Bitcoin Forum>Economy>Marketplace>Service Discussion
Pages:
Author

Topic: Coinchat doesn't salt or use a strong hash algo - page 3. (Read 32223 times)

🏰 TradeFortress 🏰
vip
Activity: 1316
Merit: 1043
👻
Re: Coinchat doesn't salt or use a strong hash algo
July 12, 2013, 04:14:15 AM
#46
Inputs used bcrypt since the start, we've been looking into & implementing alternative security like GPG or password derivatives for signing transactions too.

Quote
Just because bitcoin-qt does something doesn't make it correct.

Most, if not a figure very close to 100% of software in the world does not use absolute best practices. People should be demanding absolute best practices for sites handling money like storing Bitcoins for example, and that's a valid point - but like I said before, Inputs.io uses bcrypt and that is the ONLY site that stores bitcoins.

Demanding that for a web chatroom not recommended to be used for sensitive communications isn't what you should be wasting your time with.

If you compromise someone's coinchat or coinlenders account - cool. Now withdraw to Inputs.io and try to compromise that!

Quote
When did inputs.io become Bitcoins? So you claiming that inputs.io is now bitcoin?

No, just that it actually handles Bitcoins.
gweedo
legendary
Activity: 1498
Merit: 1000
Re: Coinchat doesn't salt or use a strong hash algo
July 12, 2013, 04:10:58 AM
#45
Quote from: 🏰 TradeFortress 🏰 on July 12, 2013, 04:08:47 AM
I'm not talking about bitcoins. I'm talking about web security basics / best practices, which you violated many times for BitcoinLister. Including things like your architecture and code layouts. Every developer does that for hacky / pet projects really.

Aren't you arguing over a CHATROOM? Instead of Bitcoins (ie Inputs.io)?

Also, soon, the next time users sign into CoinLenders, they will be hashed and salted with data from /dev/random (so it's guaranteed to be all from environmental noise instead of some from PRNGs). I'm not doing this right now because it's impractical to get long salts for thousands of users from a blocking source.

When did inputs.io become Bitcoins? So you claiming that inputs.io is now bitcoin?
davout
legendary
Activity: 1372
Merit: 1008
1davout
Re: Coinchat doesn't salt or use a strong hash algo
July 12, 2013, 04:09:15 AM
#44
Quote from: 🏰 TradeFortress 🏰 on July 12, 2013, 03:43:10 AM
My Little Pony Forums needs to implement GPG auth! (We're implementing GPG signing for logging in for inputs too)

bitcoin-qt uses a random salt that scales according to host computational power for wallet encryption, FYI.
Using a salt to protect a password from being looked up in rainbow tables is useless.
Just because bitcoin-qt does something doesn't make it correct.

Quote from: DeathAndTaxes on July 12, 2013, 03:44:19 AM
Care to clarify?  The purpose of salt is to prevent pre-execution attack (i.e. rainbow tables).
Yes, thing is, that's not really how passwords are cracked nowadays.
I strongly encourage you to read this and this, you'll see how it actually happens.

Quote from: DeathAndTaxes on July 12, 2013, 03:44:19 AM
There is absolutely no reason not to salt passwords as in no possible way would it reduce security.
Usually when you do something thinking "it can't hurt" it means that you don't really understand what you're doing.

Quote from: DeathAndTaxes on July 12, 2013, 03:44:19 AM
Furthermore many key derivitive functions like bcrypt have integrated support for generating and storing salt.  It no requires no additional work.
Yup, and that's precisely why the "should we use salts" question is completely outdated, you don't hash, use salts or whatever, you do the right thing, you use bcrypt.

Quote from: DeathAndTaxes on July 12, 2013, 03:44:19 AM
I take it bitcoin-central doesn't salt passwords to protects users?
We actually switched to bcrypt before you even registered on bitcointalk.
🏰 TradeFortress 🏰
vip
Activity: 1316
Merit: 1043
👻
Re: Coinchat doesn't salt or use a strong hash algo
July 12, 2013, 04:08:47 AM
#43
I'm not talking about bitcoins. I'm talking about web security basics / best practices, which you violated many times for BitcoinLister. Including things like your architecture and code layouts. Every developer does that for hacky / pet projects really.

Aren't you arguing over a CHATROOM? Instead of Bitcoins (ie Inputs.io)?

Also, soon, the next time users sign into CoinLenders, they will be hashed and salted with data from /dev/random (so it's guaranteed to be all from environmental noise instead of some from PRNGs). I'm not doing this right now because it's impractical to get long salts for thousands of users from a blocking source.
favdesu
legendary
Activity: 1764
Merit: 1000
Re: Coinchat doesn't salt or use a strong hash algo
July 12, 2013, 04:06:56 AM
#42
tbh, I can't see any problems, as long as inputs is safe, since it's acting as the master account.

only issues are bad jurisdiction and doxing by the hopefully only one person with access to the db.
🏰 TradeFortress 🏰
vip
Activity: 1316
Merit: 1043
👻
Re: Coinchat doesn't salt or use a strong hash algo
July 12, 2013, 04:00:23 AM
#41
gweedo: you have multiple security vulnerabilities on your sites like BitcoinLister.

I've already admitted that some of my sites weren't best practices, but that does not matter in the slightest when talking about Bitcoins because Inputs.io. And CoinLenders now uses a user specific salt generated from /dev/urandom.

No, I am not posting my entire source code or database.

Now the only thing remaining is coinchat. I'd love for you to bitch more about how a pet project chatroom doesn't use best practices, especially when it uses Inputs.io and has an effect of about nil!

(Keep in mind that this forum does not use a user specific salt.)
gweedo
legendary
Activity: 1498
Merit: 1000
Re: Coinchat doesn't salt or use a strong hash algo
July 12, 2013, 03:57:01 AM
#40
Lets just bring this back on topic, cause we have gone off topic for a bit. TradeFortress now has 2 bad practices on his sites. Sounds like he just experimented learned as he went, and never updated his previous sites. Which we all can be guilty of and  as soon as he proves that is fix, which isn't too much work. I will gladly remove all my post and threads.

I will how ever not be extorted and forced to do anything. I don't care if he tries and hack my paper wallets LMAO joke. But seriously extortion and trust system abuse isn't the route he should be taking.
🏰 TradeFortress 🏰
vip
Activity: 1316
Merit: 1043
👻
Re: Coinchat doesn't salt or use a strong hash algo
July 12, 2013, 03:55:49 AM
#39
Quote from: DeathAndTaxes on July 12, 2013, 03:45:45 AM
It was more a "why", why make it more insecure than necessary?  Proper password security also protects your users if the site is compromised and users (being users) ended up using the same password on multiple sites, possibly even your other sites.

Took a while but CoinLenders now hashes passwords 3 times (for legacy reasons), including once with a user specific randomly generated salt collected from environmental noise (/dev/urandom, I'm using the non blocking version for now because /dev/random is impractical as a quick update for thousands of users).

Still a mostly pointless change as (i) we tell users to not reuse passwords in large font, but yes some users don't listen and (ii) Inputs.io is required.

Difference this will make in practice due to CoinLender's Inputs.io requirement: close to zero

Difference this makes to forum posters: ??
escrow.ms
legendary
Activity: 1274
Merit: 1004
Re: Coinchat doesn't salt or use a strong hash algo
July 12, 2013, 03:46:10 AM
#38
Quote from: DeathAndTaxes on July 12, 2013, 03:44:19 AM
Quote from: davout on July 12, 2013, 03:39:38 AM
If you're still using salts in 2013 you're an idiot, no exceptions.

Care to clarify?  The purpose of salt is to prevent pre-execution attack (i.e. rainbow tables).

There is absolutely no reason not to salt passwords as in no possible way would it reduce security.  It limits the attacker to one attempt on one account per operation which can never be slower without salt.  Furthermore many key derivitive functions like bcrypt have integrated support for generating and storing salt.  It no requires no additional work.  


I take it bitcoin-central doesn't salt passwords to protects users?

I think he's talking about static ie single salt.
DeathAndTaxes
donator
Activity: 1218
Merit: 1079
Gerald Davis
Re: Coinchat doesn't salt or use a strong hash algo
July 12, 2013, 03:45:45 AM
#37
Quote from: 🏰 TradeFortress 🏰 on July 12, 2013, 03:41:09 AM
Quote from: DeathAndTaxes on July 12, 2013, 03:37:58 AM
So one site has no salt, one site uses a weak static salt and one site does it "right"?

That makes sense.

I could remove login checks for CoinLenders and nobody will be able to steal a single coin (because you're only able to transfer them to your Inputs account)

It was more a "why", why make it more insecure than necessary?  Proper password security also protects your users if the site is compromised and users (being users) ended up using the same password on multiple sites, possibly even your other sites.

DeathAndTaxes
donator
Activity: 1218
Merit: 1079
Gerald Davis
Re: Coinchat doesn't salt or use a strong hash algo
July 12, 2013, 03:44:19 AM
#36
Quote from: davout on July 12, 2013, 03:39:38 AM
If you're still using salts in 2013 you're an idiot, no exceptions.

Care to clarify?  The purpose of salt is to prevent pre-execution attack (i.e. rainbow tables).

There is absolutely no reason not to salt passwords as in no possible way would it reduce security.  It limits the attacker to one attempt on one account per operation which can never be slower without salt.  Furthermore many key derivitive functions like bcrypt have integrated support for generating and storing salt.  It no requires no additional work. 


I take it bitcoin-central doesn't salt passwords to protects users?
🏰 TradeFortress 🏰
vip
Activity: 1316
Merit: 1043
👻
Re: Coinchat doesn't salt or use a strong hash algo
July 12, 2013, 03:43:10 AM
#35
Quote from: davout on July 12, 2013, 03:39:38 AM
If you're still using salts in 2013 you're an idiot, no exceptions.

My Little Pony Forums needs to implement GPG auth! (We're implementing GPG signing for logging in for inputs too)

bitcoin-qt uses a random salt that scales according to host computational power for wallet encryption, FYI.
🏰 TradeFortress 🏰
vip
Activity: 1316
Merit: 1043
👻
Re: Coinchat doesn't salt or use a strong hash algo
July 12, 2013, 03:41:09 AM
#34
Quote from: DeathAndTaxes on July 12, 2013, 03:37:58 AM
So one site has no salt, one site uses a weak static salt and one site does it "right"?

That makes sense.

I could remove login checks for CoinLenders and nobody will be able to steal a single coin (because you're only able to transfer them to your Inputs account)
davout
legendary
Activity: 1372
Merit: 1008
1davout
Re: Coinchat doesn't salt or use a strong hash algo
July 12, 2013, 03:39:38 AM
#33
If you're still using salts in 2013 you're an idiot, no exceptions.
DeathAndTaxes
donator
Activity: 1218
Merit: 1079
Gerald Davis
Re: Coinchat doesn't salt or use a strong hash algo
July 12, 2013, 03:37:58 AM
#32
Quote from: 🏰 TradeFortress 🏰 on July 12, 2013, 03:36:26 AM
Quote
Wait what?  Salt should be random and per record/account.  Anything less doesn't prevent a parallel execution attack.

Yeah, that's the best practice. I use a user unique salt for Inputs. For CoinLenders it is one salt. This doesn't matter because you need to get into a Inputs account to get coins from CL anyway.

So one site has no salt, one site uses a weak static salt and one site does it "right"?

That makes sense.
🏰 TradeFortress 🏰
vip
Activity: 1316
Merit: 1043
👻
Re: Coinchat doesn't salt or use a strong hash algo
July 12, 2013, 03:36:26 AM
#31
Quote
Wait what?  Salt should be random and per record/account.  Anything less doesn't prevent a parallel execution attack.

Yeah, that's the best practice. I use a user unique salt for Inputs. For CoinLenders it is one salt. This doesn't matter because you need to get into a Inputs account to get coins from CL anyway.
DeathAndTaxes
donator
Activity: 1218
Merit: 1079
Gerald Davis
Re: Coinchat doesn't salt or use a strong hash algo
July 12, 2013, 03:35:28 AM
#30
Quote from: 🏰 TradeFortress 🏰 on July 12, 2013, 03:26:01 AM
2) I am not disclosing my salt

Wait what?  Salt should be random and per record/account.  Anything less doesn't prevent a parallel execution attack.
gweedo
legendary
Activity: 1498
Merit: 1000
Re: Coinchat doesn't salt or use a strong hash algo
July 12, 2013, 03:32:57 AM
#29
https://bitcointalksearch.org/topic/warning-gweedo-extorts-full-database-of-sensitive-financial-site-spreads-fud-254808

LMAO you locked it LMAO

Quote from: 🏰 TradeFortress 🏰 on July 12, 2013, 03:30:53 AM
Also, if you want your negative trust rating removed you just need to stop making false statements. Like the topic of this post.

When you prove to me that you have taken the necessary security. Then i will stop making statements against you. Extorting my trust rating doesn't look good for you btw. Wink I don't care about rep, I still do my business like I will always.

 Just a prime example that power always get abused.
escrow.ms
legendary
Activity: 1274
Merit: 1004
Re: Coinchat doesn't salt or use a strong hash algo
July 12, 2013, 03:32:35 AM
#28
Let me grab some popcorn.
🏰 TradeFortress 🏰
vip
Activity: 1316
Merit: 1043
👻
Re: Coinchat doesn't salt or use a strong hash algo
July 12, 2013, 03:30:53 AM
#27
Also, if you want your negative trust rating removed you just need to stop making false statements. Like the topic of this post.
Pages:
Bitcoin Forum>Economy>Marketplace>Service Discussion
Jump to: