Topic: PRIMEDICE COMPROMISED [RESOLVED] - page 3. (Read 4213 times)

Just to be very clear, I was only trying to crack their bustabit password (based on information I could find online), I obviously wasn't attempting to crack their other accounts based on the password used at bustabit.  And that risk is now 0, because bustabit doesn't even let users pick their own password.

yes, so you please try and login to one of those websites with same password and you tell me if you can crack any of them please.

Out of interest, for a couple of days I logged peoples username/password and tried to look them or crack them myself. I think my success rate was about 20-30%.

Fair, the username of his account is widely used on a bunch of other bitcoin websites though. And regarding Robert, that really is terrible but there were no back-end flaws that resulted in that.

I was able to find pp@$$w0rd in plaintext and MD5 in a leaked password list.

People use rules that change letters from lowercase to uppercase using Hashcat meaning that the password isn't exactly 100% unique but yeah the chance of someone guessing it... or brute forcing it.... hell nah

About $60. but I've always put emphasis more on the site's security than my losses. for which I'm being called a beggar.

There's a good library for that by dropbox:  https://github.com/dropbox/zxcvbn

I used it for a while, but it ended up making almost no difference. Pretty much every hacked account I saw wasn't hacked through brute forcing (as we had a recaptcha, and logged failed attempts) but was hacked by people using sites like leakedsource.com  Even when people used unique usernames, a nasty trick some scammers were doing was luring people into other mediums (email, skype, etc) so they could see their other usernames to look them up.


Out of interest, for a couple of days I logged peoples username/password and tried to look them or crack them myself. I think my success rate was about 20-30%.


I've come to the conclusion that passwords are pretty useless by themselves, unless tied to a bunch of other stuff (probably the easiest being email 2FA).  So what I now do is just not let users pick their own passwords (and force them to use a random securely generated one).

Of course users absolutely hate it, but I figure the users who hate it the most are the same ones who don't use password managers and reuse the same password for every site, and they're the exact people who would otherwise get hacked. I think since doing that, claims of hacked accounts have dropped about 10 fold (although forgot password claims have gone up by a similar amount).

It still doesn't protect against phishing attacks, unfortunately. Something that 2FA tends to do a better job at preventing

How much did you lose?

I was able to find pp@$$w0rd in plaintext and MD5 in a leaked password list.

People use rules that change letters from lowercase to uppercase using Hashcat meaning that the password isn't exactly 100% unique but yeah the chance of someone guessing it... or brute forcing it.... hell nah

You took 4 days to respond to me and now you say that I'm wasting your time. I never wanted to sound harsh but you called me a liar and make me sound like a beggar. It's upto users of this forum to judge you I suppose.

My password was pP@$$w0rd and it's definitely unique to this site. you tell me that this a password that could be guessed by a random guy in less than 10 minutes, I have nothing to say to you. and guys, do google it and tell me if you find it.

hah good point.

If you post your password convertekk, I'll refund you for the loss. Also, we'll look into setting tighter requirements for passwords and maybe offer a 2fa on cashout option.





So.. this isn't a unique password? okay.

Stunna I'm still not sure why after 8(?) months, you're still ignoring the fact that I lost 13 BTC.

I was not infected and I believe that the site security is to be blamed. Why would you allow two IPs to be logged in simultaneously? (And that's assuming I was even "hacked")

That's simply untrue, I can google the password you supplied me and get plenty of results of it being used as a mysql password. Note when you google "yMrND9DpHD9T" you get no results. If you want a full refund feel free to post it here (after changing it on primedice) and close this discussion. I also have strong doubts you only used it on primedice which is why I imagine you are hesitant. 

Stunna I'm still not sure why after 8(?) months, you're still ignoring the fact that I lost 13 BTC.

I was not infected and I believe that the site security is to be blamed. Why would you allow two IPs to be logged in simultaneously? (And that's assuming I was even "hacked")

I can tell you that my password is stronger than yours with more than alphanumeric.

Sure, why not? My password was yMrND9DpHD9T   (but I just changed it). Your account has already been hacked, so it presumedly doesn't even have money in it. I don't see the harm in sharing a password as unique and strong as you claim