text-recoverable", and topic was edited.

ps2: added notice to original post. 9/26/2013 .

[bidji29]

Password are not stored in plain text.
They are encrypted, and the operator can decrypt them if someone lose their password. They have to answer some security question, like amount on the account etc...

The 2 factor-aut will be implemented in the update after the 10-Aug update.

[usahero]

Password are not stored in plain text.

Possibly. But the admin can read your password. Operator can read any password. The hacker will also be able to read all passwords, if that will be his goal.

Operator could also read your password and steal your funds while blaming end user for having compromised computer. He wouln't get away with stealing all the coins from all users, but he could possibly get away from stealing some users.

Anyway, from the exchanges I noted, only mcxnow does not know any 2FA. Tick tock..?

[everybodyclapyohands]

Password are not stored in plain text.
They are encrypted, and the operator can decrypt them if someone lose their password. They have to answer some security question, like amount on the account etc...

The 2 factor-aut will be implemented in the update after the 10-Aug update.

No developer should EVER be able to read user passwords. This is rule #1 of building a user login system. You generate a random salt for each user, hash their password including the salt, store the salt and hashed password, and only compare hashed strings when they login.

This is now the second time I've heard of this policy and it makes me happy I stopped trading at that exchange a long time ago.

[vinne81]

Just wanted to share, that having plain-text-stored passwords isn't the only problematic practice of never-wrong-operator of mcxnow.

That's my main problem there

[paulthetafy]

Before everybody bashes RealSold and mcxNow, you might want to a) get some proof and b) give RS himself a chance to explain things rather than posting publicly.

Also remember that 2FA is coming soon (though not on Aug 10th AFAIK).  Can I remind you that BTC-e only introduced 2FA fairly recently!!

Lastly, usahero, I know you're having some beef with RealSolid and mcxNow at the moment, but raising this post was really low of you.

 - PTT

[MCXnever]

Before everybody bashes RealSold and mcxNow, you might want to a) get some proof and b) give RS himself a chance to explain things rather than posting publicly.

Also remember that 2FA is coming soon (though not on Aug 10th AFAIK).  Can I remind you that BTC-e only introduced 2FA fairly recently!!

Lastly, usahero, I know you're having some beef with RealSolid and mcxNow at the moment, but raising this post was really low of you.

 - PTT

The proof is ask RS for your password and he can give it to you been that way for a while so that is proof. Even if he changes it he has a great record of usernames and passwords to skim from pools and exchanges for the folks not smart enough to change their passwords site by site. Lets get serious the site is full of hate speech racism, sexism just an all around bad environment. The owner is a straight up psychopath and very full of himself. C++ will solve cancer!

I will start posting chat logs from there just to show the enormous amount of hate mongering going on with this exchange but I think enough folks can vouch for that.

[drummerjdb666]

SOUNDS LIKE A BUTT HURT OH NO I WAS BANNED THREAD TO ME!!!

FUCK OFF HERO!!!  GET OVER IT!!!

[drummerjdb666]

and ur little dog too

[notyep]

Before everybody bashes RealSold and mcxNow, you might want to a) get some proof and b) give RS himself a chance to explain things rather than posting publicly.

Also remember that 2FA is coming soon (though not on Aug 10th AFAIK).  Can I remind you that BTC-e only introduced 2FA fairly recently!!

Lastly, usahero, I know you're having some beef with RealSolid and mcxNow at the moment, but raising this post was really low of you.

 - PTT

I will start posting chat logs from there just to show the enormous amount of hate mongering going on with this exchange but I think enough folks can vouch for that.

"Welcome to the Internet!"   

[coinerd]

The proof is ask RS for your password and he can give it to you been that way for a while so that is proof. Even if he changes it he has a great record of usernames and passwords to skim from pools and exchanges for the folks not smart enough to change their passwords site by site. Lets get serious the site is full of hate speech racism, sexism just an all around bad environment. The owner is a straight up psychopath and very full of himself. C++ will solve cancer!

I will start posting chat logs from there just to show the enormous amount of hate mongering going on with this exchange but I think enough folks can vouch for that.

[MCXnever]

The proof is ask RS for your password and he can give it to you been that way for a while so that is proof. Even if he changes it he has a great record of usernames and passwords to skim from pools and exchanges for the folks not smart enough to change their passwords site by site. Lets get serious the site is full of hate speech racism, sexism just an all around bad environment. The owner is a straight up psychopath and very full of himself. C++ will solve cancer!

I will start posting chat logs from there just to show the enormous amount of hate mongering going on with this exchange but I think enough folks can vouch for that.

I think racism is bad yes go read the chat there its non stop race bashing, peoples religion, holocaust jokes etc, lots of hate unprofessional all around.

1) For the sake of argument let's say RS is using plaint text passwords and can see them

So fucking what, if a person in the altcoin world is STUPID enough to use the same password on two different sites, they deserve to be ripped off. So basically by following password 101, all RS could do if see the password for his own site.

2) mcxNOW does not use plain text, this is straight up fud.

3) Coinhunter is telling the truth, he's banned only four people from mcxNOW and you're 25% of that population, that makes you special.

4) You are correct, CH/RS is a real piece of work, a meglomaniacal narcissistic POS, but what you're doing isn't promoting that idea, it's just making you look like a stupid fuck.


~BCX~

I don't disagree that it is insane to have the same passwords for any crypto site but they do. On that note has anyone asked for their passwords yet?

These are facts go see for yourself oh and buy some shares of the biggest scam around.

[coinerd]

I think racism is bad yes go read the chat there its non stop race bashing, peoples religion, holocaust jokes etc, lots of hate unprofessional all around.

[ahmed_bodi]

more reason why mcxnow should be avoided

[17:07] <ahmedbodi> RealSolid: how many actual times have i insulted you?
[17:13] <ahmedbodi> RealSolid: well^
[17:15] <RealSolid> you think i count or care about such things?
[17:16] <ahmedbodi> approximation, by my count like twice
[17:18] <RealSolid> ok?
[17:18] <ahmedbodi> never mind (facepalm)
[17:18] <ahmedbodi> plz unban my account? no trolling or spamming
[17:20] <RealSolid> no you annoy me
[17:21] <RealSolid> its probably worse because youre muslim
[17:21] <necom> troll!
[17:21] <ahmedbodi> HAHAHA, and you guys call me a troll
[17:21] <ahmedbodi> 1 sec let me put my bot here so it starts recording
[17:21] <ahmedbodi>
[17:22] --> MainBot has joined this channel (~Crypto-Ex@host-212-159-185-14.static.as13285.net).
[17:22] <ahmedbodi> haha
[17:22] *** ChanServ gives channel operator privileges to RealSolid.
[17:22] *** RealSolid sets a ban on *!*@host-212-159-185-14.static.as13285.net.
[17:22] *** You have been kicked from channel #mcxnow by RealSolid (ahmedbodi).
[17:23] [474] ahmedbodi #mcxnow Cannot join channel (+b) - you are banned
[17:23] [474] ahmedbodi #mcxnow Cannot join channel (+b) - you are banned

[DeathAndTaxes]

It's still pretty shitty of him to store passwords in a reversible format. If he gets hacked, an attacker can dump them. Of course he'd say it's absolutely impossible for his site to be hacked, but that's because he's seriously out of touch with reality.

This.

It shows a complete lack of understanding of basic password security.  If he got this wrong what else did he get wrong.
Simple version: the website needs to be able to decrypt the password so it is like saying "no I keep my money locked up in that safe, the one with the key taped to the front of it".

Passwords are salted and hashed not encrypted for a reason.  This was cutting edge computer science ... in 1970.

[usahero]

This thread was never about what you (idiots) think about what I think about being banned on mcxnow. I gave an advice to realsolid and he is working hard on implementing 2FA.

Now if you idiots have problems with me, maybe thats because you are doubting your "investment"? If it is so good investment, you shouln't be afraid of one fud-troll, eh...?


Well, the list of people getting banned for stating facts on mcxnow is increasing. Enjoy your tiny fee-shares.. They will get lower after RealSolid decreases btc withdrawal fees from 0.005 to 0.001, as he promised...

[usahero]

SOUNDS LIKE A BUTT HURT OH NO I WAS BANNED THREAD TO ME!!!

FUCK OFF HERO!!!  GET OVER IT!!!

You know it's a strange day in the neighborhood when BitcoinEXpress is defending Coinhunter aka Real Sold aka rlh aka Notyep.

@usahero


1) For the sake of argument let's say RS is using plaint text passwords and can see them

So fucking what, if a person in the altcoin world is STUPID enough to use the same password on two different sites, they deserve to be ripped off. So basically by following password 101, all RS could do if see the password for his own site.

2) mcxNOW does not use plain text, this is straight up fud.

3) Coinhunter is telling the truth, he's banned only four people from mcxNOW and you're 25% of that population, that makes you special.

4) You are correct, CH/RS is a real piece of work, a meglomaniacal narcissistic POS, but what you're doing isn't promoting that idea, it's just making you look like a stupid fuck.


~BCX~

I care about your opinion. So far you have been active in every thread trying to "protect" your master. hahaha. so funny.


Anyway, if someone is "allowed" to spread lies about me, straight up FUD doesn't even sound that bad......

So I'll continue with straight up FUD if needed.

[usahero]

Before everybody bashes RealSold and mcxNow, you might want to a) get some proof and b) give RS himself a chance to explain things rather than posting publicly.

Also remember that 2FA is coming soon (though not on Aug 10th AFAIK).  Can I remind you that BTC-e only introduced 2FA fairly recently!!

Lastly, usahero, I know you're having some beef with RealSolid and mcxNow at the moment, but raising this post was really low of you.

 - PTT

I gave chance to explain everything about fee-shares to rs. Instead of explaining me stuff about the shares, he started yelling at me, making outrageous claims and shittalking me.


So we are still waiting for 2FA. I'm sure he will deliver it on time.

And since you don't know circumstances around my beef with RealSolid, it is low from you to call it "low from me". Because you got no clue what happened.

[usahero]

SOUNDS LIKE A BUTT HURT OH NO I WAS BANNED THREAD TO ME!!!

FUCK OFF HERO!!!  GET OVER IT!!!

If your dick was long enough, you could stick it in your a**

[usahero]

Damn USA let it go.  It was just a chat ban.  I mean really you claim the trollbox is racist hate filled evil (it really isn't), but YOU'RE one of the only ones to ever get chat banned there.  

Did you get chat banned? Yep.
Did you deserve that ban?  I dunno, I didn't see what happened.
Is 2FA coming to mcxNOW?  "Soon."
Did RS steal your money before, or after, you were banned?  Nope.
Do you still trade on the site?  Probably... (and for good reason)

This post was obviously about 2fa, not abotu what you think about me. Get over it, i'm just internet anonymous. You shouldn't waste time with me.......


OHHHHHHH, you are protecting your fee-shares... Here we go