MCXNow Can See your passwords! REALSolid has access to all your Passwords

int3ractivodular

sr. member

Activity: 280

Merit: 250

TECHNOLOGY, BABY!

Quote from: MarpleTrading on October 18, 2013, 07:05:10 AM

As far as I know are the passwords used on Cryptsy hashed, yet I hear numerous stories about people losing coins on Cryptsy. On the other hand I have never heard a single story of people having lost coins on mcxNOW.

I've lost quite a few coins from quite a few currencies to random disappearing transactions on Cryptsy. mcxNOW on the other hand, is paying me interest on all my coins

MarpleTrading

full member

Activity: 191

Merit: 100

As far as I know are the passwords used on Cryptsy hashed, yet I hear numerous stories about people losing coins on Cryptsy. On the other hand I have never heard a single story of people having lost coins on mcxNOW.

int3ractivodular

sr. member

Activity: 280

Merit: 250

TECHNOLOGY, BABY!

*head-desk*

erk

hero member

Activity: 826

Merit: 500

Quote from: Loki8 on October 18, 2013, 03:07:07 AM

I really don't like scammers and unprofessional people but fortunately, there are also professionals who do their job with competence. They are not numerous but they exist.

The biggest scams come from the most professional looking people.

Loki8

full member

Activity: 146

Merit: 100

Quote from: erk on October 18, 2013, 02:26:08 AM

Quote from: Loki8 on October 18, 2013, 02:14:43 AM

Quote from: Zyl on September 17, 2013, 07:33:06 AM

It's not about jealousy, it's about irresponsibility, and breaking trust with your clients.

RS is an obvious amateur when it comes to security.

The crypto world is full of amateurs.

I am tired of these people who are unprofessional and who have no clue about business. I already lost much money with bitcoin-24, this site was made by an amateur, an unprofessional kid, and now he has problems with the justice... I learnt the lesson, I will never send my money on a site like this one without address nor name, even with btc-e, i am not sure that they are very professional.

The crypto world needs rules and professionalism!

Why are you involving yourself at all in crypto if you are that paranoid? Stick with fiat or cash under the bed if you don't trust bankers.

I really don't like scammers and unprofessional people but fortunately, there are also professionals who do their job with competence. They are not numerous but they exist.

erk

hero member

Activity: 826

Merit: 500

Quote from: Loki8 on October 18, 2013, 02:14:43 AM

Quote from: Zyl on September 17, 2013, 07:33:06 AM

It's not about jealousy, it's about irresponsibility, and breaking trust with your clients.

RS is an obvious amateur when it comes to security.

The crypto world is full of amateurs.

I am tired of these people who are unprofessional and who have no clue about business. I already lost much money with bitcoin-24, this site was made by an amateur, an unprofessional kid, and now he has problems with the justice... I learnt the lesson, I will never send my money on a site like this one without address nor name, even with btc-e, i am not sure that they are very professional.

The crypto world needs rules and professionalism!

Why are you involving yourself at all in crypto if you are that paranoid? Stick with fiat or cash under the bed if you don't trust bankers.

Loki8

full member

Activity: 146

Merit: 100

Quote from: Zyl on September 17, 2013, 07:33:06 AM

It's not about jealousy, it's about irresponsibility, and breaking trust with your clients.

RS is an obvious amateur when it comes to security.

The crypto world is full of amateurs.

I am tired of these people who are unprofessional and who have no clue about business. I already lost much money with bitcoin-24, this site was made by an amateur, an unprofessional kid, and now he has problems with the justice... I learnt the lesson, I will never send my money on a site like this one without address nor name, even with btc-e, i am not sure that they are very professional.

The crypto world needs rules and professionalism!

erk

hero member

Activity: 826

Merit: 500

Quote from: ?? on ??

Quote from: Zyl on September 17, 2013, 07:33:06 AM

It's not about jealousy, it's about irresponsibility, and breaking trust with your clients.

RS is an obvious amateur when it comes to security.

This is about RS establishing a long pattern of arrogant incompetence to fall back on when mcxNOW gets "hacked" and everybody's funds vaporize.

~BCX~

You wish.

ninjaboon

legendary

Activity: 2128

Merit: 1002

Guys, since we are talking about security and passwords on Exchanges,
have there been any breakins at https://bter.com/ ?
Looks like a solid site to me.

sheffters

member

Activity: 115

Merit: 10

Quote from: vinne81 on September 17, 2013, 08:36:22 AM

Quote from: ahmed_bodi on September 17, 2013, 07:56:55 AM

wrong, most can only see the hash. they would have to decrypt it to see the password
i use the exchange before but even i can tell you no matter how well it works the non hashing is the single flaw in there

Are you joking?? Of course they can see the password, it's the admin (or their software) that does the hashing in the first place.

Admin wanting to have passwords 101.
1) User enters passwords
2) Code on site logs cleartext password to a logfile, then hashes password into the database.

Non hashed passwords in the database only make the database more vulnerable should it be stolen. That's it. It doesn't make RS untrustworthy. Let's just hope his db is unstealable.

All my sites use JS client side to hash the password and send that over. That hash is then salted server side and rehashed to check against the db. No plain text password ever leaves client machine.

redphlegm

sr. member

Activity: 246

Merit: 250

My spoon is too big!

One should always assume the admin can see what you store. I'm surprised that people are worried about this aspect when in reality the fact that in a large majority of cases they store significant amounts of crypto on the site in a shared wallet. What do you care more about - that he can see your stupid "hunter2" password or that he could, at any time, jank your funds? There has to be a certain level of trust at some point. If you don't trust him or mcxnow, go elsewhere. I hear there are some Russians that are pretty trustworthy with these kinds of things. Wink

trkmed

newbie

Activity: 31

Merit: 0

2 month ago I tryed to recover my mcxnow password. I sent an email to admin and he asked me about the password, or to tell him what letters are in my password.

I suppose that my password was in clear text for him.

just take care...

bazzip

full member

Activity: 136

Merit: 100

Maybe youre saying he can hack Google Authenticator too? This thread is retarded.

erk

hero member

Activity: 826

Merit: 500

Here is some basic Internet info for noobs.

Assume the site owners, your ISP, your email provider can read or bypass your passwords as required.

Never use the same password on two different sites.

Assume everything you type is being recorded.

Do no click on email enclosures from people you don't know.

As for MCXnow, the site probably works better than most of the exchanges out there, it has some great features like earning interest on your deposits every 6 hours, and payban which is a real hoot.

MarpleTrading

full member

Activity: 191

Merit: 100

Quote from: ?? on ??

Quote from: MarpleTrading on September 17, 2013, 07:49:45 AM

[snip..]Salting and hashing is absolutely no added security.

.. I'd just like to point out, that if the server is compromised and the attacker can download the full database of passwords... then they have 11k accounts and passwords, some of which will no doubt be used on other sites aswell.

If the passwords are stored encrypted, then the attacked cannot download all 11k passwords at once and must put in some code to get the password - pre encryption - per login.

Thus, if time between attack and attack detection is 24 hours, the attacker will only have gathered the passwords of users who have logged in the last 24 hours - not all 11k.

Thus, quite obviously, storing passwords encrypted IS infact added security. Not doing this IS a flaw.

According to RS the passwords ARE ENCRYPTED, but it is a two encryption not a one way like hashing is.

woodrake

full member

Activity: 153

Merit: 100

I don't see why this is a surprise? Of course a site run by a few individuals with zero regulatory oversight could have access to passwords. In fact I'd hazard that many IT companies who do not have solid information security management systems in place (eg. ISO27001) have the capability for rogue systems administrators and/or developers to capture user passwords. Many even likely have them stored in plain text so that they can easily send out reminder emails and such.

As with all sites, you should use a different, unique password for each one. We provide a free tool for the purpose, here.

Caveat emptor. RS has a somewhat questionable past and people should make up their own mind.

Kate.

albitos

newbie

Activity: 7

Merit: 0

Quote from: vinne81 on September 17, 2013, 08:36:22 AM

Non hashed passwords in the database only make the database more vulnerable should it be stolen. That's it. It doesn't make RS untrustworthy. Let's just hope his db is unstealable.

There is no such thing and if he claims otherwise, than he's just being arrogant. But keeping passwords in cleartext is a real threat. In hosting companies there is a lot of people who have access to servers. It's much secure to make sure they can't just make a copy of your disk and start stealing accounts from stupid users who are too dumb to use diffrent passwords.

Don't get me wrong, I am using myself mcxnow and have no intention in undermining his credibility - just pointing how it works. I've created multiple applications and this kind of thing is Security 101.

MarpleTrading

full member

Activity: 191

Merit: 100

Quote from: ahmed_bodi on September 17, 2013, 08:26:43 AM

doesnt make much of a difference where its encrypted. yes its possible to check its before its encrypted. thats nothing to say that the majorityof site admins will. you as a dev should know better than that

I have never said nor have i implied that site admins ARE looking at the passwords. I merely stated that if they WISHED to, they COULD.
This was about trust and that trust is broken by not hashing and salting passwords.

That is utterly bullocks. Hashing is only helping if the DB is stolen and people are so foolish to have only one password for everything.
But even hashed passwords can be guessed and as a dev you should know that. Wink

Also RS' database is apparently encrypted in someway, so a potential thief still does not have access to the password right away.

vinne81

full member

Activity: 182

Merit: 100

Quote from: ahmed_bodi on September 17, 2013, 07:56:55 AM

wrong, most can only see the hash. they would have to decrypt it to see the password
i use the exchange before but even i can tell you no matter how well it works the non hashing is the single flaw in there

Are you joking?? Of course they can see the password, it's the admin (or their software) that does the hashing in the first place.

Admin wanting to have passwords 101.
1) User enters passwords
2) Code on site logs cleartext password to a logfile, then hashes password into the database.

Non hashed passwords in the database only make the database more vulnerable should it be stolen. That's it. It doesn't make RS untrustworthy. Let's just hope his db is unstealable.

ahmed_bodi

hero member

Activity: 518

Merit: 500

Bitrated user: ahmedbodi.

doesnt make much of a difference where its encrypted. yes its possible to check its before its encrypted. thats nothing to say that the majorityof site admins will. you as a dev should know better than that

Topic: MCXNow Can See your passwords! REALSolid has access to all your Passwords (Read 4709 times)