Garrett Burgwardt
February 01, 2011, 01:08:49 AM
True, but I'm not worth attacking. Someone intent on stealing bitcoins would go after mtgox and mybitcoin accounts before trying to find me.

caveden
Legendary
Offline
Activity: 1106
Merit: 1004
February 01, 2011, 08:05:31 AM
> 2. Google keepass, download install (on clean system), use. 3. If you can remember a password it is too weak. Generate all your passwords, do not reuse the passwords.

Okay, but then you need to store your passwords somewhere, and you'll want to encrypt them... then you need a password-protected key... in a moment you'll have to remember one good password at least... But yeah, having generated passwords for sites seems a good idea...

caveden
Legendary
Offline
Activity: 1106
Merit: 1004
February 01, 2011, 08:08:46 AM
> mtgox should not have allowed dictionary attacks to take place. Ask them to sort this out for you.

Normally security-sensitive sites like banks block an account after a number of unsuccessful login attempts, and then require some sort of positive identification to unblock. Another interesting thing is doing like facebook, which asks several questions each time you log in from an "unusual" IP... it would probably be useless for Tor users as they would not have a "usual" IP in the first place, but it's something. These things are annoying, but it's much less annoying than having your account stolen like that...
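The two checks caveden describes (lock an account after a run of failed logins, and demand extra verification when a login arrives from an address the account has never used) as an added example in Go. This is not code from the thread or from MtGox; the thresholds, the account name and the addresses are constructed for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// Policy values constructed for this example; they are not MtGox's settings.
const (
	maxFailures   = 5                // failed attempts before the account locks
	failureWindow = 15 * time.Minute // failures older than this are forgotten
	lockDuration  = 30 * time.Minute // how long a locked account stays locked
)

// accountState holds recent failures, any active lock and the addresses a
// successful login has been seen from, for one account.
type accountState struct {
	failures    []time.Time
	lockedUntil time.Time
	knownIPs    map[string]bool
}

// Guard is an in-memory login guard. A real deployment would persist this
// state so that a server restart does not reset the counters.
type Guard struct {
	accounts map[string]*accountState
}

func NewGuard() *Guard {
	return &Guard{accounts: map[string]*accountState{}}
}

func (g *Guard) state(account string) *accountState {
	s, ok := g.accounts[account]
	if !ok {
		s = &accountState{knownIPs: map[string]bool{}}
		g.accounts[account] = s
	}
	return s
}

// Locked reports whether the account is locked at time now; the site should
// refuse to even check the password while this is true.
func (g *Guard) Locked(account string, now time.Time) bool {
	return now.Before(g.state(account).lockedUntil)
}

// RecordAttempt is called after each password check with its outcome. It
// returns true when this failure crossed the threshold and locked the account.
func (g *Guard) RecordAttempt(account string, ok bool, now time.Time) bool {
	s := g.state(account)
	if ok {
		s.failures = nil // a successful login clears the counter
		return false
	}
	kept := s.failures[:0] // drop failures outside the sliding window
	for _, t := range s.failures {
		if now.Sub(t) <= failureWindow {
			kept = append(kept, t)
		}
	}
	s.failures = append(kept, now)
	if len(s.failures) >= maxFailures {
		s.lockedUntil = now.Add(lockDuration)
		s.failures = nil
		return true
	}
	return false
}

// NeedsChallenge is true when the login comes from an address this account has
// never logged in from, so the site should demand extra verification first.
func (g *Guard) NeedsChallenge(account, ip string) bool {
	return !g.state(account).knownIPs[ip]
}

// RememberIP is called only after a login and its challenge both succeeded, so
// a guesser cannot make an address "usual" by failing from it.
func (g *Guard) RememberIP(account, ip string) {
	g.state(account).knownIPs[ip] = true
}

func main() {
	g := NewGuard()
	now := time.Date(2011, 2, 1, 8, 0, 0, 0, time.UTC) // constructed timestamp
	for i := 1; i <= maxFailures; i++ {
		locked := g.RecordAttempt("alice", false, now.Add(time.Duration(i)*time.Second))
		fmt.Printf("failure %d -> locked=%v\n", i, locked)
	}
	fmt.Println("locked after 10 min:", g.Locked("alice", now.Add(10*time.Minute)))
	fmt.Println("locked after 31 min:", g.Locked("alice", now.Add(31*time.Minute)))
	fmt.Println("challenge for new address:", g.NeedsChallenge("alice", "198.51.100.7"))
}
```

The counter is keyed by account, not by source address, which is what makes it bite against a dictionary attack run from many addresses; the cost is that an attacker can lock a victim out on purpose, which is why the lock is time-limited and the unblock path caveden mentions (positive identification) still has to exist.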

tcatm
February 01, 2011, 08:11:37 AM
Offtopic: For easy to remember and secure passwords https://www.pwdhash.com/ works pretty well. There are browser extensions for most browsers.
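An added illustration, in Go, of the idea behind tools like the one tcatm links: one memorable master password combined with the site's domain yields a different password for every site, and because the derivation is one-way, a site that leaks its own derived password reveals nothing about the master or the other sites. This is not the PwdHash project's code or its exact algorithm; the HMAC-SHA256 construction, the host normalisation and the 16-character length are this example's own choices, and the master password and site URLs are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// siteKey reduces a URL to what the password is bound to: the host, lowercased,
// without a leading "www.", so http://www.example.com/login and
// https://example.com/ derive the same password.
func siteKey(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return "", errors.New("no host in " + rawURL)
	}
	return strings.TrimPrefix(host, "www."), nil
}

// derive computes HMAC-SHA256(master, siteKey), base64-encodes it and keeps the
// first n characters. A site that learns its own derived password cannot
// invert HMAC to recover the master.
func derive(master, rawURL string, n int) (string, error) {
	key, err := siteKey(rawURL)
	if err != nil {
		return "", err
	}
	mac := hmac.New(sha256.New, []byte(master))
	mac.Write([]byte(key))
	enc := base64.StdEncoding.EncodeToString(mac.Sum(nil)) // 44 chars for 32 bytes
	if n > len(enc) {
		n = len(enc)
	}
	return enc[:n], nil
}

func main() {
	master := "correct horse battery staple" // constructed master password
	for _, site := range []string{
		"https://www.mtgox.com/login",
		"http://mtgox.com",
		"https://forum.example.org/",
		"mtgox.com", // no scheme: rejected rather than bound to an empty host
	} {
		pw, err := derive(master, site, 16)
		if err != nil {
			fmt.Printf("%-30s error: %v\n", site, err)
			continue
		}
		fmt.Printf("%-30s %s\n", site, pw)
	}
}
```

Two caveats a practitioner would add: the scheme is only as strong as the master password, since an attacker who guesses it can derive every site's password offline from one leaked value; and base64 output contains `+` and `/`, so sites with restrictive character rules need a different encoding.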

Mike Hearn
Legendary
Offline
Activity: 1526
Merit: 1134
February 01, 2011, 09:57:05 AM
MtGox could/should also implement Facebook/Google logins. These companies provide "industrial strength" authentication systems that are secure against things like dictionary attacks, password theft etc. Might as well reuse their investment.

ribuck
Donator
Hero Member
Offline
Activity: 826
Merit: 1060
February 01, 2011, 10:24:56 AM
> MtGox could/should also implement Facebook/Google logins.

Good idea. OpenID, in other words. Google even offers two-factor authentication to some of its users (password plus mobile phone confirmation).

bitdragon
February 01, 2011, 10:57:03 AM
please explain as many are more proficient than myself in this area: using facebook login? that is the facebook connect thing? so that you could login to mtgox using fb credentials? doesn't sound very appealing... does that mean that: a) fb can login to your mtgox as they authenticate your credentials? b) prone to censorship if fb decides a site is no good and does not let you login? c) same password for all sites, thus you compromise all accounts if one pwd is lost?
thank you for your help in understanding.

Nefario
February 01, 2011, 11:00:12 AM
> MtGox could/should also implement Facebook/Google logins.
> Good idea. OpenID, in other words. Google even offers two-factor authentication to some of its users (password plus mobile phone confirmation).

Or he should not use passwords at all and use gpgauth. http://www.curetheitch.com/projects/gpgauth/ Right now there is no working plugin for browsers, but there should be soon, from what I have read. It is also not just a technology or program but a process, a protocol for authentication. Password-based authentication has many weaknesses; a move to keypair-based authentication is the better thing to do. Then things like dictionary attacks, stealing passwords after breaking in, rainbow attacks, and storing passwords will not be a problem. Any news from mtgox about getting his bitcoins back?
PGP key id at pgp.mit.edu 0xA68F4B7C To get help and support for GLBSE please email support@glbse.com
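A keypair-based challenge-response login of the kind Nefario argues for, as an added example in Go. It is not gpgauth's protocol or code (gpgauth works with OpenPGP keys; this uses Ed25519 from Go's standard library), and the server name and user names are constructed. The point it shows is the one in the post: the server stores only public keys and short-lived nonces, so there is no password table to guess, steal in a break-in, or rainbow-table.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Server stores public keys and outstanding challenges only.
type Server struct {
	name       string                       // bound into every signed message
	users      map[string]ed25519.PublicKey
	challenges map[string][]byte            // user -> nonce awaiting an answer
}

func NewServer(name string) *Server {
	return &Server{
		name:       name,
		users:      map[string]ed25519.PublicKey{},
		challenges: map[string][]byte{},
	}
}

// newKeyPair is the client's one-time setup; the private key never leaves it.
func newKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // crypto/rand failing is not something to recover from here
	}
	return pub, priv
}

func (s *Server) Register(user string, pub ed25519.PublicKey) {
	s.users[user] = pub
}

// Challenge issues a fresh random nonce that the client must sign.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user] = nonce
	return nonce, nil
}

// message is what gets signed: the server's name plus the nonce, so a
// signature obtained for one site cannot be replayed at another.
func message(server string, nonce []byte) []byte {
	return append([]byte(server+"\x00"), nonce...)
}

// Respond is the client side: sign the challenge with the private key.
func Respond(priv ed25519.PrivateKey, server string, nonce []byte) []byte {
	return ed25519.Sign(priv, message(server, nonce))
}

// Verify checks the answer against the stored public key and the nonce issued
// for this user, and discards the nonce so it cannot be answered twice.
func (s *Server) Verify(user string, nonce, sig []byte) bool {
	pub, ok := s.users[user]
	expected, issued := s.challenges[user]
	if !ok || !issued || subtle.ConstantTimeCompare(nonce, expected) != 1 {
		return false
	}
	delete(s.challenges, user) // single use, whether or not the signature is good
	return ed25519.Verify(pub, message(s.name, nonce), sig)
}

func main() {
	pub, priv := newKeyPair()
	srv := NewServer("exchange.example") // constructed server name
	srv.Register("alice", pub)
	nonce, _ := srv.Challenge("alice")
	fmt.Println("challenge:", hex.EncodeToString(nonce))
	sig := Respond(priv, "exchange.example", nonce)
	fmt.Println("login accepted:", srv.Verify("alice", nonce, sig))
	fmt.Println("replay accepted:", srv.Verify("alice", nonce, sig)) // false: nonce consumed
}
```

What this does not solve is the last sentence of Nefario's later post: the private key on the client becomes the thing to protect, so key loss needs a recovery path and key theft (malware on the client) still yields the account.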

mtgox
February 01, 2011, 11:32:44 AM
> Any news from mtgox and getting his bitcoins back?
Yeah it is unfortunate. I've contacted Liberty Reserve about it. I fixed it so they can't use this attack anymore. I think his and one other account (I've emailed you) were the only two compromised. Anyone with a decent password would be safe.

Mike Hearn
Legendary
Offline
Activity: 1526
Merit: 1134
February 01, 2011, 12:18:45 PM
> please explain as many are more proficient than myself in this area: using facebook login? that is the facebook connect thing? so that you could login to mtgox using fb credentials? doesn't sound very appealing... does that mean that: a) fb can login to your mtgox as they authenticate your credentials? b) prone to censorship if fb decides a site is no good and does not let you login? c) same password for all sites, thus you compromise all accounts if one pwd is lost?
> thank you for your help in understanding.

a) Yes. b) Yes. c) Yes. However, a lot of account hijacking takes place because third party sites are compromised. Facebook is very, very unlikely to be hacked in the same way that MtGox or PlentyOfFish is hacked. If you have a robust password and use a major ID provider to log into sites with, you're at risk of malware and maybe, if you don't pay attention, phishing, but otherwise you won't be hit by third party site breakins. That's what you want. Of course you can also create a new password for every single website, but most people don't do that, it's too inconvenient.

slush
Legendary
Offline
Activity: 1386
Merit: 1097
February 01, 2011, 12:28:50 PM
> Facebook is very, very unlikely to be hacked in the same way that MtGox or PlentyOfFish is hacked.

I'm not paranoid, but don't trust anyone's security just because it's a big player. Facebook logins can be hacked, too. Personally I also use facebook login for some pages, but I'll think twice before using it for my bank account login (which mtgox is)...

ribuck
Donator
Hero Member
Offline
Activity: 826
Merit: 1060
February 01, 2011, 12:37:58 PM
> c) same password for all sites, thus you compromise all accounts if one pwd is lost?

Yes, although in practice most people already compromise (almost) all accounts if they lose the password to their email account, due to the easy availability of password reminder/reset facilities. A bank does need something more than most other sites. I would be happy to pay a fee to have two-factor authentication on my MtGox account.

sirius
Bitcoiner
Sr. Member
Offline
Activity: 429
Merit: 1002
February 01, 2011, 12:57:48 PM
> A bank does need something more than most other sites. I would be happy to pay a fee to have two-factor authentication on my MtGox account.

My bank snail mails lists of 300 one-use keys you need when logging in. A quicker but perhaps more expensive option is to send the keys by SMS.

barbarousrelic
February 01, 2011, 01:27:11 PM
So were the hacked accounts and the extremely high-value Bitcoin transactions related or not?
Do not waste your time debating whether Bitcoin can work. It does work.
"Early adopters will profit" is not a sufficient condition to classify something as a pyramid or Ponzi scheme. If it was, Apple and Microsoft stock are Ponzi schemes.
There is no such thing as "market manipulation." There is only buying and selling.

ribuck
Donator
Hero Member
Offline
Activity: 826
Merit: 1060
February 01, 2011, 01:31:09 PM
> So were the hacked accounts and the extremely high-value Bitcoin transactions related or not?

It seems unlikely, because the hacker apparently sold bitcoins. This would have tended to lower the MtGox price, not raise it.

Nefario
February 01, 2011, 01:31:39 PM
> A bank does need something more than most other sites. I would be happy to pay a fee to have two-factor authentication on my MtGox account.
> My bank snail mails lists of 300 one-use keys you need when logging in. A quicker but perhaps more expensive option is to send the keys in SMS.

An application for your mobile phone that generates a lot of one-time passwords, then encrypts them using the server's public key and sends the list to the server to be used. You can then use the passwords when you need them, as long as you don't lose your phone. But I think authentication using public/private keys is better, as long as you don't lose your key or let it get compromised.
PGP key id at pgp.mit.edu 0xA68F4B7C To get help and support for GLBSE please email support@glbse.com
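The server side of a one-time code list, of the kind sirius's bank mails out and Nefario describes generating in a phone app, as an added example in Go. It is not any bank's or exchange's code; the 8-digit format, the 300-entry list and the user names are constructed, and the encrypted upload Nefario mentions is left out. The server keeps only hashes of the codes, asks for them by position, and burns each position on success so a code captured once is worthless afterwards.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
)

const codeLen = 8 // digits per code, like a printed bank list (constructed)

// generateCodes draws n numeric codes from crypto/rand for the user's list.
func generateCodes(n int) ([]string, error) {
	limit := new(big.Int).Exp(big.NewInt(10), big.NewInt(codeLen), nil)
	codes := make([]string, n)
	for i := range codes {
		v, err := rand.Int(rand.Reader, limit)
		if err != nil {
			return nil, err
		}
		codes[i] = fmt.Sprintf("%0*d", codeLen, v.Int64())
	}
	return codes, nil
}

// CodeList is the server's view of one user's list: hashes of the codes, by
// position, plus which positions are spent. The plaintext codes exist only on
// the user's paper or phone.
type CodeList struct {
	hashes [][]byte
	used   []bool
}

// hashCode salts with the user name so identical codes on two users' lists do
// not share a hash.
func hashCode(user, code string) []byte {
	h := sha256.Sum256([]byte(user + ":" + code))
	return h[:]
}

func NewCodeList(user string, codes []string) *CodeList {
	l := &CodeList{hashes: make([][]byte, len(codes)), used: make([]bool, len(codes))}
	for i, c := range codes {
		l.hashes[i] = hashCode(user, c)
	}
	return l
}

// Next returns the position the user should be asked for, or false when the
// list is exhausted and a new one must be issued.
func (l *CodeList) Next() (int, bool) {
	for i, u := range l.used {
		if !u {
			return i, true
		}
	}
	return -1, false
}

// Redeem checks the code at position idx and spends it on success.
func (l *CodeList) Redeem(user string, idx int, code string) error {
	if idx < 0 || idx >= len(l.hashes) {
		return errors.New("no such position")
	}
	if l.used[idx] {
		return errors.New("code already used")
	}
	if subtle.ConstantTimeCompare(hashCode(user, code), l.hashes[idx]) != 1 {
		return errors.New("wrong code")
	}
	l.used[idx] = true
	return nil
}

// Remaining counts unspent codes so the site knows when to issue a new list.
func (l *CodeList) Remaining() int {
	n := 0
	for _, u := range l.used {
		if !u {
			n++
		}
	}
	return n
}

func main() {
	codes, err := generateCodes(300) // the list the bank would mail
	if err != nil {
		panic(err)
	}
	list := NewCodeList("alice", codes) // what the server keeps
	idx, _ := list.Next()
	fmt.Printf("server asks for code #%d\n", idx+1)
	fmt.Println("typed the right code:", list.Redeem("alice", idx, codes[idx]))
	fmt.Println("typed it again:", list.Redeem("alice", idx, codes[idx]))
	fmt.Println("codes left:", list.Remaining())
}
```

An 8-digit code has only 10^8 possibilities, so a leaked hash table can be brute-forced offline per position; the hashes stop casual reading, not a determined attacker. Longer random codes, or pairing the list with the failed-attempt lockout discussed earlier in the thread, is what makes the second factor hold up.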

sandos
Sr. Member
Offline
Activity: 440
Merit: 250
February 01, 2011, 02:19:21 PM
When was this bruteforcing done? I have a weird (I think) transaction on my mt gox account:

When            Type     Description     Delta BTC  Delta USD  Total BTC  Total USD
01/24/11 00:17  Payment  Process united  0          0          0          0

riX
February 01, 2011, 04:02:59 PM
> When was this bruteforcing done? I have a weird (I think) transaction on my mt gox account:
>
> When            Type     Description     Delta BTC  Delta USD  Total BTC  Total USD
> 01/24/11 00:17  Payment  Process united  0          0          0          0

Me too: (Where it says "Withdraw Paypal" I actually withdrew some LRUSD to Liberty Reserve..)

When            Type      Description            Delta BTC  Delta USD  Total BTC  Total USD
01/30/11 18:54  Withdraw  Paypal U-------        0          -x.x       x.x        x.x
01/30/11 --:--  Sold      BTC xxx.xx for 0.xxxx  -x.x       x.x        x.x        x.x
01/30/11 --:--  Sold      BTC xxx.xx for 0.xxxx  -x.x       x.x        x.x        x.x
01/24/11 15:00  Payment   Process united         0          0          x.x        x.x
01/24/11 00:17  Payment   Process united         0          0          x.x        x.x
01/23/11 --:--  Withdraw  BTC ---                -x.x       0          x.x        x.x

Anonymous
Guest
February 01, 2011, 04:05:23 PM
Alright, who do we go to for an accurate exchange rate now?

Astro
February 01, 2011, 05:00:44 PM
Any site that stores or trades bitcoins should implement the option of some kind of security token or OTP technology. I've had good success with Yubikeys. http://www.yubico.com/yubikey