Bitcoin Forum
Pages: « 1 [2] 3 4 »  All
Author Topic: mcx passwords  (Read 4278 times)
laughingbear
August 18, 2013, 03:58:15 AM
 #21

It's still pretty shitty of him to store passwords in a reversible format. If he gets hacked, an attacker can dump them. Of course he'd say it's absolutely impossible for his site to be hacked, but that's because he's seriously out of touch with reality.

This.

It shows a complete lack of understanding of basic password security.  If he got this wrong what else did he get wrong.
Simple version: the website needs to be able to decrypt the password so it is like saying "no I keep my money locked up in that safe, the one with the key taped to the front of it".

Passwords are salted and hashed not encrypted for a reason.  This was cutting edge computer science ... in 1970.




Step up then big guy. Hack it, steal all the coins on the exchange. Teach him a lesson. We will all wait with bated breath.
DeathAndTaxes
August 18, 2013, 04:52:54 AM
 #22

It's still pretty shitty of him to store passwords in a reversible format. If he gets hacked, an attacker can dump them. Of course he'd say it's absolutely impossible for his site to be hacked, but that's because he's seriously out of touch with reality.

This.

It shows a complete lack of understanding of basic password security.  If he got this wrong what else did he get wrong.
Simple version: the website needs to be able to decrypt the password so it is like saying "no I keep my money locked up in that safe, the one with the key taped to the front of it".

Passwords are salted and hashed not encrypted for a reason.  This was cutting edge computer science ... in 1970.




Step up then big guy. Hack it, steal all the coins on the exchange. Teach him a lesson. We will all wait with bated breath.

Yes that is the standard for information security.  Don't follow established practices just do anything you feel like no matter how stupid (and pointless).   The fact that other sites (hundreds, thousands?) have made the same mistake and you can't undo it after the hack should just be ignored.  The absence of a hack means you are secure right?  That works right up until a hack does occur and then it is "oh well in hindsight who could have seen the hacker would decrypt the password list".  

Your statement is like saying you leave your door unlocked with a sign saying "money inside".  You haven't been robbed yet so it must be secure and anyone who says locking your door would be more secure should just try to rob you instead. 
usahero (OP)
August 18, 2013, 07:14:52 AM
Last edit: August 18, 2013, 08:06:31 AM by usahero
 #23



From what I hear, the beef between BCX and RS goes way back. Claiming RS is BCX's "master" isn't just stupid, it's insane. You're excluding everyone's reasonable opinions by labeling them as "with RS".





You are correct, Coinhunter and I are old friends LOL

@usahero, claiming I'm a Coinhunter puppet is "Gold Certification" that

1) You're an idiot
2) Have no clue on RS/CH history
3) Butt Hurt over getting banned from a troll box LOL...


~BCX~





This post was about security. It was about the fact that mcxnow still has the worst 2FA security. On any other site you need more than a password to hack it. Only on mcx, knowing the password is enough to get your coins stolen.

I have some funds there so its something that matters to me.



I guess you are a troll, but not from his team. I don't care enough about you to track your history with RS. I am a troll too. So nice to meet you. And btw, everyone is free to think I am an idiot. So I'll write it here: I AM AN IDIOT.

Now deal with it. Everyone is free to ignore me.






laughingbear
August 18, 2013, 08:11:01 AM
 #24

Don't follow established practices just do anything you feel like no matter how stupid (and pointless).  

like using a different password for every website?  I know you guys have an agenda to push here, and need to make rs or the website look bad, but try harder. 
usahero (OP)
August 18, 2013, 08:16:56 AM
 #25

Don't follow established practices just do anything you feel like no matter how stupid (and pointless).  

like using a different password for every website?  I know you guys have an agenda to push here, and need to make rs or the website look bad, but try harder.  

It's a waste of time.

The result of the project will be whatever will be whether I troll or not.

I just saw yesterday that someone reopened topic that should be forgotten, so I took time to respond.



I am certain RealSolid is working on the patch right now, because he is not wasting as much time on chat, so an update will be around soon. The thing about the "plain-text" password was problematic to me at the time when I wanted to revive the password. I may be too paranoid, but I prefer to have my funds protected via 2FA - whether that is email confirmation, Google Auth or a PIN, anything is better than just a password. Fortunately only-password was good enough so far...




Etlase2
August 18, 2013, 08:45:09 AM
 #26

Don't follow established practices just do anything you feel like no matter how stupid (and pointless).  

like using a different password for every website?  I know you guys have an agenda to push here, and need to make rs or the website look bad, but try harder.  

If anyone has an agenda to push, it's DeathAndTaxes. He is the hardcorest of hardcore bitcoin proponents and unequivocally biased, but he is totally, 100% correct here. Passwords, especially passwords that protect money, should not be stored in a reversible format. That is madness. (That is, of course, if actually true.)

K1773R
August 18, 2013, 08:52:14 AM
 #27

Don't follow established practices just do anything you feel like no matter how stupid (and pointless).  
like using a different password for every website?  I know you guys have an agenda to push here, and need to make rs or the website look bad, but try harder. 
If RS really stores the passwords in plain text or any reversible format (i.e., not hashing them properly; MD5 isn't properly :P) then he's lost me. I haven't seen any proof of this, or did I miss it (due to ignoring this usascum moron)?

usahero (OP)
August 18, 2013, 09:10:10 AM
Last edit: August 18, 2013, 09:21:13 AM by usahero
 #28


This post was about security.



Yeah sure it was LOL....

Somehow I have hard time believing this isn't just another one of your five "I'm butt hurt because I got banned by RS threads".

You must be real special because as much as RS hates me and I do him, even after asking him in his troll box "If his first anal sex was with his mother or his father", he still didn't ban me.

Since I'm in a charitable mood, here's a free suggestion for you.

If you find his site so bad, don't use it!



~BCX~

I know this stuff. It is up to me whether I want to trade on that site or not. It is also up to me whether I want to share my opinion about it or not. I don't think there is much you can do about it.

All this "butthurt" talk would be done on mcxnow chat, if I wasn't banned there.


usahero (OP)
August 18, 2013, 09:16:50 AM
 #29

Don't follow established practices just do anything you feel like no matter how stupid (and pointless).  
like using a different password for every website?  I know you guys have an agenda to push here, and need to make rs or the website look bad, but try harder.  
If RS really stores the passwords in plain text or any reversible format (i.e., not hashing them properly; MD5 isn't properly :P) then he's lost me. I haven't seen any proof of this, or did I miss it (due to ignoring this usascum moron)?



He is storing them in a reversible format. If you want to recover your password, he gives you your password and he sees your password. There is no "password recovery" form on the site, and I think the only way to recover the password is:
1) message RS that you lost your password.
2) tell him a part of your password/describe your password, so that he can confirm "it is really you" who is recovering it.
3) he returns your password to you as a string, and in the process he sees your password. When I did this procedure, I felt like my privacy had been breached.


Now even if you think I am a moron, you know something you didn't know before.

And if someone has done the procedure, please confirm it is really done this way, as I am not making this up.

K1773R
August 18, 2013, 01:05:32 PM
 #30

Don't follow established practices just do anything you feel like no matter how stupid (and pointless).  
like using a different password for every website?  I know you guys have an agenda to push here, and need to make rs or the website look bad, but try harder.  
If RS really stores the passwords in plain text or any reversible format (i.e., not hashing them properly; MD5 isn't properly :P) then he's lost me. I haven't seen any proof of this, or did I miss it (due to ignoring this usascum moron)?



He is storing them in a reversible format. If you want to recover your password, he gives you your password and he sees your password. There is no "password recovery" form on the site, and I think the only way to recover the password is:
1) message RS that you lost your password.
2) tell him a part of your password/describe your password, so that he can confirm "it is really you" who is recovering it.
3) he returns your password to you as a string, and in the process he sees your password. When I did this procedure, I felt like my privacy had been breached.


Now even if you think I am a moron, you know something you didn't know before.

And if someone has done the procedure, please confirm it is really done this way, as I am not making this up.


I apologize if this really is true!

BTCPOOLMINING
August 18, 2013, 01:51:11 PM
 #31

I never stored my coins on mcxnow; after trading I transferred the coins back to my wallet. I have no problem with the trading platform, only the security.

K1773R
August 18, 2013, 02:20:09 PM
Last edit: August 18, 2013, 02:54:38 PM by K1773R
 #32

Well, I had a chat with RS on IRC. I asked him if I can publish it; he went mad and didn't answer anymore (so I cut the things below):
Code:
<K1773R> RealSolid: https://bitcointalk.org/index.php?topic=270155.0 <-- can i get a ACK/NACK on this? ie that you store the users PW in plain (or decryptable only by X ppl)
<RealSolid> passwords are stored encrypted yeah
<RealSolid> they are the only identifiable information atm, i may change it in the future and have other info i force people to enter
<RealSolid> name of first pet, etc
<K1773R> as suggestion, hash the passwords...
<K1773R> in 1970-1980 hashing started, now we have 2013!
<RealSolid> no
<RealSolid> theres no added security to my system in salting them
<K1773R> i like your idea about the selfbuild engine + DB a lot, as its secure. but this is horrible
<K1773R> i dont talk about salting, i talk about hashing!
<RealSolid> or hashing
<RealSolid> that may change as i adapt future requirements of course
<K1773R> not hashing is a huge security risk, mtgox had to learn it the hard way
<RealSolid> haha
<RealSolid> thinking its a security risk shows your ignorance on mcxnow security
<K1773R> hmm, "they are the only identifiable information atm" <-- so you identify users per password and not per user id?
<RealSolid> no but if they want a reset its the only info they have put in there
<RealSolid> so i either offer no resets or add more info they can store to prove they are account holders
<K1773R> so if someone forgot his password (and really forgot), hes totally fucked or you just give it to them?
<RealSolid> the exchanges that do password email resets are way more insecure
<K1773R> i agree that password email resets are extremely insecure
<RealSolid> same with automated password recovery
<RealSolid> the mcxnow database is undumpable from the internet and you should be using a unique password at the site anyhow, this is what i tell everyone
<RealSolid> if you K1773R use a unique password at mcxnow there is no difference whether i hash+salt+shit on your password
<RealSolid> so im not sure what *your* personal issue is with the way i handle passwords, even if you think its insecure, when you should be following good security protocol as a security expert :P
<K1773R> if someone successfully takes over your engine, he gets access to the user DB as its needed to identify persons right? so why not just dump this, all thats needed is to break the encryption (password? privkey? combination?) and you have the password of every person @ mcxnow
<K1773R> or did i miss something?
<RealSolid> i protect the people who are insecure people by nature by not allowing auto password resets and requiring they remember part of their password
<RealSolid> the only person who can "take over the engine" is someone who works at the datacenter of the exchange server
<RealSolid> not internet hackers
<RealSolid> and ive added protection against local admin hacking by encrypting everything the exchange uses
<RealSolid> nothing is foolproof of course, but worrying about your unique password being in the wild is nothing compared to losing all your funds right?
<K1773R> how come? if your engine needs information to identify users (ie, username + password), as soon you got the engine, you also got the encrypted password, all you need then is to encrypt it
<RealSolid> and as soon as you got the engine youve got all the funds too if youre an elite hacker who can decrypt and reverse engineer a x64 binary
<K1773R> yes, i liked your setup a lot as its the only exchange i saw knowing something about security, this is just the little ugly thing that popped up, so im wondering ;)
<RealSolid> so if a compromised amazon elite hacker data center admin finds out about the mcxnow exchange server we could be in trouble
<RealSolid> so what do you propose to do instead of what i do to verify lost passwords?
<RealSolid> just lock people out of accounts if they forget?
<K1773R> nope, its a tough question
<RealSolid> to be honest i think only morons/haters care about this because as a specific user if you use unique password at mcxnow you are no more or less compromised if the database gets breached
<K1773R> i have no idea so far how an average person could be able to get his account back due to missing knowledge
<RealSolid> so why should *YOU* care about these people?
<K1773R> well, i dont care about anyone usual ;)
<K1773R> so if we are in trouble (stolen funds), would you pay it back out of your pocket?
<RealSolid> people recommend salting and hashing passwords because sql and other database technologies are often compromised, mine cant be from the internet
<K1773R> if yes, well then i dont care anymore
<RealSolid> worrying about rogue elite datacenter admin hacker taking your password is the least of your worries, the funds are more important :P
<RealSolid> and unlike pretty much all other exchanges except perhaps mtgox ive put a lot of thought into protecting against those
<K1773R> so you would pay back the stolen funds?
<RealSolid> i dont have enough money to do that
<RealSolid> if theres a 50/50 split on funds in hot/cold for instance, i guess id just pay back the percentage in cold to everyone
<K1773R> ok
<RealSolid> to me thats pretty much game over material though
<RealSolid> so i never want it to happen at all
<RealSolid> hence the paranoia and security
After this he didn't answer me anymore :S Well, I for myself will stay @ mcxnow for "now"; will see how things work out.

EDIT: seems he wasn't mad, just busy; will edit again if necessary.
EDIT2: chat updated.

CIYAM
August 18, 2013, 02:31:29 PM
 #33

Any system that encrypts rather than securely hashes account passwords is just asking for trouble (using reversible encryption for things like email addresses makes perfect sense, but not for account passwords).

Unfortunately even today many ISPs still do this (I have had low-level support staff read my password to me over the phone only several years ago).

SistaFista
August 18, 2013, 03:50:24 PM
 #34

Why update a dead site? Even coins-e is better

TheRealSolid
Operator of mcxNOW | Programmer of MicroCash


August 18, 2013, 04:01:09 PM
 #35

Unfortunately, when a layman such as usahero encounters manual password reset and verification, he gets upset that his "used at every site" password is visible to someone like myself. However, exchanges which have reset by email (which usahero wanted and thinks is secure) are actually quite insecure. MtGOX, for instance, has password reset by email.

https://www.mtgox.com/login/lost-password

Now why do mtgox (and pretty much everyone) do this? Well, it cuts back on support to not have manual verification on password resets. So I don't necessarily blame shoe-string operations which employ simple systems to cut back on support. The funny thing is, if I had the same insecure system set up then there would be no complaints from laymen such as usahero, regardless of how I stored the passwords. They would never know what really happens at the backend.

As to why I store passwords encrypted instead of hashed: it is simply to allow original account holders to claim their funds instead of blocking their access. As noted above, email password resets are ridiculously insecure so I don't employ them. My current system allows me to see the password when requested by a user, and they can give suggestions on something they should know (they may not know the whole password but they usually remember some of it). To get around this I could instead ask the user on signup to answer questions like "What is your first pet's name" or "What is your mother's maiden name", but then people may care that I store such details in recoverable form on the site also (you literally cannot win with some people). Currently the password serves as information only the current account holder should know.

Any person who is involved in security knows you should use a unique password at every site because that is the best security. You should never rely on a site to protect your "used everywhere password"; use a new password at every site and there are zero issues in regards to how the site stores your password.

Anyone who thinks their "sacred password" is sacred needs to get a clue. It shouldn't be sacred, and if it is you need a lesson in internet security. Anyone reading this cannot claim ignorance on this going forward. It's rather embarrassing I need to post this as I figured most people on this forum were well versed in internet security, but hopefully it can clear things up for those who aren't.

Finally I'll just say, unlike every other exchange out there, mcxNOW is coded entirely in C++ from top to bottom; it incorporates anti-virus-esque self-protection systems which limit even a "rogue datacenter admin" getting fanciful with the exchange. I'm well versed not only in internet security but security against humans, and these are employed at mcxNOW. I am just _that_ paranoid.

mr_random
August 18, 2013, 04:31:08 PM
 #36

Email password reset mechanisms are not ridiculously insecure if they are done correctly. Their only weak point is that a 'hacker' could get their email password and do a reset, but of course if they can get their email password then they can probably get their mcxnow password too.

Hashing of passwords is the gold standard of password storage in web applications.

Admins are strongly advised to never use encryption, for the obvious reason that if the DB is compromised then the hacker gains access to everyone's passwords. Before you give your standard canned response to this, remember: 1. some people use dozens of websites and it's a pain in the arse having a strong, unique password for every single one; 2. even if you're the world's best programmer, unexpected things can occur, meaning the DB could be compromised. It is therefore a non-zero probability that a hacker could gain everyone's passwords by your poor decision to employ encryption; using hashing+salting would make this a zero probability.
laughingbear
August 18, 2013, 04:35:40 PM
 #37

Just using a unique password would make this a zero probability.  This is such a non issue.
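Added example (an editor's illustration, not code from mcxNOW or from any poster in this thread) of the two storage models the thread has been arguing about since DeathAndTaxes' "salted and hashed, not encrypted" post, played through the breach scenario K1773R raised in the IRC log above: the attacker walks off with the credential rows and the engine, and therefore with whatever key the engine uses. The "encrypted" table is modelled by an HMAC-SHA256 keystream XORed over the password with the key stored beside the rows; that cipher is an assumption standing in for whatever mcxNOW actually does, and the exact choice is irrelevant to the point, which is that any reversible scheme must have a recover() and a hashed scheme cannot. The hashed table uses a random 16-byte salt per user and PBKDF2-HMAC-SHA256 from the standard library. The two sample users and the three-word wordlist are constructed for the demo.

```python
"""Reversible credential store vs. salted, stretched hashing (added example)."""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

PBKDF2_ITERATIONS = 600_000   # OWASP's 2023 floor for PBKDF2-HMAC-SHA256
SALT_LEN = 16


class ReversibleStore:
    """The model the thread objects to: the operator can read every password back."""

    def __init__(self, key: bytes) -> None:
        self._key = key            # assumption: lives on the same box as the rows
        self.rows = {}             # user -> nonce || ciphertext

    def _keystream(self, nonce: bytes, n: int) -> bytes:
        # Stand-in cipher: HMAC-SHA256(key, nonce || counter) blocks, XORed below.
        out, counter = b"", 0
        while len(out) < n:
            out += hmac.new(self._key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:n]

    def put(self, user: str, password: str) -> None:
        nonce, pw = secrets.token_bytes(16), password.encode()
        ct = bytes(a ^ b for a, b in zip(pw, self._keystream(nonce, len(pw))))
        self.rows[user] = nonce + ct

    def recover(self, user: str) -> str:
        """The manual-reset readback, and exactly what a thief with rows + key does."""
        nonce, ct = self.rows[user][:16], self.rows[user][16:]
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct)))).decode()


def _stretch(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class HashedStore:
    """Per-user random salt + PBKDF2: verification works, readback does not exist."""

    def __init__(self) -> None:
        self.rows = {}             # user -> salt || digest

    def put(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(SALT_LEN)
        self.rows[user] = salt + _stretch(password, salt)

    def verify(self, user: str, password: str) -> bool:
        row = self.rows.get(user)
        if row is None:
            _stretch(password, b"\x00" * SALT_LEN)   # same cost for unknown users
            return False
        salt, digest = row[:SALT_LEN], row[SALT_LEN:]
        return hmac.compare_digest(_stretch(password, salt), digest)


def offline_guess(row: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """What a dump of the hashed table buys: one stretched guess per word, per user."""
    salt, digest = row[:SALT_LEN], row[SALT_LEN:]
    for guess in wordlist:
        if hmac.compare_digest(_stretch(guess, salt), digest):
            return guess
    return None


def breach_demo() -> dict:
    """Both tables leak together with the engine; compare what falls out of each."""
    reversible, hashed = ReversibleStore(secrets.token_bytes(32)), HashedStore()
    users = {"alice": "correct horse battery staple", "bob": "letmein"}   # constructed
    for user, password in users.items():
        reversible.put(user, password)
        hashed.put(user, password)
    wordlist = ["password", "letmein", "123456"]                          # constructed
    return {
        "reversible": {u: reversible.recover(u) for u in users},
        "hashed": {u: offline_guess(hashed.rows[u], wordlist) for u in users},
    }


if __name__ == "__main__":
    print(breach_demo())
```

Both "zero probability" claims in the posts above are too strong. The reversible table gives up every password, strong and unique ones included, the moment the key leaves the box with the data; the hashed table still leaves a weak password like bob's to an offline dictionary run, only now per user and at 600,000 iterations a guess. A unique password per site limits the blast radius to that one account; salted, stretched hashing limits what a breach of the table yields; a careful operator wants both. Note also that verification still works against a hash, so a manual reset could still confirm a password the user types in full. What hashing removes is reading one back or matching a partial description, which is precisely the step in the procedure usahero describes.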
TheRealSolid
August 18, 2013, 04:48:26 PM
 #38

Email password reset mechanisms are not ridiculously insecure if they are done correctly. Their only weak point is that a 'hacker' could get their email password and do a reset, but of course if they can get their email password then they can probably get their mcxnow password too.

Hashing of passwords is the gold standard of password storage in web applications.

Admins are strongly advised to never use encryption, for the obvious reason that if the DB is compromised then the hacker gains access to everyone's passwords. Before you give your standard canned response to this, remember: 1. some people use dozens of websites and it's a pain in the arse having a strong, unique password for every single one; 2. even if you're the world's best programmer, unexpected things can occur, meaning the DB could be compromised. It is therefore a non-zero probability that a hacker could gain everyone's passwords by your poor decision to employ encryption; using hashing+salting would make this a zero probability.

mcxNOW has no "remote database", which means everything is incorporated on the one machine, which doesn't have internet access. Secondly, the reason hashing passwords is a "gold standard" is because everyone uses databases like SQL which have been hacked to death since the internet began. mcxNOW doesn't use these systems; it uses a custom database and the exchange server cannot be accessed on the internet. There is zero code to read passwords on the site, which means it is impossible for an internet hacker to obtain passwords. Therefore the only way to get into the system is to be at the datacenter, then to understand the encryption, to reverse the binary, etc. It is beyond ludicrous to suggest it's a more probable event compared to any other system out there.

Meanwhile a typical exchange site that uses SQL can be broken from the internet. Yet if the SQL site uses password hashing it's somehow a "gold standard" compared to mcxNOW? Please. mcxNOW is *THE* standard because every single packet of information is controlled by the code from one person; I know everything that goes on within the exchange. There are no black boxes like others use in their PHP/SQL/ASP.NET setup.

And email systems are ridiculously insecure. If an email is hacked from ANYWHERE then they can reset your exchange password and steal all your funds. Say you check your email at your mother's house and she has a virus. They log into your email, see you use mtgox and reset the password. 24 hours later your account is drained. Your main PC doesn't even have to be compromised, and email systems are among the most compromised websites in existence. Most people probably aren't even aware their emails are hacked.

Your claim that email reset systems aren't insecure if "used properly" is easily extended to using a unique password at every site you use. It's really not that hard, and the only reason you shouldn't be doing it is ignorance, not laziness.

CIYAM
August 18, 2013, 05:08:21 PM
 #39

Actually CIYAM Open is a 100% C++ platform (and I would be interested to perhaps compare notes then).

I only store hashed passwords in the DB and don't really understand why you are not doing the same - the *reset* issue is really not the same thing as you can always send a new password (or a unique link for the email recipient) to accomplish this.

Why exactly do you think you should be able to decrypt your users passwords?

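Added example (an editor's illustration, not code from CIYAM, mcxNOW or anyone in this thread) of the "unique link" reset CIYAM mentions, built the way mr_random's "if they are done correctly" demands: the link carries a 256-bit random token, the server stores only the token's SHA-256 digest plus an expiry, a token is consumed on first presentation whether or not it succeeds, and issuing a new one revokes any still outstanding for that account. The in-memory table, the 15-minute lifetime, the hypothetical exchange.example URL and the injectable clock are assumptions made for the example.

```python
"""One-time, expiring password-reset tokens that are never stored in the clear (added example)."""
import hashlib
import hmac
import secrets
import time
from typing import Callable, List, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60      # assumed lifetime of the emailed link


def _digest(token: str) -> bytes:
    # Only this digest is kept server-side, so a dumped token table cannot be
    # replayed, unlike a dumped table of reversible passwords.
    return hashlib.sha256(token.encode()).digest()


class ResetTokens:
    """Issue and redeem reset links; the clock is injectable so expiry can be tested."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._rows: List[Tuple[bytes, str, float]] = []   # (digest, user, expires_at)

    def issue(self, user: str) -> str:
        # A new request revokes anything still outstanding for this user, so a link
        # an attacker triggered earlier cannot stay valid after the real user resets.
        self._rows = [r for r in self._rows if r[1] != user]
        token = secrets.token_urlsafe(32)                   # 256 bits; unguessable
        self._rows.append((_digest(token), user, self._now() + TOKEN_TTL_SECONDS))
        return token                                        # goes into the emailed link only

    def redeem(self, token: str) -> Optional[str]:
        """Return the account the token belongs to, once, and only before expiry."""
        wanted = _digest(token)
        for i, (stored, user, expires_at) in enumerate(self._rows):
            if hmac.compare_digest(stored, wanted):
                del self._rows[i]                           # single use, even when expired
                return user if self._now() <= expires_at else None
        return None

    def outstanding(self, user: str) -> int:
        """Unexpired links for a user; a hook for rate limiting reset requests."""
        now = self._now()
        return sum(1 for _, u, exp in self._rows if u == user and exp >= now)


if __name__ == "__main__":
    tokens = ResetTokens()
    link = "https://exchange.example/reset?token=" + tokens.issue("alice")   # hypothetical URL
    print(link)
    raw = link.rsplit("=", 1)[1]
    print(tokens.redeem(raw))   # alice
    print(tokens.redeem(raw))   # None: already used
```

On a successful redeem the caller sets the new password (salted and hashed, never stored reversibly) and mails a notice to the address of record. TheRealSolid's objection still applies to this design: a token only proves control of the mailbox, so on a site holding funds the reset path should also demand the account's second factor rather than replace it, which is the 2FA gap usahero opened the thread about.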
usahero (OP)
August 18, 2013, 05:16:48 PM
 #40

Unfortunately when a layman such as usahero encounters manual password reset and verification he gets upset that his "used at every site" password is visible to someone like myself. However exchanges which have reset by email (which usahero wanted and thinks is secure) are actually quite insecure.


I know the email recovery system has its weaknesses, so this is just another of your many strawman arguments. Let's rather focus on the recoverable passwords and the fact that you can spy on our passwords.




If you had worked your ass off as much as you bragged about your C++ skills the last 2 months, the update would already be here, by the way. So go to work, make your followers happy.