Topic: Cracking the passwords: Don't blame the MtGox, USERS ARE STUPID - page 2. (Read 5270 times)

Mt. Gox is a joke and so are you for valiantly defending them as they take you to the cleaners. Enjoy!

The thousands of passwords that I ALREADY CRACKED are all salted ones.
It doesn't matter if it is Blowfish, SHA-1 or whatever algorithm, if you are using 123456 as your password, you'll be more more fuckable than a horny bitch.

Can someone please enlighten me of the dangers of keeping passdwords in word.doc files on the harddisk, and is it safer to keep them on usb flashdrives, even if they are regularly connected to the computer?

It's not that I can't remember a complicated password; however IF one were to forget it at some critical point of time...under duress

i'm sorry but not storing passwords without decent salts as well as decent hashes is the fault of mtgox.

getting access to a database that isn't salted is like hitting a goldmine because of the fact that so many people use the same passwords (iloveyou, password etc) when you get access to an unsalted hash user databaseit would look like this (sort by password, or whatever they call their password column):
8e6c488d2eb01fc691470ceb3a6f700c
8e6c488d2eb01fc691470ceb3a6f700c
8e6c488d2eb01fc691470ceb3a6f700c
746dd6c349cb2e97923be477e8d96423
746dd6c349cb2e97923be477e8d96423
(insert tons of other random md5's)
since they aren't salted you instantly see that there are multiple passwords that have the exact same hash (and therefore the exact same password) so if you crack one of them, you've cracked all of them..

with salted hashes you have a random salt combined with the hash up there to create a new salted hash, which generally means that every 'password' that a person who has access to the database sees is 100% unique (since each user gets a random salt and that salt is added to their password to create a salted password)

so if for example you have a database of 100,000 users all salted and hashed passwords, no 2 passwords will be cracked at the exact same time, it would take more time to crack a decent amount of passwords unlike with what happened to a bunch of mtgox accounts (which they admitted were there, but claim they are older accounts and their passwords are salted and hashed properly)

not only that but not requiring more advanced passwords is the fault of the site, not of the user.

Ahahah
http://img28.imageshack.us/img28/1282/mymtgoxpassword.jpg
http://twitter.com/BitcoinHumor

It may end up on a sticky note on the monitor but that leads to a single user having their account stolen for their own stupidity. Failing to enforce a strong password policy leads to MANY users having their accounts compromised for the SITE'S stupidity.

Not every individual user is perhaps best served by strong password policies, but the user-base as a whole certainly is and for a site with some 60,000 users, a utilitarian approach that protected 59,900 of them would have been preferred and in fact would likely have stopped this attack, provided the compromised account was not one of the few old enough to have an un-salted hash. Even if Mr (or Mrs?) 500,000 BTC had written their forcibly-made-stronger password on a post-it next to their mousepad that would be meaningless to an attacker with a database dump who would not have physical access to said post-it.

Nice to know, a little statistics for the curious

That principle is wrong from the very basics.
You can't increase security through forcing a human being. Idiots are particularly clever to circumvent a foolproof design.
If you force arbitrary formatting of a password, they WILL write it down and paste it on the monitor, making it available to anyone who walks by by the office.

We must break the paradigm of "strong=difficult passwords". You shouldn't force anyone, you must invite them to adopt it.
We must make "strong=easy passwords" for the users, that is easy for the user to remember and computationally difficult to crack.
The first two examples I give in my previous post are damn easy once you "get it" and it is a nightmare for the cracker.

A password like this: "De345tgfr." it's a nightmare for a cracker.
Try typing it in the keyboard (go ahead, type it with one finger).
As you can see, forms a determined and easy to remember pattern on the keyboard.
It is damn easy to remember because I exploit the "procedural memory" (your "finger memory").
That is the first method I discuss in my previous post.

The RSA SecureID type of security is the ideal one for the end user... there are more experimental and sophisticated methods of authetications based on the fingerprinting of your typing rhythm: you type a text in a particular way, and that becomes a very precise biometric data.
I tested a few solutions (web based) and they are really amazing in their accuracy.

But until those solutions become standarized and open to the public, the people should be security conscious.
Forcing them is not the solution, educating them is.
Regards,

True that.

But then on the other hand programmers should implement rules where password should at least consist 2 lower case letters, 2 upper case letters, 2 numbers, 2 symbols, and a minimum of 8 characters as a requirement for password. But then again people would just make their passwords simple like qqWW11@@ or maybe even qwER12#$.

I understand all too well that if people are allowed to choose ANY password at all, they will usually choose a weak one. The onus of security is not typically placed on the user, it is up to the institution to FORCE the user to choose a minimum acceptable level of security. This is why every major OS has systems built in to enforce password length, complexity and expiration requirements. Users cannot always be counted on to choose methods and systems which are in their best interests.

It's yet another extension of that classic rule of programming: "Always assume your user is an idiot (even if your only user is yourself)"

People are just plain dumb, cheap, and lazy. Use a password generator that can generate a password using letters, numbers, and symbol. Then use those password managers (1password or whatever) and that's it. It's that simple.

And when the people who use simple password gets hacked, they blame on the site that got hacked. People need to understand that there's nothing in this world that can't be hacked. It only takes time for one to be able to hack something. A site can only take precautions and implement firewalls to prevent one from hacking.

It's just super annoying that one would just blame someone that their user account got stolen because of their stupid password like 123456.

My point was that people are going to use easy passwords....always, no matter what. 

I know I read it earlier.  But after re-reading and seeing the influx of users and blah blah, it should be a damn sticky and people shouldn't be allowed to reply to it unless they add content to it.

There are lots of users out there who have weak passwords. It stands to reason that there will be some user accounts on Mt. Gox that would also have weak passwords.

This is why experts in the field suggest using a password manager like LastPass or 1Password.

My point is that for the betterment of humanity, they should die.
Haha, I am kidding.
The message is clear: remember you are dealing with money here. Be security aware, or don't cry later when someone steals all your stash.

I have no worries for myself, my password would take two millenniums to be cracked (in a Class F, in a home PC it would take EONs).
But the problem is that if such a great amount of users are insecure, actually indirectly they would affect the stability of the whole market... like what just happened in MtGox.
Such unsafety wouldn't facilitate the wide adoption of the currency.

I don't care if a dumb fool loses his/her bitcoins.
But if a great percentage of it are dumb people, it may harm the bitcoin economy seriously in the long run.
So YES, it matters to me... my message can be summarized as: "SECURE YOURSELF OR GTFO"

You're stating that since someone is calling out names, it will hinder wide adoption?  I find that very hard to believe, and also, after reaching out to enough users, what is said in these forums won't matter to the regular user, as they won't be active on the forums anyway.

And your point is???

Deal with the real word, not what you wish it were!

"In theory there is no difference between theory and practice, in practice there is!" - I said this some time ago look it up if you care! 

I know this happens on every site, but I'd guess a large number of these people are just testing out the exchange and didn't really give a shit if they were hacked because they didn't have anything in there.

Good post man, keep up the good work!

Yeah, I burned my lips because it didn't say that the coffee was hot! It is the system's fault, they should have put a label on the cup!
The hair drier should say that it is not waterproof!
Do you really need to put stop signs in a wall to stop your car?
This society is becoming more moronic than ever.

Common sense + Ignorance = Stupid sense
This really makes me feel that we are towards an Idiocracy