If you do not include a salt, and just hash the password several times, you won't be making it harder, but easier, for an attacker to get the password.
And make sure the hash includes special characters, not just alphanumeric ones.
Just my 2 cents
Topic: Giving away free bitcoins!!! (Read 2361 times)
Also, make sure the salt is included in both of the hash calculations. That will make the process safer.
If you do not include a salt, and just hash the password several times, you won't be making it harder, but easier, for an attacker to get the password.
And make sure the hash includes special characters, not just alphanumeric ones.
Just my 2 cents
If you do not include a salt, and just hash the password several times, you won't be making it harder, but easier, for an attacker to get the password.
And make sure the hash includes special characters, not just alphanumeric ones.
Just my 2 cents
Please, please, please, please, please, please, please, please, please, please, please, please, please, please do not store passwords as plain text. It is a huge breach of user trust. You should immediately change it to store passwords as a salted hash. If you don't know how to do this, ask me and I will give you details. As a start, you can read this: http://codahale.com/how-to-safely-store-a-password/
Like bwagner, I hope I am being helpful and educational with this, as that is my intent.Passwords being stored as plain text really is a Big Deal. I love to see new Bitcoin-related business start up, and I am all for them. But when a website is negligent in terms of security issues, I cringe.
For minimum levels of security do this:
1. When user registers, generate a random salt for the user (say 20 random characters)
2. Take the user's password and hash it with the salt in a loop (pseudocode):
Code:
salt = "9sOqlp09Juy336Fvz,)jk@kxccq1>Mf"; // different for every user
password = "blahblah";
hash = password;
for (i = 0; i < 10000; ++i)
{
hash = sha256(sha256(hash) + salt);
}
When a user logs in, run the password through the same process as above (using the salt stored for that user), and if the resultant hash is the same as the one stored in the database for that user, log them in.
EDIT: OP had PMed me before I wrote this, bit I didn't see the PM. Oops. Replied to PM as well.
So the coins I sent dont say: received from: "14ofhkLgaUzY1z2Zg7jM5Q4BTm1vszpBLF"?
My fiinal post on this point, I hope I am being helpful and educational here - that is my intent.
Just as an example the 0.10 BTC you sent to me can be seen here:
http://blockexplorer.com/address/1Kuktw1ebnL3ySLx3AJK5kEA3xbkibH535
Notice they were sent from and address you probably didn't even know you had
Thanks for your help. I think I will take your idea and make process something like this:
1. Enter the number of credits you wish to purchase and press submit:
[#number of credits]
2. Send [# number of credits submitted]/[100*(Mt Gox buy price at the time they press submit)] bitcoins to the following address
[MokiMarket bitcoin address]
What do you think of that?
So the coins I sent dont say: received from: "14ofhkLgaUzY1z2Zg7jM5Q4BTm1vszpBLF"?
My fiinal post on this point, I hope I am being helpful and educational here - that is my intent.
Just as an example the 0.10 BTC you sent to me can be seen here:
http://blockexplorer.com/address/1Kuktw1ebnL3ySLx3AJK5kEA3xbkibH535
Notice they were sent from and address you probably didn't even know you had
I am glad to help in any way I can. I love to see businesses join the Bitcoin community. I see why you want the "from" address - so you can see who sent the BTC so you can credit their account. The way this is usually done is to generate a new TO address for each order, then when you get the BTC you know who it was from since you see where they sent it to. If you look at the standard client - at least the version I am using - and click on a transaction the from field is often (always?) blank. So if you have everyone send BTC to your single address of 14ofhkLgaUzY1z2Zg7jM5Q4BTm1vszpBLF then it is a pain to figure out who sent it (look in the block explorer and look at all the transaction to 14ofhkLgaUzY1z2Zg7jM5Q4BTm1vszpBLF), like this:
http://blockexplorer.com/address/14ofhkLgaUzY1z2Zg7jM5Q4BTm1vszpBLF
If you do that you will notice that I sent you 1 BTC. You know this because I am in the minority in that I can send from a known vanity address of http://firstbits.com/1burtw. Most payments from most users will appear to just come from random addresses, many times from multiple addresses for a single transaction. So it would be best if your site just generated a different payment address every time someone sends you coins, then when you get coins at that address you know you can credit that person's account with the proper number of credits.
http://blockexplorer.com/address/14ofhkLgaUzY1z2Zg7jM5Q4BTm1vszpBLF
If you do that you will notice that I sent you 1 BTC. You know this because I am in the minority in that I can send from a known vanity address of http://firstbits.com/1burtw. Most payments from most users will appear to just come from random addresses, many times from multiple addresses for a single transaction. So it would be best if your site just generated a different payment address every time someone sends you coins, then when you get coins at that address you know you can credit that person's account with the proper number of credits.
OK, I finally read the fine print:
So I will send you 1 BTC and see what happens. I think with some work this could be a very fun site.
Quote
Example: One bitcoin payment is submited at 1:00pm when MtGox is trading at $3, worth 300 credits. If payment is processed at 1:30pm and MtGox is trading at $3.20, your account will receive 320 credits; if payment is processed at 2:30pm and MtGox is trading at $2.90 your account will receive 290 credits.”
So I will send you 1 BTC and see what happens. I think with some work this could be a very fun site.
I just processed your payment, sorry for the confusion. I will fix this issue to make it more user friendly.
So I guess I am waiting to hear from you as to how many BTC you expect me to send in order to get $1.00 worth of credits?
I think it may be simpler to have the following on the credit sale page when buying using BTC:
1) how many credits to you want? (have a numeric entry box here)
2) I enter 100 and submit
3) next/response page: That will cost you 0.33783783 BTC, please send payment to 14ofhkLgaUzY1z2Zg7jM5Q4BTm1vszpBLF
I think it may be simpler to have the following on the credit sale page when buying using BTC:
1) how many credits to you want? (have a numeric entry box here)
2) I enter 100 and submit
3) next/response page: That will cost you 0.33783783 BTC, please send payment to 14ofhkLgaUzY1z2Zg7jM5Q4BTm1vszpBLF
That's a good idea. See this is why I need the bitcoin community to help me out with these issues. I'm just trying to create what I think would be a really cool service and am open to any help i can get!
I got the coupon code, but haven't bid yet -- the auction ending in one hour is of no interest to me. I'll bid later, when the more interesting auctions are nearer.
In any case:
username: BTCurious
Address: 1NaNoBitU2q8czqE2y5rEQPj4qcW6K3mFp
In any case:
username: BTCurious
Address: 1NaNoBitU2q8czqE2y5rEQPj4qcW6K3mFp
Payment sent!
OK, I finally read the fine print:
So I will send you 1 BTC and see what happens. I think with some work this could be a very fun site.
Quote
Example: One bitcoin payment is submited at 1:00pm when MtGox is trading at $3, worth 300 credits. If payment is processed at 1:30pm and MtGox is trading at $3.20, your account will receive 320 credits; if payment is processed at 2:30pm and MtGox is trading at $2.90 your account will receive 290 credits.”
So I will send you 1 BTC and see what happens. I think with some work this could be a very fun site.
So I guess I am waiting to hear from you as to how many BTC you expect me to send in order to get $1.00 worth of credits?
I think it may be simpler to have the following on the credit sale page when buying using BTC:
1) how many credits to you want? (have a numeric entry box here)
2) I enter 100 and submit
3) next/response page: That will cost you 0.33783783 BTC, please send payment to 14ofhkLgaUzY1z2Zg7jM5Q4BTm1vszpBLF
BUT to easily track your incomming payments you should probably generate a new address for each order instead of using 14ofhkLgaUzY1z2Zg7jM5Q4BTm1vszpBLF for every order
I think it may be simpler to have the following on the credit sale page when buying using BTC:
1) how many credits to you want? (have a numeric entry box here)
2) I enter 100 and submit
3) next/response page: That will cost you 0.33783783 BTC, please send payment to 14ofhkLgaUzY1z2Zg7jM5Q4BTm1vszpBLF
BUT to easily track your incomming payments you should probably generate a new address for each order instead of using 14ofhkLgaUzY1z2Zg7jM5Q4BTm1vszpBLF for every order
hey moki thanks for getting the spam issue sorted out, have another one for you though
you have this on the "buy credit" page...
umm, how am i supposed to know from what address i will be sending the coins ? clients selects automatically one or more input addresses to sum the total amount
I find this very confusing also. No one ever asks the address the Bitcoins are coming FROM. In fact the average user of the standard Bitcoin client has no idea what account the Bitcoins are coming FROM - and really no control as to what address they will come from. I happen to have created my own vanity key pairs using vanitygen and imported them into a StrongCoin account where I can have total control of the from address - but that is not the usual case. You should really not ask for this information. Also I have no idea how many coins to send you in order to buy $1.00 worth of credits. Your site should calculate this for me and then give me an address and an amount to send. you have this on the "buy credit" page...
Code:
1. Enter the bitcoin address you will be sending coins from and press submit:
umm, how am i supposed to know from what address i will be sending the coins ? clients selects automatically one or more input addresses to sum the total amount
hey moki thanks for getting the spam issue sorted out, have another one for you though
you have this on the "buy credit" page...
umm, how am i supposed to know from what address i will be sending the coins ? clients selects automatically one or more input addresses to sum the total amount
you have this on the "buy credit" page...
Code:
1. Enter the bitcoin address you will be sending coins from and press submit:
umm, how am i supposed to know from what address i will be sending the coins ? clients selects automatically one or more input addresses to sum the total amount
Hmmm..I thought that it sent payment from this address listed on the client:
Your bitcoin address: 14ofhkLgaUzY1z2Zg7jM5Q4BTm1vszpBLF
I guess I was wrong. Payments can still be processed, but I will change it so that it says enter the amount of coins that will be sent instead. Thanks for pointing that out.
So the coins I sent dont say: received from: "14ofhkLgaUzY1z2Zg7jM5Q4BTm1vszpBLF"?
i don't get you very well, in the standard client you can't possibly know what addresses will be used to send a payment before hitting the pay button.
Example transactions that have multiple inputs and one output, destination address. You enter destination address and the software combines various inputs to make the sum of bitcoins.
Knowing from what address the bitcoins will come it's quite impossible, really
I got the coupon code, but haven't bid yet -- the auction ending in one hour is of no interest to me. I'll bid later, when the more interesting auctions are nearer.
In any case:
username: BTCurious
Address: 1NaNoBitU2q8czqE2y5rEQPj4qcW6K3mFp
In any case:
username: BTCurious
Address: 1NaNoBitU2q8czqE2y5rEQPj4qcW6K3mFp
bwagner
please use 1Kuktw1ebnL3ySLx3AJK5kEA3xbkibH535
please use 1Kuktw1ebnL3ySLx3AJK5kEA3xbkibH535
Payment sent! I believe you were lucky number 10
Please Enter Right Coupn Code
Only 10 slots were available for coupon code...sorry. I will be doing another one soon though, so check back.
Please Enter Right Coupn Code
hey moki thanks for getting the spam issue sorted out, have another one for you though
you have this on the "buy credit" page...
umm, how am i supposed to know from what address i will be sending the coins ? clients selects automatically one or more input addresses to sum the total amount
you have this on the "buy credit" page...
Code:
1. Enter the bitcoin address you will be sending coins from and press submit:
umm, how am i supposed to know from what address i will be sending the coins ? clients selects automatically one or more input addresses to sum the total amount
Hmmm..I thought that it sent payment from this address listed on the client:
Your bitcoin address: 14ofhkLgaUzY1z2Zg7jM5Q4BTm1vszpBLF
I guess I was wrong. Payments can still be processed, but I will change it so that it says enter the amount of coins that will be sent instead. Thanks for pointing that out.
So the coins I sent dont say: received from: "14ofhkLgaUzY1z2Zg7jM5Q4BTm1vszpBLF"?
hey moki thanks for getting the spam issue sorted out, have another one for you though
you have this on the "buy credit" page...
umm, how am i supposed to know from what address i will be sending the coins ? clients selects automatically one or more input addresses to sum the total amount
you have this on the "buy credit" page...
Code:
1. Enter the bitcoin address you will be sending coins from and press submit:
umm, how am i supposed to know from what address i will be sending the coins ? clients selects automatically one or more input addresses to sum the total amount
Hmmm..I thought that it sent payment from this address listed on the client:
Your bitcoin address: 14ofhkLgaUzY1z2Zg7jM5Q4BTm1vszpBLF
I guess I was wrong. Payments can still be processed, but I will change it so that it says enter the amount of coins that will be sent instead. Thanks for pointing that out.
hey moki thanks for getting the spam issue sorted out, have another one for you though
you have this on the "buy credit" page...
umm, how am i supposed to know from what address i will be sending the coins ? clients selects automatically one or more input addresses to sum the total amount
you have this on the "buy credit" page...
Code:
1. Enter the bitcoin address you will be sending coins from and press submit:
umm, how am i supposed to know from what address i will be sending the coins ? clients selects automatically one or more input addresses to sum the total amount
bwagner
please use 1Kuktw1ebnL3ySLx3AJK5kEA3xbkibH535
please use 1Kuktw1ebnL3ySLx3AJK5kEA3xbkibH535
Payment sent! I believe you were lucky number 10
Jump to: