
Topic: Cracked Passwords List Leaked, were you cracked? (Read 16402 times)

full member
Activity: 168
Merit: 103
I changed ALL my passwords to random characters after Mt.Gox got hacked (had planned it for a long time, but never got around to it); before this I was using about 3 passwords for everything.

I did exactly the same; I had also been meaning to do it all along.



My MtGox password was different from any other, fortunately, except this very forum's. But it has some similarity to my standard passwords, so I fear that people might crack those more easily.
full member
Activity: 406
Merit: 100
Yes, my password was cracked, but I was just testing mtgox with no intention of trading at that time, so it was very weak.
My password was NOT cracked.

My password consisted of 18 characters, of which only 9 alphabetical and of which 3 were capitals.
The rest consisted of 3 randomly chosen numerical characters and 6 non-alphanumerical characters.

The mtgox website wrote after 'the incident' that accounts with 'sufficiently complex passwords' would be re-instated automatically.
Well, that didn't happen. I had to reclaim my account, got a new password. And it worked for 1 day.
Now my password is invalidated and mtgox does not reply to my requests for a new password:
If I go through the "password forgotten" procedure at login, it says it has sent a new password to my email, but none ever arrived.
Now my IP is even blocked 'due to too many failed login attempts'.

There are BTCs and USDs in my account there and I am getting really pissed!
member
Activity: 126
Merit: 10
BUT they seem to have blacklisted the whole list from mtgox. I tried batches of 10 from around the list, and they are all listed as "hacked".

That's the point of that URL: they combined a bunch of lists of leaked account details, and if your email is associated with any of them it tells you. Technically it's "has a hash of my password from a site been released publicly"; it doesn't care whether the hash has been cracked or not, and rightly so.
newbie
Activity: 25
Merit: 0
My very simple password (6 numbers + username) wasn't in the list, so I believe that this list comes from phishing/key logging or something like that. I changed ALL my passwords to random characters after Mt.Gox got hacked (had planned it for a long time, but never got around to it); before this I was using about 3 passwords for everything.

I would also check https://shouldichangemypassword.com/ It correctly reports I've had my password compromised once on June 19, 2011. I got an email from Chase about my account on June 20, so it seems pretty accurate.

I asked it if the following passwords had been compromised and it told me they were safe.

- password
- password1
- password123
- p@ssw0rd
- P@ssw0rd
- love
- hackers
- superman

In https://shouldichangemypassword.com/ you should input the e-mail, not the password. BUT they seem to have blacklisted the whole list from mtgox. I tried batches of 10 from around the list, and they are all listed as "hacked".
full member
Activity: 140
Merit: 100
Man, I seriously underestimated the power of GPU password crackers!

I had an 11-character password which I thought was pretty good--b1Ackb0x3!1, and that was cracked.  I'm pretty sure I didn't succumb to any phishing attempts.

Good thing I use 20+ characters for passphrases. Smiley

It depends. IIRC in the broadcast Mt. Gox mentioned that some of the older accounts were MD5 unsalted, in which case a leetspeak password isn't very good. Yours, interestingly enough, was salted.
IMHO this was simply bad luck in one of two senses:

i) Your password happened to be in some wordlist or is a simple permutation of some wordlist entry
ii) They started multiple crackers bruting specific keyspaces and yours was close to whatever the start point was for 11-char passwords.


By contrast, I ran oclHashcat on my 6990 for my password and it seemed to say it would take 4 years to exhaust the keyspace, but hey, if someone here wants to divert some of their mining software to the cause they're welcome to show me the error of my ways. That would be pretty cool too....


Interesting side issue. If your organization uses Google as a mail system and they perform password synchronization, they are shipping unsalted hashes to the big G (either SHA1 or MD5). I don't know how many people have access to encrypted hashes at Google, but the sample seems large enough that it's only a matter of time before someone sees the money-making potential there. (Password reset function + known gmail address + big ass hashing equipment = access to your Mt. Gox account.)
legendary
Activity: 1708
Merit: 1020
There were other 8600 passwords from the database posted on Twitter...

Link?
+1
sr. member
Activity: 252
Merit: 251
There is probably some kind of pattern in all the difficult-looking passwords that the cracker happens to find through clever combinations of dictionary attacks, leet speak decoding, common combinations and brute forcing. For instance Ev3rL@NRDX11090821 = Everland (a place) RDX (an explosive) and a number. w@chtw00rdLanimret! = Watch word Lanimret!

I would also have thought some of these were safe, though.

Actually, "wachtwoord" means password in Dutch.

Yes, and Lanimret is terminal backwards.
Using an advanced dictionary attack that also takes into account the use of symbols and numbers as substitutes for letters, passwords like that are easy to crack using multiple GPUs.

What you need to use is completely random, non-repeating ASCII characters that make zero logical sense.
Here I would agree with Vladimir; If you can remember your password then you're doing it wrong.
sr. member
Activity: 406
Merit: 250
I would also check https://shouldichangemypassword.com/ It correctly reports I've had my password compromised once on June 19, 2011. I got an email from Chase about my account on June 20, so it seems pretty accurate.

I asked it if the following passwords had been compromised and it told me they were safe.

- password
- password1
- password123
- p@ssw0rd
- P@ssw0rd
- love
- hackers
- superman
hero member
Activity: 1034
Merit: 558
Yes, my password was cracked, but I was just testing mtgox with no intention of trading at that time, so it was very weak.
full member
Activity: 168
Merit: 103
To crack mine in a year, if you assume lowercase letters only and know the two special characters (26+2), you need 161.6 THashes/sec.

After I tell you the exact set of characters, you still need 4.9 GHashes/sec for a year.




And I consider this one of my weakest passwords. Smiley
member
Activity: 70
Merit: 10
There were other 8600 passwords from the database posted on Twitter...

Link?
newbie
Activity: 30
Merit: 0
There were other 8600 passwords from the database posted on Twitter...
legendary
Activity: 1708
Merit: 1020
Roll Eyes How long would it take for our total mining power to bruteforce that 60,000 list?

quite a long time.

I calculated this one alone to take more than half a year: K7mmI8lAsn1o0q

well, a little shorter with network speed rising like crazy

(data from posts above and bitcoinwatch)
member
Activity: 83
Merit: 10
unfortunately, I was cracked, and lost 40 BTC...
full member
Activity: 168
Merit: 103
With ASCII alone you have about 95 characters, that makes 6.5 bits of randomness per character.

If you have the US international keyboard layout, you can make the following with the right ALT key:
Code:
¹²³¤€’¥×
äåéëþüúíóö«»¬
áßðfghïœø¶
æœ©®bñµç˙¿

with shift even more:
Code:
¡˝¯£¸¼½¾˘° ̣÷
ÄÅÉËÞÜÚÍÓÖ“”¦
Á§ÐFGHÏŒØ°¨
ÆŒ¢®BÑµÇˇ ̉
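The two hash-rate figures quoted a few posts up (161.6 THash/s for a year against a 26+2 character set, 4.9 GHash/s once the exact characters are known) and the "about 6.5 bits per character" figure in this post are all the same keyspace arithmetic. The Python below is an added worked example, not code from either poster. The 15-character length and the 14-character known set are inferred here from those two rates (they are consistent with both figures) and are not stated in the thread; the 1e8 hashes/s used for the K7mmI8lAsn1o0q estimate is likewise an assumed number, which is exactly why the posters' year estimates for that password disagree. All of this assumes uniformly random characters and exhaustive search; a password shaped like a dictionary word with substitutions (b1Ackb0x3!1) falls far sooner than its raw keyspace suggests.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 3600

# Character-set sizes discussed in the thread.
PRINTABLE_ASCII = 95      # "with ASCII alone you have about 95 characters"
LOWER_PLUS_TWO = 26 + 2   # "lower letters only and know the two special characters"
ALNUM = 62                # a-z, A-Z, 0-9: the set K7mmI8lAsn1o0q is drawn from


def bits_per_char(charset_size):
    """Entropy per character when each character is chosen uniformly at random."""
    return math.log2(charset_size)


def keyspace(charset_size, length):
    """Candidates an attacker must try to exhaust every password of this shape."""
    return charset_size ** length


def rate_to_exhaust(charset_size, length, seconds=SECONDS_PER_YEAR):
    """Hashes per second needed to try every candidate within `seconds`."""
    return keyspace(charset_size, length) / seconds


def years_to_exhaust(charset_size, length, rate):
    """Wall-clock years to try every candidate at `rate` hashes per second."""
    return keyspace(charset_size, length) / rate / SECONDS_PER_YEAR


def length_for_rate(charset_size, rate, seconds=SECONDS_PER_YEAR):
    """Smallest length whose keyspace is NOT exhausted at `rate` within `seconds`."""
    return math.ceil(math.log(rate * seconds, charset_size))


if __name__ == "__main__":
    print(f"bits per printable-ASCII char: {bits_per_char(PRINTABLE_ASCII):.2f}")
    # Which length matches the poster's 161.6 THash/s figure for a 28-character set?
    n = length_for_rate(LOWER_PLUS_TWO, 161.6e12)
    print(f"28-char set, exhausted in a year at 161.6 TH/s -> length {n}")
    print(f"  check: {rate_to_exhaust(LOWER_PLUS_TWO, n) / 1e12:.1f} THash/s")
    # Assumption: the "exact set of characters" is 14 distinct characters.
    print(f"  known 14-char set: {rate_to_exhaust(14, n) / 1e9:.1f} GHash/s")
    # Assumed rate, not one from the thread; the answer scales linearly with it.
    print(f"62^14 at 1e8 H/s: {years_to_exhaust(ALNUM, 14, 1e8):.3g} years")
```

Note that the rate is the whole argument: the same 62^14 keyspace is "half a year", "100 years" or "5000 years" depending only on the hashes/s plugged in, and raw MD5 throughput is not the throughput against a salted, iterated scheme such as the $1$ hashes posted later in the thread.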
legendary
Activity: 1974
Merit: 1030
2 times the character “ž”
 2 times the character “®”
 2 times the character “¯”
 2 times the character “»”
 2 times the character “Ø”

I would have been using some of those fancy Unicode characters for some time now if I weren't afraid that applications couldn't handle them properly, thus locking myself out of websites. Coping with Unicode is hard.

Off the top of my head, and easily typeable with my actual keyboard setup/layout: — – « » ß þ Þ œ Œ æ Æ ø Ø …
full member
Activity: 168
Merit: 103
The password above is not exactly l33tsp34k as I know it, and if I had to configure a password cracker config file to attempt leetspeak cracking styles, I would not have guessed to match his style up.

It seems someone actually ran a GPU password cracker for days on end, if I had to guess. I wonder what the timeline is for that file being first noticed versus the file being in the wild for anyone to get? Two weeks? 5 days? Hmm.

No, that's bullshit. That's the whole point I have been trying to make here for weeks now: you should not assume that the attacker is stupid if you want security.

A dictionary attack does not mean that the cracker uses the Oxford English Dictionary. They have password dictionaries, generated for that purpose, that include much more than correctly spelled Oxford words. And the tools can vary the words from the dictionary while testing by replacing letters with similar-looking numbers and special chars.

Fact is: your password was cracked within a few days.
sr. member
Activity: 280
Merit: 250
 Roll Eyes How long would it take for our total mining power to bruteforce that 60,000 list?
legendary
Activity: 2072
Merit: 1001
Man, I seriously underestimated the power of GPU password crackers!

I had an 11-character password which I thought was pretty good--b1Ackb0x3!1, and that was cracked.  I'm pretty sure I didn't succumb to any phishing attempts.

Good thing I use 20+ characters for passphrases. Smiley

leetspeak is no good.



EDIT:
My password was also weak, but fortunately it wasn't cracked yet. (I would like to tell you what the password is like, but maybe I should not give hints.)

The password above is not exactly l33tsp34k as I know it, and if I had to configure a password cracker config file to attempt leetspeak cracking styles, I would not have guessed to match his style up.

It seems someone actually ran a GPU password cracker for days on end, if I had to guess. I wonder what the timeline is for that file being first noticed versus the file being in the wild for anyone to get? Two weeks? 5 days? Hmm.

You don't even need a dictionary, all you need is a histogram to dramatically reduce the search space. That is why random is the only way to go.

You are right. That would be an excellent method to reduce the amount of work. But random may not really help unless it is spitting out some very, very odd characters people normally never use and probably do not even know how to type in the USA. Do they output characters like this? (Which I found on a webpage about a histogram of a rainbow table website.)

 2 times the character “ž”
 2 times the character “®”
 2 times the character “¯”
 2 times the character “»”
 2 times the character “Ø”
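The "histogram" remark a few lines up is the first thing a cracker does with an already-cracked batch: count which characters actually occur, then search only the alphabet that covers most of the mass, which shrinks a fixed-length keyspace by a power of the length. The Python below is an added example, not code from either poster; CRACKED_SAMPLE is a constructed stand-in for a cracked batch and is not the leaked Mt.Gox list, and the 90% coverage threshold is an arbitrary choice made here.

```python
from collections import Counter

FULL_ALPHABET = 95   # printable ASCII, the "95 characters" figure from the thread

# Constructed stand-in for an already-cracked batch; NOT the leaked Mt.Gox list.
CRACKED_SAMPLE = [
    "password", "password1", "123456", "qwerty", "letmein", "abc123",
    "monkey", "bitcoin1", "b1Ackb0x3!1", "superman", "iloveyou",
    "Passw0rd!", "trustno1", "dragon", "baseball", "football",
    "123456789", "hackers", "love1234", "master",
]


def char_histogram(passwords):
    """Occurrence count of every character across the cracked batch."""
    return Counter("".join(passwords))


def covering_set(hist, mass=0.9):
    """Most-frequent characters, taken in order, until they cover `mass` of all occurrences."""
    total = sum(hist.values())
    chars, covered = set(), 0
    for ch, n in hist.most_common():
        if covered >= mass * total:
            break
        chars.add(ch)
        covered += n
    return chars


def keyspace_fraction(reduced_size, length, full_size=FULL_ALPHABET):
    """Share of the full fixed-length keyspace the reduced alphabet still spans."""
    return (reduced_size / full_size) ** length


def in_reduced_search(password, charset):
    """True if a search restricted to `charset` would eventually reach this password."""
    return all(ch in charset for ch in password)


if __name__ == "__main__":
    hist = char_histogram(CRACKED_SAMPLE)
    cs = covering_set(hist, 0.9)
    print(f"{len(cs)} of {FULL_ALPHABET} characters cover 90% of observed occurrences")
    print(f"8-char search shrinks to {keyspace_fraction(len(cs), 8):.2e} of the full keyspace")
    for pw in ("password1", "b1Ackb0x3!1", "Ø»ž¯®"):
        print(f"{pw!r:>14} reachable by reduced search: {in_reduced_search(pw, cs)}")
```

The trade-off is visible in the output: the reduced alphabet reaches the common passwords almost for free, misses a rare-character password entirely, and also misses b1Ackb0x3!1 on this small sample because the capital A is rare here, which is why real crackers layer this on top of wordlists and rules rather than using it alone.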

legendary
Activity: 1708
Merit: 1020
My password is not on the list. It was seven rather random letters/caps/numbers and I did not use it anywhere else.

My mtgox balance has been: 0 BTC / 0 USD

I think I did not log on to mtgox for a while before the incident.

I have used the mtgox claim website just for the fun of it.

These salted hashes/passwords match; I checked it.

2754,$1$ul1uYRLP$OX0qFAuT9wu78ZdAApIeB.
2754,K7mmI8lAsn1o0q

10253,$1$Pdz6SDbH$X3Nz7dxhG6/bXCpcHPrlg1
10253,yT#g1Srm123

13434,$1$vWDRQAo.$kH6Rc9E6unn80S.UK0RHa/
13434,djcnbimil99332k

It would be a waste to crack these PWs. You could make plenty of coins instead.

The hackers will laugh their asses off if they read this thread and find everyone wondering. Give us a hint already!




Enough people were stupid and used weak passwords, and the same passwords in mybitcoin.

You don't make that much money with mining!

According to the spreadsheet and crack rate bitcoin0918 posted above, it would take more than 100 years to crack K7mmI8lAsn1o0q on a mining rig of 4x 5870s.

And the chances of really finding an account with money in it that (still) uses that password are rather low, I think.


---correction---
Probably that pw is more in the 5000-year range on 4x 5870.
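The hash/password pairs posted above are md5crypt ("$1$salt$hash", 1000 MD5 rounds, salted), which is what "salted" means in this thread, and the "advanced dictionary attack" described earlier (wordlist plus substitution, case and append rules) is how a password like b1Ackb0x3!1 falls without any brute force. The Python below is an added example, not code from any poster or from any cracking tool: it implements md5crypt from the FreeBSD algorithm, recomputes the posted pairs, and runs a small hashcat-style rule engine (a subset of that syntax, written here) over a constructed wordlist against a hash of b1Ackb0x3!1 made with the made-up salt "abcdefgh". WORDLIST, RULES and DEMO_HASH are this example's own constructions, not anything from the leak.

```python
import hashlib
import hmac
import itertools

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    # md5crypt's own base64 variant: low 6 bits first, no padding
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def md5crypt(password, salt):
    """FreeBSD/Linux md5crypt, the '$1$' scheme the posted Mt.Gox hashes use."""
    pw, sb, magic = password.encode(), salt.encode()[:8], b"$1$"
    ctx = hashlib.md5(pw + magic + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    n = len(pw)
    while n > 0:                       # as many bytes of alt as the password is long
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(pw)
    while n:                           # one byte per bit of len(pw): NUL or pw[0]
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):              # the fixed 1000-round stretching loop
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    triples = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in triples)
    return f"$1${sb.decode()}${out}{_to64(final[11], 2)}"


def verify(password, hashed):
    """Recompute with the stored salt and compare in constant time."""
    _, scheme, salt, _ = hashed.split("$")
    if scheme != "1":
        raise ValueError("not an md5crypt hash")
    return hmac.compare_digest(md5crypt(password, salt), hashed)


def apply_rule(word, rule):
    """Subset of hashcat rule syntax, tokens space separated: l/u/c/r = lower/upper/
    capitalize/reverse, sXY = replace X with Y, $X append, ^X prepend, TN toggle case at N."""
    for tok in rule.split():
        op, arg = tok[0], tok[1:]
        if op == ":":
            pass
        elif op == "l":
            word = word.lower()
        elif op == "u":
            word = word.upper()
        elif op == "c":
            word = word.capitalize()
        elif op == "r":
            word = word[::-1]
        elif op == "s":
            word = word.replace(arg[0], arg[1])
        elif op == "$":
            word += arg
        elif op == "^":
            word = arg + word
        elif op == "T":
            n = int(arg)
            if n < len(word):
                word = word[:n] + word[n].swapcase() + word[n + 1:]
        else:
            raise ValueError(f"unsupported rule token {tok!r}")
    return word


def crack(target, wordlist, rules):
    """Try every word x rule candidate against one salted hash; None if no hit."""
    salt = target.split("$")[2]
    for word, rule in itertools.product(wordlist, rules):
        cand = apply_rule(word, rule)
        if md5crypt(cand, salt) == target:
            return cand
    return None


# (hash, cracked password) pairs quoted in the post above.
POSTED_PAIRS = [
    ("$1$ul1uYRLP$OX0qFAuT9wu78ZdAApIeB.", "K7mmI8lAsn1o0q"),
    ("$1$Pdz6SDbH$X3Nz7dxhG6/bXCpcHPrlg1", "yT#g1Srm123"),
    ("$1$vWDRQAo.$kH6Rc9E6unn80S.UK0RHa/", "djcnbimil99332k"),
]

# Constructed demo: b1Ackb0x3!1 from earlier in the thread, hashed here with a made-up
# salt; wordlist and rules are this example's, not any cracker's real rule set.
WORDLIST = ["blackbox", "wachtwoord", "terminal", "everland"]
RULES = [":", "c", "sl1 so0", "sl1 so0 T2 $3 $! $1", "r c $!"]
DEMO_HASH = md5crypt("b1Ackb0x3!1", "abcdefgh")

if __name__ == "__main__":
    for h, pw in POSTED_PAIRS:
        print(h, pw, verify(pw, h))
    print("cracked:", crack(DEMO_HASH, WORDLIST, RULES))
```

Pure-Python md5crypt manages on the order of a thousand candidates per second, against GPUs doing many millions per second on the same scheme; the salt forces every hash in the 60,000-entry list to be attacked separately, but it does nothing against a candidate list that already contains the password.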
