
Topic: [Warning] People with MtGox (Read 2836 times)

sr. member
Activity: 252
Merit: 251
July 02, 2011, 09:47:47 PM
#18
That was just an example I made up on the spot. I hope nobody is dumb enough to actually use something that can be found with Google.

You can construct a similar pass with any combination of symbols.
legendary
Activity: 1008
Merit: 1001
Let the chips fall where they may.
July 02, 2011, 09:21:58 PM
#17
What you need to do is use completely unique, altering-case letters and numbers & special characters each occurring no more than once.

Repeats can happen in a secure, randomly generated password. For many passphrases, I have started using 32 random hex digits (128 bits of entropy). With only 16 symbols, each symbol is repeated, on average, twice. I did that calculation after noticing that one of my passphrases was actually missing one of those 16 symbols.

Quote
Example of a safe 25 char. password would be 4gD_7´%jU1Q#}!5Lv=¤*h^8~¨

That password is no longer secure because it has been published and may now be in a password-cracking dictionary.
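The entropy and repeat calculation in the post above, carried through as an added example (this is not code from the thread): entropy of 32 random hex digits, the average occurrences per symbol, and the exact probability that at least one of the 16 hex symbols never appears. It also goes one step beyond the post and measures the "every symbol at most once" rule from post #16, which slightly lowers entropy because it forbids some strings. Function names and the 94-symbol printable ASCII alphabet are assumptions for this example.

```python
import math
import secrets
from collections import Counter

HEX_SYMBOLS = "0123456789abcdef"
PRINTABLE_ASCII = 94  # assumption: the keyboard symbols used for the 25-char password


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string with repeats allowed: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def entropy_bits_no_repeats(length: int, alphabet_size: int) -> float:
    """Entropy when every symbol may occur at most once: log2 of the number of
    such strings, alphabet * (alphabet-1) * ... over `length` positions."""
    return math.log2(math.perm(alphabet_size, length))


def expected_occurrences(length: int, alphabet_size: int) -> float:
    """Average number of times each symbol appears in a uniform random string."""
    return length / alphabet_size


def prob_some_symbol_missing(length: int, alphabet_size: int) -> float:
    """Exact probability that at least one alphabet symbol never appears,
    by inclusion-exclusion over the set of missing symbols."""
    n, k = length, alphabet_size
    return sum((-1) ** (j + 1) * math.comb(k, j) * ((k - j) / k) ** n
               for j in range(1, k + 1))


def random_hex_passphrase(n_digits: int = 32) -> str:
    """Generate n random hex digits from the OS CSPRNG (128 bits for n=32)."""
    return secrets.token_hex(n_digits // 2)


def repeat_profile(passphrase: str) -> dict:
    """Count repeated and absent hex symbols; repeats are expected in a
    random passphrase and do not weaken it."""
    counts = Counter(passphrase)
    return {
        "repeated": sum(1 for c in counts.values() if c > 1),
        "missing": sum(1 for s in HEX_SYMBOLS if s not in counts),
    }
```

For 32 hex digits the probability that some symbol is missing comes out near 93%, so the post's observation is the normal case, not a defect in the generator.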
sr. member
Activity: 252
Merit: 251
July 02, 2011, 09:12:03 PM
#16
password changed from "password" to "passwerrrrrrd".

There are ways to bruteforce all combinations with repeats up to 16 letters relatively fast.
So if your pass is something like "paaaaaaaaaaaasword" or "passwwwwwword", it's not safer just because you entered a bunch of letters.
Repeating the same word twice or multiple times is also one of the easiest ways to get your pass cracked as well (footballfootballfootball is not a safe pass)

What you need to do is use completely unique, altering-case letters and numbers & special characters each occurring no more than once.

Example of a safe 25 char. password would be 4gD_7´%jU1Q#}!5Lv=¤*h^8~¨

About 20 to 30 characters should be safe forever, the harder it is to remember the better. Don't use sequential symbols, numbers or characters.

Don't use words in a standard dictionary of any language no matter how cleverly disguised with stretched vocals or 1337-speak replacement of letters with numbers.
member
Activity: 84
Merit: 10
July 02, 2011, 07:55:57 PM
#15
password changed from "password" to "passwerrrrrrd".
newbie
Activity: 56
Merit: 0
July 02, 2011, 05:21:54 PM
#14
http://techcrunch.com/2011/05/05/password-manager-last-pass-possibly-hacked/
Anybody who stores his passwords with a 3rd party online service is in a state of sin.

But it turns out the "possibly" became "not".

The alternative is to write them down in a little book that you always carry with you.  Or have the same password everywhere.

Whatever solution you use, it's going to be bad.  Unless you have super memory, which I do not.

Reminds me of a friend I have who has great memory. All his passwords are ~20 characters long, and involve numbers, letters (upper & lower). He picks a phrase and then implements it like: first letter, number, last letter, number, ... He makes a new password for every site. Amazing that he hasn't forgotten any.
sr. member
Activity: 294
Merit: 250
July 02, 2011, 05:16:45 PM
#13
http://techcrunch.com/2011/05/05/password-manager-last-pass-possibly-hacked/
Anybody who stores his passwords with a 3rd party online service is in a state of sin.

But it turns out the "possibly" became "not".

The alternative is to write them down in a little book that you always carry with you.  Or have the same password everywhere.

Whatever solution you use, it's going to be bad.  Unless you have super memory, which I do not.
hero member
Activity: 630
Merit: 500
Posts: 69
July 02, 2011, 05:15:57 PM
#12
"was not a regular word, random letters with 4 numbers", huh? Let me introduce you to dictionary based attacks, you little rascal you.

rascalwned
hero member
Activity: 576
Merit: 514
July 02, 2011, 05:13:15 PM
#11
"was not a regular word, random letters with 4 numbers", huh? Let me introduce you to dictionary based attacks, you little rascal you.

I learned my lesson that day.  I got Last Pass, and all sites now have a unique and complex password.
http://techcrunch.com/2011/05/05/password-manager-last-pass-possibly-hacked/
Anybody who stores his passwords with a 3rd party online service is in a state of sin.
legendary
Activity: 1022
Merit: 1001
July 02, 2011, 04:09:40 PM
#10
Yea thanks but I already changed my password from password
sr. member
Activity: 294
Merit: 250
July 02, 2011, 04:09:33 PM
#9
Pretty sure we said to change passwords weeks ago when that happened. Sorry you missed all 100 of those posts.

You win the internets.  Grin

seriously, made me laugh.  Spot on.
sr. member
Activity: 294
Merit: 250
July 02, 2011, 04:07:11 PM
#8
I used to use the same password at most sites.  Sites that had non-financial info, of course.  Then Gawker Media got hacked, and that allowed a hacker into my Facebook page, which had the same email and password.

I learned my lesson that day.  I got Last Pass, and all sites now have a unique and complex password.
newbie
Activity: 56
Merit: 0
July 02, 2011, 04:06:11 PM
#7
Pretty sure we said to change passwords weeks ago when that happened. Sorry you missed all 100 of those posts.
newbie
Activity: 28
Merit: 0
July 02, 2011, 03:58:55 PM
#6

The passwords that have been cracked independently include many that are 14 characters long.

http://forum.bitcoin.org/index.php?topic=24727.msg314393#msg314393

BTW, one list includes:

  [email protected] rascal101

hero member
Activity: 576
Merit: 514
July 02, 2011, 12:20:54 PM
#5
Why would you not change your password on sites involving money after such a hack?   Shocked
More interesting, why would one use the same password at different sites? Everybody tells you not to do that, but people still do it. There is nobody to blame but himself.
hero member
Activity: 551
Merit: 500
July 02, 2011, 12:16:01 PM
#4
Duh
full member
Activity: 140
Merit: 100
July 02, 2011, 12:01:51 PM
#3
Why would you not change your password on sites involving money after such a hack?   Shocked
member
Activity: 98
Merit: 10
July 02, 2011, 11:46:48 AM
#2
The leaked accounts.csv file had a few thousand md5 password hashes, and the rest (total 60k) was md5 with salt.

Unless those have been hashed by the hacker, there's no reason to doubt MtGox had the passwords hashed.
newbie
Activity: 13
Merit: 0
July 02, 2011, 11:04:26 AM
#1
So today I wake up to my paypal account being used and several hundred dollars in money were being transferred from my bank account. If you all remember, MtGox was recently hacked and they required all your email account passwords to be changed as well as the site.  They told us that their passwords were stored in md5 and newer accounts were Salted MD5.  I changed every password I could possibly think of related to my email, making sure they were long and well secured. One password I forgot was paypal, and guess what, my account was being used only weeks after MtGox got hacked. I had been using the same password as on MtGox. I quickly changed all my passwords, security questions, phone pin, etc. and got it resolved rather quickly with paypal.

My point being with all of this, change your passwords EVERYWHERE! I would also like to point out the fact that I highly doubt MtGox had MD5 or Salted MD5 Encrypted passwords because my password was 14 characters long before (was not a regular word, random letters with 4 numbers). It would have taken an extremely long time to decrypt an md5 hash with that kind of character amount, if not impossible (due to it taking YEARS). I don't think MtGox had any password encryption at all now that this has happened. This is the first and I hope only time someone has gained access to an account of mine anywhere in the 2 decades I've been online.

So please change your passwords everywhere you used the same password and/or email address. Thanks!
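To make the storage question raised in post #2 and in this post concrete (plain MD5 versus salted MD5), here is an added example; it is not code from the thread or from MtGox. It shows why equal unsalted digests across accounts are a problem, how a per-user salt removes that, and what a current slow, salted scheme (PBKDF2-HMAC-SHA256 from Python's standard library) looks like. The account list is constructed for the example; the passwords are the ones joked about in the thread.

```python
import hashlib
import hmac
import secrets

# Constructed sample accounts (not data from the leak); two users share a password.
ACCOUNTS = [("alice", "password"), ("bob", "password"), ("carol", "passwerrrrrrd")]


def md5_unsalted(password: str) -> str:
    """Legacy scheme described in the thread: plain MD5 of the password."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_salted(password: str, salt: str) -> str:
    """Legacy 'salted MD5': a per-user salt makes equal passwords hash differently,
    but MD5 is still a fast hash, so it only stops precomputed tables, not guessing."""
    return hashlib.md5((salt + password).encode()).hexdigest()


def shared_unsalted_hashes(accounts) -> dict:
    """Group usernames by unsalted digest; any group with more than one user means
    those users share a password and one precomputed digest covers all of them."""
    groups = {}
    for user, pw in accounts:
        groups.setdefault(md5_unsalted(pw), []).append(user)
    return {digest: users for digest, users in groups.items() if len(users) > 1}


def pbkdf2_record(password: str, iterations: int = 600_000) -> str:
    """Store algorithm, iteration count, random salt and digest in one field."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(record: str, password: str) -> bool:
    """Recompute from the stored parameters and compare in constant time."""
    _algo, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)
```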