
Topic: MCXNow Can See your passwords! REALSolid has access to all your Passwords - page 2. (Read 4709 times)

full member
Activity: 191
Merit: 100
It's not about jealousy, it's about irresponsibility, and breaking trust with your clients.

RS is an obvious amateur when it comes to security.


This is all about jealousy and envy.
Salting and hashing is absolutely no added security. I said it twice and will repeat this forever, EVERY SITE ADMIN HAS THE ABILITY TO SEE YOUR PASSWORDS.

At least RS is honest about it, and I cannot see how that is breaking trust.

I wished you people use your brain for once instead of saying what others are saying.

wrong, most can only see the hash. they would have to decrypt it to see the password
i use the exchange before but even i can tell you no matter how well it works the non hashing is the single flaw in there

The password is encrypted server side, hence you can see it period.
hero member
Activity: 518
Merit: 500
Bitrated user: ahmedbodi.
It's not about jealousy, it's about irresponsibility, and breaking trust with your clients.

RS is an obvious amateur when it comes to security.


This is all about jealousy and envy.
Salting and hashing is absolutely no added security. I said it twice and will repeat this forever, EVERY SITE ADMIN HAS THE ABILITY TO SEE YOUR PASSWORDS.

At least RS is honest about it, and I cannot see how that is breaking trust.

I wished you people use your brain for once instead of saying what others are saying.

wrong, most can only see the hash. they would have to decrypt it to see the password
i use the exchange before but even i can tell you no matter how well it works the non hashing is the single flaw in there
full member
Activity: 191
Merit: 100
It's not about jealousy, it's about irresponsibility, and breaking trust with your clients.

RS is an obvious amateur when it comes to security.


This is all about jealousy and envy.
Salting and hashing is absolutely no added security. I said it twice and will repeat this forever, EVERY SITE ADMIN HAS THE ABILITY TO SEE YOUR PASSWORDS.

At least RS is honest about it, and I cannot see how that is breaking trust.

I wished you people use your brain for once instead of saying what others are saying.
Zyl
newbie
Activity: 33
Merit: 0
It's not about jealousy, it's about irresponsibility, and breaking trust with your clients.

RS is an obvious amateur when it comes to security.
full member
Activity: 191
Merit: 100
Don't blame me for reporting the truth.  All the information I post is true.  And I am pointing these things out because I am a reporter in my normal job and this type of thing is something people want to know!  So if it's false then prove it. But out of his own mouth, Realsolid can see each and every one of our passwords.

Stick to the facts.


Pure lies.  All of it except for the unsalted passwords.  Alex has created several of these threads for some reason.  He uses several socks to bump them.  All of it is complete bullshit.

Last night an unknown site was compromised.  Someone was trying the DB of username/passwords against mcxNOW accounts.  After 1 theft of B was verified the site immediately went into lockdown to prevent other nubs who didn't use unique passwords from losing their money as well.


Then you are a reporter the world does not need. Go find scandals that really are abuses, not things every site admin can do if he chooses so. You are only reporting this with the sole purpose of discrediting RealSolid. Why are you so jealous?
member
Activity: 97
Merit: 10
Don't blame me for reporting the truth.  All the information I post is true.  And I am pointing these things out because I am a reporter in my normal job and this type of thing is something people want to know!  So if it's false then prove it. But out of his own mouth, Realsolid can see each and every one of our passwords.

Stick to the facts.


Pure lies.  All of it except for the unsalted passwords.  Alex has created several of these threads for some reason.  He uses several socks to bump them.  All of it is complete bullshit.

Last night an unknown site was compromised.  Someone was trying the DB of username/passwords against mcxNOW accounts.  After 1 theft of B was verified the site immediately went into lockdown to prevent other nubs who didn't use unique passwords from losing their money as well.
hero member
Activity: 798
Merit: 1000
Which is why the web is not a good platform for important applications like financial apps.

Better would be client-side encryption where the server does not ever see your keys, like Open Transactions uses for example.

-MarkM-

I remember someone working on something like this for BTC. Something that ran locally in your browser, but interfaced with a remote site. Maybe I'm misremembering about exactly what it did, but I remember thinking it was pretty cool. dunno what became of it though.
full member
Activity: 227
Merit: 100
Pure lies.  All of it except for the unsalted passwords.  Alex has created several of these threads for some reason.  He uses several socks to bump them.  All of it is complete bullshit.

Last night an unknown site was compromised.  Someone was trying the DB of username/passwords against mcxNOW accounts.  After 1 theft of B was verified the site immediately went into lockdown to prevent other nubs who didn't use unique passwords from losing their money as well.
sr. member
Activity: 391
Merit: 333
I thought I'd chime in here.

#7 rule of the internet: Use unique passwords for anything remotely important. Especially places where you hold money. If you follow this rule, these claims are irrelevant to you.

Secondly, I'm not even sure if this is correct. As a developer, I have a bit of a conundrum over whether I would do this or not. Generally, I prefer simpler code, and plaintext is as simple as you can get for passwords. While it may put the users at risk if something is compromised, I would rather tell my users that they *must* use a unique password and let them deal with the consequences if they do not.

And off topic, MCXNow is an awesome exchange in my opinion.
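
For reference on the storage scheme this thread argues about, here is an added example (not part of any post and not mcxNOW's code) of salted password hashing with Python's standard library, where the server stores only a salt and a derived key and the failed-login log records no part of the attempted password. The function names, the iteration count and the sample users are illustrative assumptions.

```python
import hashlib
import hmac
import os

# Assumed work factor for PBKDF2-HMAC-SHA256; tune for your hardware.
ITERATIONS = 600_000


def _derive(password: str, salt: bytes) -> bytes:
    """Stretch the password with the user's salt into a 32-byte key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str) -> dict:
    """Return what the server stores: a per-user random salt and the derived key."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "key": _derive(password, salt).hex()}


def verify(record: dict, attempt: str) -> bool:
    """Re-derive from the attempt and compare in constant time."""
    candidate = _derive(attempt, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(candidate, bytes.fromhex(record["key"]))


def login(db: dict, log: list, user: str, attempt: str) -> bool:
    """Check a login; on failure, log the event without the attempted password."""
    record = db.get(user)
    ok = record is not None and verify(record, attempt)
    if not ok:
        log.append(f"failed login for user={user}")
    return ok


# Constructed sample data: two hypothetical users who chose the same password.
db = {"alice": make_record("garbanzobunk"), "bob": make_record("garbanzobunk")}
security_log = []

if __name__ == "__main__":
    print(db["alice"])                                       # salt + key only
    print(login(db, security_log, "alice", "garbanzobunk"))  # correct password
    print(login(db, security_log, "alice", "monkeynuts"))    # wrong password
    print(security_log)
```

Because each salt is random, the two constructed users get different stored keys despite sharing a password, and neither the stored records nor the log contain the password text.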
member
Activity: 67
Merit: 10
Zyl - Since you're leaving mcxNOW, I'll take your mcxFEE shares!  ;o)
newbie
Activity: 20
Merit: 0
oh  mg. thank your message.
Zyl
newbie
Activity: 33
Merit: 0
I was there. You were not.

Ask realsolid for a chat log of yesterday.
Or ask somebody who is using the API and possibly has a local log.
newbie
Activity: 53
Merit: 0
This thread is getting out of hand with the goddamn FUD omg!    And I remember that he said  WTF!!!  "Somebody's password was their username"  he never posted the password. 

You guys are just upset because volume at btce is lacking because of the mcx update!  get the fuck over it!!!


Absolutely false. You are not being truthful. For example, he asked a user whose password was COMPLETELY UNRELATED to their chat username, about their full plaintext password.

Somebody else will verify this.


Can't 100% Verify that

But he admitted to entering the usernames/passwords of users at other sites to attempt to gain access. Whether or not it was to find the leak it's a questionable practice
Zyl
newbie
Activity: 33
Merit: 0
This thread is getting out of hand with the goddamn FUD omg!    And I remember that he said  WTF!!!  "Somebody's password was their username"  he never posted the password. 

You guys are just upset because volume at btce is lacking because of the mcx update!  get the fuck over it!!!


Absolutely false. You are not being truthful. For example, he asked a user whose password was COMPLETELY UNRELATED to their chat username, about their full plaintext password.

Somebody else will verify this.
full member
Activity: 244
Merit: 101
The answer from RS was something to the effect of, "We're not sure, so check your security log and it will say something like 'Failed attempt to login using Garb******' " (using your example as I don't recall it verbatim either)

He posted their full password, with no ******'s.
The ***'s is a recent thing he switched over to today only.
You may have been lurking for a different conversation than the one I refer to.

Other people who were there will remember.

One password was like monkeynuts or something. But I can't remember exactly.



This thread is getting out of hand with the goddamn FUD omg!    And I remember that he said  WTF!!!  "Somebody's password was their username"  he never posted the password. 

You guys are just upset because volume at btce is lacking because of the mcx update!  get the fuck over it!!!
Zyl
newbie
Activity: 33
Merit: 0
The answer from RS was something to the effect of, "We're not sure, so check your security log and it will say something like 'Failed attempt to login using Garb******' " (using your example as I don't recall it verbatim either)

He posted their full password, with no ******'s.
The ***'s is a recent thing he switched over to today only.
You may have been lurking for a different conversation than the one I refer to.

Other people who were there will remember.

One password was like monkeynuts or something. But I can't remember exactly.
sr. member
Activity: 308
Merit: 250
Have any screenshots of that?

I didn't think of it at the time. Go on chat and ask other users, they will remember.

"Realsolid: Soandso, what other sites have you used password garbanzobunk on?"

Almost identical words to that, I don't remember their exact password though.


As someone who was there lurking when this happened, I'd like to offer a bit of context (though I have no screenshots).

The question was posed, "What site did the leaked passwords come from?"

The answer from RS was something to the effect of, "We're not sure, so check your security log and it will say something like 'Failed attempt to login using Garb******' " (using your example as I don't recall it verbatim either)

The conversation then went back and forth and it was mentioned multiple times that the passwords being attempted could be seen by the admin and consequently by users logging in (but only the first 4 letters and ****s). The group was making an effort using the passwords to try and determine which site the leaked database may have come from. These were NOT mcxNOW passwords, rather they were the passwords which were tried against mcxNOW.

I agree 110% that having unsalted plain text passwords on ANY site with $$ involved is MORONIC. However, I also agree that if you're dim enough to use a password that's not unique on ANY site with $$ involved you're asking for trouble. I'm not condoning nor defending RS or mcxNOW's site, I just thought for vitriol's sake I'd share. I don't see how it's anyone but the user's fault if their passwords are the same; then again the troll box isn't really the best place to ctrl+v any passwords whatsoever.
Zyl
newbie
Activity: 33
Merit: 0
Have any screenshots of that?

I didn't think of it at the time. Go on chat and ask other users, they will remember.
Or request a chat log from RS for security reasons.

"Realsolid: Soandso, what other sites have you used password garbanzobunk on?"
Almost identical words to that, I don't remember their exact password though.
full member
Activity: 210
Merit: 100
If you are using MCXnow, be very careful!  RealSolid and his cronies have access to all your passwords.  This came directly from his mouth in chat.

So if you have an account there make sure you withdraw those coins soon.  RealSolid has access to every single account's password.

Change your BTCE and other passwords to protect yourself against RealSolid and his crew.

Ask him yourself, this is from his own mouth.  He's not to be trusted.

Why in the fuck would you use a non-unique password on any bitcoin site?

Exactly!
sr. member
Activity: 356
Merit: 250
If you are using MCXnow, be very careful!  RealSolid and his cronies have access to all your passwords.  This came directly from his mouth in chat.

So if you have an account there make sure you withdraw those coins soon.  RealSolid has access to every single account's password.

Change your BTCE and other passwords to protect yourself against RealSolid and his crew.

Ask him yourself, this is from his own mouth.  He's not to be trusted.

do you know how computers work?