
Topic: www.btcbalance.net - View your balance easily online. - page 4. (Read 18006 times)

hero member
Activity: 530
Merit: 500
SHA-256 is compromised in the future you could also require users to change password and re-hash.
Or you just hash them three times with 3 random methods out of a big algorithm pool to begin with so you don't have to re-hash and notify everybody.
Therefore, I don't register any email addresses, so I can never notify every user about a database compromise.

Second plain hashing algorithms aren't a good idea for passwords.  The problem is they are too fast.
That's why each user has a unique code bound to their account to decrypt (when logging in) what hash methods have been used.
This would make the cracking of 3 different hash methods very hard since for each new account the password is hashed with different methods in a random order.
It's not hashed with just only md5 or something.

A mining farm can attempt to brute force tens of billions of hashes per second.
Not sure what you think, but I still think nobody would want to crack this and invest tons and tons of time, energy and money in hacking a small database containing passwords that are connected to a bitcoin address and some hashed ip's that are not even connected to the accounts.


Saying triple hashed w/ three "random" (is that even possible) algorithms doesn't make any sense.
Saying something like.  "Your password is never stored in plain text.   A secure hash of your password is used for authentication.  We can't recover any lost/forgotten passwords.  For technical details click here" makes a lot more sense.
I agree with you on this. I will change this at short notice.
donator
Activity: 1218
Merit: 1079
Gerald Davis
Quote
Hashed with three random of the most secure algorithms

So now that we got the encrypt vs hash confusion behind us I think the point was this sentence doesn't make much sense and isn't very professional.

First there is no reason to triple hash.  If you use a solid algorithm like SHA-256 the results can't be unhashed.  If SHA-256 is compromised in the future you could also require users to change password and re-hash.

Second, plain hashing algorithms aren't a good idea for passwords.  The problem isn't that they can be reversed; the problem is that they are fast.  Too damn fast. A mining farm can attempt to brute force tens of billions of hashes per second.  An algorithm like bcrypt, scrypt, or PBKDF2 is much better suited for protecting a password list.

Third no idea what you mean by three random secure algorithms?  You can't pick the algorithm randomly or even if you do you must provide it in the password file which doesn't provide any security.

Saying something like the following makes more sense:
Quote
Your password is never stored in plain text.   A secure hash of your password is used for authentication.  We can't recover any lost/forgotten passwords.  For technical details click here.

The here could be something like:
Quote
For the cryptographically oriented, the stored password hash is the output of bcrypt using workload=20 and the input is the user supplied password and a per account randomly generated 64 bit salt.

That would tell people how you are hashing (and doesn't help the attacker at all).
hero member
Activity: 530
Merit: 500
@mlawrence
The word: 'Encrypted' needs to be: 'Hashed'. You're right. Thanks guys.
donator
Activity: 1218
Merit: 1079
Gerald Davis
BLERG.  Fail on my part.  I intended to write hashing.  You asked why shouldn't they be hashed.
hero member
Activity: 530
Merit: 500
He never said you shouldn't be encrypting IP addresses.
You shouldn't be encrypting the IP addresses at all.
donator
Activity: 1218
Merit: 1079
Gerald Davis
He never said you shouldn't be encrypting hashing IP addresses.
hero member
Activity: 530
Merit: 500
You shouldn't be encrypting the IP addresses at all.

Use a one way hash to stop spam accounts.  Then if the database is compromised they have nothing.

The passwords of each account are being triple hashed with 3 random algorithms.
IP addresses are hashed one time with SHA512.
Why shouldn't I hash the IP's if I may ask?
Vod
legendary
Activity: 3668
Merit: 3010
Licking my boob since 1970
You shouldn't be encrypting the IP addresses at all.

Use a one way hash to stop spam accounts.  Then if the database is compromised they have nothing.
hero member
Activity: 530
Merit: 500
Sounds like a good idea. I'm not sure if this makes sense though:

Encrypted with three random of the most secure algorithms
1) Thanks.
2) Which part doesn't make sense?
donator
Activity: 848
Merit: 1078
Sounds like a good idea. I'm not sure if this makes sense though:

Encrypted with three random of the most secure algorithms
newbie
Activity: 21
Merit: 0
The exchange rate display stopped working cause the Tradehill API died.
It's now retrieved from the Mtgox API.

Go check out now how much your bitcoins (spread over different addresses) are worth in euros or dollars.

Thanks, I was just spending hours looking for this it was meant to be! (-:
hero member
Activity: 530
Merit: 500
The exchange rate display stopped working cause the Tradehill API died.
It's now retrieved from the Mtgox API.

Go check out now how much your bitcoins (spread over different addresses) are worth in euros or dollars.
hero member
Activity: 530
Merit: 500
Just wanna bump this since it got completely buried.
hero member
Activity: 530
Merit: 500
Rather than checking blockexplorer for your wallet data, have you considered running your own block data software? There's an open source version in development on this thread: http://forum.bitcoin.org/index.php?topic=22785.0.
Yes of course.
I tried this, but for some reason I could not get it to work.
So for now I decided to go via the easy way.
Right now it's okay to parse the information via blockexplorer.
If this thing grows big, I of course need to get this to work without parsing from the blockexplorer API.
Maybe add caching of the blockexplorer data every 30 minutes?
At least until you can set up your own.

Well right now the data amount being parsed isn't that significant.
So I guess I am not gonna plan in that one yet.
But we will see. Thanks for your input though.

hero member
Activity: 560
Merit: 500
Rather than checking blockexplorer for your wallet data, have you considered running your own block data software? There's an open source version in development on this thread: http://forum.bitcoin.org/index.php?topic=22785.0.

Yes of course.
I tried this, but for some reason I could not get it to work.
So for now I decided to go via the easy way.
Right now it's okay to parse the information via blockexplorer.
If this thing grows big, I of course need to get this to work without parsing from the blockexplorer API.
Maybe add caching of the blockexplorer data every 30 minutes?
At least until you can set up your own.
hero member
Activity: 530
Merit: 500
Rather than checking blockexplorer for your wallet data, have you considered running your own block data software? There's an open source version in development on this thread: http://forum.bitcoin.org/index.php?topic=22785.0.

Yes of course.
I tried this, but for some reason I could not get it to work.
So for now I decided to go via the easy way.
Right now it's okay to parse the information via blockexplorer.
If this thing grows big, I of course need to get this to work without parsing from the blockexplorer API.
hero member
Activity: 530
Merit: 500
UPDATE v1.2 -> v1.3

Added
  • Total balance viewer converted into EUR (based on Tradehill)
  • You can now use an additional nickname in order to login
  • First address has a standard label which notifies the user about the fact the label can be adjusted

Let me know if you guys still like it.
hero member
Activity: 530
Merit: 500
Added a print screen of the interface to the start post.

Working on the following things right now:

  • Label help (not a lot of labels seem changed yet, maybe cause people don't know yet you can click your label to change it)
  • Nickname register option
  • Euro display of total balance
hero member
Activity: 767
Merit: 500
Rather than checking blockexplorer for your wallet data, have you considered running your own block data software? There's an open source version in development on this thread: http://forum.bitcoin.org/index.php?topic=22785.0.

yup I would certainly like to do this if I can find an efficient/inexpensive/free way of hosting this - if only that I could use google cloud notifications to send messages to android phones about when someone pays money into their wallet so my wallet viewer could update automatically - hate having to poll

Will
newbie
Activity: 26
Merit: 0
Rather than checking blockexplorer for your wallet data, have you considered running your own block data software? There's an open source version in development on this thread: http://forum.bitcoin.org/index.php?topic=22785.0.