Zyl
Newbie
 Offline
Activity: 33
Merit: 0
|
 |
September 17, 2013, 11:33:06 AM |
|
It's not about jealousy, it's about irresponsibility, and breaking trust with your clients.
RS is an obvious amateur when it comes to security.
|
|
|
|
|
|
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
|
|
MarpleTrading
|
|
September 17, 2013, 11:49:45 AM |
|
It's not about jealousy, it's about irresponsibility, and breaking trust with your clients.
RS is an obvious amateur when it comes to security.
This is all about jealousy and envy. Salting and hashing is absolutely no added security. I said it twice and will repeat this forever, EVERY SITE ADMIN HAS THE ABILITY TO SEE YOUR PASSWORDS. At least RS is honest about it, and I cannot see how that is breaking trust. I wished you people use your brain for once instead of saying what others are saying. |
|
|
|
|
ahmed_bodi
|
|
September 17, 2013, 11:56:55 AM |
|
It's not about jealousy, it's about irresponsibility, and breaking trust with your clients.
RS is an obvious amateur when it comes to security.
This is all about jealousy and envy. Salting and hashing is absolutely no added security. I said it twice and will repeat this forever, EVERY SITE ADMIN HAS THE ABILITY TO SEE YOUR PASSWORDS. At least RS is honest about it, and I cannot see how that is breaking trust. I wished you people use your brain for once instead of saying what others are saying. wrong, most can only see the hash. they would have to decrypt it to see the password i use the exchange before but even i can tell you no matter how well it works the non hashing is the single flaw in there |
Bitrated user: ahmedbodi.
|
|
|
|
MarpleTrading
|
|
September 17, 2013, 12:19:26 PM |
|
It's not about jealousy, it's about irresponsibility, and breaking trust with your clients.
RS is an obvious amateur when it comes to security.
This is all about jealousy and envy. Salting and hashing is absolutely no added security. I said it twice and will repeat this forever, EVERY SITE ADMIN HAS THE ABILITY TO SEE YOUR PASSWORDS. At least RS is honest about it, and I cannot see how that is breaking trust. I wished you people use your brain for once instead of saying what others are saying. wrong, most can only see the hash. they would have to decrypt it to see the password i use the exchange before but even i can tell you no matter how well it works the non hashing is the single flaw in there The password is encrypted server side, hence you can see it period. |
|
|
|
|
ahmed_bodi
|
|
September 17, 2013, 12:26:43 PM |
|
doesnt make much of a difference where its encrypted. yes its possible to check its before its encrypted. thats nothing to say that the majorityof site admins will. you as a dev should know better than that
|
Bitrated user: ahmedbodi.
|
|
|
|
vinne81
|
|
September 17, 2013, 12:36:22 PM |
|
wrong, most can only see the hash. they would have to decrypt it to see the password
i use the exchange before but even i can tell you no matter how well it works the non hashing is the single flaw in there
Are you joking?? Of course they can see the password, it's the admin (or their software) that does the hashing in the first place. Admin wanting to have passwords 101.1) User enters passwords 2) Code on site logs cleartext password to a logfile, then hashes password into the database. Non hashed passwords in the database only make the database more vulnerable should it be stolen. That's it. It doesn't make RS untrustworthy. Let's just hope his db is unstealable. |
|
|
|
|
|
MarpleTrading
|
|
September 17, 2013, 12:55:35 PM |
|
doesnt make much of a difference where its encrypted. yes its possible to check its before its encrypted. thats nothing to say that the majorityof site admins will. you as a dev should know better than that
I have never said nor have i implied that site admins ARE looking at the passwords. I merely stated that if they WISHED to, they COULD. This was about trust and that trust is broken by not hashing and salting passwords. That is utterly bullocks. Hashing is only helping if the DB is stolen and people are so foolish to have only one password for everything. But even hashed passwords can be guessed and as a dev you should know that.  Also RS' database is apparently encrypted in someway, so a potential thief still does not have access to the password right away. |
|
|
|
albitos
Newbie
Offline
Activity: 7
Merit: 0
|
|
September 29, 2013, 02:37:08 AM |
|
Non hashed passwords in the database only make the database more vulnerable should it be stolen. That's it. It doesn't make RS untrustworthy. Let's just hope his db is unstealable.
There is no such thing and if he claims otherwise, than he's just being arrogant. But keeping passwords in cleartext is a real threat. In hosting companies there is a lot of people who have access to servers. It's much secure to make sure they can't just make a copy of your disk and start stealing accounts from stupid users who are too dumb to use diffrent passwords. Don't get me wrong, I am using myself mcxnow and have no intention in undermining his credibility - just pointing how it works. I've created multiple applications and this kind of thing is Security 101. |
|
|
|
|
|
woodrake
|
|
October 14, 2013, 02:57:40 PM |
|
I don't see why this is a surprise? Of course a site run by a few individuals with zero regulatory oversight could have access to passwords. In fact I'd hazard that many IT companies who do not have solid information security management systems in place (eg. ISO27001) have the capability for rogue systems administrators and/or developers to capture user passwords. Many even likely have them stored in plain text so that they can easily send out reminder emails and such. As with all sites, you should use a different, unique password for each one. We provide a free tool for the purpose, here. Caveat emptor. RS has a somewhat questionable past and people should make up their own mind. Kate. |
|
|
|
|
MarpleTrading
|
|
October 14, 2013, 06:23:55 PM |
|
[snip..]Salting and hashing is absolutely no added security.
.. I'd just like to point out, that if the server is compromised and the attacker can download the full database of passwords... then they have 11k accounts and passwords, some of which will no doubt be used on other sites aswell. If the passwords are stored encrypted, then the attacked cannot download all 11k passwords at once and must put in some code to get the password - pre encryption - per login. Thus, if time between attack and attack detection is 24 hours, the attacker will only have gathered the passwords of users who have logged in the last 24 hours - not all 11k. Thus, quite obviously, storing passwords encrypted IS infact added security. Not doing this IS a flaw. According to RS the passwords ARE ENCRYPTED, but it is a two encryption not a one way like hashing is. |
|
|
|
|
erk
|
|
October 14, 2013, 08:30:03 PM
Last edit: October 14, 2013, 08:47:26 PM by erk |
|
Here is some basic Internet info for noobs.
Assume the site owners, your ISP, your email provider can read or bypass your passwords as required.
Never use the same password on two different sites.
Assume everything you type is being recorded.
Do no click on email enclosures from people you don't know.
As for MCXnow, the site probably works better than most of the exchanges out there, it has some great features like earning interest on your deposits every 6 hours, and payban which is a real hoot.
|
|
|
|
|
|
bazzip
|
|
October 16, 2013, 12:16:31 AM |
|
Maybe youre saying he can hack Google Authenticator too? This thread is retarded.
|
DOGE wallet address: DSyvezAiSdTjQpcTCDarNftZxw3nvSGFrv
|
|
|
trkmed
Newbie
Offline
Activity: 31
Merit: 0
|
|
October 17, 2013, 11:25:41 PM |
|
2 month ago I tryed to recover my mcxnow password. I sent an email to admin and he asked me about the password, or to tell him what letters are in my password.
I suppose that my password was in clear text for him.
just take care...
|
|
|
|
|
redphlegm
Sr. Member
Offline
Activity: 246
Merit: 250
My spoon is too big!
|
|
October 18, 2013, 12:21:08 AM |
|
One should always assume the admin can see what you store. I'm surprised that people are worried about this aspect when in reality the fact that in a large majority of cases they store significant amounts of crypto on the site in a shared wallet. What do you care more about - that he can see your stupid "hunter2" password or that he could, at any time, jank your funds? There has to be a certain level of trust at some point. If you don't trust him or mcxnow, go elsewhere. I hear there are some Russians that are pretty trustworthy with these kinds of things. |
Whiskey Fund: (BTC) 1whiSKeYMRevsJMAQwU8NY1YhvPPMjTbM | (Ψ) ALcoHoLsKUfdmGfHVXEShtqrEkasihVyqW
|
|
|
sheffters
Member
Offline
Activity: 115
Merit: 10
|
|
October 18, 2013, 12:28:03 AM |
|
wrong, most can only see the hash. they would have to decrypt it to see the password
i use the exchange before but even i can tell you no matter how well it works the non hashing is the single flaw in there
Are you joking?? Of course they can see the password, it's the admin (or their software) that does the hashing in the first place. Admin wanting to have passwords 101.1) User enters passwords 2) Code on site logs cleartext password to a logfile, then hashes password into the database. Non hashed passwords in the database only make the database more vulnerable should it be stolen. That's it. It doesn't make RS untrustworthy. Let's just hope his db is unstealable. All my sites use JS client side to hash the password and send that over. That hash is then salted server side and rehashed to check against the db. No plain text password ever leaves client machine. |
|
|
|
|
ninjaboon
Legendary
Offline
Activity: 2114
Merit: 1002
|
|
October 18, 2013, 02:43:03 AM |
|
Guys, since we are talking about security and passwords on Exchanges, have there been any breakins at https://bter.com/ ? Looks like a solid site to me. |
|
|
|
|
erk
|
|
October 18, 2013, 03:18:44 AM |
|
It's not about jealousy, it's about irresponsibility, and breaking trust with your clients.
RS is an obvious amateur when it comes to security.
This is about RS establishing a long pattern of arrogant incompetence to fall back on when mcxNOW gets "hacked" and everybody's funds vaporize. ~BCX~ You wish. |
|
|
|
|
|
Loki8
|
|
October 18, 2013, 06:14:43 AM |
|
It's not about jealousy, it's about irresponsibility, and breaking trust with your clients.
RS is an obvious amateur when it comes to security.
The crypto world is full of amateurs. I am tired of these people who are unprofessional and who have no clue about business. I already lost much money with bitcoin-24, this site was made by an amateur, an unprofessional kid, and now he has problems with the justice... I learnt the lesson, I will never send my money on a site like this one without address nor name, even with btc-e, i am not sure that they are very professional. The crypto world needs rules and professionalism! |
|
|
|
|
|
erk
|
|
October 18, 2013, 06:26:08 AM |
|
It's not about jealousy, it's about irresponsibility, and breaking trust with your clients.
RS is an obvious amateur when it comes to security.
The crypto world is full of amateurs. I am tired of these people who are unprofessional and who have no clue about business. I already lost much money with bitcoin-24, this site was made by an amateur, an unprofessional kid, and now he has problems with the justice... I learnt the lesson, I will never send my money on a site like this one without address nor name, even with btc-e, i am not sure that they are very professional. The crypto world needs rules and professionalism! Why are you involving yourself at all in crypto if you are that paranoid? Stick with fiat or cash under the bed if you don't trust bankers. |
|
|
|
|
|
Loki8
|
|
October 18, 2013, 07:07:07 AM |
|
It's not about jealousy, it's about irresponsibility, and breaking trust with your clients.
RS is an obvious amateur when it comes to security.
The crypto world is full of amateurs. I am tired of these people who are unprofessional and who have no clue about business. I already lost much money with bitcoin-24, this site was made by an amateur, an unprofessional kid, and now he has problems with the justice... I learnt the lesson, I will never send my money on a site like this one without address nor name, even with btc-e, i am not sure that they are very professional. The crypto world needs rules and professionalism! Why are you involving yourself at all in crypto if you are that paranoid? Stick with fiat or cash under the bed if you don't trust bankers. I really don't like scammers and unprofessional people but fortunately, there are also professionals who do their job with competence. They are not numerous but they exist. |
|
|
|
|
|
