<<  >> (p.10)
    Author Topic: About the recent server compromise  (Read 15447 times)

    • favdesu
    Legendary
    *
    Offline Offline

    Activity: 1764
    Merit: 1000



    View Profile WWW
    May 26, 2015, 09:27:56 PM
     #181
    Quote from: Scamalert on May 26, 2015, 09:23:58 PM
    Quote from: theymos on May 25, 2015, 02:39:49 PM
    Passwords are hashed with 7500 rounds of sha256crypt. This is pretty good, but certainly not beyond attack. Note that even though SHA-256 is used here, sha256crypt is different enough from Bitcoin's SHA-256d PoW algorithm that Bitcoin mining ASICs almost certainly cannot be modified to crack forum passwords.

    How much does the password need to be changed, whould it be enough to change a letter or two.
    Or would it be better to make a brand new long and complicated password.
    Reason I ask is that it take some time to memories a long complicated password,
    if only added or removing something will the learning time for the new password decrease.

    no, make a fresh, and new password.

    if you have issues remembering all passwords - check out KeePass 2 - it's a open source password vault. you only need one master password
    Bitcoin Experiment: Financial Freedom with Faucets?! Week 19

  • Scamalert
    Hero Member
    *****
    Offline Offline

    Activity: 490
    Merit: 500


    Captain


    View Profile
    May 26, 2015, 09:38:53 PM
     #182
    Quote from: favdesu on May 26, 2015, 09:27:56 PM
    Quote from: Scamalert on May 26, 2015, 09:23:58 PM
    Quote from: theymos on May 25, 2015, 02:39:49 PM
    Passwords are hashed with 7500 rounds of sha256crypt. This is pretty good, but certainly not beyond attack. Note that even though SHA-256 is used here, sha256crypt is different enough from Bitcoin's SHA-256d PoW algorithm that Bitcoin mining ASICs almost certainly cannot be modified to crack forum passwords.

    How much does the password need to be changed, whould it be enough to change a letter or two.
    Or would it be better to make a brand new long and complicated password.
    Reason I ask is that it take some time to memories a long complicated password,
    if only added or removing something will the learning time for the new password decrease.

    no, make a fresh, and new password.

    if you have issues remembering all passwords - check out KeePass 2 - it's a open source password vault. you only need one master password

    Yes, you are proberly right....... I need a brand new one, adding 8 letters is not good enough.
    I look at that KeePass 2, it looks pretty good, just not sure I can trust it.....
    But thank you anyways Smiley

  • readysalted89
    Sr. Member
    ****
    Offline Offline

    Activity: 327
    Merit: 250


    View Profile
    May 26, 2015, 10:31:04 PM
     #183
    Quote from: favdesu on May 26, 2015, 09:27:56 PM
    Quote from: Scamalert on May 26, 2015, 09:23:58 PM
    Quote from: theymos on May 25, 2015, 02:39:49 PM
    Passwords are hashed with 7500 rounds of sha256crypt. This is pretty good, but certainly not beyond attack. Note that even though SHA-256 is used here, sha256crypt is different enough from Bitcoin's SHA-256d PoW algorithm that Bitcoin mining ASICs almost certainly cannot be modified to crack forum passwords.

    How much does the password need to be changed, whould it be enough to change a letter or two.
    Or would it be better to make a brand new long and complicated password.
    Reason I ask is that it take some time to memories a long complicated password,
    if only added or removing something will the learning time for the new password decrease.

    no, make a fresh, and new password.

    if you have issues remembering all passwords - check out KeePass 2 - it's a open source password vault. you only need one master password

    Are the passwords it generates by using mouse movements for additional entropy completely random? Does it only generate pseudo random passwords without using mouse movements or anything else to collect additional entropy?

  • Gisado
    Full Member
    ***
    Offline Offline

    Activity: 168
    Merit: 100

    Yoohoo


    View Profile
    May 26, 2015, 11:21:59 PM
     #184
    Compromise notification email said reset question was less brute-force resistant, so I wanted to remove it. Is blanking QnA form (and save) enough to disable it?

  • theymos_away
    Member
    **
    Offline Offline

    Activity: 82
    Merit: 27


    View Profile
    May 26, 2015, 11:29:54 PM
     #185
    Quote from: Gisado on May 26, 2015, 11:21:59 PM
    Compromise notification email said reset question was less brute-force resistant, so I wanted to remove it. Is blanking QnA form (and save) enough to disable it?

    Yes, make the secret question field empty.

  • Welsh
    Staff
    Legendary
    *
    Offline Offline

    Activity: 3500
    Merit: 4165


    View Profile
    May 26, 2015, 11:35:43 PM
     #186
    Quote from: Gisado on May 26, 2015, 11:21:59 PM
    Compromise notification email said reset question was less brute-force resistant, so I wanted to remove it. Is blanking QnA form (and save) enough to disable it?

    You can always test it yourself by going to the "forgotten password" and selecting "Ask me my security question". It will tell you if it's not enabled on your account. That's if you want to double check.

  • shavers
    Sr. Member
    ****
    Offline Offline

    Activity: 439
    Merit: 288



    View Profile
    May 27, 2015, 12:06:08 AM
     #187
    Good job on getting this up again lads! Hope next time you'll be ready and fully armed! Wink This downtime looked like an eternity, lot of us missed you.
    Aber wie willst du denn einmal sterben, Narziß, wenn du doch keine Mutter hast?

  • Superhitech
    Legendary
    *
    Offline Offline

    Activity: 1064
    Merit: 1000


    View Profile
    May 27, 2015, 03:20:27 AM
     #188
    Thanks for the explanation theymos.  

    Quote from: theymos on May 25, 2015, 02:39:49 PM
    On May 22 at 00:56 UTC, an attacker gained root access to the forum's server. He then proceeded to try to acquire a dump of the forum's database before I noticed this at around 1:08 and shut down the server. In the intervening time, it seems that he was able to collect some or all of the "members" table. You should assume that the following information about your account was leaked:

    Does this mean that only people with the member rank were effected, or all forum members? Changing my password anyways, just curious.

    Also, I found this interesting article: https://www.cryptocoinsnews.com/bitcoin-mining-figure-joshua-zipkin-responsible-bitcointalk-hack/

    Opinions?

  • notlist3d
    Legendary
    *
    Offline Offline

    Activity: 1456
    Merit: 1000



    View Profile
    May 27, 2015, 03:55:24 AM
     #189
    Quote from: Superhitech on May 27, 2015, 03:20:27 AM
    Thanks for the explanation theymos.  

    Quote from: theymos on May 25, 2015, 02:39:49 PM
    On May 22 at 00:56 UTC, an attacker gained root access to the forum's server. He then proceeded to try to acquire a dump of the forum's database before I noticed this at around 1:08 and shut down the server. In the intervening time, it seems that he was able to collect some or all of the "members" table. You should assume that the following information about your account was leaked:

    Does this mean that only people with the member rank were effected, or all forum members? Changing my password anyways, just curious.

    Also, I found this interesting article: https://www.cryptocoinsnews.com/bitcoin-mining-figure-joshua-zipkin-responsible-bitcointalk-hack/

    Opinions?

    I think the comments are pretty dated.  I do know AMT has no love here so I could see them having a reason.  But I don't know how much of a threat the owner is. 

    I do wonder do we know besides password was other information also salted?  Or are we talking plain text?

  • freedomno1
    Legendary
    *
    Offline Offline

    Activity: 1848
    Merit: 1096


    Learning the troll avoidance button :)


    View Profile
    May 27, 2015, 04:23:35 AM
     #190
    Off to change the password
    It's good to know that a Bitcoin miner can't be used to break encryption
    Thanks for the hard work theymos
    Believing in Bitcoins and it's ability to change the world

  • hedgy73
    Legendary
    *
    Offline Offline

    Activity: 1428
    Merit: 1083



    View Profile
    May 27, 2015, 06:12:45 AM
     #191
    Thanks for your hard work getting the forum back up and running Theymos, it must have been a real headache.

    Lets hope the reward your offering helps catch the lowlife scumbags.

  • Lauda
    Legendary
    *
    Offline Offline

    Activity: 2674
    Merit: 3004


    Terminated.


    View Profile WWW
    May 27, 2015, 07:02:52 AM
     #192
    Quote from: Scamalert on May 26, 2015, 09:38:53 PM
    Yes, you are proberly right....... I need a brand new one, adding 8 letters is not good enough.
    I look at that KeePass 2, it looks pretty good, just not sure I can trust it.....
    But thank you anyways Smiley
    There's no reason no to trust it. Since it is open source, and if coders have accepted it it should be fine. Also there is always the old school method of writing it down on a piece of paper.

    Quote from: freedomno1 on May 27, 2015, 04:23:35 AM
    Off to change the password
    It's good to know that a Bitcoin miner can't be used to break encryption
    Thanks for the hard work theymos
    Although the majority of the passwords will still get broken.
    "The Times 03/Jan/2009 Chancellor on brink of second bailout for banks"
    😼 Bitcoin Core (onion)

  • itod
    Legendary
    *
    Offline Offline

    Activity: 1988
    Merit: 1077


    Honey badger just does not care


    View Profile
    May 27, 2015, 08:31:53 AM
     #193
    Quote from: LaudaM on May 27, 2015, 07:02:52 AM
    Although the majority of the passwords will still get broken.

    I'm not so sure about this. It's hard to estimate how long passwords people used, but average 11-length alphanumeric password needs 3 months (estimated) to be cracked, and 12-length 3 years. Longer passwords probably won't get cracked. If majority of people here used shorter passwords then, yes, majority will get broken, but I think that is not the case, majority of people here new better then to use short passwords.

  • thebitcoinquiz.com
    Sr. Member
    ****
    Offline Offline

    Activity: 280
    Merit: 250



    View Profile
    May 27, 2015, 10:21:51 AM
     #194
    Why is this news, "News: Change your password!" only showed on the index page?
    I believe that right now this news is the like the most important thing for the forum and should be displayed on all the threads.
    Stay hungry. Stay foolish.

  • BTCtalkScammerDetective
    Newbie
    *
    Offline Offline

    Activity: 17
    Merit: 0


    View Profile
    May 27, 2015, 10:25:44 AM
     #195
    Quote from: thebitcoinquiz.com on May 27, 2015, 10:21:51 AM
    Why is this news, "News: Change your password!" only showed on the index page?
    I believe that right now this news is the like the most important thing for the forum and should be displayed on all the threads.

    At least have it in bold so it's easier to see.

  • KarmaShark
    Hero Member
    *****
    Offline Offline

    Activity: 617
    Merit: 559



    View Profile
    May 27, 2015, 11:10:21 AM
    Last edit: July 29, 2016, 07:50:16 PM by KarmaShark
     #196
    Happy to see that all is good now! I think it was 3rd hack attempt in last 2 months.

  • chrisvl
    Legendary
    *
    Offline Offline

    Activity: 1274
    Merit: 1006

    Trainman


    View Profile WWW
    May 27, 2015, 11:34:02 AM
     #197
    404 security not found\ Theymos protect the bitcointalk community there are to much ways
    pgp

  • rishabh6115
    Newbie
    *
    Offline Offline

    Activity: 13
    Merit: 0


    View Profile
    May 28, 2015, 05:20:11 AM
     #198
    Do we have to change our passwords or it is fine to keep before one. Please answer fast.

  • MakingMoneyHoney
    Hero Member
    *****
    Offline Offline

    Activity: 504
    Merit: 500



    View Profile
    May 28, 2015, 05:22:30 AM
     #199
    Quote from: rishabh6115 on May 28, 2015, 05:20:11 AM
    Do we have to change our passwords or it is fine to keep before one. Please answer fast.

    You should change it.

  • DiamondCardz
    Legendary
    *
    Offline Offline

    Activity: 1134
    Merit: 1118



    View Profile WWW
    May 28, 2015, 05:25:15 AM
     #200
    Ooh. That's a lot of kiloyears to break my password.

    Thanks for the warning, I updated my password after the hack just to be safe and also to make it a little bit more secure compared to the password that I previously had on my account.

    rishabh6115: Depends. If it's extremely secure you might not need to take action, if it's less secure you should, but in all fairness you probably should either way.
    BA Computer Science, University of Oxford
    Dissertation was about threat modelling on distributed ledgers.
    Pages: « 1 2 3 4 5 6 7 8 9 [10] 11 12 13 »  All
      Print  
Page 9
Viewing Page: 10

IRLBTC™ © 2025 IRLBTC.com