
Topic: Cracking the passwords: Don't blame the MtGox, USERS ARE STUPID (Read 5270 times)

full member
Activity: 174
Merit: 100
Lol, users aren't very smart :P
My password is longer than yours. ^^
newbie
Activity: 27
Merit: 0
There is a fundamental economic factor in security: the more security, the higher the cost for the attacker/criminal.
The fundamental question is: Is all the time and effort really worth it?
By continually adding layers of security we elevate the cost of obtaining the reward, and once the costs are higher than the reward, the interest dissipates.
As soon as it is perceived that "it isn't worth it", the attention of the attackers will drift towards less secured sites with similar rewards (other exchanges, maybe) and lower costs (vulnerable sites).

The potential rewards from a bitcoin exchange make it really worth the attempt of hacking it.
But a dedicated attacker will always find a way to penetrate it if the costs are disregarded (i.e. if the challenge itself is their reward, they have a personal vendetta against the site, etc.).

This happens with all kinds of security: both real world (locks, safes, buildings) and digital (websites, servers, networks).
For financial institutions/organizations where the moolah is flowing, security should be the number one priority.
You wouldn't expect a bank transporting money on bicycles, right? Or a bank depositing money in baskets instead of a safe.
It is evident that investment in security measures is of the utmost importance in a financial institution.

That's why the gross negligence of MtGox is unforgivable. They were focused on doing business, amassing millions of dollars, and their security was a joke. They were too focused on the functionality of the site: Websockets? Great, we all appreciate it. Dwolla? Great, that is awesome. API? Bravo, excellent job. But they ignored the most vital thing: security.

What "Bitter Ender" suggests is actually pretty much standard everywhere.
Although bruteforcing through HTTP is not really common these days, it is a very basic feature that has to be taken care of, because if you don't do it, some asshole will certainly try it. And a percentage of those assholes might succeed at it.
Using a captcha to filter out simple automation is a must these days, even if there are sophisticated OCR bots out there.
Temporarily suspending accounts/notifying of repeated incorrect login attempts is also a very basic standard protocol on most financial sites.
Requesting a PIN number (even if you are logged in) to confirm transactions is also a standard procedure.

These measures are not really that hard to implement.
MtGox can't say that this attack wasn't preventable; it was fully preventable.
I don't bitch about their negligence, shit happens and rapid growth is hard to manage. I get that.
But to keep lying to us, making STUPID and PATHETIC excuses (Force Majeure? SRSLY?) IS UNACCEPTABLE.

A new spokesperson won't fix it, as someone suggested before.
With this move we can see their moral integrity: they are willing to keep lying to save face instead of being upfront and honest.
How can they ever expect us to trust them?
I couldn't agree more! The entire mtgox fiasco is getting ridiculous, and I really feel sorry for the users stuck in the middle.

Unfortunately, I'm still a "newbie" so I can't join the discussion in the proper thread, but I thought I was going a bit crazy when I read this:
We had no intention of getting this to happen, and we have followed every industry standard to make this secure. Despite this it happened. We have learnt new things (especially that lots of people want Bitcoin to disappear).
I seriously find it hard to believe that MagicalTux was running his operation by following every industry standard. First, industry standard under whose jurisdiction? As far as I have been able to tell for the past 6 months, bitcoin is not operating under anybody's jurisdiction and mtgox certainly is not either. Second, I guarantee this kind of leak of data would not have occurred under any "industry standard" exchange. I actually really appreciate that an audit was occurring. It provides confidence to the users and bitcoin as a whole, but why was it occurring against live data? And if live data, why was access to personal user data left available? This could have been restricted without impacting a software audit. Third, no "industry standard" exchange would ever hire a security company that cannot secure itself. What background check did MagicalTux perform on this company? I would have a hard time believing this was a fluke, a first-time occurrence for this "security" company. Has this company been named publicly? Hopefully so! I hope none of my software gets anywhere near them. Fourth, how was trading even still occurring if there were known SQL injections that were possible on the site even before the "hack" happened? How could MagicalTux allow a trusted exchange to continue running with this kind of information? Fifth, excusing a potential injection vulnerability and trusting an "industry standard" seal of approval, how did this massive selloff continue for so long? 30 mins+? Why were big flashing alarms not going off? Why was there no automated mechanism to automatically halt trading?

I'm not calling for a witch hunt or that there is some massive conspiracy, but MagicalTux needs to stop saying things like "no funds were stolen" and "followed every industry standard." These things are clearly not the case based on what everybody saw happen. I also think the community deserves actual, definitive answers and somebody needs to own up to it. If MagicalTux did everything in his power to secure mtgox, to ensure that mtgox was secure and provided without a doubt an industry standard platform for the users, roll it back(!!), but if MagicalTux allowed trading to continue (which is what happened) because of negligence, all of those transactions should stick. It doesn't matter that a single person bought so much at such a low price. Every user before 'Kevin' was in on the same exact ride. $20..15..2..1...0101. If the platform allowed the trades, they should be valid. It was the negligence of the owner, maybe even the firm performing the audit, that allowed every bit of this to happen. I'm not 100% clear on the timeline of the exploits and leak; were databases leaked before the audit firm? But one of two parties is responsible. I hope for MagicalTux's sake that it was the audit firm so that he can sue the pants off of them, but if this enormous account was listed in an earlier leak, I think MagicalTux is the only party responsible and has to accept it because there was plenty of talk prior to the crash occurring.
donator
Activity: 714
Merit: 510
Preaching the gospel of Satoshi
As pointed out by others up-thread, real financial institutions like banks have multi-layered security procedures. I haven't used Mt Gox yet so I'm not going to trash-talk their log-in security; but if it is anything like any of the banks I've used, a weak password would not be an open sesame to a hacker.

First the hacker bot would have to guess a user-name. "A"? Not recognized. "B"? Not recognized. "C"? Not recognized. At what point should the log-in system cut off the bot and direct it to call customer service? Suppose it gets lucky at "AA". So now it has to provide a password. Perhaps it has a list of common passwords to try first. "Password"? Not it. "password"? Nope. "PASSWORD" -- Message from system: "Too many log-in attempts. Please call customer service." If Mt Gox allowed password cracking bots to run wild on their system (and I doubt that they did) they need to be shut down now.

Modern banking systems work fine with ordinary everyday people; if Bitcoins require computer security geeks to use them safely, while "idiots" lose their life savings, Bitcoins are going back to zero.
This system would be completely ineffective against someone who seriously wanted to get in. All they would need to do is keep changing proxies, not store cookies, etc. It is nice that some software enforces password strength, but in reality, password strength is up to the user. Software can enforce password strength all it wants, but if a user is constantly using the same "strong" password, it eventually becomes weak in the grand scheme of things. Look at the users complaining about their mybitcoin accounts being drained. What was the issue? Yep, they reused the same password. The only liability on the software (and software provider) is to secure their software. This entire mtgox explosion never would have happened if it weren't for poor security practices -- same with every other exploit we have seen during the past couple of months.

There is a fundamental economic factor in security: the more security, the higher the cost for the attacker/criminal.
The fundamental question is: Is all the time and effort really worth it?
By continually adding layers of security we elevate the cost of obtaining the reward, and once the costs are higher than the reward, the interest dissipates.
As soon as it is perceived that "it isn't worth it", the attention of the attackers will drift towards less secured sites with similar rewards (other exchanges, maybe) and lower costs (vulnerable sites).

The potential rewards from a bitcoin exchange make it really worth the attempt of hacking it.
But a dedicated attacker will always find a way to penetrate it if the costs are disregarded (i.e. if the challenge itself is their reward, they have a personal vendetta against the site, etc.).

This happens with all kinds of security: both real world (locks, safes, buildings) and digital (websites, servers, networks).
For financial institutions/organizations where the moolah is flowing, security should be the number one priority.
You wouldn't expect a bank transporting money on bicycles, right? Or a bank depositing money in baskets instead of a safe.
It is evident that investment in security measures is of the utmost importance in a financial institution.

That's why the gross negligence of MtGox is unforgivable. They were focused on doing business, amassing millions of dollars, and their security was a joke. They were too focused on the functionality of the site: Websockets? Great, we all appreciate it. Dwolla? Great, that is awesome. API? Bravo, excellent job. But they ignored the most vital thing: security.

What "Bitter Ender" suggests is actually pretty much standard everywhere.
Although bruteforcing through HTTP is not really common these days, it is a very basic feature that has to be taken care of, because if you don't do it, some asshole will certainly try it. And a percentage of those assholes might succeed at it.
Using a captcha to filter out simple automation is a must these days, even if there are sophisticated OCR bots out there.
Temporarily suspending accounts/notifying of repeated incorrect login attempts is also a very basic standard protocol on most financial sites.
Requesting a PIN number (even if you are logged in) to confirm transactions is also a standard procedure.

These measures are not really that hard to implement.
MtGox can't say that this attack wasn't preventable; it was fully preventable.
I don't bitch about their negligence, shit happens and rapid growth is hard to manage. I get that.
But to keep lying to us, making STUPID and PATHETIC excuses (Force Majeure? SRSLY?) IS UNACCEPTABLE.

A new spokesperson won't fix it, as someone suggested before.
With this move we can see their moral integrity: they are willing to keep lying to save face instead of being upfront and honest.
How can they ever expect us to trust them?
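The measures the two posts above call for (cutting off a bot that guesses user-names, suspending an account after repeated wrong passwords, and notifying someone when it happens) are easy to show in code. The following is an added example written for this thread, not code from MtGox or from any poster; the thresholds, the fake clock and the IP addresses are constructed for the demonstration.

```python
import time
from collections import defaultdict, deque

# Thresholds are constructed for this example; a real site would tune them.
MAX_FAILURES_PER_ACCOUNT = 5     # failures before an account is suspended
MAX_FAILURES_PER_SOURCE = 20     # failures before a source IP is suspended
WINDOW_SECONDS = 10 * 60         # sliding window in which failures are counted
LOCKOUT_SECONDS = 15 * 60        # length of a temporary suspension


class LoginThrottle:
    """Counts failed logins per account and per source IP within a sliding
    window, temporarily suspends whichever dimension crosses its limit, and
    records a notification so the account owner / ops team can be alerted."""

    def __init__(self, clock=time.time):
        self.clock = clock                       # injectable for testing
        self.failures = defaultdict(deque)       # key -> timestamps of failures
        self.locked_until = {}                   # key -> unix time the lock expires
        self.notifications = []                  # (kind, identifier) pairs raised

    def is_locked(self, key):
        return self.locked_until.get(key, 0.0) > self.clock()

    def _record_failure(self, key, limit, now):
        history = self.failures[key]
        history.append(now)
        while history and history[0] < now - WINDOW_SECONDS:
            history.popleft()                    # forget failures outside the window
        if len(history) >= limit:
            self.locked_until[key] = now + LOCKOUT_SECONDS
            self.notifications.append(key)
            history.clear()

    def attempt(self, username, source_ip, password_ok):
        """Call after the password check has run. Returns "locked", "denied" or "ok".
        Unknown usernames are counted too, so the response does not reveal
        which accounts exist."""
        now = self.clock()
        acct_key, ip_key = ("account", username), ("source", source_ip)
        if self.is_locked(acct_key) or self.is_locked(ip_key):
            return "locked"                      # even a correct password is refused
        if password_ok:
            self.failures[acct_key].clear()
            return "ok"
        self._record_failure(acct_key, MAX_FAILURES_PER_ACCOUNT, now)
        self._record_failure(ip_key, MAX_FAILURES_PER_SOURCE, now)
        return "denied"


def demo_password_guessing():
    """Five wrong guesses suspend the account; the lock holds even for the right
    password until LOCKOUT_SECONDS have passed. Returns (outcomes, notifications)."""
    clock = [1_700_000_000.0]                    # constructed fake clock
    throttle = LoginThrottle(clock=lambda: clock[0])
    outcomes = [throttle.attempt("alice", "203.0.113.7", False) for _ in range(5)]
    outcomes.append(throttle.attempt("alice", "203.0.113.7", False))   # now locked
    outcomes.append(throttle.attempt("alice", "203.0.113.7", True))    # still locked
    clock[0] += LOCKOUT_SECONDS + 1
    outcomes.append(throttle.attempt("alice", "203.0.113.7", True))    # lock expired
    return outcomes, throttle.notifications


def demo_username_guessing():
    """Twenty failures from one IP across different usernames suspend the IP,
    which covers the "A", "B", "C" guessing described in the thread."""
    throttle = LoginThrottle(clock=lambda: 1_700_000_000.0)
    for i in range(MAX_FAILURES_PER_SOURCE):
        throttle.attempt(f"guess{i}", "198.51.100.9", False)
    return throttle.attempt("guess-next", "198.51.100.9", False)
```

The per-IP counter is the weak half, for the reason the reply above gives: a bot that rotates proxies spreads its failures across many source addresses. That is why the per-account counter exists as well; it does not care where the guesses come from, and the lockout plus notification is what turns a silent guessing run into an event somebody sees.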
newbie
Activity: 36
Merit: 0
How safe is lastpass?
newbie
Activity: 27
Merit: 0
As pointed out by others up-thread, real financial institutions like banks have multi-layered security procedures. I haven't used Mt Gox yet so I'm not going to trash-talk their log-in security; but if it is anything like any of the banks I've used, a weak password would not be an open sesame to a hacker.

First the hacker bot would have to guess a user-name. "A"? Not recognized. "B"? Not recognized. "C"? Not recognized. At what point should the log-in system cut off the bot and direct it to call customer service? Suppose it gets lucky at "AA". So now it has to provide a password. Perhaps it has a list of common passwords to try first. "Password"? Not it. "password"? Nope. "PASSWORD" -- Message from system: "Too many log-in attempts. Please call customer service." If Mt Gox allowed password cracking bots to run wild on their system (and I doubt that they did) they need to be shut down now.

Modern banking systems work fine with ordinary everyday people; if Bitcoins require computer security geeks to use them safely, while "idiots" lose their life savings, Bitcoins are going back to zero.
This system would be completely ineffective against someone who seriously wanted to get in. All they would need to do is keep changing proxies, not store cookies, etc. It is nice that some software enforces password strength, but in reality, password strength is up to the user. Software can enforce password strength all it wants, but if a user is constantly using the same "strong" password, it eventually becomes weak in the grand scheme of things. Look at the users complaining about their mybitcoin accounts being drained. What was the issue? Yep, they reused the same password. The only liability on the software (and software provider) is to secure their software. This entire mtgox explosion never would have happened if it weren't for poor security practices -- same with every other exploit we have seen during the past couple of months.
newbie
Activity: 5
Merit: 0
I am currently cracking the leaked password file just for fun and because I am curious.
Guess what?

1) Hundreds of accounts with their usernames as passwords.
2) Hundreds of accounts with the password "123456"
3) Hundreds of accounts with the password "testtest"
4) Hundreds of accounts with the password "bitcoin"

Are you guys STUPID?
TO THE THOUSANDS OF USERS WHO ARE THIS DUMB:
YOU DESERVE TO LOSE YOUR BITCOINS, IDIOTS.

As pointed out by others up-thread, real financial institutions like banks have multi-layered security procedures. I haven't used Mt Gox yet so I'm not going to trash-talk their log-in security; but if it is anything like any of the banks I've used, a weak password would not be an open sesame to a hacker.

First the hacker bot would have to guess a user-name. "A"? Not recognized. "B"? Not recognized. "C"? Not recognized. At what point should the log-in system cut off the bot and direct it to call customer service? Suppose it gets lucky at "AA". So now it has to provide a password. Perhaps it has a list of common passwords to try first. "Password"? Not it. "password"? Nope. "PASSWORD" -- Message from system: "Too many log-in attempts. Please call customer service." If Mt Gox allowed password cracking bots to run wild on their system (and I doubt that they did) they need to be shut down now.

Modern banking systems work fine with ordinary everyday people; if Bitcoins require computer security geeks to use them safely, while "idiots" lose their life savings, Bitcoins are going back to zero.
FRK
newbie
Activity: 15
Merit: 0
I have said it before and I will say it again. Plug your ears.

GET AND USE A RELIABLE PASSWORD MANAGER!!!

I suggest LastPass, it is easy to use.
You can have it automatically input your user ID and password to a site as soon as you get to the page.

Still too hard? You can get it to log in for you.

Want to know the first part of the password that I use for this forum?  It is A&Vyg followed by at least 5 more letters.  I had to look it up through LastPass.

I can not tell you the passwords of any site that I use, because I don't know them (LastPass does). I can tell you that it is a strong password.

I can also tell you that birds are going to fly, fish are going to swim and hackers are going to hack.

Can I get an Amen.

LastPass +1 here.
Even generates amazingly strong passwords for you, using upper/lower/number/special characters. Should take forever to bruteforce.
legendary
Activity: 1596
Merit: 1012
Democracy is vulnerable to a 51% attack.
The many small bitcoin businesses are going to have to go through the painful learning curve of acquiring information the banks already know. (We already went through that pain.) Transactions have to be analyzed for suspicious patterns. Users will do very dumb things if the system lets them. And blaming the problems on the users is only fair if there was nothing you reasonably could have done to protect them.

Banks analyze transactions for suspicious patterns and have 24/7 monitoring centers with trained staff who can lock a system down if it appears to be doing things it shouldn't be doing. I don't think every little Bitcoin mom&pop needs that. But automated transactions with nobody minding the store is scary. Perhaps these businesses could take some lessons from the inherent security in bitcoins themselves.
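The "automated mechanism to halt trading" asked for earlier in the thread, and the transaction-pattern monitoring this post says banks already do, can be a small circuit breaker in front of the matching engine. What follows is an added example written for this page, not code from MtGox or from any poster: the thresholds, the trade feed and the account names are all constructed, and the feed is only shaped like the $20..15..2..1 collapse the thread describes.

```python
from collections import deque

# Thresholds are constructed for this example; an exchange would calibrate them.
PRICE_DROP_LIMIT = 0.25        # halt if a trade prints >25% below the recent high
ACCOUNT_SELL_LIMIT = 50_000    # halt if one account's cumulative sales exceed this
WINDOW_TRADES = 50             # how many recent trades form the price reference


class TradingCircuitBreaker:
    """Watches a stream of executed trades and halts the market when either the
    price collapses against its recent high or one account dumps an outsized
    volume. Once halted, every further trade is refused until a human resets."""

    def __init__(self):
        self.recent_prices = deque(maxlen=WINDOW_TRADES)
        self.sold_by_account = {}
        self.halted = False
        self.reason = None

    def observe(self, trade):
        """Returns True if the trade is accepted, False once trading is halted."""
        if self.halted:
            return False
        price, qty, seller = trade["price"], trade["qty"], trade["seller"]
        if self.recent_prices:
            reference = max(self.recent_prices)
            if price < reference * (1 - PRICE_DROP_LIMIT):
                return self._halt(f"price {price} is more than {PRICE_DROP_LIMIT:.0%} "
                                  f"below recent high {reference}")
        sold = self.sold_by_account.get(seller, 0) + qty
        if sold > ACCOUNT_SELL_LIMIT:
            return self._halt(f"account {seller} sold {sold} units")
        self.recent_prices.append(price)
        self.sold_by_account[seller] = sold
        return True

    def _halt(self, reason):
        self.halted, self.reason = True, reason
        return False


# Constructed trade feed: a run of normal prints, then a crash towards zero.
SAMPLE_FEED = [
    {"price": 17.50, "qty": 10, "seller": "u1"},
    {"price": 17.45, "qty": 25, "seller": "u2"},
    {"price": 15.00, "qty": 500, "seller": "u3"},
    {"price": 2.00, "qty": 5000, "seller": "u3"},
    {"price": 1.00, "qty": 9000, "seller": "u3"},
    {"price": 0.01, "qty": 20000, "seller": "u3"},
]


def run_feed(feed=SAMPLE_FEED):
    """Feeds trades until the breaker trips; returns (index halted at, reason)."""
    breaker = TradingCircuitBreaker()
    for i, trade in enumerate(feed):
        if not breaker.observe(trade):
            return i, breaker.reason
    return None, None
```

On the sample feed the breaker trips at the fourth trade, the $2 print, so the $1 and $0.01 trades never execute. The point of keeping the rule this simple is that it runs inline with nobody minding the store; the richer pattern analysis the post mentions can sit behind it and feed the same halt switch.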
newbie
Activity: 14
Merit: 0
Can someone please enlighten me on the dangers of keeping passwords in word.doc files on the hard disk, and is it safer to keep them on USB flash drives, even if they are regularly connected to the computer?

It's not that I can't remember a complicated password; however IF one were to forget it at some critical point of time...under duress

Well, let's see, it seems that UNIX went through this same debate 30+ years ago - the conclusion was (pay attention now): "IF IT IS ON YOUR HARD DRIVE IT CAN BE STOLEN!"

Of course you can keep a password list on your desktop (or posted in the cafeteria see http://thedailywtf.com/ ), but that really is the same as wearing a "kick me" sign on your butt and whining when you get kicked!

That is why ALL passwords on EVERY system today (even Win 7 :D ) are encrypted!

USB drives are ONLY safer if you keep them in your pocket until they are needed.

HINT: carefully read Symantec's superb STUXNET analysis - then ask the Iranian government about "secure" USB drives. NO I will not give you citations - do your own homework!
newbie
Activity: 10
Merit: 0
I have said it before and I will say it again. Plug your ears.

GET AND USE A RELIABLE PASSWORD MANAGER!!!

I suggest LastPass, it is easy to use.
You can have it automatically input your user ID and password to a site as soon as you get to the page.

Still too hard? You can get it to log in for you.

Want to know the first part of the password that I use for this forum?  It is A&Vyg followed by at least 5 more letters.  I had to look it up through LastPass.

I can not tell you the passwords of any site that I use, because I don't know them (LastPass does). I can tell you that it is a strong password.

I can also tell you that birds are going to fly, fish are going to swim and hackers are going to hack.

Can I get an Amen.

Amen.

AMEN!!
donator
Activity: 714
Merit: 510
Preaching the gospel of Satoshi
I have said it before and I will say it again. Plug your ears.

GET AND USE A RELIABLE PASSWORD MANAGER!!!

I suggest LastPass, it is easy to use.
You can have it automatically input your user ID and password to a site as soon as you get to the page.

Still too hard? You can get it to log in for you.

Want to know the first part of the password that I use for this forum?  It is A&Vyg followed by at least 5 more letters.  I had to look it up through LastPass.

I can not tell you the passwords of any site that I use, because I don't know them (LastPass does). I can tell you that it is a strong password.

I can also tell you that birds are going to fly, fish are going to swim and hackers are going to hack.

Can I get an Amen.

Amen.
newbie
Activity: 56
Merit: 0
I have said it before and I will say it again. Plug your ears.

GET AND USE A RELIABLE PASSWORD MANAGER!!!

I suggest LastPass, it is easy to use.
You can have it automatically input your user ID and password to a site as soon as you get to the page.

Still too hard? You can get it to log in for you.

Want to know the first part of the password that I use for this forum?  It is A&Vyg followed by at least 5 more letters.  I had to look it up through LastPass.

I can not tell you the passwords of any site that I use, because I don't know them (LastPass does). I can tell you that it is a strong password.

I can also tell you that birds are going to fly, fish are going to swim and hackers are going to hack.

Can I get an Amen.
donator
Activity: 714
Merit: 510
Preaching the gospel of Satoshi
And why are you wasting CPU cycles to do that when it's already been done a thousand times over by a thousand more talented, better informed individuals than yourself?


Edit: I've got to admit, you are FANTASTIC at running a password cracking program. Really gettin in there and executin them .exe's!

You get bad grades at school don't you? Do you need some Ritalin?
The point here is not showing any kind of technical prowess, you dimwit.
The point is to show how stupid people are choosing weak passwords.

MtGox isn't a forum, isn't a social network. MtGox is an eWallet; you store your money and bitcoins there.
Choosing 123456 as your password is plainly braindead.
Neither salting nor strong algorithms will help you in any way if your password SUCKS.

Btw, who said I am wasting CPU cycles? You are a waste of proteins.
Cheers
jr. member
Activity: 42
Merit: 1
Quote
It is better to forget and generate a new one through the "recover password" options that all sites offer.
I forgot my banking password several times, but I created new ones later.
I keep relying on my forgetfulness as a measure to keep changing the passwords. Whenever I forget about it, I just create a new one.

Regarding storing the passwords in a text/doc file, it is horrible. That is the digital version of post-its.
Follow the advice of the previous posters: 1Password or any password management program would be infinitely better.

In these password management programs, you just have to memorize one password, the password management program's. There you store all the passwords you want, securely and randomly generated.
It has its strong and weak points theoretically, but in practice it enhances your security tenfold.

Thanks, bitsalame. I shall have to think through a different strategy.
newbie
Activity: 20
Merit: 0
And why are you wasting CPU cycles to do that when it's already been done a thousand times over by a thousand more talented, better informed individuals than yourself?


Edit: I've got to admit, you are FANTASTIC at running a password cracking program. Really gettin in there and executin them .exe's!
donator
Activity: 714
Merit: 510
Preaching the gospel of Satoshi
i'm sorry but not storing passwords with decent salts as well as decent hashes is the fault of mtgox.

getting access to a database that isn't salted is like hitting a goldmine because so many people use the same passwords (iloveyou, password etc). when you get access to an unsalted hash user database it would look like this (sorted by password, or whatever they call their password column):
8e6c488d2eb01fc691470ceb3a6f700c
8e6c488d2eb01fc691470ceb3a6f700c
8e6c488d2eb01fc691470ceb3a6f700c
746dd6c349cb2e97923be477e8d96423
746dd6c349cb2e97923be477e8d96423
(insert tons of other random md5's)
since they aren't salted you instantly see that there are multiple passwords that have the exact same hash (and therefore the exact same password), so if you crack one of them, you've cracked all of them.

with salted hashes you have a random salt combined with the hash up there to create a new salted hash, which generally means that every 'password' that a person who has access to the database sees is 100% unique (since each user gets a random salt and that salt is added to their password to create a salted password).

so if for example you have a database of 100,000 users with all salted and hashed passwords, no 2 passwords will be cracked at the exact same time; it would take more time to crack a decent amount of passwords, unlike what happened to a bunch of mtgox accounts (which they admitted were there, but claim they are older accounts and their passwords are salted and hashed properly).

not only that, but not requiring more advanced passwords is the fault of the site, not of the user.


The thousands of passwords that I ALREADY CRACKED are all salted ones.
It doesn't matter if it is Blowfish, SHA-1 or whatever algorithm; if you are using 123456 as your password, you'll be more fuckable than a horny bitch.

you do understand the difference between cracking 1 password and unlocking 500 of them because they are the exact same password, and being forced to crack all of them, right?
that's my point.


Of course not, if he did he would be shouting down mt. gox like any other reasonable human being.

Check my post history, you newbie.
I was the first bringing the news of Mt.Gox being hacked to this newbie forum, and I was one of the first ones bitching about Mt.Gox.
Mt.Gox was lame, but the users are lamer. I am reaching 1000 cracked passwords, all of them salted, and I am just beginning.

Last cracked account:
User: Musashi6
Pass: Hackworth6

L O L
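Both halves of the argument above can be made concrete: an unsalted table leaks every shared password as a visible group of identical hashes, a per-user salt with a slow KDF removes that leak, and neither does anything for "123456" or a password equal to the username, which only a registration-time policy catches. The following is an added example for this thread, not code from MtGox or from any poster; the user list, the deny list (built from the passwords reported up-thread) and the PBKDF2 round count are constructed for the demonstration, and the MD5 store is included only so the audit has something to find.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts. Several share a password, which is the situation
# the thread describes; none of these are real users.
SAMPLE_USERS = [
    ("ann", "iloveyou"), ("bob", "iloveyou"), ("cat", "iloveyou"),
    ("dan", "password"), ("eve", "password"), ("fay", "vZ7#q9!mPw2Lr4Kd"),
]

# Passwords the thread reports seeing hundreds of times in the leak, plus the
# two the salting post mentions. A real deny list would be far larger.
COMMON_PASSWORDS = {"123456", "testtest", "bitcoin", "iloveyou", "password"}

PBKDF2_ROUNDS = 200_000   # assumption for this example; stored with each record


def unsalted_md5_store(users):
    """The legacy layout the post describes: one hex MD5 of the bare password
    per user. Shown only so the audit below has something to find."""
    return {user: hashlib.md5(pw.encode()).hexdigest() for user, pw in users}


def duplicate_hash_groups(hashes):
    """Audit helper: sizes of groups of users sharing one stored hash value.
    Any group larger than 1 reveals identical passwords without any cracking."""
    counts = Counter(hashes)
    return sorted(size for size in counts.values() if size > 1)


def salted_record(password, salt=None):
    """Per-user random salt plus a slow KDF, stored together with the cost."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt.hex(), "rounds": PBKDF2_ROUNDS, "hash": digest.hex()}


def salted_store(users):
    return {user: salted_record(pw) for user, pw in users}


def verify(record, candidate):
    """Recompute with the stored salt and cost; compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), record["rounds"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def weak_password_reason(username, password):
    """Registration-time policy: the checks salting cannot substitute for.
    Returns None when the password is acceptable, else a short reason."""
    if password.lower() == username.lower():
        return "equals username"
    if password.lower() in COMMON_PASSWORDS:
        return "on common-password list"
    if len(password) < 12:
        return "shorter than 12 characters"
    return None


def demo():
    """Returns (unsalted duplicate groups, salted duplicate groups, policy verdicts)."""
    unsalted = duplicate_hash_groups(unsalted_md5_store(SAMPLE_USERS).values())
    salted = duplicate_hash_groups(r["hash"] for r in salted_store(SAMPLE_USERS).values())
    verdicts = {user: weak_password_reason(user, pw) for user, pw in SAMPLE_USERS}
    return unsalted, salted, verdicts
```

Running `demo()` on the sample users gives duplicate groups of 2 and 3 for the MD5 store and none for the salted store, while the policy check flags five of the six accounts regardless of how they are hashed. The `duplicate_hash_groups` audit is also the cheapest way for an operator to confirm their own table is not still in the unsalted layout: run it over the stored hash column and anything other than an empty list is a finding.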
newbie
Activity: 30
Merit: 0
i'm sorry but not storing passwords with decent salts as well as decent hashes is the fault of mtgox.

getting access to a database that isn't salted is like hitting a goldmine because so many people use the same passwords (iloveyou, password etc). when you get access to an unsalted hash user database it would look like this (sorted by password, or whatever they call their password column):
8e6c488d2eb01fc691470ceb3a6f700c
8e6c488d2eb01fc691470ceb3a6f700c
8e6c488d2eb01fc691470ceb3a6f700c
746dd6c349cb2e97923be477e8d96423
746dd6c349cb2e97923be477e8d96423
(insert tons of other random md5's)
since they aren't salted you instantly see that there are multiple passwords that have the exact same hash (and therefore the exact same password), so if you crack one of them, you've cracked all of them.

with salted hashes you have a random salt combined with the hash up there to create a new salted hash, which generally means that every 'password' that a person who has access to the database sees is 100% unique (since each user gets a random salt and that salt is added to their password to create a salted password).

so if for example you have a database of 100,000 users with all salted and hashed passwords, no 2 passwords will be cracked at the exact same time; it would take more time to crack a decent amount of passwords, unlike what happened to a bunch of mtgox accounts (which they admitted were there, but claim they are older accounts and their passwords are salted and hashed properly).

not only that, but not requiring more advanced passwords is the fault of the site, not of the user.


The thousands of passwords that I ALREADY CRACKED are all salted ones.
It doesn't matter if it is Blowfish, SHA-1 or whatever algorithm; if you are using 123456 as your password, you'll be more fuckable than a horny bitch.

you do understand the difference between cracking 1 password and unlocking 500 of them because they are the exact same password, and being forced to crack all of them, right?
that's my point.


Of course not, if he did he would be shouting down mt. gox like any other reasonable human being.

Exactly!
newbie
Activity: 20
Merit: 0
i'm sorry but not storing passwords with decent salts as well as decent hashes is the fault of mtgox.

getting access to a database that isn't salted is like hitting a goldmine because so many people use the same passwords (iloveyou, password etc). when you get access to an unsalted hash user database it would look like this (sorted by password, or whatever they call their password column):
8e6c488d2eb01fc691470ceb3a6f700c
8e6c488d2eb01fc691470ceb3a6f700c
8e6c488d2eb01fc691470ceb3a6f700c
746dd6c349cb2e97923be477e8d96423
746dd6c349cb2e97923be477e8d96423
(insert tons of other random md5's)
since they aren't salted you instantly see that there are multiple passwords that have the exact same hash (and therefore the exact same password), so if you crack one of them, you've cracked all of them.

with salted hashes you have a random salt combined with the hash up there to create a new salted hash, which generally means that every 'password' that a person who has access to the database sees is 100% unique (since each user gets a random salt and that salt is added to their password to create a salted password).

so if for example you have a database of 100,000 users with all salted and hashed passwords, no 2 passwords will be cracked at the exact same time; it would take more time to crack a decent amount of passwords, unlike what happened to a bunch of mtgox accounts (which they admitted were there, but claim they are older accounts and their passwords are salted and hashed properly).

not only that, but not requiring more advanced passwords is the fault of the site, not of the user.


The thousands of passwords that I ALREADY CRACKED are all salted ones.
It doesn't matter if it is Blowfish, SHA-1 or whatever algorithm; if you are using 123456 as your password, you'll be more fuckable than a horny bitch.

you do understand the difference between cracking 1 password and unlocking 500 of them because they are the exact same password, and being forced to crack all of them, right?
that's my point.


Of course not, if he did he would be shouting down mt. gox like any other reasonable human being.
donator
Activity: 714
Merit: 510
Preaching the gospel of Satoshi
Can someone please enlighten me on the dangers of keeping passwords in word.doc files on the hard disk, and is it safer to keep them on USB flash drives, even if they are regularly connected to the computer?

It's not that I can't remember a complicated password; however IF one were to forget it at some critical point of time...under duress

It is better to forget and generate a new one through the "recover password" options that all sites offer.
I forgot my banking password several times, but I created new ones later.
I keep relying on my forgetfulness as a measure to keep changing the passwords. Whenever I forget about it, I just create a new one.

Regarding storing the passwords in a text/doc file, it is horrible. That is the digital version of post-its.
Follow the advice of the previous posters: 1Password or any password management program would be infinitely better.

In these password management programs, you just have to memorize one password, the password management program's. There you store all the passwords you want, securely and randomly generated.
It has its strong and weak points theoretically, but in practice it enhances your security tenfold.

Cheers
newbie
Activity: 14
Merit: 0
i'm sorry but not storing passwords with decent salts as well as decent hashes is the fault of mtgox.

getting access to a database that isn't salted is like hitting a goldmine because so many people use the same passwords (iloveyou, password etc). when you get access to an unsalted hash user database it would look like this (sorted by password, or whatever they call their password column):
8e6c488d2eb01fc691470ceb3a6f700c
8e6c488d2eb01fc691470ceb3a6f700c
8e6c488d2eb01fc691470ceb3a6f700c
746dd6c349cb2e97923be477e8d96423
746dd6c349cb2e97923be477e8d96423
(insert tons of other random md5's)
since they aren't salted you instantly see that there are multiple passwords that have the exact same hash (and therefore the exact same password), so if you crack one of them, you've cracked all of them.

with salted hashes you have a random salt combined with the hash up there to create a new salted hash, which generally means that every 'password' that a person who has access to the database sees is 100% unique (since each user gets a random salt and that salt is added to their password to create a salted password).

so if for example you have a database of 100,000 users with all salted and hashed passwords, no 2 passwords will be cracked at the exact same time; it would take more time to crack a decent amount of passwords, unlike what happened to a bunch of mtgox accounts (which they admitted were there, but claim they are older accounts and their passwords are salted and hashed properly).

not only that, but not requiring more advanced passwords is the fault of the site, not of the user.


The thousands of passwords that I ALREADY CRACKED are all salted ones.
It doesn't matter if it is Blowfish, SHA-1 or whatever algorithm; if you are using 123456 as your password, you'll be more fuckable than a horny bitch.

you do understand the difference between cracking 1 password and unlocking 500 of them because they are the exact same password, and being forced to crack all of them, right?
that's my point.