MtGox account compromised

[DarkMatter]

Somewhat off-topic, but regarding this from a few pages earlier:

Considering the actual situation (I'm sorry for the user using a common dictionary word as his "bank" account password, and mtgox not having any dictionary attack protection implementation ... ), I just noticed a great drop of the BTC available for free at http://freebitcoins.appspot.com. It dropped about 300BTC in 36hrs. Should we worry?

The faucet is now empty. 

No one even answered me, what the hell
Anyway, the faucet is closed for maintenance.
"Faucet closed for repairs

Sorry, the Bitcoin Faucet is temporarily closed for repairs. It should reopen in a day or two. Thanks for your patience."

[1714598450]

1714598450

[1714598450]

1714598450

[1714598450]

1714598450

[1714598450]

1714598450

[1714598450]

1714598450

[Cdecker]

You are safe, even a very advanced rainbow table attack would not break strong 16 char pass. basically anything randomish above 12 chars and even with a good mix of chars above 8 could be considered fairly secure.

Just mix into the pass some spaces, brackets, other weird symbols, numbers, upppercase and lowercase letters and anything above 8 chars will be good.

Not a really good comparison since you'd have to have the hash of the password, and we could compile a rainbow table for almost anything. One way to defeat Rainbow tables is salting the password hashes (you are salting your passwords MtGox aren't you?)

[Anonymous]

You havent seen the double rainbow attack yet. 

[sirius]

Cool. What bank does this? If you don't mind sharing...

Every bank in Finland. Also, all banks here support instant, irrevocable online payments from their customers with a simple interface. There are 3rd party services that have accounts in every bank, let the customer choose which to use, and forward the payment to the merchant. It would be very useful if there was an international service like that.

[ribuck]

Something else I think that people forget is changing your password often.

But then you have to write the passwords down, which kind of defeats the purpose. Sure, you can store them encrypted on your computer, but what about when you are travelling?

I use a fairly strong basic password, plus a rule to modify it for each site. This just gives me two things to remember: the password and the rule. The rule is not straightforward to apply, but I can do it in my head if I have to.

The only thing that messes this up is the occasional site that has some stupid password rule (e.g. no punctuation allowed).

[kiba]

What about public key infrastructure?

[Drifter]

Something else I think that people forget is changing your password often.

But then you have to write the passwords down, which kind of defeats the purpose. Sure, you can store them encrypted on your computer, but what about when you are travelling?

I use the portable version of Keepass for the passwords I need if traveling. Very useful and I always have my USB on me. You could also have lastpass save your passwords and they would be available anywhere with an internet connection.


I just rather have one master password than passwords with any sort of pattern. Some of my passwords are 50 characters long for paranoia sake. It would be good if I had a password I could memorize, but I usually think if a password is easy enough to remember, it's just not good enough.

 

[ShadowOfHarbringer]

Yeah, I specifically don't keep anything in my mtgox account because it seems insecure, same reason I don't trust mybitcoin. I keep my own computer secured, and past that, so if I keep my wallet on my computer and have an encrypted backup, I should be good.

Yeah, todays encryption capabilities can make your home a digital Fort Knox, so why use banks ?
This is exactly the reason why bitcoin is so awesome.

[davout]

Because I don't want to sign a transaction with five PGP keys, a fingerprint and a sample of my DNA each time i want to buy some coffee.

[cryptofo]

Hi Friends,
I just wanted to let everyone know that Jed replaced half my bitcoins.  He is a scholar and a gentleman.  He didn't have to, but he did.  50/50 split responsibility.  Much respect and gratitude to Jed and all the work he has done to support the bitcoin community.  I have learned a valuable lesson in when it comes to not using bonehead passwords.  Thank you to everyone who has chimed in on this topic and extra extra thanks to bitdragon and freemarketagenda and anyone else who donated a few bitcoins to my openalcohol.org project.  Thank you all.  Me loves Bitcoin.

[markm]

Some of the "traffic exchanges" would reject the very password I had still in my paste buffer and upon looking more closely at the plaintext email I saw it wasn't working because they had lowercased it. Ouch.

It was actually a while before passwords longer than 8 characters were even allowed in many programs. Even some Minix or Unix or Linux cant remember which types of things (maybe that Atari unix) used to only actually use the first so many characters, though they were at least consistent in that they chopped them when you tried to use them too instead of making you guess how many characters they actually had chosen to use.

I have seen that latter though at least once I just can't remember where.

Three failures and you're out a minute or more only allows about 1440 * 3 tries on any given account per day of brute force. Luckily for the brutes there are so many sites out there that three tries on each account at each site that has login can keep them busy a minute probably easy. (?)

Your bank doesn't tell you to use the last 4 digits of your social insurance number as your PIN so you'll remember it easily???

-MarkM-

[theymos]

I have seen that latter though at least once I just can't remember where.

The Linux/Unix "default" behavior is to use crypt() to DES-encrypt a truncated password as you described. Probably almost all Linux distros modify this behavior to something more secure, though.

[markm]

How did they guess she'd tell the truth? Isn't she some kind of political figure? Hahaha.

No but seriously, keeping track of which pet I had and what school I was at according to which place other than MI5 who likely can find out the true info gets to be a lot to keep track of.

-MarkM- (That's a "five" not a "bee", by the way. )

(And since I can put the burden of knowing the right answer on them, why tell them either? Hahaha cool. )

[Hal]

Almost everyone had transactions from "united". It does NOT mean that your account was compromised. It does mean that the attacker has your username. It was just them using the merchant API to send you 0 BTC.

Does this mean the merchant API has/had a way of discovering account names? And this involved sending a dummy transaction of 0 to each account? Has this been fixed?

[Mahkul]

Almost everyone had transactions from "united". It does NOT mean that your account was compromised. It does mean that the attacker has your username. It was just them using the merchant API to send you 0 BTC.

Does this mean the merchant API has/had a way of discovering account names? And this involved sending a dummy transaction of 0 to each account? Has this been fixed?

I was just going to ask the same question.

[hacim]

the attacker would be able to bruteforce passwords at a rate of 1+ billion per second with one HD 5970. Iterated hashing like Linux's standard MD5-crypt slows this attack by multiple orders of magnitude.)

Do you know of any software that can utilize a GPU to do brute-force password cracking (such as john the ripper, but GPU-capable)?

[LZ]

You should ask this in another forum. Otherwise we will have a bad reputation.

[hacim]

Ah, sorry I didn't quite realize how that would come out. I'm not wanting something like that to actually compromise accounts, more for enforcing password strength policies. but yeah, I can see how my message could be seen as sketchy!

[LZ]

Code:

https://mtgox.com/users/login?username=my_login&password=my_password

MTGOX! WAKEUP!!!

[Keefe]

Code:

https://mtgox.com/users/login?username=my_login&password=my_password

MTGOX! WAKEUP!!!

Is it really a problem, having the password in the url when https is used? I thought that the browser checks the certificate and starts encrypting before the url is transmitted.