Bitcoin Forum
December 10, 2016, 08:46:28 PM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: « 1 2 3 4 5 6 [7] 8 9 »  All
  Print  
Author Topic: MtGox account compromised  (Read 108238 times)
DarkMatter
Member
**
Offline Offline

Activity: 86


Stop breeding! Save the Earth! www.vhemt.org


View Profile WWW
February 02, 2011, 10:39:14 AM
 #121

Somewhat off-topic, but regarding this from a few pages earlier:

Considering the actual situation (I'm sorry for the user using a common dictionary word as his "bank" account password, and mtgox not having any dictionary attack protection implementation ... ), I just noticed a great drop of the BTC available for free at http://freebitcoins.appspot.com. It dropped about 300BTC in 36hrs. Should we worry?

The faucet is now empty. 

No one even answered me, what the hell Smiley
Anyway, the faucet is closed for maintenance.
"Faucet closed for repairs

Sorry, the Bitcoin Faucet is temporarily closed for repairs. It should reopen in a day or two. Thanks for your patience."

Feed The Troll!! | 1JKdTyUjxo5VJoaQKjp4oUnXqdSSErC1mp
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1481402788
Hero Member
*
Offline Offline

Posts: 1481402788

View Profile Personal Message (Offline)

Ignore
1481402788
Reply with quote  #2

1481402788
Report to moderator
1481402788
Hero Member
*
Offline Offline

Posts: 1481402788

View Profile Personal Message (Offline)

Ignore
1481402788
Reply with quote  #2

1481402788
Report to moderator
1481402788
Hero Member
*
Offline Offline

Posts: 1481402788

View Profile Personal Message (Offline)

Ignore
1481402788
Reply with quote  #2

1481402788
Report to moderator
Cdecker
Hero Member
*****
Offline Offline

Activity: 487



View Profile WWW
February 02, 2011, 11:03:17 AM
 #122

You are safe, even a very advanced rainbow table attack would not break strong 16 char pass. basically anything randomish above 12 chars and even with a good mix of chars above 8 could be considered fairly secure.

Just mix into the pass some spaces, brackets, other weird symbols, numbers, upppercase and lowercase letters and anything above 8 chars will be good.
Not a really good comparison since you'd have to have the hash of the password, and we could compile a rainbow table for almost anything. One way to defeat Rainbow tables is salting the password hashes (you are salting your passwords MtGox aren't you?) Cheesy

Want to see what developers are chatting about? http://bitcoinstats.com/irc/bitcoin-dev/logs/
Bitcoin-OTC Rating
Anonymous
Guest

February 02, 2011, 11:24:32 AM
 #123

You havent seen the double rainbow attack yet.  Tongue
sirius
Bitcoiner
Staff
Sr. Member
****
Offline Offline

Activity: 429



View Profile
February 02, 2011, 12:01:55 PM
 #124

Cool. What bank does this? If you don't mind sharing...

Every bank in Finland. Also, all banks here support instant, irrevocable online payments from their customers with a simple interface. There are 3rd party services that have accounts in every bank, let the customer choose which to use, and forward the payment to the merchant. It would be very useful if there was an international service like that.

Identifi - Decentralized address book with trust ratings
I'm not a forum admin - please contact theymos instead.
ribuck
Donator
Legendary
*
Offline Offline

Activity: 826


View Profile
February 02, 2011, 02:42:31 PM
 #125

Something else I think that people forget is changing your password often.
But then you have to write the passwords down, which kind of defeats the purpose. Sure, you can store them encrypted on your computer, but what about when you are travelling?

I use a fairly strong basic password, plus a rule to modify it for each site. This just gives me two things to remember: the password and the rule. The rule is not straightforward to apply, but I can do it in my head if I have to.

The only thing that messes this up is the occasional site that has some stupid password rule (e.g. no punctuation allowed).
kiba
Legendary
*
Offline Offline

Activity: 980


View Profile
February 02, 2011, 02:45:43 PM
 #126

What about public key infrastructure?

Drifter
Sr. Member
****
Offline Offline

Activity: 367


View Profile
February 02, 2011, 03:00:20 PM
 #127

Something else I think that people forget is changing your password often.
But then you have to write the passwords down, which kind of defeats the purpose. Sure, you can store them encrypted on your computer, but what about when you are travelling?

I use the portable version of Keepass for the passwords I need if traveling. Very useful and I always have my USB on me. You could also have lastpass save your passwords and they would be available anywhere with an internet connection.


I just rather have one master password than passwords with any sort of pattern. Some of my passwords are 50 characters long for paranoia sake. It would be good if I had a password I could memorize, but I usually think if a password is easy enough to remember, it's just not good enough.

 

ShadowOfHarbringer
Legendary
*
Offline Offline

Activity: 1470


Bringing Legendary Har® to you since 1952


View Profile
February 02, 2011, 04:27:57 PM
 #128

Yeah, I specifically don't keep anything in my mtgox account because it seems insecure, same reason I don't trust mybitcoin. I keep my own computer secured, and past that, so if I keep my wallet on my computer and have an encrypted backup, I should be good.

Yeah, todays encryption capabilities can make your home a digital Fort Knox, so why use banks ?
This is exactly the reason why bitcoin is so awesome.

davout
Legendary
*
Offline Offline

Activity: 1358


1davout


View Profile WWW
February 02, 2011, 04:35:39 PM
 #129

Because I don't want to sign a transaction with five PGP keys, a fingerprint and a sample of my DNA each time i want to buy some coffee.

cryptofo
Newbie
*
Offline Offline

Activity: 28


View Profile
February 02, 2011, 06:28:08 PM
 #130

Hi Friends,
I just wanted to let everyone know that Jed replaced half my bitcoins.  He is a scholar and a gentleman.  He didn't have to, but he did.  50/50 split responsibility.  Much respect and gratitude to Jed and all the work he has done to support the bitcoin community.  I have learned a valuable lesson in when it comes to not using bonehead passwords.  Thank you to everyone who has chimed in on this topic and extra extra thanks to bitdragon and freemarketagenda and anyone else who donated a few bitcoins to my openalcohol.org project.  Thank you all.  Me loves Bitcoin.
markm
Legendary
*
Offline Offline

Activity: 1792



View Profile WWW
February 02, 2011, 07:36:57 PM
 #131

Some of the "traffic exchanges" would reject the very password I had still in my paste buffer and upon looking more closely at the plaintext email I saw it wasn't working because they had lowercased it. Ouch.

It was actually a while before passwords longer than 8 characters were even allowed in many programs. Even some Minix or Unix or Linux cant remember which types of things (maybe that Atari unix) used to only actually use the first so many characters, though they were at least consistent in that they chopped them when you tried to use them too instead of making you guess how many characters they actually had chosen to use.

I have seen that latter though at least once I just can't remember where.

Three failures and you're out a minute or more only allows about 1440 * 3 tries on any given account per day of brute force. Luckily for the brutes there are so many sites out there that three tries on each account at each site that has login can keep them busy a minute probably easy. (?)

Your bank doesn't tell you to use the last 4 digits of your social insurance number as your PIN so you'll remember it easily???

-MarkM-

Browser-launched Crossfire client now online (select CrossCiv server for Galactic  Milieu)
Free website hosting with PHP, MySQL etc: http://hosting.knotwork.com/
theymos
Administrator
Legendary
*
Offline Offline

Activity: 2506


View Profile
February 02, 2011, 07:58:20 PM
 #132

I have seen that latter though at least once I just can't remember where.

The Linux/Unix "default" behavior is to use crypt() to DES-encrypt a truncated password as you described. Probably almost all Linux distros modify this behavior to something more secure, though.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
markm
Legendary
*
Offline Offline

Activity: 1792



View Profile WWW
February 02, 2011, 10:18:26 PM
 #133

How did they guess she'd tell the truth? Isn't she some kind of political figure? Hahaha.

No but seriously, keeping track of which pet I had and what school I was at according to which place other than MI5 who likely can find out the true info gets to be a lot to keep track of.

-MarkM- (That's a "five" not a "bee", by the way. Smiley Cheesy)

(And since I can put the burden of knowing the right answer on them, why tell them either? Hahaha cool. Wink)



Browser-launched Crossfire client now online (select CrossCiv server for Galactic  Milieu)
Free website hosting with PHP, MySQL etc: http://hosting.knotwork.com/
Hal
VIP
Sr. Member
*
Offline Offline

Activity: 314



View Profile
February 03, 2011, 01:15:03 AM
 #134

Almost everyone had transactions from "united". It does NOT mean that your account was compromised. It does mean that the attacker has your username. It was just them using the merchant API to send you 0 BTC.
Does this mean the merchant API has/had a way of discovering account names? And this involved sending a dummy transaction of 0 to each account? Has this been fixed?

Hal Finney
Mahkul
Sr. Member
****
Offline Offline

Activity: 420


Be silent, or be silenced.


View Profile WWW
February 03, 2011, 01:18:26 AM
 #135

Almost everyone had transactions from "united". It does NOT mean that your account was compromised. It does mean that the attacker has your username. It was just them using the merchant API to send you 0 BTC.
Does this mean the merchant API has/had a way of discovering account names? And this involved sending a dummy transaction of 0 to each account? Has this been fixed?

I was just going to ask the same question.

Bitalo.com coming soon!

1MAHKULzqZb4evFFg9157LvnJhJQQbeYo7
hacim
Member
**
Offline Offline

Activity: 64


View Profile
February 05, 2011, 03:57:03 PM
 #136

the attacker would be able to bruteforce passwords at a rate of 1+ billion per second with one HD 5970. Iterated hashing like Linux's standard MD5-crypt slows this attack by multiple orders of magnitude.)

Do you know of any software that can utilize a GPU to do brute-force password cracking (such as john the ripper, but GPU-capable)?

15yns1RVpBHZ8uj8mGVUJVCyPh5ieW3FQx
LZ
Staff
Legendary
*
Offline Offline

Activity: 1456


Satoshi everywhere!


View Profile WWW
February 05, 2011, 06:44:36 PM
 #137

You should ask this in another forum. Otherwise we will have a bad reputation.

"Never invest unless you can afford to lose your entire investment." © S3052
hacim
Member
**
Offline Offline

Activity: 64


View Profile
February 06, 2011, 03:55:42 PM
 #138

Ah, sorry I didn't quite realize how that would come out. I'm not wanting something like that to actually compromise accounts, more for enforcing password strength policies. but yeah, I can see how my message could be seen as sketchy!

15yns1RVpBHZ8uj8mGVUJVCyPh5ieW3FQx
LZ
Staff
Legendary
*
Offline Offline

Activity: 1456


Satoshi everywhere!


View Profile WWW
February 07, 2011, 09:20:11 PM
 #139

Code:
https://mtgox.com/users/login?username=my_login&password=my_password
MTGOX! WAKEUP!!!

"Never invest unless you can afford to lose your entire investment." © S3052
Keefe
Hero Member
*****
Offline Offline

Activity: 681


View Profile
February 07, 2011, 09:32:34 PM
 #140

Code:
https://mtgox.com/users/login?username=my_login&password=my_password
MTGOX! WAKEUP!!!

Is it really a problem, having the password in the url when https is used? I thought that the browser checks the certificate and starts encrypting before the url is transmitted.

Pages: « 1 2 3 4 5 6 [7] 8 9 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!