Topic: Bitscalper passwords have been leaked - page 2. (Read 7575 times)

newbie
Activity: 38
Merit: 0
February 13, 2012, 11:36:46 PM
#40
Theymos is the Hero of Winterfell...
full member
Activity: 184
Merit: 100
Feel the coffee, be the coffee.
February 13, 2012, 10:40:21 PM
#39
No SSL for inputting passwords is a very bad omen in my book. I work in email security, so I am generally paranoid.
Too true :( It amazes me that it is still impossible to send email in anything but unsecured form. Sure you can have SSL between the client and server on both ends, but in the middle it's still unencrypted.

There is PGP. But you do have to set it up yourself. I guess the main reason it hasn't taken off is because most secure email is within a single organization or between trusted organizations. I'm a MS Exchange admin, and you definitely can configure encrypted server-server links, but both ends have to be set up for it.

End-to-end encryption and security is the way to go, but it needs user involvement and education.

For passwords, something like SRP over HTTPS would be just about bulletproof, except for the untrustable javascript crypto implementation.

See http://www.matasano.com/articles/javascript-cryptography/ for a full discussion of javascript cryptography.
legendary
Activity: 1260
Merit: 1000
Drunk Posts
February 13, 2012, 10:35:55 PM
#38
No SSL for inputting passwords is a very bad omen in my book. I work in email security, so I am generally paranoid.
Too true :( It amazes me that it is still impossible to send email in anything but unsecured form. Sure you can have SSL between the client and server on both ends, but in the middle it's still unencrypted.

There is PGP. But you do have to set it up yourself. I guess the main reason it hasn't taken off is because most secure email is within a single organization or between trusted organizations. I'm a MS Exchange admin, and you definitely can configure encrypted server-server links, but both ends have to be set up for it.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
February 13, 2012, 10:30:05 PM
#37
No SSL for inputting passwords is a very bad omen in my book. I work in email security, so I am generally paranoid.
Too true :( It amazes me that it is still impossible to send email in anything but unsecured form. Sure you can have SSL between the client and server on both ends, but in the middle it's still unencrypted.
full member
Activity: 184
Merit: 100
Feel the coffee, be the coffee.
February 13, 2012, 10:21:51 PM
#36
Here is what I posted when I checked out Bitscalper a little while ago.

I'm not putting a password on that website. There is no https.

I highly suggest that he invest in an SSL certificate.

He did not even hash his passwords. I'm glad I did not sign up!
Why, do you use the same password for everything? :P

No, I use a password manager for everything valuable.

No SSL for inputting passwords is a very bad omen in my book. I work in email security, so I am generally paranoid.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
February 13, 2012, 10:18:56 PM
#35
Here is what I posted when I checked out Bitscalper a little while ago.

I'm not putting a password on that website. There is no https.

I highly suggest that he invest in an SSL certificate.

He did not even hash his passwords. I'm glad I did not sign up!
Why, do you use the same password for everything? :P
full member
Activity: 184
Merit: 100
Feel the coffee, be the coffee.
February 13, 2012, 10:14:23 PM
#34
Here is what I posted when I checked out Bitscalper a little while ago.

I'm not putting a password on that website. There is no https.

I highly suggest that he invest in an SSL certificate.

He did not even hash his passwords. I'm glad I did not sign up!
legendary
Activity: 1358
Merit: 1002
February 13, 2012, 08:35:58 PM
#33
Theymos, have you seen the leaked logins or are you just spreading FUD?

I have the logins. I'll release technical details once it's fixed.

Here's me logged into the admin account (you can see I tried to withdraw his 851 BTC -- still pending):
http://i.imgur.com/l92H3.png

:o

And btc-e was also compromised https://bitcointalksearch.org/topic/m.747080
administrator
Activity: 5222
Merit: 13032
February 13, 2012, 08:29:38 PM
#32
Theymos, have you seen the leaked logins or are you just spreading FUD?

I have the logins. I'll release technical details once it's fixed.

Here's me logged into the admin account (you can see I tried to withdraw his 851 BTC -- still pending):
http://i.imgur.com/l92H3.png
legendary
Activity: 1358
Merit: 1002
February 13, 2012, 08:02:57 PM
#31
I call bullshit on this one...

Theymos, have you seen the leaked logins or are you just spreading FUD?

PS: I have no bitcoin on bitscalper, but I made an account there and got some profits out a while back.
legendary
Activity: 1386
Merit: 1003
February 13, 2012, 06:15:23 PM
#30
Bitscalper didn't use any hashing, so every password got out. As for Mt. Gox back then, try this link: How secure is my password?

Wow.  Glad it was unique.  It says years so I guess it was not too bad.  Thanks, good link
hero member
Activity: 607
Merit: 500
February 13, 2012, 06:13:02 PM
#29
Bitscalper didn't use any hashing, so every password got out. As for Mt. Gox back then, try this link: How secure is my password?
legendary
Activity: 1386
Merit: 1003
February 13, 2012, 06:08:20 PM
#28
Didn't gox have a similar thing occur once?

No, they used md5 hashed passwords, but they were unsalted, so weak passwords got cracked when the db leaked.
While I have changed my password, had a unique one for that site and withdrew (though it has not arrived), how well would an 11-char password hold up?
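An added example (not code from any poster in this thread) showing why the unsalted MD5 storage described above cracks wholesale once the database leaks, beside a per-user salted, slow-KDF alternative. The usernames, passwords and wordlist are constructed; the audit function is the kind of check a site operator would run against their own user table.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample user table (no real Bitscalper or Mt. Gox data).
SAMPLE_USERS = {
    "alice": "password1",
    "bob": "password1",        # same password as alice
    "carol": "Tr0ub4dor&3x!",  # not in the wordlist below
}

# Constructed stand-in for a cracking dictionary.
WORDLIST = ["123456", "password", "password1", "letmein", "bitcoin"]


def store_unsalted_md5(password: str) -> str:
    """The weak scheme from the thread: bare MD5, no salt, no work factor."""
    return hashlib.md5(password.encode()).hexdigest()


def audit_unsalted_leak(leaked: Dict[str, str]) -> Dict[str, str]:
    """Operator-side audit of an unsalted MD5 table: one hash per wordlist
    entry is enough, because every user with that password has the same hash,
    so the whole table is checked with a single precomputed lookup."""
    table = {store_unsalted_md5(w): w for w in WORDLIST}
    return {user: table[h] for user, h in leaked.items() if h in table}


def store_salted_pbkdf2(password: str, salt: Optional[bytes] = None,
                        iterations: int = 200_000) -> str:
    """Per-user random salt plus a slow KDF, stored as salt$iterations$hash.
    Equal passwords now produce different records, so no shared lookup works,
    and each guess costs `iterations` HMAC-SHA256 evaluations per user."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def verify_salted_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, iters, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    leaked = {u: store_unsalted_md5(p) for u, p in SAMPLE_USERS.items()}
    print("unsalted MD5 recovers:", audit_unsalted_leak(leaked))
    print("salted records differ:",
          store_salted_pbkdf2("password1") != store_salted_pbkdf2("password1"))
```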
hero member
Activity: 607
Merit: 500
February 13, 2012, 06:04:31 PM
#27
Didn't gox have a similar thing occur once?

No, they used md5 hashed passwords, but they were unsalted, so weak passwords got cracked when the db leaked.
hero member
Activity: 1778
Merit: 504
WorkAsPro
February 13, 2012, 05:26:46 PM
#26
Didn't gox have a similar thing occur once?
full member
Activity: 176
Merit: 100
February 13, 2012, 12:31:17 PM
#25
People should have seen this coming.
By now, the coins are probably already gone.
sr. member
Activity: 352
Merit: 250
Firstbits: 1m8xa
February 13, 2012, 11:21:28 AM
#24
Plaintext passwords? Seriously?
legendary
Activity: 2126
Merit: 1001
February 13, 2012, 10:57:26 AM
#23
Being paranoid: Please trust (your local) keepass (keepassx in linux) instead of a website.. We just saw what you may get in trusting an external entity ;-)

Ente
hero member
Activity: 574
Merit: 500
February 13, 2012, 09:32:32 AM
#22
I use separate passwords for everything, thanks to LastPass. I am a bit paranoid, so my main banking account has its own password that I don't store anywhere and an RSA key that is locked in a safe.

Use LastPass or a similar website to manage your passwords.
hero member
Activity: 896
Merit: 1000
Buy this account on March-2019. New Owner here!!
February 13, 2012, 09:14:24 AM
#21
damn, I knew this was too good to be true. This is the reason I only deposited 5 btc

(grew to 5.3532907242433 within a couple weeks)

Luckily I have been using separate passwords on every single site since MTGox got hacked back in june.
