Bitcoin Forum
Pages: « 1 2 3 [4]  All
Author Topic: mcx passwords  (Read 4334 times)
mr_random
Legendary
August 19, 2013, 11:43:44 AM
 #61

Actually I'm wondering why there is no standard way of doing the hashing on the browser side, this could be an enhancement of security worldwide...

CIYAM Open uses this browser-side approach for its sign-in accounts (it also supports OpenID) - the password is hashed multiple rounds along with a server specific id (so hashes will not be the same for others that implement a CIYAM system) and finally concatenated with a UUID and hashed again (so a replay attack is not possible).

Yet you do email resets. While you said you do offer options to "beef that up" the default situation is highly insecure. Please go find a bank that does automatic password resets via email with no other authentication. It's highly insecure yet accepted as ok by some here why?


Yip, just checked, many banks do email password resets, google it. If you don't have the link: http://google.com Oh wait, Google does email password resets. Let me check another super insecure company: http://Amazon.com OMG, password resets, what is with the insecurity!

Notice how Realsolid calls people 'laymen' without even knowing the background of the person he is speaking to (myself - 1st class maths degree from an ivy league university and have been a web developer for years). The least Realsolid should do is warn on the new user registration page that he can read the passwords as this will stop most people from re-using passwords. That is the ethically correct thing to do imo until he follows the industry standard of hashing and salting passwords rather than reversible encryption/decryption.


CIYAM
Legendary
Ian Knowles - CIYAM Lead Developer


August 20, 2013, 10:37:57 AM
 #62

Wrong. Here's your solution: Store a user's GPG public key in encrypted form, or hell, even in plaintext. If they request a password reset, do a challenge/response.

No need to encrypt the public key (it is *public* after all) so all that is needed is to create a new random password and then GPG email it (unless the user has had their GPG private key stolen in which case you are no better off than any other automatic reset).

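The browser-side scheme CIYAM describes in the post above, worked through as an added example (this is not CIYAM's code; the use of SHA-256, the SERVER_ID value, the ROUNDS count and the message layout are assumptions chosen for the illustration). The browser derives a credential from the password and a server-specific id, the server stores that credential at sign-up, and each login answers a fresh UUID challenge, so a captured response cannot be replayed:

```python
import hashlib
import hmac
import uuid

SERVER_ID = "ciyam-demo-server-0001"  # assumption: a fixed id chosen per deployment
ROUNDS = 10_000                        # assumption: iteration count done in the browser


def derive_credential(password: str, server_id: str = SERVER_ID,
                      rounds: int = ROUNDS) -> bytes:
    """Browser side: iterated SHA-256 of the password together with the server id.

    The server id is mixed in on every round, so the same password produces a
    different credential on every deployment that uses a different id."""
    h = password.encode("utf-8")
    sid = server_id.encode("utf-8")
    for _ in range(rounds):
        h = hashlib.sha256(h + sid).digest()
    return h


def login_response(credential: bytes, nonce: str) -> str:
    """Browser side: bind the credential to the one-time UUID the server issued."""
    return hashlib.sha256(credential + nonce.encode("utf-8")).hexdigest()


class Server:
    """Server side: holds sign-up credentials and one outstanding nonce per user."""

    def __init__(self):
        self.credentials = {}   # username -> credential received at sign-up
        self.pending = {}       # username -> UUID issued for the current login attempt

    def register(self, user: str, credential: bytes) -> None:
        # The raw password never reaches the server; only the derived credential does.
        self.credentials[user] = credential

    def issue_nonce(self, user: str) -> str:
        nonce = str(uuid.uuid4())
        self.pending[user] = nonce       # replaces any earlier, unused nonce
        return nonce

    def verify(self, user: str, response: str) -> bool:
        nonce = self.pending.pop(user, None)   # consumed whether or not the attempt succeeds
        credential = self.credentials.get(user)
        if nonce is None or credential is None:
            return False
        expected = login_response(credential, nonce)
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    """One honest login followed by two replays of the captured response."""
    server = Server()
    credential = derive_credential("correct horse battery staple")  # sample password, constructed
    server.register("alice", credential)

    nonce = server.issue_nonce("alice")
    captured = login_response(credential, nonce)      # what a network observer would see
    results = {"login": server.verify("alice", captured)}

    # Replay 1: same response again; the nonce was consumed, so no challenge is outstanding.
    results["replay_same_nonce"] = server.verify("alice", captured)

    # Replay 2: the server issues a fresh UUID; the captured response was bound to the old one.
    server.issue_nonce("alice")
    results["replay_new_nonce"] = server.verify("alice", captured)
    return results


if __name__ == "__main__":
    print(demo())   # {'login': True, 'replay_same_nonce': False, 'replay_new_nonce': False}
```

The caveat a practitioner should keep in mind: to check hash(credential || UUID) the server has to hold the credential itself, so the stored credential is password-equivalent for that site. The scheme keeps the raw password off the server (which stops reuse on other sites from being exposed) and defeats replay on the wire, but a copy of the server's table still lets an attacker answer challenges, so that table needs the same protection as any other secret.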
laughingbear
Deflationary champion
Hero Member
August 20, 2013, 04:45:21 PM
 #63

RS, unless you provide one of these for every user that signs up, your security is total shit!

http://360biometrics.com/iris_image_capture_scanner/crossmatch/I_SCAN_2_Dual_Iris_Capture_Scanner.php


Shit.... I guess a hacker "could" steal our eyes.

I guess the only thing we can do is use a unique password

usahero (OP)
Sr. Member
August 20, 2013, 05:11:36 PM
 #64


I guess the only thing we can do is use a unique password



And when unique passwords get logged by a keylogger, Google Authenticator is there to help you protect your funds.

No need to flame, added security should result in higher share-fee payouts.
laughingbear
Deflationary champion
Hero Member
August 20, 2013, 06:42:14 PM
 #65


I guess the only thing we can do is use a unique password



And when unique passwords get logged by a keylogger, Google Authenticator is there to help you protect your funds.

No need to flame, added security should result in higher share-fee payouts.


you are right... I should not try and stir up a bunch of problems over a stupid non issue.
DeathAndTaxes
Donator
Legendary
Gerald Davis


August 20, 2013, 06:48:03 PM
 #66

I guess the only thing we can do is use a unique password

That is naive. Say the company (any company) grows and eventually multiple people will have access to the password list. If it is hashed that provides a level of security against internal theft/abuse. If it isn't, then an employee steals your login credentials, goes home, logs in as you with your unique secure password and withdraws all your coins.

There is a reason hashed passwords are a security standard. Password reuse is one vulnerability but it isn't the only one.
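The two storage models argued over in this thread, side by side, as an added example (not mcxNOW's code, and not a description of how mcxNOW actually stores anything): mr_random's post (#61) asks for "hashing and salting passwords rather than reversible encryption/decryption", and the post above explains why it matters once more than one person can read the table. Scheme 1 is reversible encryption under a server-held key; the XOR keystream cipher used for it is an assumed toy so the block runs stand-alone, but the property demonstrated holds for any cipher. Scheme 2 is PBKDF2-HMAC-SHA256 with a per-user random salt, chosen because it is in the Python standard library; the iteration count is an assumption.

```python
import base64
import hashlib
import hmac
import os

# ---- Scheme 1: reversible encryption with a server-held key ----
# Toy XOR keystream built from SHA-256 (assumption, for a self-contained demo).
# Whoever holds the key (the operator, or anyone who copies key and table)
# reads every password back in clear; that is the point, not the cipher.
SERVER_KEY = b"operator-only-key-kept-on-the-server"   # assumption


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_password(password: str, key: bytes = SERVER_KEY) -> str:
    iv = os.urandom(16)
    pw = password.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(pw, _keystream(key, iv, len(pw))))
    return base64.b64encode(iv + ct).decode("ascii")


def decrypt_password(record: str, key: bytes = SERVER_KEY) -> str:
    raw = base64.b64decode(record)
    iv, ct = raw[:16], raw[16:]
    pw = bytes(a ^ b for a, b in zip(ct, _keystream(key, iv, len(ct))))
    return pw.decode("utf-8")


def dump_reversible_store(store: dict, key: bytes = SERVER_KEY) -> dict:
    """Everything an insider with the key recovers from a copy of the table."""
    return {user: decrypt_password(rec, key) for user, rec in store.items()}


# ---- Scheme 2: salted, iterated one-way hash (PBKDF2-HMAC-SHA256) ----
ITERATIONS = 100_000   # assumption: work factor; raise as hardware allows


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    salt = os.urandom(16)   # fresh per user, so equal passwords give unequal records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    try:
        algo, iters, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False            # malformed record
    if algo != "pbkdf2_sha256":
        return False            # unknown scheme; never fall back to something weaker
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(candidate, expected)   # constant-time comparison


def demo() -> dict:
    """Store one sample password both ways and see what a copy of each table yields."""
    password = "correct horse battery staple"   # sample, constructed for the example
    reversible = {"alice": encrypt_password(password)}
    hashed = {"alice": hash_password(password), "bob": hash_password(password)}
    return {
        "reversible_table_reveals": dump_reversible_store(reversible),      # {'alice': 'correct horse battery staple'}
        "hashed_login_ok": verify_password(password, hashed["alice"]),      # True
        "hashed_login_wrong": verify_password(password + "x", hashed["alice"]),  # False
        "same_password_same_record": hashed["alice"] == hashed["bob"],      # False: salts differ
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With Scheme 2 there is no key that turns a record back into a password, so the employee in the scenario above who walks off with the table still has to guess, one salted PBKDF2 computation per guess per user. In production a memory-hard function (scrypt or Argon2id) is the better choice for the same role; the storage and verification logic stays the same.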
TheRealSolid
Member
Operator of mcxNOW | Programmer of MicroCash


August 23, 2013, 05:05:04 PM
 #67

That is naive. Say the company (any company) grows and eventually multiple people will have access to the password list. If it is hashed that provides a level of security against internal theft/abuse. If it isn't, then an employee steals your login credentials, goes home, logs in as you with your unique secure password and withdraws all your coins.

There is a reason hashed passwords are a security standard. Password reuse is one vulnerability but it isn't the only one.

No such threat exists currently because only one person has access to any such data (myself). Employees of any company are expected to treat data in a secure fashion. My bank for instance knows my password and all security questions. Any employee I call has access to that data. More factors of authentication are always good and help restrict what employees can do though, which I've added in the next update.

I think the biggest weakness with any of these systems is the human element which is why I reduced the need for them to the bare essentials. Handling 10 minutes of support a day for over 7000 accounts isn't too hard for me atm but thinking longer term if the site is very successful then new arrangements will have to be made because I always want to restrict that human element, the biggest weakness.

korobass
Newbie
May 24, 2014, 11:01:28 AM
 #68

I've lost my password for my mcx account. How can I recover it? I've already sent an email with a description of my problem to the mcx support address, but didn't get a response. I've also tried to contact RealSolid on the IRC channel, but didn't get any response. Is there a chance to recover a lost password for my account? Anyone have a similar situation on the mcx site?