Topic: ALL mtgox password has been compromised, change asap, everywhere you used it - page 3. (Read 17594 times)

kjj
legendary
Activity: 1302
Merit: 1026
Uh, the salt is right there in the file. Look at line 1. Password hash is $1$E1xAsgR1$vPt0d/L3f81Ys3SxJ7rIh/

The bold part (E1xAsgR1) is the salt for that hash.

The italic part (vPt0d/L3f81Ys3SxJ7rIh/) is md5(password + salt)
sr. member
Activity: 371
Merit: 250
It would appear that almost all the accounts are hashed with unique salts. The issue is, it is still easy to crack any of the weaker passwords with this, thanks to GPU MD5 crackers. Most bitcoin miners have so much GPU power anyway...

Some passwords from earlier accounts appear to have NO SALT. That, or salt is derived from username. I don't know, since I've not tried cracking any, and do not want to. :)
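An added triage script, not from the thread, for the two points made in the posts above: the salt sits in clear inside a `$1$salt$digest` string (so it is not a secret that can be "compromised" separately), and a leaked dump can be checked for rows with no salt field and for salts reused across accounts. The rows are constructed for this example; only the first hash is the one quoted in the post, and only the `$1$` (md5crypt) id and bare 32-hex digests are classified, other ids are just labelled.

```python
import re
from collections import Counter

# Constructed sample in the "user:hash" shape the thread describes. The first
# hash is the one quoted in the post above; the usernames and the remaining
# hash values are invented for this example.
SAMPLE_ROWS = [
    "user_a:$1$E1xAsgR1$vPt0d/L3f81Ys3SxJ7rIh/",
    "user_b:$1$Qm3zPc0a$8bKx2aLm0v9R1sC5tU7yW.",   # same salt as user_c
    "user_c:$1$Qm3zPc0a$zZ9yX8wV7uT6sR5qP4oN3/",
    "user_d:0123456789abcdef0123456789abcdef",     # bare hex: no salt field at all
]

# Modular crypt format: $<id>$<salt>$<digest>. For id "1" (md5crypt) the salt is
# up to 8 chars of [./0-9A-Za-z] and the digest is 22 chars of the same alphabet.
MCF_RE = re.compile(r"^\$(?P<id>[^$]+)\$(?P<salt>[^$]*)\$(?P<digest>[^$]+)$")
RAW_HEX_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def parse_hash(field):
    """Split a stored hash into (scheme, salt, digest).

    The salt is stored in clear inside the string: it is not a secret, so
    "was the salt compromised" is the wrong question for a leaked dump.
    """
    m = MCF_RE.match(field)
    if m:
        scheme = "md5crypt" if m.group("id") == "1" else "crypt-" + m.group("id")
        return scheme, m.group("salt"), m.group("digest")
    if RAW_HEX_RE.match(field):
        return "raw-md5", None, field.lower()   # 128-bit hex, no salt anywhere
    return "unknown", None, field


def triage(rows):
    """Report hash schemes, accounts with no salt, and salts shared by accounts."""
    by_scheme = Counter()
    unsalted = []
    salt_owners = {}
    for row in rows:
        user, _, field = row.partition(":")
        scheme, salt, _digest = parse_hash(field)
        by_scheme[scheme] += 1
        if salt is None:
            unsalted.append(user)
        else:
            salt_owners.setdefault((scheme, salt), []).append(user)
    shared = {k: v for k, v in salt_owners.items() if len(v) > 1}
    return {"by_scheme": by_scheme, "unsalted": unsalted, "shared_salt": shared}
```

Running `triage(SAMPLE_ROWS)` flags user_d as unsalted and user_b/user_c as sharing a salt; unsalted rows and shared salts are the accounts to notify first, since one precomputed guess covers all of them.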
sr. member
Activity: 308
Merit: 250
Bit_Happy: PM sent. I'm 99% certain it's legit.

It's not entirely clear if the attacker got access to the Mt.Gox source code, but at the moment it's probably safer to assume the salt was compromised as well.

Exactly. When you see a DB leak for a site you're a member of, you don't sit around wondering how strong the hashing mechanism is, you start changing your passwords. If you only used the password on MtGox, oh well, you don't really have anything to do right now. If you reused the same password anywhere else, stop thinking about how strong the hash is and change your freakin' password - the effort required for the latter is much less than the former and then it's done... from your perspective the information that's leaked is no longer valid. Whether it takes 2 minutes or 2 years to crack your password is irrelevant if you've already changed it someplace else.

Password hashing isn't meant so that a bunch of fools can sit and think "I'm safe" - it's to buy you time between when the credentials are taken, and when they're useful... to give you a chance to make them not useful.
legendary
Activity: 1400
Merit: 1013
Change them asap, anywhere you used it.
If anyone out there is still using the same password on more than one site then take this opportunity to stop doing that. Get some kind of password manager and use a different random password of the maximum length and complexity each web site you register on allows.
legendary
Activity: 1806
Merit: 1003
It's not entirely clear if the attacker got access to the Mt.Gox source code, but at the moment it's probably safer to assume the salt was compromised as well.

It's definitely NOT safe, someone just showed me a big list of cracked mtgox passwords on IRC channels. It's likely that salt has already been discovered.
jr. member
Activity: 56
Merit: 1
They have my username and the email I signed up with. I cannot confirm that it is my password. The hash must be salted.
legendary
Activity: 2114
Merit: 1040
A Great Time to Start Something!
Emails received, thanks all.

Bit_Happy, if you had an account on MtGox you could easily verify it. My account was on there.

Thanks guys for the info on the strength of the encryption.

I wasn't going to bother with Rapidshare.
Remember all the trolls a week ago. It was possible that, everyone screaming about this is phony, but now I know for certain.


hero member
Activity: 910
Merit: 1005
It's not entirely clear if the attacker got access to the Mt.Gox source code, but at the moment it's probably safer to assume the salt was compromised as well.
newbie
Activity: 28
Merit: 0
Bit_Happy, if you had an account on MtGox you could easily verify it. My account was on there. Edit: not same username as here.

Thanks guys for the info on the strength of the encryption.
legendary
Activity: 2114
Merit: 1040
A Great Time to Start Something!
This still might be a phony spreadsheet.
Let's see some real proof now!


I waited through the crappy Rapidshare wait time and finally downloaded the file.

I can confirm that my Mt. Gox username and password are here! This is real.

But I'm not sure you are telling the truth (no offense)
I want real proof, please send me an email, same username as this forum.
I'm waiting for real proof, now....

Edit:
Now I have real proof, thank you.
newbie
Activity: 28
Merit: 0
This explains all the recent vague topics about 'my MtGox account got hacked'. The hacker went through each of them, and when he found one that had 500k bitcoins.. well you know what happened.
legendary
Activity: 1806
Merit: 1003
If the salt hasn't been compromised, then the passwords should be safe, no?

No, absolutely not. I have already seen cracked mtgox passwords being shared in the IRC channels. Do not take a chance, change them as soon as possible, everywhere you used it.
full member
Activity: 153
Merit: 100
Mmh, how can I log in and change my password? I only see the login to the support section.
member
Activity: 95
Merit: 10
Argh, fuck everything about this. Really MtGox? Really? You aren't playing nice. Also hacker who did this? Screw you too. #superbummed
member
Activity: 66
Merit: 10
If the salt hasn't been compromised, then the passwords should be safe, no?
jr. member
Activity: 42
Merit: 1
I waited through the crappy Rapidshare wait time and finally downloaded the file.

I can confirm that my Mt. Gox username and password are here! This is real.
full member
Activity: 168
Merit: 103
Everybody with a password length of less than 8 characters is totally screwed now.

Change your passwords everywhere as soon as you can!
full member
Activity: 131
Merit: 100
lol wow that password hash is just begging to be cracked. That kind of length of total output hash is like the luggage lock of electronic security... Even salted sufficiently that is just not adequate.

I would like to echo the previous poster who said they have stronger encryption in a game they develop...
legendary
Activity: 1806
Merit: 1003
Man from the future, you seem to know this stuff. How hard would it be for people to brute-force or crack a reasonably strong password with the encryption in the MtGox file? Say 10 characters alphanumeric.

If the hacker also got their hands on the mtgox source code, it's pretty trivial to crack, probably 5-10 accounts per hour depending on password strength.