Pages:
Author

Topic: Has anyone completed the MtGox verification yet? (Read 2930 times)

full member
Activity: 140
Merit: 100
I'm curious: how does MtGox know if a user's password was strong enough?

so MtGox employees have access to our passwords??

Some employees will definitely have the capability to access to the encrypted hash.  So if you downloaded the password file (like I did) which was circulating around the net.  You would see things like

 

Something like this:

mobydib [email protected] $1$0uu.XEh9$MT8XIHVdVGjlXyP/ezHhx1

The last part is the hash entry.  It's made of three parts:  The hash type, the salt and the hashed password itself.  These parts are all separated by the $ sign.

With this information, a nefarious person could attempt a brute force attack on your password to determine what it is.  In other words they can compute the hash for each password.   When they find one that produces a hash that matches the hash in the password file.  Then they know your password**

Ok, so when you talk about password 'strength'.  We are talking about the probability that the password can be discovered***.  This could include things as simple as someone guessing your password or using your GPU to compute password hashes.   So what's the best way to avoid someone guessing your password?  Well, to frame the question a little better it's worth noting that if you give a smart person a large enough amount of time they will guess your password regardless****.   So what you really want is the way to give them the worst chance of guessing your password.   In other words you want a password where the guesser has no better than average probability of guessing it.   In other words you want a random password.  On top of that we want to make sure that we don't give our guesser any "shortcuts".  For example by making our password short they don't have to guess long passwords.   By making the password only contain letters the attacker doesn't have to guess numbers.  The more permutations we force our attacker to try the more 'uncertainty' is in our random password.  In information theory we call this "entropy".

When Mt. Gox or any site asks you to enter a password and gives you some kind of feedback on it's 'strength'.   They are usually applying one of a few different entropy models which take into account things like: length, does it contain letters, numbers and punctuation.   They can even be comparing the relative frequency that various letters occur in other peoples passwords (i.e. more 'e's and less 'z's).   They may also be checking if it contains dictionary words which is a good sign it isn't random.  It also can make hashes vulnerable to a 'rainbow table' attack where an attacker pre-computes all possible hashes (for some subset of passwords - like those that contain dictionary words.   In this particular case that kind of attack doesn't work as the 'salt' part of the password file is a randomly generated string which is added to the password before it is hashed.  So even if every person used the same password the hash would be different.

To give you an idea as to how password strength is derived check out: http://www.passwordmeter.com/


**Technically this isn't 100% true as a hashing algorithm can (and will) create the same hash for different inputs *BUT* a well constructed hashing algorithm shouldn't do this for anything sufficiently shorter than the hash itself.  Like a password.  In any case if two passwords did create the same hash (we call this a "collision") then either password would work.   So it doesn't matter which one they find.

***Generally speaking we mean "discovered by a stranger"

****Assuming it's not sufficiently long that they wouldn't die before guessing. ;-)
full member
Activity: 126
Merit: 100
Had email awaiting from Mt. Gox when I logged on this morning.  Went to the URL; my claim has been accepted.  So yes, they're restoring accounts, albeit fairly slowly.
hero member
Activity: 809
Merit: 501
Always verify deals with me through my public key!
Made it, just gotta wait now for it to open.
full member
Activity: 154
Merit: 100
For people who are still waiting, make sure you keep an eye on your junk mail folder... my (acceptance) email landed there, even though previous Mt Gox emails made it to my inbox.
full member
Activity: 208
Merit: 100
Risk-hedging platform for cryptocurrency investors
got rejected, provided more proof and waiting for news now ...

edit: finally got accepted, phew ...
member
Activity: 140
Merit: 10
I'm curious: how does MtGox know if a user's password was strong enough?

so MtGox employees have access to our passwords??

Some MtGox employee might have access to your password, it depends on how the site is designed, anyhow there are ways to compute the password complexity even after it has been hashed (depending on hash)
full member
Activity: 168
Merit: 100
My request failed Sad

But I think I put my name not my bank's name, do'h

Reapplying...
sr. member
Activity: 254
Merit: 250
Got my account verified today after 3 days.
hero member
Activity: 602
Merit: 500
Sweet, got my account verified about 2 hours ago. So judge where you stand based on when your request was and the rate they are acceptng requests (based on OP and myself).
legendary
Activity: 2114
Merit: 1040
A Great Time to Start Something!
I'm curious: how does MtGox know if a user's password was strong enough?

so MtGox employees have access to our passwords??

That was supposed to be automatically verified on part 1 of the claim form 2 days ago, which is why I've been saying everyone with a strong password should have already been verified by now.

What are they really doing?
newbie
Activity: 56
Merit: 0
I'm curious: how does MtGox know if a user's password was strong enough?

so MtGox employees have access to our passwords??
legendary
Activity: 2114
Merit: 1040
A Great Time to Start Something!
That's just a preliminary step. The important milestone is when people are successfully completing big withdrawals and receiving their funds from Mt. Gox without problems. If there's any stalling on delivering cash, something is very wrong at Mt. Gox.

like they lost their money, or the intrusion is worse than what they say?

Last night they demonstrated they have at least 424,242 BTC, however there does seem to be evidence the intrusion was worse than they say. Strange, and oh so slowwwwwwwwwww.
jr. member
Activity: 55
Merit: 55
My account recovery request has been accepted too. I had a strong password too and I am one of the first 500 customer registered on that famous hacked list. Hope the Mt.Gox team will get all the accounts sorted as soon as possible.
hero member
Activity: 532
Merit: 500
FIAT LIBERTAS RVAT CAELVM
I'm confirmed, had a strong password. Which is good, since I already changed it in Lastpass.  Cheesy
full member
Activity: 224
Merit: 100
This is my theory on why it's completely valid for them to be taking so long, please read: http://forum.bitcoin.org/index.php?topic=21676.msg273585#msg273585

Or tl;dr version: The longer it takes before an account is verified, the bigger the chance that the real user will file a claim for an account in the event that a scammer has access to enough info to claim an account. More than one claim will delay things, especially if both have valid info, and then the real person would hopefully get their account.

Super tl;dr: The longer it takes the less likely people are to get scammed and have all their stuff stolen.
newbie
Activity: 56
Merit: 0
It's 4:48 GMT and there's still NO email with the claim resolution from MtGox, are they counting GMT wrong? what's going on?
sr. member
Activity: 364
Merit: 250
My claim request has been accepted.
newbie
Activity: 14
Merit: 0
I just got this back from Mt Gox Support

Hello,

Before 3:00 GMT on Friday June 24th you will receive an email from us advising that either


A) Your claim was successful and you can login to Mt.Gox once the site is up.

or,

B) We require more information to process and authorize your claim.


We appreciate your continued patience as we work to get everything back online.

Thanks,

MtGox.com Team
newbie
Activity: 55
Merit: 0
My account recovery request has been accepted, less than 2 hours before they PLAN to re-open Mt. Gox. (http://forum.bitcoin.org/index.php?topic=21727.0)

Let's hope everything works as expected. But I'm not totally optimistic.
newbie
Activity: 14
Merit: 0
Friday June 24th  01:40 GMT

"Users with reclaimed accounts will be able to login to Mt.Gox on Friday June 24th at 3:00 GMT"

- Less than 1.5 hrs until Mt Gox goes back online. No emails No anoucements.
Pages:
Jump to: