ripple account hacked | Bitcointalksearch.org

BRules

sr. member

Activity: 293

Merit: 250

Quote from: Badabing on May 06, 2013, 02:19:34 AM

Do you use the same username here with your ripple account? If you use the same, 62k passwords to try doesn't take an hour IMO. Do you share your secret key?

no, I didn't share anything about my ripples account.

Quote from: BBQKorv on May 06, 2013, 04:02:14 AM

Hopefully you learned a lesson in here, how is your bitcoin wallets encryption key?

The password I chose for my ripple account is the password I use for all "I don't care" stuff. it was my password here before I understand the potencial of the bitcoin and now I use a more secure password in the forum.

about my wallet password, as it has a substantial amount in bitcoins, it is a 16 characters unique password involving lower and upper case letters, numbers and symbols. I'm not that crazy to use a weak password to protect a considerable amount of money.

BBQKorv

sr. member

Activity: 280

Merit: 250

Quote from: BRules on May 05, 2013, 11:56:43 PM

well, looks like the password I choose for my ripples was a common password as it was in this list:

http://www.isdpodcast.com/resources/62k-common-passwords/

that's the beaty of bitcoin, the wallet is in your computer, so even if I choose a weak password, my computer needs to be compromised before they can try to crack the password.

Hopefully you learned a lesson in here, how is your bitcoin wallets encryption key?

Badabing

member

Activity: 75

Merit: 10

Do you use the same username here with your ripple account? If you use the same, 62k passwords to try doesn't take an hour IMO. Do you share your secret key?

Vladimir

hero member

Activity: 812

Merit: 1001

-

Sorry to hear about this.

This is still not too late to start using best practices as relevant to passwords and aimed for a regular internet user. I am not even talking about really sensitive stuff here.

1. Never use the same password in more than one place.
2. Use passwords managers like keepass and lastpass.
3. Encrypt all or most sensitive parts of your hard drives using software such as truecrypt etc...
4. Use very strong and long pass phrases (6-10 words plus some padding at least) that you can remember for few important passwords like for keepass, truecrypt, lastpass, your main email, bitcoin wallets.
5. Use auto generated passwords for everything else (keepass,lastpass will help ya)
6. If you can remember a password it is a bad password. With a few exceptions as in 4. Here is an example of a password that is good: nbJbvrTXgWZDSYl15jT6jgnk
7. And finally:

- Doctor, how do I make sure that I do not get pregnant?
- Drink lots of milk.
- ... Huh

before or after?
- Instead of.

Think about the above when you download stuff from the net and go to bad neighborhoods.

Sorry that I cannot help you with this any more than by typing this stuff again.

scintill

sr. member

Activity: 448

Merit: 254

Quote from: loudpete on May 06, 2013, 12:28:13 AM

So what were you using for passwords? now that you wont be using them anymore...

Still, seems like they'd have to try 62,000 passwords per user account, wouldn't the ripple servers block more then 5 attemps (for like an hour) making this impossible?

No, the Ripple webclient wallet is decrypted client-side in the user's browser. So they just grabbed the encrypted wallet and cracked it locally. Blockchain.info wallets works the same way, so they can also be cracked like this.

It's possible they grabbed a bunch of wallets around the same time that maybe should have tripped an alarm on the Ripple wallet server, but we don't know, and there's nothing Ripple can really do to perfectly prevent this. The user has to pick a good passphrase and ideally also a non-obvious wallet ID as well.

Edit: Most of this is wrong, as I realized after seeing this thread. The Ripple wallet is indeed decrypted locally, but the blob vault (wallet server) requires a hash of username+password (not just a plaintext username as I had assumed), so in order to try 62k passwords on BRules' wallet they would indeed have to make that many requests to the server. Sorry for spreading false information. Sad

I did just try blockchain.info MyWallet, and, for a simple (no extra security enabled) wallet, I could decrypt with only data obtained from https://blockchain.info/wallet/?format=json&resend_code=false and a local decrypt. If you enable more security I think you would be safer than this though.

scintill

sr. member

Activity: 448

Merit: 254

Quote from: BRules on May 05, 2013, 11:56:43 PM

well, looks like the password I choose for my ripples was a common password as it was in this list:

http://www.isdpodcast.com/resources/62k-common-passwords/

that's the beaty of bitcoin, the wallet is in your computer, so even if I choose a weak password, my computer needs to be compromised before they can try to crack the password.

Well, you've learned your lesson the hard way, sorry about that. For what it's worth, from what I understand there are supposed to eventually be alternate clients that could be kept fully local like Bitcoin is (source). The current lack of diversification and openness is a common complaint against Ripple as it is today though.

loudpete

newbie

Activity: 10

Merit: 0

So what were you using for passwords? now that you wont be using them anymore...

Still, seems like they'd have to try 62,000 passwords per user account, wouldn't the ripple servers block more then 5 attemps (for like an hour) making this impossible?

odolvlobo

legendary

Activity: 4466

Merit: 3391

I was about to write, "what fool uses a password that would be in that list?", but then I discovered that 2 of my many passwords are in the list.

BRules

sr. member

Activity: 293

Merit: 250

well, looks like the password I choose for my ripples was a common password as it was in this list:

http://www.isdpodcast.com/resources/62k-common-passwords/

that's the beaty of bitcoin, the wallet is in your computer, so even if I choose a weak password, my computer needs to be compromised before they can try to crack the password.

BRules

sr. member

Activity: 293

Merit: 250

Quote from: Trading on May 05, 2013, 08:39:20 PM

Search for the ripple address to where the XRPs were send on the forum and on Google, you might find the nick of the user on the giveaway thread or other place. To get a new ripple address you need to open another account and he might have been too lazy to do that. If you find nothing, check if the money is still on his account, by entering his address at https://ripple.com/graph/. If the money was sent to another account, try to search that one (but he could have sell them to an innocent person).
If you find the username, try to get him a scammer tag and to get his email and IP from the mods and google the email and nickname, you might end up finding his social network account and private information or another email linked to the previous one that leads to the social account. Then, use your imagination: write him and say if he doesn't give back the XRPs you will email his family and friends about what he done; complain to any available authority with evidence, etc..

none of the addresses showed something. I'm not too worried about my ripples, I only wanna know the scenario that my accout was compromised. I don't think it was a trojan in my computer as my bitcoins are still in my address, and a 8 characters password is kinda hard to crack on a online service.

markm

legendary

Activity: 2940

Merit: 1090

Quote from: BRules on May 05, 2013, 08:38:53 PM

I know this is weak, but as it was a online password I think it will take a while to crack this password

I didn't think it *was* "an online password".

I thought what it is is a private key, like in bitcoin, and used for things like encrypting your data blob that you can store at a blob storage facility. Or, if not the private key, then, like a brainwallet, a seed used to deterministically generate one or more private keys.

Thus, I had always thought that hackers could spend as much computer power as they wish, for as long as they wish, cracking it, just like any private key controlling any bitcoin address or any brainwallet phrase used to deterministically generate a deterministic wallet.

-MarkM-

Trading

legendary

Activity: 1455

Merit: 1033

Nothing like healthy scepticism and hard evidence

Search for the ripple address to where the XRPs were send on the forum and on Google, you might find the nick of the user on the giveaway thread or other place. To get a new ripple address you need to open another account and he might have been too lazy to do that. If you find nothing, check if the money is still on his account, by entering his address at https://ripple.com/graph/. If the money was sent to another account, try to search that one (but he could have sell them to an innocent person).
If you find the username, try to get him a scammer tag and to get his email and IP from the mods and google the email and nickname, you might end up finding his social network account and private information or another email linked to the previous one that leads to the social account. Then, use your imagination: write him and say if he doesn't give back the XRPs you will email his family and friends about what he done; complain to any available authority with evidence, etc..

BRules

sr. member

Activity: 293

Merit: 250

Quote from: Chuck on May 05, 2013, 08:20:22 PM

Did you use the same name (BRules) as your ripple wallet's name?

yes

Quote from: markm on May 05, 2013, 08:21:00 PM

Pass phrase, isn't it, for Ripple?

So, an eight character phrase?

Hmm...

-MarkM-

I know this is weak, but as it was a online password I think it will take a while to crack this password

markm

legendary

Activity: 2940

Merit: 1090

Pass phrase, isn't it, for Ripple?

So, an eight character phrase?

Hmm...

-MarkM-

Chuck

member

Activity: 92

Merit: 10

Quote from: BRules on May 05, 2013, 08:18:32 PM

About a month ago I received 30000 ripples from the giveaway thread, did some tests and never touched my account again. But today I entered my account again and I saw that 11 days ago someone hacked into my account and transfered all my ripples to another addresses. I just want to know if this happened to someone else (security breach in ripple server) or was just my account that was hacked (8 characters password).

Did you use the same name (BRules) as your ripple wallet's name?

BRules

sr. member

Activity: 293

Merit: 250

About a month ago I received 30000 ripples from the giveaway thread, did some tests and never touched my account again. But today I entered my account again and I saw that 11 days ago someone hacked into my account and transfered all my ripples to another addresses. I just want to know if this happened to someone else (security breach in ripple server) or was just my account that was hacked (8 characters password).

Topic: ripple account hacked (Read 2784 times)