Topic: ALL mtgox password has been compromised, change asap, everywhere you used it - page 2. (Read 17598 times)

newbie
Activity: 14
Merit: 0
https://uloadr.com/u/CF.txt

Apparently cracked in 3 mins with a gpu.
So, MtGox does not use salt... It's really bad. The only good thing they can do is to reset all passwords and revalidate accounts through emails. But in case of passwords that match email ones the situation becomes even worse...
legendary
Activity: 1806
Merit: 1003
https://uloadr.com/u/CF.txt

Apparently cracked in 3 mins with a gpu.

ZOMG!

testt, letmein, phildick, nandgate, football, spotty...

REALLY PEOPLE???

and a ton of people used "bitcoin" as their password, lol
sr. member
Activity: 371
Merit: 250
Someone with a network should email everyone on the list and let them know.
+1

Issue is you'd probably end up on spam blacklists.
Nowadays you can't even send sixty thousand emails any more...
I've had too many issues to want to risk it, if you're being sarcastic.

I don't want my VPS blocked from emails, it needs to do ones for the services on it!
legendary
Activity: 1708
Merit: 1020
Someone with a network should email everyone on the list and let them know.
+1

Issue is you'd probably end up on spam blacklists.
Nowadays you can't even send sixty thousand emails any more...
full member
Activity: 131
Merit: 100
https://uloadr.com/u/CF.txt

Apparently cracked in 3 mins with a gpu.
jesus christ look at those terrible passwords.....
newbie
Activity: 28
Merit: 0
OK, somehow I am on that list. I remember considering signing up for mtgox, but never fully went through with it, and they didn't recognize my email when I tried to use the reset password form, I got the "that email isn't registered here" message. However, I DID get an email from them just a few minutes ago. And my email is on that list. It doesn't make sense to me.

I use long passwords, and several different ones for the sites I frequent, and I've gone and changed most of them, but now I'm really paranoid.
full member
Activity: 168
Merit: 103
If the salt hasn't been compromised, then the passwords should be safe, no?

That sentence doesn't make sense at all.
hero member
Activity: 910
Merit: 1005
newbie
Activity: 28
Merit: 0
If the salt hasn't been compromised, then the passwords should be safe, no?
It's not entirely clear if the attacker got access to the Mt.Gox source code, but at the moment it's probably safer to assume the salt was compromised as well.
there is no >the salt< in this case: it's 59231 password hashes with 59219 >different< salts, and ~1700 simple md5 hashes.

well look at what some of the users have in their rigs, and there are programs like Extreme GPU Bruteforcer out there that can do up to 700 million passwords a sec on a GeForce 250, and with what people here have in their rigs it would not take long at all.
we're talking about md5crypt a.k.a. MD5(Unix) a.k.a. FreeBSD MD5 ...not simple md5()!
with a decent gpu you'll be lucky to get ~1.5Mhash/s per gpu, not 700M. On a single HD4870 I get ~640.0k/s, that's nothing.
anything other than a wordlist attack is pretty useless on these hashes. so if you have an at least decent 8-char pass, you should be fine.
if you're one of the poor guys whose pass was encrypted with simple md5()...well, good luck then. but the rest shouldn't worry too much.

however everyone still should change his password when they are back online

Except that an account with 500k and other accounts were hacked and it's true. So your opinion that it's all ok is bs.
sr. member
Activity: 371
Merit: 250
Someone with a network should email everyone on the list and let them know.

Issue is you'd probably end up on spam blacklists.
jr. member
Activity: 56
Merit: 1
Someone with a network should email everyone on the list and let them know.
member
Activity: 98
Merit: 10
If the salt hasn't been compromised, then the passwords should be safe, no?
It's not entirely clear if the attacker got access to the Mt.Gox source code, but at the moment it's probably safer to assume the salt was compromised as well.
there is no >the salt< in this case: it's 59231 password hashes with 59219 >different< salts, and ~1700 simple md5 hashes.

well look at what some of the users have in their rigs, and there are programs like Extreme GPU Bruteforcer out there that can do up to 700 million passwords a sec on a GeForce 250, and with what people here have in their rigs it would not take long at all.
we're talking about md5crypt a.k.a. MD5(Unix) a.k.a. FreeBSD MD5 ...not simple md5()!
with a decent gpu you'll be lucky to get ~1.5Mhash/s per gpu, not 700M. On a single HD4870 I get ~640.0k/s, that's nothing.
anything other than a wordlist attack is pretty useless on these hashes. so if you have an at least decent 8-char pass, you should be fine.
if you're one of the poor guys whose pass was encrypted with simple md5()...well, good luck then. but the rest shouldn't worry too much.

however everyone still should change his password when they are back online
legendary
Activity: 1708
Merit: 1020
it would have been nice to keep emails encoded mtgox...
member
Activity: 98
Merit: 10
Some passwords appear to be without a salt.

For example, check user id #156. Google for the hash shown as "password" in accounts.csv. Find the password on a forum. (The forum post that comes up on the google search might shed some light on the guy who hacked mtgox?)

So... Anyone with a plain md5 hash (no $-signs) as password in accounts.csv should be worried.
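The point made in the posts above, that the "$"-prefixed md5crypt/phpass entries carry a per-user salt while the bare 32-hex-character entries are plain MD5 that a shared wordlist table cracks in one pass, shown as an added example. This is not code from the thread or from Mt.Gox: the rows, e-mail addresses, wordlist and the `$1$`/`$P$` strings are constructed here so the script runs offline, and nothing is taken from the real accounts.csv.

```python
"""Added example, not code from the thread. Classify the password field of
accounts.csv-style rows the way the posters did (plain MD5 versus "$"-prefixed
salted formats) and run a wordlist attack that only the unsalted entries are
exposed to. Rows and wordlist below are constructed; nothing here comes from
the real dump."""
import hashlib
import re


def md5_hex(s: str) -> str:
    """Plain, unsalted MD5 as a hex digest (what the 32-hex-char rows are)."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


# Constructed sample rows: (user_id, email, password_field). Rows 101, 102 and
# 105 are plain MD5 of throwaway passwords computed right here; the "$1$..."
# and "$P$..." fields are dummy strings laid out like md5crypt / phpass.
SAMPLE_ROWS = [
    ("101", "a@example.invalid", md5_hex("letmein")),
    ("102", "b@example.invalid", md5_hex("bitcoin")),
    ("103", "c@example.invalid", "$1$ab12cd34$" + "x" * 22),
    ("104", "d@example.invalid", "$P$B" + "y" * 30),
    ("105", "e@example.invalid", md5_hex("Xk9#vQ2!pLm7")),
]

# Constructed wordlist, echoing the kind of passwords the thread quotes.
WORDLIST = ["123456", "password", "letmein", "football", "bitcoin", "testt"]


def classify(field: str) -> str:
    """Name the hash scheme from the shape of the stored string."""
    if re.fullmatch(r"[0-9a-f]{32}", field):
        return "plain-md5"
    if field.startswith("$1$"):
        return "md5crypt"
    if field.startswith(("$P$", "$H$")):
        return "phpass"
    if field.startswith("$2"):
        return "bcrypt"
    return "unknown"


def crack_plain_md5(rows, wordlist):
    """Wordlist attack on the unsalted entries only.

    With no salt, every candidate is hashed exactly once and the resulting
    table is reused against every user: cost is len(wordlist), not
    len(wordlist) * users. Returns {user_id: recovered_password}.
    """
    table = {md5_hex(w): w for w in wordlist}
    found = {}
    for uid, _email, field in rows:
        if classify(field) == "plain-md5" and field in table:
            found[uid] = table[field]
    return found


def hash_operations(rows, n_candidates: int) -> dict:
    """Hash computations a wordlist of n_candidates costs per scheme.

    Unsalted: one shared table. Per-user salt: the whole list again for
    every user, and for md5crypt each of those is ~1000 MD5 rounds, which is
    why the thread's ~1.5 Mhash/s figure sits so far below raw MD5 speed.
    """
    counts = {}
    for _uid, _email, field in rows:
        scheme = classify(field)
        counts[scheme] = counts.get(scheme, 0) + 1
    salted = sum(v for k, v in counts.items() if k in ("md5crypt", "phpass", "bcrypt"))
    return {
        "plain-md5": n_candidates if counts.get("plain-md5") else 0,
        "per-user-salted": n_candidates * salted,
    }


if __name__ == "__main__":
    for uid, _e, f in SAMPLE_ROWS:
        print(uid, classify(f))
    print(crack_plain_md5(SAMPLE_ROWS, WORDLIST))
    print(hash_operations(SAMPLE_ROWS, len(WORDLIST)))
```

Run as-is it recovers users 101 and 102 from the six-word list, leaves 105 alone (strong password, same unsalted scheme) and never touches 103 or 104, whose salts would force the whole list to be rehashed per user.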
full member
Activity: 196
Merit: 101
I'm certainly never using MtGox again. Who uses MD5 for password hashing nowadays?

User #8 is quitting?? Craziness.
newbie
Activity: 34
Merit: 0
This is why all websites should be using bcrypt for password hashing. It's an adaptive hashing function that can be made to perform slower over time as computers get faster. Authentication on websites does not require a fast hashing function for just this reason.

I use 1Password for password management. It was Mac only until recently - there is now a Windows version out there. I had to double check whether I was following my own best practices but I did use a unique password for mtgox.
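The adaptive-cost property the post above asks for, shown as an added example that is not code from the thread, from Mt.Gox, or from any bcrypt library. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt (which needs a third-party package); the record format `$pbkdf2-sha256$<iterations>$<salt>$<dk>`, the policy iteration count and the `login` helper are assumptions made for this example. What carries over to bcrypt unchanged is the idea: the cost is stored with the hash, so verification keeps working after the policy is raised and old records can be upgraded the next time the user logs in.

```python
"""Added example, not from the thread. A password record that carries its own
cost parameter, so the cost can be raised over time without breaking existing
records. PBKDF2-HMAC-SHA256 from the stdlib stands in for bcrypt; the format
and policy value are assumptions for this example."""
import base64
import hashlib
import hmac
import os

POLICY_ITERATIONS = 600_000  # assumed current policy; raise it as hardware gets faster


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = POLICY_ITERATIONS, salt=None) -> str:
    """Return "$pbkdf2-sha256$<iterations>$<salt>$<dk>" with a fresh 16-byte salt."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$pbkdf2-sha256$%d$%s$%s" % (iterations, _b64(salt), _b64(dk))


def _parse(stored: str):
    """Split a record into (iterations, salt, dk); the scheme tag is checked."""
    _, scheme, iters, salt_b64, dk_b64 = stored.split("$")
    if scheme != "pbkdf2-sha256":
        raise ValueError("unsupported scheme: " + scheme)
    return int(iters), base64.b64decode(salt_b64), base64.b64decode(dk_b64)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the iteration count recorded in the stored string."""
    iterations, salt, dk = _parse(stored)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, dk)  # constant-time compare


def needs_rehash(stored: str, policy_iterations: int = POLICY_ITERATIONS) -> bool:
    """True when the record was made with a lower cost than current policy."""
    iterations, _salt, _dk = _parse(stored)
    return iterations < policy_iterations


def login(password: str, stored: str, policy_iterations: int = POLICY_ITERATIONS):
    """Verify, and on success return an upgraded record if the old one is below policy.

    Returns (ok, new_record_or_None). The upgrade can only happen at login,
    because that is the only moment the plaintext password is available.
    """
    if not verify_password(password, stored):
        return False, None
    if needs_rehash(stored, policy_iterations):
        return True, hash_password(password, policy_iterations)
    return True, None


if __name__ == "__main__":
    # Constructed walk-through: a record made under an older, cheaper policy.
    old = hash_password("correct horse battery", iterations=100_000)
    ok, upgraded = login("correct horse battery", old)  # policy is now 600_000
    print(ok, upgraded is not None, upgraded.split("$")[2] if upgraded else None)
```

Note that a fast, fixed-cost hash such as plain MD5 offers no such knob: once GPUs got faster there was nothing an operator could turn up short of migrating every user to a different scheme.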
administrator
Activity: 5222
Merit: 13032
I'm certainly never using MtGox again. Who uses MD5 for password hashing nowadays?
sr. member
Activity: 464
Merit: 250
well look at what some of the users have in their rigs, and there are programs like Extreme GPU Bruteforcer out there that can do up to 700 million passwords a sec on a GeForce 250, and with what people here have in their rigs it would not take long at all.

Anyway change ya passwords to be safe and if you use the same password on another site change that as well (use a different password this time)

hero member
Activity: 588
Merit: 500
Looks like the kind of hashes that come out of phpass.
I guess that means if the attackers managed to get hold of the salt, I'm prone to change my password.
newbie
Activity: 35
Merit: 0
I'm not that worried, my password is quite long and secure.