
Topic: mcx passwords - page 2. (Read 4356 times)

sr. member
Activity: 248
Merit: 251
August 18, 2013, 12:48:49 PM
#49
So RealSolid, how does your system check the user's password when he logs in?
He has to send a request to your password server.
So your password server is not off the internet.
He is just not directly on the internet.
So if a hacker compromises your site, he now has internet access to your password server.

Then you say "so what, the password should be unique to my site", but imagine the hacker just retrieves the password list and leaves, cleaning all his traces.
Then he could empty the accounts on mcxnow, even the cold storage ones.

So maybe there is a median solution here:
- Hash the passwords that are used to authenticate users logging in.
- Store an offline encrypted list of passwords, so you can do your manual password recovery stuff.

On a side note I agree with you that users have to trust the admin of a site, because whatever he says, he can watch your password if he wants to.
On the other side you could do the javascript hashing on client side and that would prevent the admin from having access to it.
Actually I'm wondering why there is no standard way of doing the hashing on the browser side, this could be an enhancement of security worldwide...
 
sr. member
Activity: 434
Merit: 250
August 18, 2013, 12:47:36 PM
#48
You could easily implement an algorithm that would disallow you to see plain-texted passwords. You could easily create an email recovery system, which you would have to authorize first to be used. So people that didn't lose password could not be attacked via email recovery method, while protecting privacy of people who did lose the password, but with this system they would have to share password details with you.

It's not as much a security concern (if you want to steal from us, you will steal from us anyway), as it is a customer experience issue.

Now you may continue with some strawmen arguments and personal attacks... You are usually very off with assumptions of what I really think. (which shouldn't be surprising, as sometimes I am serious and sometimes I just troll for the t of it)
member
Activity: 94
Merit: 10
Operator of mcxNOW | Programmer of MicroCash
August 18, 2013, 12:32:44 PM
#47
I don't believe in email password resets. I stated this. So unless you have another work-around to resolve people who forget passwords (outside of having them store other data about themselves in recoverable form) then it's pretty easy to understand my position.

I also think that email password resets are a problem (although not so much if you use a GPG sign-up which CIYAM Open offers).

Asking someone to disclose even part of their password insecurely (i.e. via plain email or IM) is of no extra benefit and in fact is just even less secure than asking them to disclose something you sent in an initial email.

Why not also offer 2FA via Google Authenticator (I can give you the necessary code in C++ if you like as CIYAM Open offers this)?


Google auth is in the next update already, but thanks for the offer. It's quite easy to implement in c++ which is why I like it.

This isn't about ways to make users more protected from themselves, it's a discussion about how mcxNOW stores some data and the ignorance on why it's irrelevant. People are coming at it like it's a SQL/PHP site when it's completely different and been coded in a way for utmost security.

I don't do email resets at all because even people who don't lose their passwords can be attacked in this way. The few people who do forget their passwords and email me are of course opening themselves up to potential abuse, but they will likely be in the "Loop" quicker than any attacker reading their email and can therefore change it before it's able to be abused. I tell people in my response emails this if usahero wants to share it with the world.
member
Activity: 60
Merit: 10
August 18, 2013, 12:29:45 PM
#46
Unfortunately when a layman such as usahero encounters manual password reset and verification he gets upset that his "used at every site" password is visible to someone like myself. However exchanges which have reset by email (which usahero wanted and thinks is secure) are actually quite insecure.


I know email recovery system has its weaknesses, so this is just another of many of your strawmen arguments. Let's rather focus on the recoverable passwords and the fact you can spy on our passwords?


Yes I can spy on your passwords. If I moved to another piece of information for a user to store instead of passwords I'd be able to spy on that too, or your funds, etc. I'm the admin. Basically if you don't trust an admin to keep your password (or password hash) and other important data to themselves you shouldn't be using that site in my opinion. So what is your point, that an admin has access to data other people don't?

Alternatively you can do what every security expert does, use a unique password at every site so it's irrelevant. Simple isn't it?

Does anyone really trust you? Seriously basic password shit name a major company that uses the RS method to password recovery. Perhaps Google's straw team of support crew can just give it to me. Does it mean I get my password as fast as we get fee shares or the site upgrade on the 10th? Does C++ enable us to trust you more? You sir are a nut job and no WE DON'T TRUST YOU.
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
August 18, 2013, 12:26:13 PM
#45
On decent sites, admin would have to use password cracker to see hashed passwords.

Actually on CIYAM Open I wouldn't even try to crack your password (as I wouldn't have enough computing power to do so unless you used a very poor password - all I could do is change your password).
sr. member
Activity: 434
Merit: 250
August 18, 2013, 12:23:40 PM
#44
On decent sites, admin would have to use password cracker to see hashed passwords. On your site, you just click the button (or whatever implementation you are using).

So this is my concern, and it doesn't matter if I use the site or I don't use the site. And I can have an opinion of the site whether I use it or not.

legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
August 18, 2013, 12:22:54 PM
#43
I don't believe in email password resets. I stated this. So unless you have another work-around to resolve people who forget passwords (outside of having them store other data about themselves in recoverable form) then it's pretty easy to understand my position.

I also think that email password resets are a problem (although not so much if you use a GPG sign-up which CIYAM Open offers).

Asking someone to disclose even part of their password insecurely (i.e. via plain email or IM) is of no extra benefit and in fact is just even less secure than asking them to disclose something you sent in an initial email.

Why not also offer 2FA via Google Authenticator (I can give you the necessary code in C++ if you like as CIYAM Open offers this)?
member
Activity: 94
Merit: 10
Operator of mcxNOW | Programmer of MicroCash
August 18, 2013, 12:20:48 PM
#42
Unfortunately when a layman such as usahero encounters manual password reset and verification he gets upset that his "used at every site" password is visible to someone like myself. However exchanges which have reset by email (which usahero wanted and thinks is secure) are actually quite insecure.


I know email recovery system has its weaknesses, so this is just another of many of your strawmen arguments. Let's rather focus on the recoverable passwords and the fact you can spy on our passwords?


Yes I can spy on your passwords. If I moved to another piece of information for a user to store instead of passwords I'd be able to spy on that too, or your funds, etc. I'm the admin. Basically if you don't trust an admin to keep your password (or password hash) and other important data to themselves you shouldn't be using that site in my opinion. So what is your point, that an admin has access to data other people don't?

Alternatively you can do what every security expert does, use a unique password at every site so it's irrelevant. Simple isn't it?
member
Activity: 94
Merit: 10
Operator of mcxNOW | Programmer of MicroCash
August 18, 2013, 12:17:50 PM
#41
Actually CIYAM Open is a 100% C++ platform (and I would be interested to perhaps compare notes then).

I only store hashed passwords in the DB and don't really understand why you are not doing the same - the *reset* issue is really not the same thing as you can always send a new password (or a unique link for the email recipient) to accomplish this.

Why exactly do you think you should be able to decrypt your user's passwords?


I don't believe in email password resets. I stated this. So unless you have another work-around to resolve people who forget passwords (outside of having them store other data about themselves in recoverable form) then it's pretty easy to understand my position.
sr. member
Activity: 434
Merit: 250
August 18, 2013, 12:16:48 PM
#40
Unfortunately when a layman such as usahero encounters manual password reset and verification he gets upset that his "used at every site" password is visible to someone like myself. However exchanges which have reset by email (which usahero wanted and thinks is secure) are actually quite insecure.


I know email recovery system has its weaknesses, so this is just another of many of your strawmen arguments. Let's rather focus on the recoverable passwords and the fact you can spy on our passwords?




If you worked your ass as much as you bragged about your c++ skills last 2 months, the update would already be here... by the way. So go to work, make your followers happy.
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
August 18, 2013, 12:08:21 PM
#39
Actually CIYAM Open is a 100% C++ platform (and I would be interested to perhaps compare notes then).

I only store hashed passwords in the DB and don't really understand why you are not doing the same - the *reset* issue is really not the same thing as you can always send a new password (or a unique link for the email recipient) to accomplish this.

Why exactly do you think you should be able to decrypt your users' passwords?
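
What storing only salted hashes, and resetting with a one-time token instead of recovering the old password, looks like in practice. This is an added example, not code from CIYAM Open or mcxNOW; the `AccountStore` class, its method names, the scrypt parameters and the 15-minute token lifetime are assumptions, and how the token reaches the user is left open.

```python
import hashlib
import hmac
import secrets
import time

# Assumed work factors for the example; tune them for the real hardware.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)
RESET_TTL = 15 * 60  # seconds a reset token stays valid (assumed value)


def derive(password, salt):
    """Slow, salted, one-way derivation of the stored verifier."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)


def token_hash(token):
    # Tokens are long random strings, so a fast hash is enough here.
    return hashlib.sha256(token.encode("ascii")).digest()


class AccountStore:
    def __init__(self):
        self.accounts = {}  # username -> (salt, digest); no password kept
        self.resets = {}    # username -> (sha256(token), expiry time)

    def register(self, user, password):
        salt = secrets.token_bytes(16)  # fresh salt per account
        self.accounts[user] = (salt, derive(password, salt))

    def verify(self, user, password):
        record = self.accounts.get(user)
        if record is None:
            return False
        salt, digest = record
        # Recompute from the submitted password, compare in constant time.
        return hmac.compare_digest(derive(password, salt), digest)

    def issue_reset(self, user, now=None):
        """Create a one-time token; only its hash is stored server-side."""
        if user not in self.accounts:
            raise KeyError(user)
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.resets[user] = (token_hash(token), now + RESET_TTL)
        return token  # handed to the account holder out of band

    def redeem_reset(self, user, token, new_password, now=None):
        """Set a new password; the old one is never revealed to anyone."""
        now = time.time() if now is None else now
        entry = self.resets.pop(user, None)  # single use, even on failure
        if entry is None:
            return False
        stored, expiry = entry
        if now > expiry or not hmac.compare_digest(token_hash(token), stored):
            return False
        self.register(user, new_password)  # new salt, new digest
        return True


if __name__ == "__main__":
    # Constructed sample data: two users who picked the same password.
    store = AccountStore()
    store.register("alice", "correct horse")
    store.register("bob", "correct horse")
    for name, (salt, digest) in store.accounts.items():
        # This is all a copy of the account table contains.
        print(name, salt.hex(), digest.hex())
    token = store.issue_reset("alice")
    print("reset ok:", store.redeem_reset("alice", token, "new passphrase"))
    print("old password still works:", store.verify("alice", "correct horse"))
```

Because each record has its own salt, the two identical passwords produce unrelated digests, and neither an operator nor someone holding a copy of the table can read a password back out of it.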
member
Activity: 94
Merit: 10
Operator of mcxNOW | Programmer of MicroCash
August 18, 2013, 11:48:26 AM
#38
Email password reset mechanisms are not ridiculously insecure if they are done correctly. Their only weak point is a 'hacker' could get their email password and do a reset but of course if they can get their email password then they can probably get their mcxnow password too.

Hashing of passwords is the gold standard of password storage in web applications.

Admins are strongly advised to never use encryption for the obvious reason if the db is compromised then the hacker gains access to everyone's passwords. Before you give your standard canned response to this, remember: 1. some people use dozens of websites and it's a pain in the arse having a strong, unique password for every single one, 2. even if you're the world's best programmer unexpected things can occur meaning the db could be compromised. It is therefore a non-zero probability that a hacker could gain everyone's passwords by your poor decision to employ encryption; using hashing+salting would make this a zero probability.

mcxNOW has no "Remote database", which means everything is incorporated on the one machine which doesn't have internet access. Secondly the reason hashing passwords is a "gold standard" is because everyone uses databases like SQL which have been hacked to death since the internet began. mcxNOW doesn't use these systems, it uses a custom database and the exchange server cannot be accessed on the internet. There is zero code to read passwords on the site which means it is impossible for an internet hacker to obtain passwords. Therefore the only way to get into the system is to be at the datacenter, then to understand the encryption, to reverse the binary, etc. This is beyond ludicrous to suggest it's a more probable event compared to any other system out there.

Meanwhile a typical exchange site that uses SQL can be broken from the internet. Yet if the SQL site uses password hashing it's somehow a "gold standard" compared to mcxNOW? Please. mcxNOW is *THE* standard because every single packet of information is controlled by the code from one person, I know everything that goes on within the exchange. There are no black boxes like others use in their php/sql/asp.net setup.

And email systems are ridiculously insecure. If an email is hacked from ANYWHERE then they can reset your exchange password and steal all your funds. Say you check your email at your mother's house and she has a virus. They log into your email, see you use mtgox and reset password. 24 hours later your account is drained. Your main PC doesn't even have to be compromised and email systems are among the highest compromised websites in existence. Most people probably aren't even aware their emails are hacked.

Your claim that email reset systems aren't insecure if "used properly" is easily extended to using a unique password at every site you use. It's really not that hard and the only reason you shouldn't be doing it is ignorance, not laziness.
hero member
Activity: 622
Merit: 500
www.cryptobetfair.com
August 18, 2013, 11:35:40 AM
#37
Just using a unique password would make this a zero probability.  This is such a non issue.
legendary
Activity: 1344
Merit: 1001
August 18, 2013, 11:31:08 AM
#36
Email password reset mechanisms are not ridiculously insecure if they are done correctly. Their only weak point is a 'hacker' could get their email password and do a reset but of course if they can get their email password then they can probably get their mcxnow password too.

Hashing of passwords is the gold standard of password storage in web applications.

Admins are strongly advised to never use encryption for the obvious reason if the db is compromised then the hacker gains access to everyone's passwords. Before you give your standard canned response to this, remember: 1. some people use dozens of websites and it's a pain in the arse having a strong, unique password for every single one, 2. even if you're the world's best programmer unexpected things can occur meaning the db could be compromised. It is therefore a non-zero probability that a hacker could gain everyone's passwords by your poor decision to employ encryption; using hashing+salting would make this a zero probability.
member
Activity: 94
Merit: 10
Operator of mcxNOW | Programmer of MicroCash
August 18, 2013, 11:01:09 AM
#35
Unfortunately when a layman such as usahero encounters manual password reset and verification he gets upset that his "used at every site" password is visible to someone like myself. However exchanges which have reset by email (which usahero wanted and thinks is secure) are actually quite insecure. MtGOX for instance has password reset by email.

https://www.mtgox.com/login/lost-password

Now why do mtgox (and pretty much everyone) do this? Well it cuts back on support to not have manual verification on password resets. So I don't necessarily blame shoe-string operations which employ simple systems to cut back on support. The funny thing is if I had the same insecure system setup then there would be no complaints from laymen such as usahero, regardless of how I stored the passwords. They would never know what really happens at the backend.

As to why I store passwords encrypted instead of hashed is simply to allow original account holders to claim their funds instead of block their access. As noted above email password resets are ridiculously insecure so I don't employ it. My current system allows me to see the password when requested by a user and they can give suggestions on something they should know (they may not know the whole password but they usually remember some of it). To get around this I could instead ask the user on signup to answer questions like "What is your first pet's name" or "What is your mother's maiden name", but then people may care that I store such details in recoverable form on the site also (you literally cannot win with some people). Currently the password serves as information only the current account holder should know.

Any person who is involved in security knows you should use a unique password at every site because that is the best security. You should never rely on a site to protect your "used everywhere password", use a new password at every site and there are zero issues in regards to how the site stores your password.

Anyone who thinks their "Sacred password" is sacred needs to get a clue. It shouldn't be sacred and if it is you need a lesson in internet security. Anyone reading this cannot claim ignorance on this going forward. It's rather embarrassing I need to post this as I figured most people on this forum were well versed in internet security but hopefully it can clear things up for those who aren't.

Finally I'll just say unlike every other exchange out there mcxNOW is coded entirely in C++ from top to bottom, it incorporates anti-virus esque self protection systems which limit even a "rogue datacenter admin" getting fanciful with the exchange. I'm well versed not only in internet security but security against humans and these are employed at mcxNOW. I am just _that_ paranoid.
sr. member
Activity: 1638
Merit: 251
Hexhash.xyz
August 18, 2013, 10:50:24 AM
#34
Why update a dead site? Even coins-e is better
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
August 18, 2013, 09:31:29 AM
#33
Any system that encrypts rather than securely hashes account passwords is just asking for trouble (using reversible encryption for things like email addresses makes perfect sense but not for account passwords).

Unfortunately even today many ISPs still even do this (I have had low-level support staff read my password to me over the phone only several years ago).
member
Activity: 81
Merit: 1002
It was only the wind.
August 18, 2013, 05:57:45 AM
#33
Don't follow established practices just do anything you feel like no matter how stupid (and pointless).  
like using a different password for every website?  I know you guys have an agenda to push here, and need to make rs or the website look bad, but try harder.  
if RS really stores the password in plain or any reversible format (ie, not hashing them properly, md5 isn't properly :P) then he lost me, i haven't seen any proof of this or did i miss it (due to ignore this usascum moron)?



He is storing them in reversible format. If you want to recover your password, he gives you your password and he sees your password. There is no "password recovery" form on the site, and I think the only way to recover the password is:
1) message rs that you lost your password.
2) tell a part of your password/describe your password, so that he can confirm "it is really you" who is recovering
3) he returns your password as a string, and in the process he sees your password. When I did this procedure, I was feeling like my privacy had been breached.


Now even if you think I am a moron, you know something you didn't know before.

And if someone has done the procedure, please confirm it is really done this way, as I am not making this up.



It is done this way, I was told so by RS himself. And it's stupid, but until he gets 2FA, there's not really a better way to do it. He could just disallow all password resets, but then people would be up in arms about RS stealing their money.

Don't follow established practices just do anything you feel like no matter how stupid (and pointless).   

like using a different password for every website?  I know you guys have an agenda to push here, and need to make rs or the website look bad, but try harder. 

Laughingbear, I like you. Please try to see reason here. I have no agenda, I like RS, but storing passwords in a reversible format is very, very bad. You can tell people not to reuse passwords all day, but they will still do it. And yes, it's easy to blame them if their password gets used inappropriately, but if mcxNOW gets hacked, and someone got into a mcxNOW user's BTC-E account because of it, that user would blame mcxNOW, and for good reason, because RS is not following best practices for security.
legendary
Activity: 1792
Merit: 1008
/dev/null
August 18, 2013, 09:20:09 AM
#32
well, i had a chat with RS on IRC, i asked him if i can publish it, he went mad and didn't answer anymore (so i cut the things below):
Code:
 RealSolid: https://bitcointalk.org/index.php?topic=270155.0 <-- can i get a ACK/NACK on this? ie that you store the users PW in plain (or decryptable only by X ppl)
passwords are stored encrypted yeah
they are the only identifyable information atm, i may change it in the future and have other info i force people to enter
name of first pet, etc
as suggestion, hash the passwords...
in 1970-1980 hashing started, now we have 2013!
no
theres no added security to my system in salting them
i like your idea about the selfbuild engine + DB alot, as its secure. but this is horrible
i dont talk abuot salting, i talk about hashing!
or hashing
that may change as i adapt future requirements of course
not hashing is a huge security risk, mtgox had to learn it the hard way
haha
thinking its a security risk shows your ignorance on mcxnow security
hmm, "they are the only identifyable information atm" <-- so you identify users per password and not per user id?
no but if they want a reset its the only info they have put in there
so i either offer no resets or add more info they can store to prove they are account holders
so if someone forgot his password (and really forgot), hes totally fucked or you just give it to them?
the exchanges that do password email resets are way more insecure
i agree that password email resets are extreme insecure
same with automated password recovery
the mcxnow database is undumpable from the internet and you should be using a unique password at the site anyhow, this is what i tell everyone if you K1773R use a unique password at mcxnow there is no difference whether i hash+salt+shit on your password
so im not sure what *your* personal issue is with the way i handle passwords, even if you think its insecure, when you should be following good security protocol as a security expert :P
if someone successfully takes over your engine, he gets access to the user DB as its needed to identify persons right? so why not just dumping this, all thats needed is to break the encryption (password? privkey? combination?) and you have the password of every person @ mcxnow
or did i miss something?
i protect the people who are insecure people by nature by not allowing auto password resets and requiring they remember part of their password
the only person who can "take over the engine" is someone who works at the datacenter of the exchange server
not internet hackers
and ive added protection against local admin hacking by encrypting everything the exchange uses
nothing is fullproof of course, but worrying about your unique password being in the wild is nothing compared to losing all your funds right?
how comes? if your engine needs informations to identifiy users (ie, username + password), as soon you got the engine, you also got the encrypted password, all you need then is to encrypt it
and as soon as you got the engine youve got all the funds too if youre an elite hacker who can decrypt and reverse engineer a x64 binary
yes, i liked your setup alot as its the only exchange i saw knowing something about security, this is just the little ugly thing that poped up, so im wondering ;)
so if a compromised amazon elite hacker data center admin finds out about the mcxnow exchange server we could be in trouble
so what do you propose to do instead of what i do to verify lost passwords?
just lock people out of accounts if they forget?
nope, its a tough question
to be honest i think only morons/haters care about this because as a specific user if you use unique password at mcxnow you are no more or less compromised if the database gets breached
i have no idea so far how an average person could be able to get his account back due to missing knowledge
so why should *YOU* care about these people?
well, i dont care about anyone usual ;)
so if we are in trouble (stolen funds), would you pay it back out of ur pocket?
people recommend salting and hashing passwords because sql and other database technologies are often compromised, mine cant be from the internet
if yes, well then i dont care anymore
worrying about rogue elite datacenter admin hacker taking your password is the least of your worries, the funds are more important :P
and unlike pretty much all other exchanges except perhaps mtgox ive put a lot of thought into protecting against those
so you would pay back the stolen funds?
i dont have enough money to do that
if theres a 50/50 split on funds in hot/cold for instance, i guess id just pay back the percentage in cold to everyone
ok
to me thats pretty much game over material though
so i never want it to happen at all
hence the paranoia and security
after this, he didn't answer me anymore :S well, i for myself will stay @ mcxnow for "now", will see how things work out.

EDIT: seems he wasn't mad, just busy, will edit again if necessary.
EDIT2: chat updated.
sr. member
Activity: 242
Merit: 250
August 18, 2013, 08:51:11 AM
#31
I never stored my coins on mcxnow. After trading I transferred the coins back to my wallet. I have no problem with the trading platform, only the security.