cablepair
February 13, 2012, 01:14:24 PM

damn, I knew this was too good to be true. This is the reason I only deposited 5 btc (grew to 5.3532907242433 within a couple of weeks).
Luckily I have been using separate passwords on every single site since MTGox got hacked back in June.

vampire
February 13, 2012, 01:32:32 PM

I use a separate password for everything, thanks to LastPass. I am a bit paranoid, so my main banking account has its own password that I don't store anywhere and an RSA key that is locked in a safe.
Use LastPass or a similar website to manage your passwords.

Ente (Legendary, Activity: 2126, Merit: 1001)
February 13, 2012, 02:57:26 PM

Being paranoid: Please trust (your local) KeePass (KeePassX on Linux) instead of a website. We just saw what you may get in trusting an external entity ;-)
Ente

Matoking
February 13, 2012, 03:21:28 PM

Plaintext passwords? Seriously?

splatster
February 13, 2012, 04:31:17 PM

People should have seen this coming. By now, the coins are probably already gone.

alan2here
February 13, 2012, 09:26:46 PM

Didn't gox have a similar thing occur once?

M4v3R
February 13, 2012, 10:04:31 PM

> Didn't gox have a similar thing occur once?

No, they used MD5-hashed passwords, but they were unsalted, so weak passwords got cracked when the db leaked.

Littleshop (Legendary, Activity: 1386, Merit: 1004)
February 13, 2012, 10:08:20 PM

> > Didn't gox have a similar thing occur once?
>
> No, they used MD5-hashed passwords, but they were unsalted, so weak passwords got cracked when the db leaked.

While I have changed my password, had a unique one for that site and withdrew (though it has not arrived), how well would an 11-char password hold up?

M4v3R
February 13, 2012, 10:13:02 PM

Bitscalper didn't use any hashing, so every password got out. As for Mt. Gox back then, try this link: How secure is my password?

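The two points raised above, that a leaked table of unsalted MD5 hashes falls to a wordlist while a per-user salt and a slow hash do not, and that the length of the password is what decides how long a properly hashed one holds up, as an added example in Python. This is not code from the thread or from any of the sites discussed; the "leaked" table, the wordlist and the guess rates are constructed here for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data for this example (not real leaked records).
WORDLIST = ["password", "123456", "bitcoin", "letmein", "qwerty", "hunter2"]


def md5_hex(password: str) -> str:
    """Unsalted MD5, the scheme the thread attributes to Mt. Gox."""
    return hashlib.md5(password.encode()).hexdigest()


# A "leaked" user table stored as unsalted MD5.
LEAKED_MD5_TABLE = {
    "alice": md5_hex("bitcoin"),
    "bob": md5_hex("hunter2"),
    "carol": md5_hex("bitcoin"),      # same password as alice -> identical hash
    "dave": md5_hex("Xk9#vQ2!pLm"),   # 11 random printable chars, not in the wordlist
}


def crack_unsalted_md5(table: dict, wordlist: list) -> dict:
    """One MD5 per candidate covers every user at once: build a lookup from
    the wordlist and match it against all leaked hashes."""
    lookup = {md5_hex(w): w for w in wordlist}
    return {user: lookup[h] for user, h in table.items() if h in lookup}


# Salted, deliberately slow hashing. PBKDF2 is what hashlib ships with; scrypt
# or Argon2 would be the usual choice today. The iteration count is kept
# modest here so the example runs quickly; raise it in production.
PBKDF2_ITERATIONS = 50_000


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest). A fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def crack_salted(records: dict, wordlist: list) -> tuple:
    """Dictionary attack against salted records: (cracked, hashes_computed).
    Every (user, candidate) pair costs one full PBKDF2 run, so the work is
    len(records) * len(wordlist) slow hashes instead of len(wordlist) fast ones."""
    cracked, computed = {}, 0
    for user, (salt, digest) in records.items():
        for candidate in wordlist:
            computed += 1
            if verify_password(candidate, salt, digest):
                cracked[user] = candidate
    return cracked, computed


def brute_force_seconds(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst-case time to exhaust every password of the given length, which is
    the arithmetic behind "how secure is my password" style estimates."""
    return alphabet_size ** length / guesses_per_second
```

Against the unsalted table, alice, bob and carol fall to six MD5 computations, and alice and carol are exposed together because their hashes are identical; dave's 11 random characters survive the wordlist. Assuming a cracking rig that does 10^10 MD5 per second (an assumed figure), `brute_force_seconds(11, 95, 1e10)` comes out around 5.7e11 seconds, on the order of 10^4 years, while a six-letter lowercase password is exhausted in well under a second. With the salted PBKDF2 records the same wordlist costs one slow hash per user per candidate, which is what turns "years" into a real margin.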
Littleshop (Legendary, Activity: 1386, Merit: 1004)
February 13, 2012, 10:15:23 PM

Wow. Glad it was unique. It says years, so I guess it was not too bad. Thanks, good link.

Raoul Duke, aka psy (Legendary, Activity: 1358, Merit: 1002)
February 14, 2012, 12:02:57 AM

I call bullshit on this one...
Theymos, have you seen the leaked logins or are you just spreading FUD?
PS: I have no bitcoin on bitscalper, but I made an account there and got some profits out a while back.

theymos (OP) (Administrator, Legendary, Activity: 5334, Merit: 13303)
February 14, 2012, 12:29:38 AM

> Theymos, have you seen the leaked logins or are you just spreading FUD?

I have the logins. I'll release technical details once it's fixed. Here's me logged into the admin account (you can see I tried to withdraw his 851 BTC -- still pending): https://i.imgur.com/l92H3.png

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD

jothan (Full Member, Activity: 184, Merit: 100)
Feel the coffee, be the coffee.
February 14, 2012, 02:14:23 AM

Here is what I posted when I checked out Bitscalper a little while ago. I'm not putting a password on that website. There is no https.
I highly suggest that he invest in an SSL certificate.
He did not even hash his passwords. I'm glad I did not sign up!

Bitcoin: the only currency you can store directly into your brain.
What this planet needs is a good 0.0005 BTC US nickel.

rjk (Sr. Member, Activity: 448, Merit: 250)
1ngldh
February 14, 2012, 02:18:56 AM

> Here is what I posted when I checked out Bitscalper a little while ago. I'm not putting a password on that website. There is no https.
> I highly suggest that he invest in an SSL certificate.
> He did not even hash his passwords. I'm glad I did not sign up!

Why, do you use the same password for everything?

jothan (Full Member, Activity: 184, Merit: 100)
February 14, 2012, 02:21:51 AM

> > Here is what I posted when I checked out Bitscalper a little while ago. I'm not putting a password on that website. There is no https.
> > I highly suggest that he invest in an SSL certificate.
> > He did not even hash his passwords. I'm glad I did not sign up!
>
> Why, do you use the same password for everything?

No, I use a password manager for everything valuable. No SSL for inputting passwords is a very bad omen in my book. I work in email security, so I am generally paranoid.

rjk (Sr. Member, Activity: 448, Merit: 250)
February 14, 2012, 02:30:05 AM

> No SSL for inputting passwords is a very bad omen in my book. I work in email security, so I am generally paranoid.

Too true. It amazes me that it is still impossible to send email in anything but unsecured form. Sure, you can have SSL between the client and server on both ends, but in the middle it's still unencrypted.

mb300sd (Legendary, Activity: 1260, Merit: 1000)
Drunk Posts
February 14, 2012, 02:35:55 AM

> > No SSL for inputting passwords is a very bad omen in my book. I work in email security, so I am generally paranoid.
>
> Too true. It amazes me that it is still impossible to send email in anything but unsecured form. Sure, you can have SSL between the client and server on both ends, but in the middle it's still unencrypted.

There is PGP. But you do have to set it up yourself. I guess the main reason it hasn't taken off is because most secure email is within a single organization or between trusted organizations. I'm an MS Exchange admin, and you definitely can configure encrypted server-server links, but both ends have to be set up for it.

1D7FJWRzeKa4SLmTznd3JpeNU13L1ErEco

jothan (Full Member, Activity: 184, Merit: 100)
February 14, 2012, 02:40:21 AM

> > > No SSL for inputting passwords is a very bad omen in my book. I work in email security, so I am generally paranoid.
> >
> > Too true. It amazes me that it is still impossible to send email in anything but unsecured form. Sure, you can have SSL between the client and server on both ends, but in the middle it's still unencrypted.
>
> There is PGP. But you do have to set it up yourself. I guess the main reason it hasn't taken off is because most secure email is within a single organization or between trusted organizations. I'm an MS Exchange admin, and you definitely can configure encrypted server-server links, but both ends have to be set up for it.

End-to-end encryption and security is the way to go, but it needs user involvement and education. For passwords, something like SRP over HTTPS would be just about bulletproof, except for the untrustable javascript crypto implementation. See http://www.matasano.com/articles/javascript-cryptography/ for a full discussion of javascript cryptography.

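The SRP exchange jothan refers to, written out with both sides' messages as an added example (Python, not JavaScript, so the point is the protocol rather than the browser-side implementation he warns about). This is not code from the thread or from any of the sites discussed. It follows SRP-6a with SHA-256 in place of SHA-1, uses the 1024-bit group from RFC 5054 Appendix A (copied here; check it against the RFC before relying on it), and uses the simplified proofs M1 = H(A, B, K) and M2 = H(A, M1, K) rather than the full RFC 2945 form. The password never leaves the client: the server stores only (salt, verifier), so a database leak of the kind in this thread yields no passwords directly. The caveat is that a leaked verifier can still be dictionary-attacked offline, so weak passwords remain weak.

```python
import hashlib
import hmac
import os
import secrets

# RFC 5054 Appendix A, 1024-bit group, g = 2. Copied from the RFC text.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NBYTES = (N.bit_length() + 7) // 8


def pad(x: int) -> bytes:
    """Fixed-width big-endian encoding so hashes over group elements are unambiguous."""
    return x.to_bytes(NBYTES, "big")


def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier parameter


def private_x(salt: bytes, username: str, password: str) -> int:
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return H(salt, inner)


def make_verifier(username: str, password: str) -> tuple:
    """Registration, run on the client. The server only ever receives (salt, v)."""
    salt = os.urandom(16)
    return salt, pow(g, private_x(salt, username, password), N)


class SrpServer:
    def __init__(self):
        self.users = {}       # username -> (salt, verifier); no passwords stored
        self.session = None

    def enrol(self, username: str, salt: bytes, v: int) -> None:
        self.users[username] = (salt, v)

    def challenge(self, username: str, A: int) -> tuple:
        """Message 2: receive the client's A, reply with (salt, B)."""
        if A % N == 0:                       # required check, else the session key is forced
            raise ValueError("invalid client public value")
        salt, v = self.users[username]
        b = secrets.randbelow(N - 2) + 1
        B = (k * v + pow(g, b, N)) % N
        u = H(pad(A), pad(B))
        S = pow(A * pow(v, u, N), b, N)      # server's copy of the shared secret
        K = hashlib.sha256(pad(S)).digest()
        self.session = (A, B, K)
        return salt, B

    def check_proof(self, M1: bytes):
        """Message 4: verify the client's proof M1; return M2, or None on failure."""
        A, B, K = self.session
        expected = hashlib.sha256(pad(A) + pad(B) + K).digest()
        if not hmac.compare_digest(expected, M1):
            return None
        return hashlib.sha256(pad(A) + M1 + K).digest()


def client_login(server: SrpServer, username: str, password: str) -> tuple:
    """One login from the client's side: (client_accepted_server, server_accepted_client)."""
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    salt, B = server.challenge(username, A)          # message 1 -> message 2
    if B % N == 0:
        raise ValueError("invalid server public value")
    u = H(pad(A), pad(B))
    x = private_x(salt, username, password)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)  # client's copy of the shared secret
    K = hashlib.sha256(pad(S)).digest()
    M1 = hashlib.sha256(pad(A) + pad(B) + K).digest()
    M2 = server.check_proof(M1)                       # message 3 -> message 4
    if M2 is None:
        return False, False
    client_ok = hmac.compare_digest(M2, hashlib.sha256(pad(A) + M1 + K).digest())
    return client_ok, True


def demo() -> tuple:
    """Enrol one user, then run a correct login and a wrong-password login."""
    server = SrpServer()
    salt, v = make_verifier("alice", "correct horse battery staple")
    server.enrol("alice", salt, v)
    good = client_login(server, "alice", "correct horse battery staple")
    bad = client_login(server, "alice", "correct horse battery stapler")
    return good, bad
```

Both sides arrive at the same S because (B - k*g^x)^(a + u*x) = g^(b(a + ux)) = (A * v^u)^b; with the wrong password the client's x differs, the keys diverge, and the server rejects M1 without learning anything about the attempted password. The checks that A and B are non-zero mod N are not optional: dropping them lets a network attacker force a known session key, and that is exactly the kind of detail a hand-rolled JavaScript version in the browser tends to get wrong.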
markio (Newbie, Activity: 38, Merit: 0)
February 14, 2012, 03:36:46 AM

Theymos is the Hero of Winterfell...