Pages:
Author

Topic: DIRECT DOWNLOAD LINK FOR LEAKED MT. GOX ACCOUNT DATABASE (CSV FILE) - page 3. (Read 36695 times)

sr. member
Activity: 308
Merit: 250
If they cant get the passwords because they're hashed, then... ummm, how did they do it?

What do you think Bitcoin miners are doing? Cracking hashes.

What do you think the passwords are protected with? Hashes.

So it's easy to crack hashes passwords, takes a few minutes per password, as long as it takes to crack a new Bitcoin block (about 10 minutes) is how long it takes to crack a hashed password.

That's not quite accurate.  Miners are tweaking one value in a block of data in order to find any password WITHIN THE DIFFICULTY.  Finding a hash that is lower than a set value is far easier than finding a very specific existing password.  Essentially, cracking the password would be solving the highest difficulty block possible.  (Also, Miners are working on SHA256, much harder to crack than simple MD5...)
member
Activity: 76
Merit: 10
Is it possible to get the list of names etc in alphabetical order?
full member
Activity: 154
Merit: 100
Quote
[Update - 2:06 GMT] What we know and what is being done.

    It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised. This allowed for someone to pull our database. The site was not compromised with a SQL injection as many are reporting, so in effect the site was not hacked.
    Two months ago we migrated from MD5 hashing to freeBSD MD5 salted hashing. The unsalted user accounts in the wild are ones that haven't been accessed in over 2 months and are considered idle. Once we are back up we will have implemented SHA-512 multi-iteration salted hashing and all users will be required to update to a new strong password.
    We have been working with Google to ensure any gmail accounts associated with Mt.Gox user accounts have been locked and need to be reverified.
    Mt.Gox will continue to be offline as we continue our investigation, at this time we are pushing it to 8:00am GMT.
    When Mt.Gox comes back online, we will be putting all users through a new security measure to authenticate the users. This will be a mix of matching the last IP address that accessed the account, verifying their email address, account name and old password. Users will then be prompted to enter in a new strong password.

https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback
newbie
Activity: 27
Merit: 0
Isn't it ironic that bitcoin mining is essentially also cracking a hash?

No, because that is not at all what bitcoin mining is.
newbie
Activity: 14
Merit: 0
My Gmail account reported suspicious activity and I had to reset my password there. I'm using http://howsecureismypassword.net/ to determine the strength. >600yrs to crack on a normal PC it says. So maybe 60 yrs on a mining rig, good enough for now!

You are using http://howsecureismypassword.net/ and entering your password there?

Let's keep finger crossed the admin of that site is not logging the requests anywhere!  Or his hosting, or possible his and your ISP and all ISP in between if this checker is in http instead https. And people able to buy forged SSL certs for MITM attacks even if it is https.



Why would you enter your actual passwords into it anyway? At least use a substitution cipher on your password. And if that enhances the security of your password because it contains dictionary words, you're just an idiot.  Tongue
sr. member
Activity: 700
Merit: 250

Incorrect. The amount of time it takes is related to the complexity of the password. "monkey" will be found in seconds, but something like "efweug#%_#Tsafwef24g" will take years.

Wow, glad I changed my password to "efweug#%_#Tsafwef24g" just 2 days ago!

hehe 12390ßqweuio789456 was mine
jr. member
Activity: 56
Merit: 1
Yeah that's smart, going to some website to check your password LOL. You can bet your ass some people will have referrers pointing back to here and the site will connect the dots, find the password file, tie hash to entered pass, look up email address in file, hack mail and fish for balance when Mt.Gox comes back.
full member
Activity: 136
Merit: 100
Does anyone with perhaps a hair more experience than myself recognize the format of these hashes? I can recognize base 64 encoded fields with "$" as a delimiter easily enough, but I haven't taken the time to explicitly generate various hashes from my known password, b64 encode them and compare the results. I can do this later today if I've got the time but I'm kind of hoping that someone else already has Smiley

The above exercise, if nothing matches, could also prove whether Mt. Gox was actually salting their hashes, which seems doubtful looking at the CSV.

Really though I'm with speeder, let's at least identify enough people and their signup dates in this list to imply some good network growth numbers that we might otherwise not have access to.
Input the salt and the password here and check under md5(unix).
http://www.insidepro.com/hashes.php?lang=eng

the format in the csv is $1$salt$password.
member
Activity: 94
Merit: 10
It would take
About 14 sextillion years
for a desktop PC to crack your password

lol, sexy...

member
Activity: 70
Merit: 10
My Gmail account reported suspicious activity and I had to reset my password there. I'm using http://howsecureismypassword.net/ to determine the strength. >600yrs to crack on a normal PC it says. So maybe 60 yrs on a mining rig, good enough for now!

You are using http://howsecureismypassword.net/ and entering your password there?

Let's keep finger crossed the admin of that site is not logging the requests anywhere!  Or his hosting, or possible his and your ISP and all ISP in between if this checker is in http instead https. And people able to buy forged SSL certs for MITM attacks even if it is https.



Chill, its all server-side. Look at the js. Smiley
member
Activity: 70
Merit: 10
My Gmail account reported suspicious activity and I had to reset my password there. I'm using http://howsecureismypassword.net/ to determine the strength. >600yrs to crack on a normal PC it says. So maybe 60 yrs on a mining rig, good enough for now!

You are using http://howsecureismypassword.net/ and entering your password there?

Let's keep finger crossed the admin of that site is not logging the requests anywhere!  Or his hosting, or possible his and your ISP and all ISP in between if this checker is in http instead https. And people able to buy forged SSL certs for MITM attacks even if it is https.

member
Activity: 70
Merit: 10
My Gmail account reported suspicious activity and I had to reset my password there. I'm using http://howsecureismypassword.net/ to determine the strength. >600yrs to crack on a normal PC it says. So maybe 60 yrs on a mining rig, good enough for now!

Mine says 7 decillion years

Repeated asdf over & over!

About 7 septendecillion years.
member
Activity: 100
Merit: 10
My Gmail account reported suspicious activity and I had to reset my password there. I'm using http://howsecureismypassword.net/ to determine the strength. >600yrs to crack on a normal PC it says. So maybe 60 yrs on a mining rig, good enough for now!

Mine says 7 decillion years
member
Activity: 70
Merit: 10
MTGOX BREAKING NEWS

We will do one hour with the TradeHill guys LIVE via Skype.... ... BLAH BLAH BLAH

I'm trying to figure out why you think it is acceptable to keep posting this in every thread.  Did you get dropped on your head a lot as a child?

Media whore'ing opportunities like this happen once a lifetim^H^H^Hmonth in bitcoin land!  Gotta make every second and eyeball count!
newbie
Activity: 23
Merit: 0
My Gmail account reported suspicious activity and I had to reset my password there. I'm using http://howsecureismypassword.net/ to determine the strength. >600yrs to crack on a normal PC it says. So maybe 60 yrs on a mining rig, good enough for now!
sr. member
Activity: 280
Merit: 250
Anybody check that csv file for viruses? Or did we just get compromised again?
I don't have excel so opened it in notepad it's clean
hero member
Activity: 532
Merit: 500
FIAT LIBERTAS RVAT CAELVM
It's clean data. Just a CSV file. Open in Google docs if you're paranoid.

Edit: Too much Starcraft.
newbie
Activity: 24
Merit: 0
Anybody check that csv file for viruses? Or did we just get compromised again?
kjj
legendary
Activity: 1302
Merit: 1026
MTGOX BREAKING NEWS

We will do one hour with the TradeHill guys LIVE via Skype.... at 9pm to 10pm ET tonight.

Then, we will do one hour with the MtGox guys LIVE via telephone from Tokyo.... at 10pm to 11pm ET tonight.

Go to http://onlyonetv.com and click the "Watch Live" button now... and join in the Live Chatroom.

See All Time Zones here:  http://goo.gl/ZqQRq

I'm trying to figure out why you think it is acceptable to keep posting this in every thread.  Did you get dropped on your head a lot as a child?
hero member
Activity: 532
Merit: 500
FIAT LIBERTAS RVAT CAELVM
No, they are not secure.  They're slightly MORE secure, assuming good, long, semi-random password with lots of special characters.   Seeing the kinds of passwords a trivial cracking attempt busted I'd say a good portion of the userbase are NOT computer security experts and are NOT picking secure passwords.  Those kinds of people are likely to be re-using the passwords elsewhere and are now going to be in a world of hurt thanks to mtgox.

Length and option set trumps entropy and # of special characters.
!....1gOd1....! is more secure than as#^%^*($)! despite being easier to remember, and based on a dictionary word.
Pages:
Jump to: