Bitcoin Forum
March 19, 2024, 05:08:00 AM *
News: Latest Bitcoin Core release: 26.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: « 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 [49] 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 »
  Print  
Author Topic: [Emergency ANN] Bitcoinica site is taken offline for security investigation  (Read 224548 times)
rjk
Sr. Member
****
Offline Offline

Activity: 448
Merit: 250


1ngldh


View Profile
May 18, 2012, 01:14:09 PM
 #961

May I remind everyone of the following quote from Bitcoinica's blogspot page:

Quote
IDENTIFYING DOCUMENTS
 All identifying documents for verified customers are stored on separate servers at a separate data center and separately encrypted. Even full access to website database would not give the attacker access to this data.
 
USER INFORMATION
 Other user information that you've provided upon account creation is stored in the database. If the attacker has full access to the database, they would have access to this information. This would include your username, email and account history, but not information about your banking details outside of Bitcoinca.

As far as I can see, other than username, email, and transaction history, none of the information you are supplying on the claims form is had by the cracker(s). I agree that asking for the password would have been a good idea, since it would theoretically take the idiots that stole the database a while to recover them, assuming the users didn't use dictionary passwords or the like.

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
The grue lurks in the darkest places of the earth. Its favorite diet is adventurers, but its insatiable appetite is tempered by its fear of light. No grue has ever been seen by the light of day, and few have survived its fearsome jaws to tell the tale.
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
1710824880
Hero Member
*
Offline Offline

Posts: 1710824880

View Profile Personal Message (Offline)

Ignore
1710824880
Reply with quote  #2

1710824880
Report to moderator
1710824880
Hero Member
*
Offline Offline

Posts: 1710824880

View Profile Personal Message (Offline)

Ignore
1710824880
Reply with quote  #2

1710824880
Report to moderator
1710824880
Hero Member
*
Offline Offline

Posts: 1710824880

View Profile Personal Message (Offline)

Ignore
1710824880
Reply with quote  #2

1710824880
Report to moderator
muyuu
Donator
Legendary
*
Offline Offline

Activity: 980
Merit: 1000



View Profile
May 18, 2012, 01:15:27 PM
 #962

BTW, where is the mass leak or the "hackers" are just FUDging with us ?

Give them time to try their dictionary attacks and bruteforcing. They might also be waiting just in case they see some opportunity from the claim procedures and aftermath.

Looks obvious to me that they're going to deal with it on a case-by-case basis. A bit of a poker game, "some me what you have and I'll come back to you" - obviously they won't waste much time with people claiming 2BTC.

But like I said before... the policies may suggest the guys at bitcoinica are not sure the hackers don't have the actual passwords (or are just playing it safe for the people who used unsafe ones). If you read their first announcement... they also told users to change reused passwords from other services, make your own conclusions.

Quote
PASSWORDS
Bitcoinica uses the most stringent best practices for password security.* Therefore, it is extremely unlikely that even full database access would give the attacker knowledge of your Bitcoinica password. It is always best not to reuse passwords among different online services and we recommend changing passwords if you have done this.

Obviously there is nothing wrong about this, but cynical me could think they may not be so sure about their "most stringent best practices for password security".

GPG ID: 7294199D - OTC ID: muyuu (470F97EB7294199D)
forum tea fund BTC 1Epv7KHbNjYzqYVhTCgXWYhGSkv7BuKGEU DOGE DF1eTJ2vsxjHpmmbKu9jpqsrg5uyQLWksM CAP F1MzvmmHwP2UhFq82NQT7qDU9NQ8oQbtkQ
cryptoanarchist
Legendary
*
Offline Offline

Activity: 1120
Merit: 1003



View Profile
May 18, 2012, 01:18:25 PM
 #963

Reading through this thread is only confirming what I suspected about Bitcoinica.

Funny how after how much they exaggerated their volume, the price has been completely unaffected by them closing. The 420 sale at Silk Road affected the price more!

I'm all about giving people the benefit of the doubt, but after looking at all the evidence, can there be any? Seems to me that anyone else did something like what Bitcoinica is doing they would already have the "scammer" tag

I'm grumpy!!
DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218
Merit: 1063


Gerald Davis


View Profile
May 18, 2012, 01:18:51 PM
Last edit: May 18, 2012, 01:40:42 PM by DeathAndTaxes
 #964

From hash and salt, they can brute-force a collision if you don't have a secure enough password. This is why I said "reproduce your hash" before or something to that effect.

Rest assured many people don't have secure passwords, and they need a procedure for everybody.

Come on this is just going round and round being stupid.

Verification by password:
Attacker only has hash (if he gained access to db).
Attacker can only brute force weak passwords.

Verification by account data
Attacker has all of this data in plain text.
No brute required.  He simply looks up the record and submits a claim.

So you are arguing the second method is better because the hacker might have the hash and might be able to brute force some of the account passwords?


They don't necessarily need to compare it to anything. They force you to give something that a hacker cannot give, and they can compare it to your bank account when they reimburse you. They can spot fishy stuff too, like the IPs you connect to. For instance if you connect from Russia often and your name is John Smith and have a phone from AT&T they may ask you about that.


You do understand that they shouldn't use the same salt again now right? and that if they don't, they cannot compare hashes. Also, as above.

Salt isn't a secret.  Of course they can use the same salt to verify an old password.  If the open the site they can force all users to change their password on first login and rehash with new salt.  Still even that is unlikely to be necessary.  The ONLY purpose of salt is to avoid (or more technically make it computationally infeasible) precomputation attack.

If they had a large enough salt (32 bit) and a different salt per user (i.e. the standard down for 20+ years) then the attacker knowing the salt is of no material value.  Salt isn't a secret.
muyuu
Donator
Legendary
*
Offline Offline

Activity: 980
Merit: 1000



View Profile
May 18, 2012, 01:25:35 PM
 #965


What?  They don't need my password literally.  They have my password hash, which even someone with a copy of the database can't turn into the actual password.  Therefore to verify I am who I say I am, I supply my password (just like when I logged in normally), it is then hashed and compared with what is in the database.  This is the only piece of information that the hacker with a copy of the database cannot supply.  Therefore every other request on the claim form is validating only that I am either (a) the genuine owner or (b) someone who had access to the database.  Since that (b) group is no longer limited to "Bitcoinica Staff", it should be considered untrustworthy.

From hash and salt, they can brute-force a collision if you don't have a secure enough password. This is why I said "reproduce your hash" before or something to that effect.

This point applies to many of your bullet points.

Rest assured many people don't have secure passwords, and they need a procedure for everybody.

People with weak passwords had weak passwords before the hack.

How about doing what Mt.Gox did?  If, when you enter your password at the claim stage and analyser detects it is "weak", you get put in the "needs far more strenuous verfication" pile.  For those of us with strong passwords, why are we being punished for the weak passwords of others?

Obviously you are right but it's still in Bitcoinica's best interests that these people don't get f*cked because they would still be ultimately responsible for it.

As for the point about MtGox, sure, but Bitcoinica don't do this do they.

I also think you trivialise how hard "reproducing your hash" is.  I don't think you know what salting is for either.  The salt could be written in giant letters on Bitcoinica's front page and it would make no difference.  The job of a salt is not be to be a secret, it is to ensure that the hash for user A is different from the hash for user B even if the passwords the users pick are the same.  It's common to write the salt in an unhashed form along with the password hash into the database.  Ideally, it is a random number selected at the time of password selection.

Given that it's not a secret, it really doesn't matter if the attacker knows it or not.  It doesn't change the difficulty of the brute forcing; it simply makes rainbow tables useless.

Yes and no. Salt is not secret but it's also not public or fixed, simply because you then give more time for bruteforcing.

I don't trivialise it, I know how long does it take since I do have a mining rig capable of bruteforcing passwords at a respectable rate even in bcrypt. There are people out there in Bitcoinica's DB with 4 and 5 letter passwords. How much would you bet about that? With time you can bruteforce longer passwords, which is what they may be doing right now.


Your email may be compromised since long ago. Obviously if you already are well secured then no problem, but periodically changing passwords does reduce the chances of an opportunistic intrusion.

That is nothing to do with the Bitcoinica hack then, is it?  So certainly shouldn't form part of Bitcoinica's claim policy.

Surely not, I reckon I added that just a suggestion in case you had not changed passwords in a long time? Hope you didn't take it personally, huh.


As for suggestions like asking for the latest transfer etc... pointless, the hackers have all that. They know all the wallet addresses, they can even just look up the blockchain now, even if they didn't get this info from the database.

I'm glad you've shifted over to my point of view on this.  As I said earlier: the only thing potentially able to identify me securely is my password; and that is the one thing the claim form doesn't ask for.
I agreed with this point all along, this was not directed at you but aurumxchange who just made this point before.

GPG ID: 7294199D - OTC ID: muyuu (470F97EB7294199D)
forum tea fund BTC 1Epv7KHbNjYzqYVhTCgXWYhGSkv7BuKGEU DOGE DF1eTJ2vsxjHpmmbKu9jpqsrg5uyQLWksM CAP F1MzvmmHwP2UhFq82NQT7qDU9NQ8oQbtkQ
elux
Legendary
*
Offline Offline

Activity: 1458
Merit: 1006



View Profile
May 18, 2012, 01:28:04 PM
 #966


For the future (and it wouldn't be a bad idea if all identity-requiring businesses did this), you should supply a field where we can upload a GPG public key that matches the email address.  Then you should send all emails encrypted to that key, but more importantly ... the owner of the address has a way of proving their identity in a way that is significantly harder to forge than a JPG of a passport.


Okay. Sounds brilliant. Is this infeasible for some reason?
muyuu
Donator
Legendary
*
Offline Offline

Activity: 980
Merit: 1000



View Profile
May 18, 2012, 01:32:47 PM
 #967

From hash and salt, they can brute-force a collision if you don't have a secure enough password. This is why I said "reproduce your hash" before or something to that effect.

Rest assured many people don't have secure passwords, and they need a procedure for everybody.

Come on this is just going round and round being stupid.

Verification by password:
Attacker only has hash (if he gained access to db).
Attacker can only brute force weak passwords.

Verification by account data
Attacker has all of this data in plain text.
No brute required.  He simply looks up the record and submits a claim.

So you are arguing the second method is better because the hacker might have the hash and might be able to brute force some of the account passwords?

WUT? Where did I argue this?

My argument can be summarised like this: even hashed and salted passwords are not good enough when your whole DB is compromised and you need a method so nobody gets burnt. (Simply because there will always be people with unsafe passwords).

Surely they could also be asking for the password, cannot see why not.

GPG ID: 7294199D - OTC ID: muyuu (470F97EB7294199D)
forum tea fund BTC 1Epv7KHbNjYzqYVhTCgXWYhGSkv7BuKGEU DOGE DF1eTJ2vsxjHpmmbKu9jpqsrg5uyQLWksM CAP F1MzvmmHwP2UhFq82NQT7qDU9NQ8oQbtkQ
muyuu
Donator
Legendary
*
Offline Offline

Activity: 980
Merit: 1000



View Profile
May 18, 2012, 01:36:04 PM
 #968


WUT? Where did I argue this?

My argument can be summarised like this: even hashed and salted passwords are not good enough when your whole DB is compromised and you need a method so nobody gets burnt.

Surely they could also be asking for the password, cannot see why not.

NOTHING is "too good" when your database has been compromised, but salted passwords that need to be brute forced as sure as fuck are better than asking "what was the amount of your last withdrawal".


Obviously, never said the opposite. As for the amount of the last withdrawal, the only thing I've said about this is that I think it's a bad idea.

 Huh

GPG ID: 7294199D - OTC ID: muyuu (470F97EB7294199D)
forum tea fund BTC 1Epv7KHbNjYzqYVhTCgXWYhGSkv7BuKGEU DOGE DF1eTJ2vsxjHpmmbKu9jpqsrg5uyQLWksM CAP F1MzvmmHwP2UhFq82NQT7qDU9NQ8oQbtkQ
realnowhereman
Hero Member
*****
Offline Offline

Activity: 504
Merit: 502



View Profile
May 18, 2012, 01:37:30 PM
 #969

How about doing what Mt.Gox did?  If, when you enter your password at the claim stage and analyser detects it is "weak", you get put in the "needs far more strenuous verfication" pile.  For those of us with strong passwords, why are we being punished for the weak passwords of others?

Obviously you are right but it's still in Bitcoinica's best interests that these people don't get f*cked because they would still be ultimately responsible for it.

As for the point about MtGox, sure, but Bitcoinica don't do this do they.

Note I said that the weak password would put them in the "needs more verification" pile, not the "you're fucked" pile.

I think you misunderstood my suggestion... The strength check is done at "claim time", so Bitcoinica could quite easily do this right now.  The password is the same so if it was weak when the user set it, it's weak now.  If it's strong, then mark the claim "finished" and move on.

Given that it's not a secret, it really doesn't matter if the attacker knows it or not.  It doesn't change the difficulty of the brute forcing; it simply makes rainbow tables useless.

Yes and no. Salt is not secret but it's also not public or fixed, simply because you then give more time for bruteforcing.

There are two different types of bruteforcing.  There is bruteforcing the login dialog and bruteforcing the password hashes.  The salt is always stored plain-text with the hashes, and it is the hashes that the salt protects.  The salt, for these purposes, is known, and changing it doesn't change the difficulty of the brute force because it would always be known if you can see the hash.

I don't trivialise it, I know how long does it take since I do have a mining rig capable of bruteforcing passwords at a respectable rate even in bcrypt. There are people out there in Bitcoinica's DB with 4 and 5 letter passwords. How much would you bet about that? With time you can bruteforce longer passwords, which is what they may be doing right now.

Quite so; my question is still why those of us with strong passwords are being punished for the few with weak passwords?  That's not even the question really; because the password hasn't been used at all as part of the claim.

Your email may be compromised since long ago. Obviously if you already are well secured then no problem, but periodically changing passwords does reduce the chances of an opportunistic intrusion.

That is nothing to do with the Bitcoinica hack then, is it?  So certainly shouldn't form part of Bitcoinica's claim policy.

Surely not, I reckon I added that just a suggestion in case you had not changed passwords in a long time? Hope you didn't take it personally, huh.

As it happens, I haven't.  I don't believe in changing passwords regularly.  There is plenty of evidence to suggest that it actually weakens security.  You are better off picking (a) a strong password and (b) a different password for each site.

I certainly didn't take your suggestion personally though; I don't think we actually fundamentally disagree -- but I do think our discussion here is useful and might be interesting for others (and hopefully someone at Bitcoinica is watching too).

1AAZ4xBHbiCr96nsZJ8jtPkSzsg1CqhwDa
rjk
Sr. Member
****
Offline Offline

Activity: 448
Merit: 250


1ngldh


View Profile
May 18, 2012, 01:39:46 PM
 #970

(and hopefully someone at Bitcoinica is watching too).

Wanna bet?

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
realnowhereman
Hero Member
*****
Offline Offline

Activity: 504
Merit: 502



View Profile
May 18, 2012, 01:40:49 PM
 #971

(and hopefully someone at Bitcoinica is watching too).
Wanna bet?

Disappointingly... no.  I suspect you would win.

1AAZ4xBHbiCr96nsZJ8jtPkSzsg1CqhwDa
DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218
Merit: 1063


Gerald Davis


View Profile
May 18, 2012, 01:42:05 PM
 #972

Also, guess what happens when there is a "Claim process" vs. giving the money back by normal salted password channels? Many people, for many reasons, do not end up filling a claim (Small amount does not warrant the effort, privacy concerns, fill in the blank) OR their claim does not get approved (because they can't remember specifics, they are unwilling to send their passport scan to a company that got broke in twice in less than a year, etc.) Result? As a merchant, you get to keep a lot of the money that you would have had to otherwise pay out. In this case, you get to pay a lot less of the stolen funds that would have otherwise had to pay.

Sadly I think you are right on the reason for the detailed (and technically dubious) claim form. 

DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218
Merit: 1063


Gerald Davis


View Profile
May 18, 2012, 01:48:25 PM
Last edit: May 18, 2012, 02:02:35 PM by DeathAndTaxes
 #973

Hey all future site operators .... Looking at this disaster from the outside you likely (hopefully) are thinking to yourself how do "I" avoid this same mess in a giant debacle.

Simple.  Have a failsafe "bug out" address (backed up off site daily) ..... wait for it .... encrypted with the user's own password. 

When user signs up ask them for a payout address in the event of attack, govt shutdown, internal strife, zombie apocalypse, etc.
Take this "bug out" address, encrypt it with the user's password and store in the credentials table.  

Tada.  Instant claim form.
username
password
2nd factor authentication (you are a solid secure site so of course you are using 2 factor authentication right?)

Validate credentials against the login table.  If valid then use the the password to decrypt the user supplied bug out address.  If the process fails then forward user to manual verification process.  If the "bug out" address decrypts successfully then display the address to the user for verification as ... wait for it ... read only cash out option.

Quote
You are about to emergency cash out 123.45 BTC to Address 1hjkfdhaf8f3nkjhjkdhsfjk3.   Are you sure?  This action can not be reversed.  Ensure you have access to Address 1hjkfdhaf8f3nkjhjkdhsfjk3 before continuing.  We strongly recommend you test the address above by sending a token amount to and from that address before continuing. xyz Inc not responsible for any funds unrecoverable due to lost/stolen/corrupt private key. 

[ ] Yes. Cash me out now.  I take personal responsibility for access to 1hjkfdhaf8f3nkjhjkdhsfjk3.
[ ] No. Do NOT cash me out.  I no longer have access to this address.  I will use the manual verification procedure.
muyuu
Donator
Legendary
*
Offline Offline

Activity: 980
Merit: 1000



View Profile
May 18, 2012, 01:53:19 PM
 #974

As it happens, I haven't.  I don't believe in changing passwords regularly.  There is plenty of evidence to suggest that it actually weakens security.  You are better off picking (a) a strong password and (b) a different password for each site.

I certainly didn't take your suggestion personally though; I don't think we actually fundamentally disagree -- but I do think our discussion here is useful and might be interesting for others (and hopefully someone at Bitcoinica is watching too).

See, I do all that as well. Don't reuse passwords, use strong passwords AND also change them every so often (well, within reason).

As for judgement, after I saw their continued VPS policy and some of their posts here, my judgement told me to pull off everything from the site. Got you beaten there by judgement, didn't I Grin

I think you misunderstood my suggestion... The strength check is done at "claim time", so Bitcoinica could quite easily do this right now.  The password is the same so if it was weak when the user set it, it's weak now.  If it's strong, then mark the claim "finished" and move on.

Well, I didn't know this. I haven't filled in the claim since I don't have any US$ or BTC in Bitcoinica any more Grin see the previous point for reference.

Good point though.

GPG ID: 7294199D - OTC ID: muyuu (470F97EB7294199D)
forum tea fund BTC 1Epv7KHbNjYzqYVhTCgXWYhGSkv7BuKGEU DOGE DF1eTJ2vsxjHpmmbKu9jpqsrg5uyQLWksM CAP F1MzvmmHwP2UhFq82NQT7qDU9NQ8oQbtkQ
DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218
Merit: 1063


Gerald Davis


View Profile
May 18, 2012, 01:53:52 PM
Last edit: May 18, 2012, 02:06:29 PM by DeathAndTaxes
 #975

My argument can be summarised like this: even hashed and salted passwords are not good enough when your whole DB is compromised and you need a method so nobody gets burnt. (Simply because there will always be people with unsafe passwords).

1) Nothing else they are asking will provide any significant security.

2) If weak passwords are a problem .... don't let user use weak passwords to begin with.  Tada problem solved.  Check user's password against complexity requirements and a blacklist of commonly used weak passwords.

3) If the site uses 2nd factor authentication then weakness of the password is immaterial.  For example brute forcing the weak passwords doesn't help the attack if the account is protected by yubi-key or google authentication.


As indicated above some weak passwords don't make cashing out strong accounts by automated method.
muyuu
Donator
Legendary
*
Offline Offline

Activity: 980
Merit: 1000



View Profile
May 18, 2012, 01:57:40 PM
 #976

My argument can be summarised like this: even hashed and salted passwords are not good enough when your whole DB is compromised and you need a method so nobody gets burnt. (Simply because there will always be people with unsafe passwords).

1) Nothing else they are asking will provide any security.
2) If weak passwords are a problem .... don't let user use weak passwords to begin with.  Tada problem solved.

Check user's password against complexity requirements and a blacklist of commonly used weak passwords.

Honestly though, having everybody handing their ID, phones and passports would filter most trivial attempts at cashing out illegitimately via the claim process.

Not that I'd give them any of that. LOL

So it does provide some safety (at an expense I wouldn't be willing to take myself, but that's besides the point).

GPG ID: 7294199D - OTC ID: muyuu (470F97EB7294199D)
forum tea fund BTC 1Epv7KHbNjYzqYVhTCgXWYhGSkv7BuKGEU DOGE DF1eTJ2vsxjHpmmbKu9jpqsrg5uyQLWksM CAP F1MzvmmHwP2UhFq82NQT7qDU9NQ8oQbtkQ
realnowhereman
Hero Member
*****
Offline Offline

Activity: 504
Merit: 502



View Profile
May 18, 2012, 02:01:06 PM
 #977

As for judgement, after I saw their continued VPS policy and some of their posts here, my judgement told me to pull off everything from the site. Got you beaten there by judgement, didn't I Grin

You certainly do.  I hadn't paid attention to the fact that they'd moved from a VPS to a VPS and done nothing else to fix a security hole.  I've learned lessons from this, even if Bitcoinica didn't/hasn't.

I think you misunderstood my suggestion... The strength check is done at "claim time", so Bitcoinica could quite easily do this right now.  The password is the same so if it was weak when the user set it, it's weak now.  If it's strong, then mark the claim "finished" and move on.

Well, I didn't know this. I haven't filled in the claim since I don't have any US$ or BTC in Bitcoinica any more Grin see the previous point for reference.

You didn't miss anything.  It's not on the claim form, it just should be.  It was on Mt.Gox's claim form after their hack last year though; and it was a good idea then.

1AAZ4xBHbiCr96nsZJ8jtPkSzsg1CqhwDa
muyuu
Donator
Legendary
*
Offline Offline

Activity: 980
Merit: 1000



View Profile
May 18, 2012, 02:09:41 PM
 #978


You didn't miss anything.  It's not on the claim form, it just should be.  It was on Mt.Gox's claim form after their hack last year though; and it was a good idea then.


Well, they only took 5-6 solid days to make this form though, how could they possibly do anything more sophisticated than a plain HTML form. It has some twitter bootstrap CSS too, I reckon.

GPG ID: 7294199D - OTC ID: muyuu (470F97EB7294199D)
forum tea fund BTC 1Epv7KHbNjYzqYVhTCgXWYhGSkv7BuKGEU DOGE DF1eTJ2vsxjHpmmbKu9jpqsrg5uyQLWksM CAP F1MzvmmHwP2UhFq82NQT7qDU9NQ8oQbtkQ
M4v3R
Hero Member
*****
Offline Offline

Activity: 607
Merit: 500


View Profile
May 18, 2012, 03:37:26 PM
 #979

muyuu, your argument about bruteforcing the passwords is not entirely correct, because Bitcoinica uses bcrypt. This means that difficulty of cracking even simplier passwords rises dramatically (from minutes to days), and somewhat complex (7+ chars or so) passwords are safe, because it would take years to brute them. That's why I think the a password should be primary method of verification in the claim process.
muyuu
Donator
Legendary
*
Offline Offline

Activity: 980
Merit: 1000



View Profile
May 18, 2012, 04:18:26 PM
Last edit: May 18, 2012, 04:31:28 PM by muyuu
 #980

muyuu, your argument about bruteforcing the passwords is not entirely correct, because Bitcoinica uses bcrypt. This means that difficulty of cracking even simplier passwords rises dramatically (from minutes to days), and somewhat complex (7+ chars or so) passwords are safe, because it would take years to brute them. That's why I think the a password should be primary method of verification in the claim process.

Not really. I'm sure there's CUDA code and openCL code to dramatically improve on that. (About x10 last time I checked for a single mid-range GPU vs a multicore CPU)

Might want to ask in the Lite-coin community, but maybe you won't be told much about it.

Long story short, bcrypt slows down bruteforcing vs SHA but not remotely as much as often advertised.

GPG ID: 7294199D - OTC ID: muyuu (470F97EB7294199D)
forum tea fund BTC 1Epv7KHbNjYzqYVhTCgXWYhGSkv7BuKGEU DOGE DF1eTJ2vsxjHpmmbKu9jpqsrg5uyQLWksM CAP F1MzvmmHwP2UhFq82NQT7qDU9NQ8oQbtkQ
Pages: « 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 [49] 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 »
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!