Pages:
Author

Topic: Bitscalper passwords have been leaked - page 2. (Read 7607 times)

newbie
Activity: 38
Merit: 0
February 13, 2012, 10:36:46 PM
#40
Theymos is the Hero of Winterfell...
full member
Activity: 184
Merit: 100
Feel the coffee, be the coffee.
February 13, 2012, 09:40:21 PM
#39
No SSL for inputting passwords is a very bad omen in my book. I work in email security, so I am generally paranoid.
Too true Sad It amazes me that it is still impossible to send email in anything but unsecured form. Sure you can have SSL between the client and server on both ends, but in the middle its still unencrypted.

There is PGP. But you do have to set it up yourself. I guess the main reason it hasn't taken off is because most secure email is within a single organization or between trusted organizations. I'm a MS Exchange admin, and you definitely can configure encrypted server-server links, but both ends have to be set up for it.

End-to-end encryption and security is the way to go, but it needs user involvement and education.

For passwords, something like SRP over HTTPS would be just about bulletproof, except for the untrustable javascript crypto implementation.

See http://www.matasano.com/articles/javascript-cryptography/ for a full discussion of javascript cryptography.
legendary
Activity: 1260
Merit: 1000
Drunk Posts
February 13, 2012, 09:35:55 PM
#38
No SSL for inputting passwords is a very bad omen in my book. I work in email security, so I am generally paranoid.
Too true Sad It amazes me that it is still impossible to send email in anything but unsecured form. Sure you can have SSL between the client and server on both ends, but in the middle its still unencrypted.

There is PGP. But you do have to set it up yourself. I guess the main reason it hasn't taken off is because most secure email is within a single organization or between trusted organizations. I'm a MS Exchange admin, and you definitely can configure encrypted server-server links, but both ends have to be set up for it.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
February 13, 2012, 09:30:05 PM
#37
No SSL for inputting passwords is a very bad omen in my book. I work in email security, so I am generally paranoid.
Too true Sad It amazes me that it is still impossible to send email in anything but unsecured form. Sure you can have SSL between the client and server on both ends, but in the middle its still unencrypted.
full member
Activity: 184
Merit: 100
Feel the coffee, be the coffee.
February 13, 2012, 09:21:51 PM
#36
Here is what I posted when I checked out Bitscalper a little while ago.

I'm not putting a password on that website. There is no https.

I highly suggest that he invest in an SSL certificate.

He did not even hash his passwords. I'm glad I did not sign-up !
Why, do you use the same password for everything? Tongue

No, I use a password manager for everything valuable.

No SSL for inputting passwords is a very bad omen in my book. I work in email security, so I am generally paranoid.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
February 13, 2012, 09:18:56 PM
#35
Here is what I posted when I checked out Bitscalper a little while ago.

I'm not putting a password on that website. There is no https.

I highly suggest that he invest in an SSL certificate.

He did not even hash his passwords. I'm glad I did not sign-up !
Why, do you use the same password for everything? Tongue
full member
Activity: 184
Merit: 100
Feel the coffee, be the coffee.
February 13, 2012, 09:14:23 PM
#34
Here is what I posted when I checked out Bitscalper a little while ago.

I'm not putting a password on that website. There is no https.

I highly suggest that he invest in an SSL certificate.

He did not even hash his passwords. I'm glad I did not sign-up !
legendary
Activity: 1358
Merit: 1002
February 13, 2012, 07:35:58 PM
#33
Theymos, have you seen the leaked logins or are you just spreading FUD?

I have the logins. I'll release technical details once it's fixed.

Here's me logged into the admin account (you can see I tried to withdraw his 851 BTC -- still pending):
http://i.imgur.com/l92H3.png

 Shocked

And btc-e was also compromised https://bitcointalksearch.org/topic/m.747080
administrator
Activity: 5222
Merit: 13032
February 13, 2012, 07:29:38 PM
#32
Theymos, have you seen the leaked logins or are you just spreading FUD?

I have the logins. I'll release technical details once it's fixed.

Here's me logged into the admin account (you can see I tried to withdraw his 851 BTC -- still pending):
http://i.imgur.com/l92H3.png
legendary
Activity: 1358
Merit: 1002
February 13, 2012, 07:02:57 PM
#31
I call bullshit on this one...

Theymos, have you seen the leaked logins or are you just spreading FUD?

PS: I have no bitcoin on bitscalper, but I made an account there and got some profits out a while back.
legendary
Activity: 1386
Merit: 1004
February 13, 2012, 05:15:23 PM
#30
Bitscalper didn't use any hashing, so every password got out. As for Mt. Gox back then, try this link: How secure is my password?

Wow.  Glad it was unique.  It says years so I guess it was not too bad.  Thanks, good link
hero member
Activity: 607
Merit: 500
February 13, 2012, 05:13:02 PM
#29
Bitscalper didn't use any hashing, so every password got out. As for Mt. Gox back then, try this link: How secure is my password?
legendary
Activity: 1386
Merit: 1004
February 13, 2012, 05:08:20 PM
#28
Didn't gox have a similar thing occur once?

No, they used md5 hashed passwords, but they were unsalted, so weak passwords got cracked when the db leaked.
While I have changed my password, had a unique one for that site and withdrew (though it has not arrived), how well would a 11 char password hold up?
hero member
Activity: 607
Merit: 500
February 13, 2012, 05:04:31 PM
#27
Didn't gox have a similar thing occur once?

No, they used md5 hashed passwords, but they were unsalted, so weak passwords got cracked when the db leaked.
hero member
Activity: 1778
Merit: 504
WorkAsPro
February 13, 2012, 04:26:46 PM
#26
Didn't gox have a similar thing occur once?
full member
Activity: 176
Merit: 100
February 13, 2012, 11:31:17 AM
#25
People should have seen this comming.
By now, the coins are probably already gone.
sr. member
Activity: 352
Merit: 250
Firstbits: 1m8xa
February 13, 2012, 10:21:28 AM
#24
Plaintext passwords? Seriously?
legendary
Activity: 2126
Merit: 1001
February 13, 2012, 09:57:26 AM
#23
Being paranoid: Please trust (your local) keepass (keepassx in linux) instead of a website.. We just saw what you may get in trusting an external entity ;-)

Ente
hero member
Activity: 574
Merit: 500
February 13, 2012, 08:32:32 AM
#22
I use separate password for everything, thanks to last pass. I am a bit paranoid, so my main banking account has its own password that I don't store anywhere and a RSA key that is locked in a safe.

Use last pass or similar website to manage your passwords.
hero member
Activity: 896
Merit: 1000
Buy this account on March-2019. New Owner here!!
February 13, 2012, 08:14:24 AM
#21
damn, I knew this was too good to be true. This is the reason I only deposited 5 btc

(grew to 5.3532907242433 within a couple weeks)

Luckily I have been using separate passwords on every single site since MTGox got hacked back in june.

Pages:
Jump to: