i_rape_bitcoins (OP)
Member
 Offline
Activity: 70
Merit: 10
|
 |
June 06, 2012, 07:13:12 PM |
|
This morning, a dump of unique passwords from LinkedIn databases had been posted. From the dump, it is revealed that password hashes did not include a salt. This allows the attacker to generate a rainbow table that is valid with all the hashes. So expect your password compromised. (feel the same as if your password were leaked plain-text)If you have a LinkedIn account and use the same password for other services (such as mtgox), please change your password. If you are unsure, visit LeakedIn to check. More news here: https://news.ycombinator.com/item?id=4073309 |
~I_RAPE_BITCOINS~
|
|
|
|
|
|
|
|
|
|
|
|
Transactions must be included in a block to be properly completed. When you send a transaction, it is broadcast to miners. Miners can then optionally include it in their next blocks. Miners will be more inclined to include your transaction if it has a higher transaction fee.
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
|
kjlimo
Legendary
Offline
Activity: 2086
Merit: 1031
|
|
June 06, 2012, 07:29:22 PM |
|
And remember to always salt your passwords  Who salts a password? Is that something I have to do when creating a password, or is that directed at the password manager to make sure to salt the passwords? |
|
|
|
mcorlett
Donator
Sr. Member
Offline
Activity: 308
Merit: 250
|
|
June 06, 2012, 07:30:12 PM |
|
Is that something I have to do when creating a password, or is that directed at the password manager to make sure to salt the passwords?
The latter. |
|
|
|
|
ErebusBat
|
|
June 06, 2012, 07:31:56 PM |
|
Who salts a password? Is that something I have to do when creating a password, or is that directed at the password manager to make sure to salt the passwords?
kjlimo, It is, unfortunately, up to the website operator to do. The safest thing you can do as a consumer is user a random password at each site. |
|
|
|
|
TangibleCryptography
|
|
June 06, 2012, 07:37:38 PM |
|
Honestly I feel it is going to take companies being force to publicly disclose their exact mechanism for storing passwords and face civil penalties for inaccurate disclosures. I mean it is 2012 not 1971. There is absolutely no possible excuse for not using bcypt (or similar) much less not even salting the passwords. Security through obscurity is no security at all.
Maybe we can get such information from Bitcoin websites via public pressure.
So major Bitcoin businesses and exchanges how are you storing your passwords?
MtGox?
CampBX?
Bitcointalk?
Bitmit?
Deepbit?
Bitcoinica?
Any volunteers?
|
|
|
|
|
|
nimda
|
|
June 06, 2012, 07:47:34 PM |
|
Goddammit, I can't find a mirror of the leak.
Oh, found it. This is fun.
|
|
|
|
|
weex
Legendary
Offline
Activity: 1102
Merit: 1014
|
|
June 06, 2012, 07:52:31 PM |
|
CoinDL and ExchB both use salt and multiple rounds of hashing.
|
|
|
|
|
|
realnowhereman
|
|
June 06, 2012, 07:55:28 PM |
|
If you have a LinkedIn account and use the same password for other services (such as mtgox), please change your password. If you are unsure, visit LeakedIn to check. Seriously people: don't go to LEAKEDin and type your password. Whether it's honest or not, you gain nothing from potentially handing your password over to some random site on the Internet. |
1AAZ4xBHbiCr96nsZJ8jtPkSzsg1CqhwDa
|
|
|
i_rape_bitcoins (OP)
Member
Offline
Activity: 70
Merit: 10
|
|
June 06, 2012, 08:07:39 PM |
|
If you have a LinkedIn account and use the same password for other services (such as mtgox), please change your password. If you are unsure, visit LeakedIn to check. Seriously people: don't go to LEAKEDin and type your password. Whether it's honest or not, you gain nothing from potentially handing your password over to some random site on the Internet. "Just provide your password ( which we hash with JavaScript; view source to verify) or a SHA-1 hash of your password below, and we'll check." browser hashes password -----sends to server-----> server replies if hash matches.
|
~I_RAPE_BITCOINS~
|
|
|
theymos
Administrator
Legendary
Offline
Activity: 5166
Merit: 12864
|
|
June 06, 2012, 08:08:27 PM |
|
Bitcointalk?
SMF uses SHA-1 hashes salted with the username. Not the greatest, though better than LinkedIn. ( I'm trying to improve our password security.) |
1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
|
|
|
|
realnowhereman
|
|
June 06, 2012, 08:11:25 PM |
|
"Just provide your password (which we hash with JavaScript; view source to verify) or a SHA-1 hash of your password below, and we'll check."
browser hashes password -----sends to server-----> server replies if hash matches.
Oh that's okay then... as long as it says "we're honest" on the website, it must be fine. |
1AAZ4xBHbiCr96nsZJ8jtPkSzsg1CqhwDa
|
|
|
mcorlett
Donator
Sr. Member
Offline
Activity: 308
Merit: 250
|
|
June 06, 2012, 08:14:00 PM |
|
"Just provide your password (which we hash with JavaScript; view source to verify) or a SHA-1 hash of your password below, and we'll check."
browser hashes password -----sends to server-----> server replies if hash matches.
Oh that's okay then... as long as it says "we're honest" on the website, it must be fine. The source is available for anyone to read. |
|
|
|
|
epetroel
|
|
June 06, 2012, 08:18:37 PM |
|
I expect that they didn't get all user's passwords.
I downloaded the leaked text file and verified that the hash of my password was NOT in there. Checked the hash of another friend from work here, and his wasn't either. So either they didn't get all the passwords, they got all the passwords but didn't release all of them, or the list is a fake. Probably one of the first two (i doubt it's a fake)
EDIT: Also, usernames were not included in the file. So either they don't have the usernames to go with the passwords or more likely they have them but just didn't release them. Probably just waiting to sell the username+password hash list to the highest bidder.
|
|
|
|
|
Serge
Legendary
Offline
Activity: 1050
Merit: 1000
|
|
June 06, 2012, 08:48:49 PM |
|
they got 6.5mil out of 150million users
|
|
|
|
|
|
epetroel
|
|
June 06, 2012, 08:55:35 PM |
|
they got 6.5mil out of 150million users
Well, there were 6.5 million distinct passwords. Considering many users pick the same bad passwords, that very likely represents a lot more than 6.5 million users. |
|
|
|
|
|
Serenata
|
|
June 06, 2012, 09:03:00 PM |
|
Who salts a password? Is that something I have to do when creating a password, or is that directed at the password manager to make sure to salt the passwords?
kjlimo, It is, unfortunately, up to the website operator to do. The safest thing you can do as a consumer is user a random password at each site. Cool tool for the job > Keepass |
|
|
|
justusranvier
Legendary
Offline
Activity: 1400
Merit: 1009
|
|
June 06, 2012, 09:03:20 PM |
|
The safest thing you can do as a consumer is user a random password at each site.
Doing that is much easier with a dedicated password manager, like LastPass. |
|
|
|
|
Xenland
Legendary
Offline
Activity: 980
Merit: 1003
I'm not just any shaman, I'm a Sha256man
|
|
June 06, 2012, 09:08:00 PM |
|
http://CheaperInBitcoins.com salts its passwords with 254 random characters uniquly per account, along with appending another salt that is the customers ID# multiplied by an undisclosed number on top of requiring users/merchants/customers a password of 10 characters or more. so to visualise the hashing it would look something like this in pseudo code hash("sha512", <random 254 characters> (<user_id> * <undisclosed number>) <customer/username password>)
|
|
|
|
|
|
Steve
|
|
June 06, 2012, 09:08:50 PM |
|
"Just provide your password (which we hash with JavaScript; view source to verify) or a SHA-1 hash of your password below, and we'll check."
browser hashes password -----sends to server-----> server replies if hash matches.
Oh that's okay then... as long as it says "we're honest" on the website, it must be fine. The source is available for anyone to read. Just change your password on linkedin, then you don't need to worry about if the source is read able or anything. Problem Solved  Uhhh…as well as every other site where you may have happened to use the same username and password. People really do need a way of testing whether specific passwords are in that list…because many may have forgotten what password they used (with browser autofill, etc) and if they reset it, well, that doesn't tell them which password has been compromised. Otherwise, they may need to change every password on every site, which can be tedious. Just more justification to use unique, generated passwords on every site. |
|
|
|
|
Steve
|
|
June 06, 2012, 09:16:04 PM |
|
The safest thing you can do as a consumer is user a random password at each site.
Doing that is much easier with a dedicated password manager, like LastPass. I prefer to use something that generates a password from a master instead of storing any passwords anywhere. Here's one such solution: http://passwordmaker.org/passwordmaker.htmlYou enter a master password and other details (like the domain name and user id) then it uses a hash function to generate a password that doesn't need to be stored anywhere. It does all of that on the client, in the browser and you can access it from any computer with an internet connection and a browser (only on a computer you trust of course). |
|
|
|
|
