Bitcoin Forum
Author Topic: MCXNow Can See your passwords! REALSolid has access to all your Passwords  (Read 4752 times)
Zyl
Newbie
September 17, 2013, 11:33:06 AM
 #41

It's not about jealousy, it's about irresponsibility, and breaking trust with your clients.

RS is an obvious amateur when it comes to security.
MarpleTrading
Full Member
September 17, 2013, 11:49:45 AM
 #42

It's not about jealousy, it's about irresponsibility, and breaking trust with your clients.

RS is an obvious amateur when it comes to security.


This is all about jealousy and envy.
Salting and hashing is absolutely no added security. I said it twice and will repeat this forever, EVERY SITE ADMIN HAS THE ABILITY TO SEE YOUR PASSWORDS.

At least RS is honest about it, and I cannot see how that is breaking trust.

I wish you people would use your brain for once instead of saying what others are saying.

An easy to use API for price information from the most important crypto exchanges
https://www.cryptodb.com
ahmed_bodi
Hero Member
September 17, 2013, 11:56:55 AM
 #43

It's not about jealousy, it's about irresponsibility, and breaking trust with your clients.

RS is an obvious amateur when it comes to security.


This is all about jealousy and envy.
Salting and hashing is absolutely no added security. I said it twice and will repeat this forever, EVERY SITE ADMIN HAS THE ABILITY TO SEE YOUR PASSWORDS.

At least RS is honest about it, and I cannot see how that is breaking trust.

I wish you people would use your brain for once instead of saying what others are saying.

Wrong, most can only see the hash. They would have to decrypt it to see the password.
I used the exchange before, but even I can tell you, no matter how well it works, the non-hashing is the single flaw in there.

Bitrated user: ahmedbodi.
MarpleTrading
Full Member
September 17, 2013, 12:19:26 PM
 #44

It's not about jealousy, it's about irresponsibility, and breaking trust with your clients.

RS is an obvious amateur when it comes to security.


This is all about jealousy and envy.
Salting and hashing is absolutely no added security. I said it twice and will repeat this forever, EVERY SITE ADMIN HAS THE ABILITY TO SEE YOUR PASSWORDS.

At least RS is honest about it, and I cannot see how that is breaking trust.

I wish you people would use your brain for once instead of saying what others are saying.

Wrong, most can only see the hash. They would have to decrypt it to see the password.
I used the exchange before, but even I can tell you, no matter how well it works, the non-hashing is the single flaw in there.

The password is encrypted server side, hence you can see it, period.

ahmed_bodi
Hero Member
September 17, 2013, 12:26:43 PM
 #45

Doesn't make much of a difference where it's encrypted. Yes, it's possible to check it before it's encrypted. That's nothing to say that the majority of site admins will. You as a dev should know better than that.

vinne81
Full Member
September 17, 2013, 12:36:22 PM
 #46


Wrong, most can only see the hash. They would have to decrypt it to see the password.
I used the exchange before, but even I can tell you, no matter how well it works, the non-hashing is the single flaw in there.

Are you joking?? Of course they can see the password, it's the admin (or their software) that does the hashing in the first place.

Admin wanting to have passwords 101.
1) User enters passwords
2) Code on site logs cleartext password to a logfile, then hashes password into the database.

Non hashed passwords in the database only make the database more vulnerable should it be stolen. That's it. It doesn't make RS untrustworthy. Let's just hope his db is unstealable.
MarpleTrading
Full Member
September 17, 2013, 12:55:35 PM
 #47

Doesn't make much of a difference where it's encrypted. Yes, it's possible to check it before it's encrypted. That's nothing to say that the majority of site admins will. You as a dev should know better than that.


I have never said nor have I implied that site admins ARE looking at the passwords. I merely stated that if they WISHED to, they COULD.
This was about trust and that trust is broken by not hashing and salting passwords.

That is utter bollocks. Hashing is only helping if the DB is stolen and people are so foolish to have only one password for everything.
But even hashed passwords can be guessed and as a dev you should know that. ;)

Also RS' database is apparently encrypted in some way, so a potential thief still does not have access to the password right away.

albitos
Newbie
September 29, 2013, 02:37:08 AM
 #48

Non hashed passwords in the database only make the database more vulnerable should it be stolen. That's it. It doesn't make RS untrustworthy. Let's just hope his db is unstealable.

There is no such thing and if he claims otherwise, then he's just being arrogant. But keeping passwords in cleartext is a real threat. In hosting companies there are a lot of people who have access to servers. It's much more secure to make sure they can't just make a copy of your disk and start stealing accounts from stupid users who are too dumb to use different passwords.

Don't get me wrong, I am using mcxnow myself and have no intention of undermining his credibility - just pointing out how it works. I've created multiple applications and this kind of thing is Security 101.
woodrake
Full Member
October 14, 2013, 02:57:40 PM
 #49

I don't see why this is a surprise? Of course a site run by a few individuals with zero regulatory oversight could have access to passwords. In fact I'd hazard that many IT companies who do not have solid information security management systems in place (e.g. ISO27001) have the capability for rogue systems administrators and/or developers to capture user passwords. Many even likely have them stored in plain text so that they can easily send out reminder emails and such.

As with all sites, you should use a different, unique password for each one. We provide a free tool for the purpose, here.

Caveat emptor. RS has a somewhat questionable past and people should make up their own mind.

Kate.

MarpleTrading
Full Member
October 14, 2013, 06:23:55 PM
 #50

[snip..]Salting and hashing is absolutely no added security.

.. I'd just like to point out, that if the server is compromised and the attacker can download the full database of passwords... then they have 11k accounts and passwords, some of which will no doubt be used on other sites as well.

If the passwords are stored encrypted, then the attacker cannot download all 11k passwords at once and must put in some code to get the password - pre encryption - per login.

Thus, if time between attack and attack detection is 24 hours, the attacker will only have gathered the passwords of users who have logged in the last 24 hours - not all 11k.

Thus, quite obviously, storing passwords encrypted IS in fact added security. Not doing this IS a flaw.

According to RS the passwords ARE ENCRYPTED, but it is a two-way encryption, not a one-way like hashing is.

erk
Hero Member
October 14, 2013, 08:30:03 PM
Last edit: October 14, 2013, 08:47:26 PM by erk
 #51

Here is some basic Internet info for noobs.

Assume the site owners, your ISP, your email provider can read or bypass your passwords as required.

Never use the same password on two different sites.

Assume everything you type is being recorded.

Do not click on email enclosures from people you don't know.



As for MCXnow, the site probably works better than most of the exchanges out there, it has some great features like earning interest on your deposits every 6 hours, and payban which is a real hoot.







bazzip
Full Member
October 16, 2013, 12:16:31 AM
 #52

Maybe you're saying he can hack Google Authenticator too? This thread is retarded.

DOGE wallet address:  DSyvezAiSdTjQpcTCDarNftZxw3nvSGFrv
trkmed
Newbie
October 17, 2013, 11:25:41 PM
 #53

2 months ago I tried to recover my mcxnow password. I sent an email to admin and he asked me about the password, or to tell him what letters are in my password.

I suppose that my password was in clear text for him.


just take care...
redphlegm
Sr. Member
October 18, 2013, 12:21:08 AM
 #54

One should always assume the admin can see what you store. I'm surprised that people are worried about this aspect when in reality, in a large majority of cases, they store significant amounts of crypto on the site in a shared wallet. What do you care more about - that he can see your stupid "hunter2" password or that he could, at any time, jank your funds? There has to be a certain level of trust at some point. If you don't trust him or mcxnow, go elsewhere. I hear there are some Russians that are pretty trustworthy with these kinds of things. ;)

Whiskey Fund: (BTC) 1whiSKeYMRevsJMAQwU8NY1YhvPPMjTbM | (Ψ) ALcoHoLsKUfdmGfHVXEShtqrEkasihVyqW
sheffters
Member
October 18, 2013, 12:28:03 AM
 #55


Wrong, most can only see the hash. They would have to decrypt it to see the password.
I used the exchange before, but even I can tell you, no matter how well it works, the non-hashing is the single flaw in there.

Are you joking?? Of course they can see the password, it's the admin (or their software) that does the hashing in the first place.

Admin wanting to have passwords 101.
1) User enters passwords
2) Code on site logs cleartext password to a logfile, then hashes password into the database.

Non hashed passwords in the database only make the database more vulnerable should it be stolen. That's it. It doesn't make RS untrustworthy. Let's just hope his db is unstealable.

All my sites use JS client side to hash the password and send that over. That hash is then salted server side and rehashed to check against the db. No plain text password ever leaves client machine.
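
The scheme described in the post above (hash on the client, then a per-user salt and rehash on the server), set beside the plaintext storage this thread argues about. This is an added example, not code from any poster or from mcxNOW; the PBKDF2 parameters, the sample accounts and every function name are assumptions made here.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Added example: all names and parameters below are assumptions, not mcxNOW code.
ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor

# Constructed sample accounts: alice and carol picked the same password.
USERS = {"alice": "hunter2", "bob": "correct horse", "carol": "hunter2"}


def client_digest(password: str) -> bytes:
    """Stand-in for the browser-side hash; the plaintext stays on the client."""
    return hashlib.sha256(password.encode()).digest()


def make_record(secret: bytes) -> tuple:
    """Server side: fresh random salt plus slow hash. Only this pair is stored."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)


def verify(secret: bytes, record: tuple) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def shared_values(table: dict) -> list:
    """Groups of users whose stored value is identical, as seen in the table."""
    groups = defaultdict(list)
    for user, value in table.items():
        groups[value].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


# Three ways the same accounts could sit in a database.
plaintext_table = dict(USERS)
unsalted_table = {u: client_digest(p) for u, p in USERS.items()}
salted_table = {u: make_record(client_digest(p)) for u, p in USERS.items()}

if __name__ == "__main__":
    print("plaintext:", shared_values(plaintext_table))
    print("unsalted :", shared_values(unsalted_table))
    print("salted   :", shared_values(salted_table))
    print("login ok :", verify(client_digest("hunter2"), salted_table["alice"]))
```

With this layout the client digest is itself the login secret for the site, so it still has to travel over TLS; what the server no longer receives is the plaintext a user may have reused elsewhere.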
ninjaboon
Legendary
October 18, 2013, 02:43:03 AM
 #56

Guys, since we are talking about security and passwords on Exchanges,
have there been any break-ins at https://bter.com/ ?
Looks like a solid site to me.

erk
Hero Member
October 18, 2013, 03:18:44 AM
 #57

It's not about jealousy, it's about irresponsibility, and breaking trust with your clients.

RS is an obvious amateur when it comes to security.



This is about RS establishing a long pattern of arrogant incompetence to fall back on when mcxNOW gets "hacked" and everybody's funds vaporize.


~BCX~


You wish.
Loki8
Full Member
October 18, 2013, 06:14:43 AM
 #58

It's not about jealousy, it's about irresponsibility, and breaking trust with your clients.

RS is an obvious amateur when it comes to security.


The crypto world is full of amateurs.

I am tired of these people who are unprofessional and who have no clue about business. I already lost much money with bitcoin-24, this site was made by an amateur, an unprofessional kid, and now he has problems with the justice... I learnt the lesson, I will never send my money on a site like this one without address nor name, even with btc-e, I am not sure that they are very professional.

The crypto world needs rules and professionalism!
erk
Hero Member
October 18, 2013, 06:26:08 AM
 #59

It's not about jealousy, it's about irresponsibility, and breaking trust with your clients.

RS is an obvious amateur when it comes to security.


The crypto world is full of amateurs.

I am tired of these people who are unprofessional and who have no clue about business. I already lost much money with bitcoin-24, this site was made by an amateur, an unprofessional kid, and now he has problems with the justice... I learnt the lesson, I will never send my money on a site like this one without address nor name, even with btc-e, I am not sure that they are very professional.

The crypto world needs rules and professionalism!
Why are you involving yourself at all in crypto if you are that paranoid? Stick with fiat or cash under the bed if you don't trust bankers.

Loki8
Full Member
October 18, 2013, 07:07:07 AM
 #60

It's not about jealousy, it's about irresponsibility, and breaking trust with your clients.

RS is an obvious amateur when it comes to security.


The crypto world is full of amateurs.

I am tired of these people who are unprofessional and who have no clue about business. I already lost much money with bitcoin-24, this site was made by an amateur, an unprofessional kid, and now he has problems with the justice... I learnt the lesson, I will never send my money on a site like this one without address nor name, even with btc-e, I am not sure that they are very professional.

The crypto world needs rules and professionalism!
Why are you involving yourself at all in crypto if you are that paranoid? Stick with fiat or cash under the bed if you don't trust bankers.



I really don't like scammers and unprofessional people but fortunately, there are also professionals who do their job with competence. They are not numerous but they exist.