Topic: www.btcbalance.net - View your balance easily online. - page 3. (Read 17996 times)

If I just created an account but entered an address that had previous transactions, should that appear in the chart?

If so, it isn't appearing for me.

The chart page is developed in the Chrome browser.
Weird, can you maybe give me some more details?


Minor update

• Since much problems are going on with Intersango these days, I have decided to stop using there API.
  The "euro balance check" now uses the Mtgox Euro market.
  

I'm using chrome, the chart is blank.

Do you guys like the new features? 

UPDATE v1.4 -> v1.5

Added

• Charts page. You can now check how many euros or dollars your Bitcoin balance was worth in the past.
  
• If your balance in euros or dollars decreases it displays how many. The fading out of the text is still a little buggy sometimes I am aware of this.
  
• Instead of waiting a very long time before the page was loaded with all the data, now you can see in realtime how the data is loaded in.
  

Changed

• All data is being parsed from Blockchain.info now. Wich means your data will load almost 3 times as fast
• You can add up to 50 addreses now
• Total EUR balance (based on intrsngEUR)
• Some text on the About page

@ Stephen Gornick
I will come back to you very soon about that.

Will there ever be a mobile app version of BTCBalance (or mobile-enabled website)?

Specifically, what I'm looking for is an app that lets a person scan a QR code containing a Bitcoin address and then see the balance and transaction history for that address.

For a specific use case, a mobile phone (or Android tablet, more likely) is going to be made available at an event to allow people to check the balance of their bitcoin address.  Attendees with their own smartphone can use their own mobile wallet app but for those without smartphones and those who don't know (nor care) about bitcoin, the QR code on their badge will work as their wallet.  Kind of like these, for example:



 - http://www.paymyaddress.com/


The app can be pretty simple -- a text field to enter the firstbits (and a button to optionally allow a scan), and then the balance is displayed (with transaction history below, optionally).

Since it would be used by people just walking up, it shouldn't require any registration or login.  Simply scan and view.

Is there any chance a BTCBalance app or mobile-enabled page could be built to do this?

Cause of a database problem on the server the lists of the last 7 accounts made are gone.
This regards account id: 185 towards 192.
Sorry for the inconvenience.

Big update coming by the way!

UPDATE v1.3 -> v1.4

Added

• Current mtgoxEUR and mtgoxUSD rates (wich update each 10 seconds) displayed under the total balance.
  

Changed

• Total USD balance (based on mtgoxUSD)
• Total EUR balance (based on mtgoxEUR)
• Total EUR balance & Total USD balance updated each 10 seconds without having to refresh the page
• Some text on the About page

ah, that might be it. I checked with blockchain.info not blockexplorer.

BTCBalance uses BlockExplorer API, and BlockExplorer is several hundred blocks behind at the moment.  Could that possibly be the reason?

BTCBalance doesn't show my address as having any bitcoins, but blockexplorer blockchaininfo are showing a balance...

Here's one example where that's not true.  If I'm referring to the use case where I use this to maintain balances for payments from customer, each getting their own address (which I've labeled with their name).  If this then were to be compromised someone could go in, add a new address, update the label with a customer's name, then delete the old one.  I'ld never know and might think the customer has a higher balance than this shows.

[Of course, I'ld not use it this way myself, but it might be [mis-]used by someone in this manner.]

It isn't insecure* and I am keeping my account.   Using a stronger hashing algorithm would simply make it more secure.  It strengthens the user's password by making it take more resources to crack.  

I can delete my posts if you wish to cleanup the thread. PM me if you want me too.

* with the caveat:
You use a secure hashing algorithm (one is fine but three won't "hurt")
You include sufficient salt (32 min but bits are cheap so go 128 bit) which is random and psuedo-unique per user.
Your user's ensure their passwords have sufficient length and complexity.

I get it now, thank you.
How ever: Can you confirm here that there is nothing wrong with the method I am using except that it's unnecessary complex?
I mean before users that might not understand this abacadabra think BtcBalance is unsafe or whatever.

Thanks again.

Of course bcrypt is safe against hashing farms. That is the whole point.  

As to why/how?  It isn't a single hash but instead a looping construct which performs multiple hashes using the prior hash's output as input for the next round.  The default workload is 10 which is 2^10= 1024 hashes.  Today the recommended minimum is 16 = 65,536 recursive hashes.   That significantly cuts the throughput of a hashing farm.  Instead of being able to check billions of potential passwords every second the same hardware can only check thousands.  

Another way to look at it is for a given password complexity and cracking hardware a sha-512 hash could be brute forced in 1 hour it would take multiple years using bcrypt(16).


I think you are missing the point.  If you use n algorithms to acheive a total hashing time of 3x you haven't gained anything (other than needless complexit) over using a SINGLE good algorithm and iterating it enough times to take 3x time.

this:
Stored hash = RandomAlgo#1(RandomAlgo#2(RandomAlgo#3(password+sat)+salt)+salt)

isn't any more secure than this:
Stored hash = SHA512(SHA512(SHA512(password+sat)+salt)+salt)

All of the picking randomly algorithms from a pool of algorithms and then encrypting them is what is known as "feel good security".  It does nothing that simply using a single good algorithm multiple times doesn't do.  However the second issue is when dealing with massive cracking engines a multiplier of 3x (or 5x or 18x) doesn't provide any meaningful increase in resistance.  Since you seem hell bent on catching the "I must reinvent the wheel" train, your next though likely is to increase the number of iterations. So lets take this to the logic conclusion.

If you took the above idea, used a core hashing algorithm which was harder to brute force, ensured sufficient entropy in the salt (64 bit minimum), built in protection for intra-round key collision (which optimizes attacks using rainbow tables), designed it to store the version, hash, salt, and # of rounds in the output (which adds upgrade/compatibility), built in a whole bunch of error checking to reduce/prevent usage bugs which weaken the output, and allowed for changing the # of rounds as computers get faster .... well you would have just re-invented bcrypt.  In a decade or two when it was as exhaustively tested and analyzed as bcrypt you have a high confidence it was as secure as bcrypt.  

Alternatively you could just use what has already been written a decade ago.

BTW bcrypt isn't the only option.  scrypt is a variant which is memory-hard throughput on GPU/FPGA restricted.  PBKDF2 (Password-Based Key Derivation Function) is a third common option which can use a variety of base hashing algorithms.

And why would bycrypt have any more resistance to a mining farm?
I mean if we start using mining farms to brute force (On what actually? You need to check if the outcome is correct right?) no hashing method is safe.

Doesn't it take 3 times as long to decrypt a password that has being hashed 3 times?
Above you say it will take as long to decrypt a single hashed md5 password as a password that has being hashed with sha512, md5 and whirlpool.

Yeah, I was getting at the wording as opposed to the technical details behind it. It didn't really make sense. My English is pretty terrible but I'm sure its grammatically incorrect too.

I mean encrypting the method is dubious because anyone who can obtain the list can also obtain the encryption key and decrypt the method.  The reason we hash passwords instead of encrypting them is because one must assume if the attacker was able to gain access to your password list he will be able to gain any encryption keys.

Encrypting the hash method is simply "feel good security".  Either attacker never gets password list (in which case the encryption protects something that wasn't stolen) OR the attacker gets the password list AND likely the encryption key and the first thing he does is decrypt the hashing method.

This is the same reason that salt is stored in plaintext.  The algorithm, salt, # of rounds (for some algorithms), IV, etc are non-secure pieces of information.   Good security assumes the attacker already knows them.  Hiding, obfuscating, or encrypting them doesn't make the system any stronger.




The number of methods doesn't make it any harder.  Brute force cracking is solved by brute force.  It isn't any harder to brute force 3 algorithms which combined take 3x clocks cycles as it is to brute force a single algorithm which takes 3x clock cycles.  All that matters is the amount of computing power required to check a single key, and the weakness of the password.    As an alternative using something like bcrypt (instead of 3 random encrypted algorithms) would be simpler, peer reviewed, and would require the attacker to take 10,000x  (where x= 1 SHA-512 hash) clock cycles to perform one password check.  Multiple secret methods just add complexity without adding security.

For weak passwords it wouldn't take years, or even weeks it is more like days or hours. SHA, whirlpool, and ripemd320 are very fast algorithms (with throughput in billions of hashes per second.  A cracker with a quad GPU machine could brute force ~ 500 trillion possible passwords per day.  Half a quadrillion is every common/weak/known/leaked password plus exhaustive brute force search of all passwords 7 char or less (upper/lower/number/symbol) for site containing 50,000 accounts.

For the record it is mostly academic because there is little value in attacking the site however it is a good idea to separate strong security from "feel good security".  Adding extra complexity which doesn't make the attacker's job materially harder is "feel good security".  Someday you may write the next Bitcoinica. 

How do you mean: "If someone gets the password list they can decrypt it. "
I mean sure, theoretically it's possible to crack one user his password hashed by sha512, whirlpool and ripemd320.
But practically it will take dozen of years to do so. And then you have what? A password connected to a bitcoin adress.
Maybe keeping the hashing methods a secret isn't providing security, but making sure each account it's password has a different way of being hashed makes it damn more difficult for the hacker to crack it.

Thanks, feedback is appreciated.

EDIT:
You may also pm me if you don't want to answer in this thread.

I agree it is unlikely anyone would want to crack this but you you got a nice first project and maybe your next one involves coins or other sensitive details.  Like most developers you will work with what you know and trying dubious "roll your own security methods" may lead to you using them on other sites too.

Encrypting the hashing method provides no security.   If someone gets the password list they can decrypt it.   That is the entire reason for hashing.  Keeping the hashing method a secret isn't security.   Bitcoin puts its algorithms out in the open and it hasn't been broken.

Generally speaking "rolling your own encryption (or hashing)" is a bad idea.  I don't want to derail this anymore than I already have so I will leave it at that.   Still given the scope of the site there isn't any real risk (even if pwd were stored in plaintext).  For the record I made an account to check it out.