Topic: MCXNow Can See your passwords! REALSolid has access to all your Passwords (Read 4740 times)

sr. member
Activity: 280
Merit: 250
TECHNOLOGY, BABY!
As far as I know, the passwords used on Cryptsy are hashed, yet I hear numerous stories about people losing coins on Cryptsy. On the other hand, I have never heard a single story of people having lost coins on mcxNOW.

I've lost quite a few coins from quite a few currencies to random disappearing transactions on Cryptsy. mcxNOW, on the other hand, is paying me interest on all my coins.
full member
Activity: 191
Merit: 100
As far as I know, the passwords used on Cryptsy are hashed, yet I hear numerous stories about people losing coins on Cryptsy. On the other hand, I have never heard a single story of people having lost coins on mcxNOW.
sr. member
Activity: 280
Merit: 250
TECHNOLOGY, BABY!
erk
hero member
Activity: 826
Merit: 500
I really don't like scammers and unprofessional people but fortunately, there are also professionals who do their job with competence. They are not numerous but they exist.
The biggest scams come from the most professional looking people.
full member
Activity: 146
Merit: 100
It's not about jealousy, it's about irresponsibility, and breaking trust with your clients.

RS is an obvious amateur when it comes to security.


The crypto world is full of amateurs.

I am tired of these people who are unprofessional and who have no clue about business. I already lost much money with bitcoin-24; this site was made by an amateur, an unprofessional kid, and now he has problems with the justice system... I learnt the lesson: I will never send my money to a site like this one, without an address or a name. Even with btc-e, I am not sure that they are very professional.

The crypto world needs rules and professionalism!
Why are you involving yourself at all in crypto if you are that paranoid? Stick with fiat or cash under the bed if you don't trust bankers.
I really don't like scammers and unprofessional people but fortunately, there are also professionals who do their job with competence. They are not numerous but they exist.
erk
hero member
Activity: 826
Merit: 500
It's not about jealousy, it's about irresponsibility, and breaking trust with your clients.

RS is an obvious amateur when it comes to security.


The crypto world is full of amateurs.

I am tired of these people who are unprofessional and who have no clue about business. I already lost much money with bitcoin-24; this site was made by an amateur, an unprofessional kid, and now he has problems with the justice system... I learnt the lesson: I will never send my money to a site like this one, without an address or a name. Even with btc-e, I am not sure that they are very professional.

The crypto world needs rules and professionalism!
Why are you involving yourself at all in crypto if you are that paranoid? Stick with fiat or cash under the bed if you don't trust bankers.

full member
Activity: 146
Merit: 100
It's not about jealousy, it's about irresponsibility, and breaking trust with your clients.

RS is an obvious amateur when it comes to security.


The crypto world is full of amateurs.

I am tired of these people who are unprofessional and who have no clue about business. I already lost much money with bitcoin-24; this site was made by an amateur, an unprofessional kid, and now he has problems with the justice system... I learnt the lesson: I will never send my money to a site like this one, without an address or a name. Even with btc-e, I am not sure that they are very professional.

The crypto world needs rules and professionalism!
erk
hero member
Activity: 826
Merit: 500
It's not about jealousy, it's about irresponsibility, and breaking trust with your clients.

RS is an obvious amateur when it comes to security.
This is about RS establishing a long pattern of arrogant incompetence to fall back on when mcxNOW gets "hacked" and everybody's funds vaporize.


~BCX~


You wish.
legendary
Activity: 2128
Merit: 1002
Guys, since we are talking about security and passwords on Exchanges,
have there been any breakins at https://bter.com/ ?
Looks like a solid site to me.
member
Activity: 115
Merit: 10

Wrong, most can only see the hash. They would have to decrypt it to see the password.
I used the exchange before, but even I can tell you that no matter how well it works, the non-hashing is the single flaw in there.

Are you joking?? Of course they can see the password, it's the admin (or their software) that does the hashing in the first place.

Admin wanting to have passwords 101.
1) User enters password
2) Code on site logs cleartext password to a logfile, then hashes password into the database.

Non hashed passwords in the database only make the database more vulnerable should it be stolen. That's it. It doesn't make RS untrustworthy. Let's just hope his db is unstealable.

All my sites use JS client side to hash the password and send that over. That hash is then salted server side and rehashed to check against the db. No plain text password ever leaves client machine.
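The post above describes a two-stage scheme (the browser hashes the password, the server salts and re-hashes what it receives), and a later post in this thread argues that a one-way hash, unlike reversible encryption, keeps a stolen database from yielding every password at once. The following is an added example of the server-side half written for this thread; it is not mcxNOW's code and not the poster's. The `client_prehash` function stands in for the browser-side JavaScript, the iteration count and the in-memory `db` dict are assumptions, and the `hunter2` password is the one another poster jokes about.

```python
import hashlib
import hmac
import os

# Added example, not code from mcxNOW or from any poster in the thread. It
# models the scheme the post describes: the client sends a digest instead of
# the plain password, and the server salts and slow-hashes that digest before
# it is stored.

PBKDF2_ITERATIONS = 200_000   # assumption: raise until one hash costs ~100 ms on the server
SALT_BYTES = 16


def client_prehash(password: str) -> str:
    """Stand-in for the browser-side JavaScript the post mentions: the client
    hashes the password and sends the hex digest. This digest is a
    password-equivalent (anyone holding it can log in), so the server must
    treat it exactly like a plain password and never store it as-is."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def server_hash(client_digest: str, salt: bytes) -> bytes:
    """Salted, deliberately slow one-way hash of whatever the client sent."""
    return hashlib.pbkdf2_hmac("sha256", client_digest.encode("ascii"), salt, PBKDF2_ITERATIONS)


def register(db: dict, user: str, client_digest: str) -> None:
    """Store (salt, hash) for the user. A fresh random salt per user means two
    users with the same password get different records, so a copy of the table
    cannot be attacked with one precomputed lookup for all accounts."""
    salt = os.urandom(SALT_BYTES)
    db[user] = (salt, server_hash(client_digest, salt))


def verify(db: dict, user: str, client_digest: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    record = db.get(user)
    if record is None:
        # Do the same amount of work for unknown users so response time does
        # not reveal which usernames exist.
        server_hash(client_digest, bytes(SALT_BYTES))
        return False
    salt, stored = record
    return hmac.compare_digest(stored, server_hash(client_digest, salt))


def stored_secret_exposed(db: dict, password: str) -> bool:
    """Whether a raw dump of the table contains the password or the client
    digest directly. With this scheme it holds only per-user salts and PBKDF2
    output, which is the point the later post makes about hashed storage."""
    dump = repr(db)
    return password in dump or client_prehash(password) in dump


if __name__ == "__main__":
    db = {}
    register(db, "alice", client_prehash("hunter2"))
    register(db, "bob", client_prehash("hunter2"))   # same password, different record
    print("alice and bob share a record:", db["alice"][1] == db["bob"][1])
    print("alice login ok:", verify(db, "alice", client_prehash("hunter2")))
    print("wrong password accepted:", verify(db, "alice", client_prehash("hunter3")))
    print("password visible in dump:", stored_secret_exposed(db, "hunter2"))
```

Two points the code makes explicit that the post leaves implicit: the client-side digest is still the credential and must travel over TLS and be handled like a plain password, and the server-side step has to be a salted, slow, one-way function (PBKDF2 here; `hashlib.scrypt` or Argon2 where available) rather than a bare hash of the digest, otherwise a stolen table is back to being guessable with a single precomputed list.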
sr. member
Activity: 246
Merit: 250
My spoon is too big!
One should always assume the admin can see what you store. I'm surprised that people are worried about this aspect when in reality, in a large majority of cases, they store significant amounts of crypto on the site in a shared wallet. What do you care more about - that he can see your stupid "hunter2" password, or that he could, at any time, jank your funds? There has to be a certain level of trust at some point. If you don't trust him or mcxnow, go elsewhere. I hear there are some Russians that are pretty trustworthy with these kinds of things.
newbie
Activity: 31
Merit: 0
2 months ago I tried to recover my mcxnow password. I sent an email to the admin and he asked me about the password, or to tell him what letters are in my password.

I suppose that my password was in clear text for him.


just take care...
full member
Activity: 136
Merit: 100
Maybe you're saying he can hack Google Authenticator too? This thread is retarded.
erk
hero member
Activity: 826
Merit: 500
Here is some basic Internet info for noobs.

Assume the site owners, your ISP, your email provider can read or bypass your passwords as required.

Never use the same password on two different sites.

Assume everything you type is being recorded.

Do not click on email enclosures from people you don't know.



As for MCXnow, the site probably works better than most of the exchanges out there, it has some great features like earning interest on your deposits every 6 hours, and payban which is a real hoot.
full member
Activity: 191
Merit: 100
[snip..] Salting and hashing is absolutely no added security.

.. I'd just like to point out that if the server is compromised and the attacker can download the full database of passwords... then they have 11k accounts and passwords, some of which will no doubt be used on other sites as well.

If the passwords are stored encrypted, then the attacker cannot download all 11k passwords at once and must put in some code to get the password - pre-encryption - per login.

Thus, if time between attack and attack detection is 24 hours, the attacker will only have gathered the passwords of users who have logged in the last 24 hours - not all 11k.

Thus, quite obviously, storing passwords encrypted IS in fact added security. Not doing this IS a flaw.

According to RS the passwords ARE ENCRYPTED, but it is a two-way encryption, not one-way like hashing is.
full member
Activity: 153
Merit: 100
I don't see why this is a surprise? Of course a site run by a few individuals with zero regulatory oversight could have access to passwords. In fact I'd hazard that many IT companies who do not have solid information security management systems in place (e.g. ISO 27001) have the capability for rogue systems administrators and/or developers to capture user passwords. Many even likely have them stored in plain text so that they can easily send out reminder emails and such.

As with all sites, you should use a different, unique password for each one. We provide a free tool for the purpose, here.

Caveat emptor. RS has a somewhat questionable past and people should make up their own mind.

Kate.
newbie
Activity: 7
Merit: 0
Non hashed passwords in the database only make the database more vulnerable should it be stolen. That's it. It doesn't make RS untrustworthy. Let's just hope his db is unstealable.

There is no such thing, and if he claims otherwise, then he's just being arrogant. But keeping passwords in cleartext is a real threat. In hosting companies there are a lot of people who have access to servers. It's much more secure to make sure they can't just make a copy of your disk and start stealing accounts from stupid users who are too dumb to use different passwords.

Don't get me wrong, I am myself using mcxnow and have no intention of undermining his credibility - just pointing out how it works. I've created multiple applications and this kind of thing is Security 101.
full member
Activity: 191
Merit: 100
Doesn't make much of a difference where it's encrypted. Yes, it's possible to check it before it's encrypted. That's not to say that the majority of site admins will. You as a dev should know better than that.


I have never said nor have i implied that site admins ARE looking at the passwords. I merely stated that if they WISHED to, they COULD.
This was about trust and that trust is broken by not hashing and salting passwords.

That is utterly bollocks. Hashing only helps if the DB is stolen and people are so foolish as to have only one password for everything.
But even hashed passwords can be guessed, and as a dev you should know that.

Also RS' database is apparently encrypted in someway, so a potential thief still does not have access to the password right away.
full member
Activity: 182
Merit: 100

Wrong, most can only see the hash. They would have to decrypt it to see the password.
I used the exchange before, but even I can tell you that no matter how well it works, the non-hashing is the single flaw in there.

Are you joking?? Of course they can see the password, it's the admin (or their software) that does the hashing in the first place.

Admin wanting to have passwords 101.
1) User enters password
2) Code on site logs cleartext password to a logfile, then hashes password into the database.

Non hashed passwords in the database only make the database more vulnerable should it be stolen. That's it. It doesn't make RS untrustworthy. Let's just hope his db is unstealable.
hero member
Activity: 518
Merit: 500
Bitrated user: ahmedbodi.
Doesn't make much of a difference where it's encrypted. Yes, it's possible to check it before it's encrypted. That's not to say that the majority of site admins will. You as a dev should know better than that.