Hacker News new | past | comments | ask | show | jobs | submit login

So it was... I confirmed my username is in there but at least passwords are hashed. Luckily, I never added an email address and used a different Username and pw than I do everywhere else. Gotta take precautions with bitcoin!



Doesn't look as if passwords were salted, though :-( (Edit: just read in another comment that there seems to have been a global salt)


They were hashed using the standard php crypt() method, it generates a salt for every password encrypted. I'm in that database and was able to generate the exact hash. Luckily I use one-time passwords with such things...


Hm, if it is using the same hash all over the world (on your computer it has the same salt as on the MtGox server?), what is the point? I don't understand how this salting scheme is supposed to work?

Edit: Ah OK, the salt is encoded in the String.


In theory, it just slows it down so rainbow tables are ineffective (not that people need them anymore), and it requires you to brute force each password than brute forcing one password and then checking it against everything.

In reality, it's all MD5 and the passwords were leaked to a community who are running tons of GPUs to brute force hashes. So it's kind of irrelevant.


The salt is one of the other fields in the row? I'm pretty sure I used unimportant password, but I can't remember for sure!


You can recreate the hash by calling crypt() in php with your PW and the full hash as arguments. Basically, the hash is built like $1$_salt_$_hash_ - by feeding it as an argument to the function, you make it use the same salt used originally at encryption, when it was randomly generated. This is exactly the way these hashes are verified on login.


Wait. The effective exchange for bitcoins worldwide is using PHP internally? People are actually trusting this with thousands of dollars in cash?


I'm not even much of a PHP fan, but it seems like you're unaware of what most people use. Including financial institutions.


Haha. I came from PHP and won't ever go back, but, you would be surprised what people use PHP for.


Very sloppy. When you're dealing with actual money, industry-standard practices like this shouldn't be considered optional.


Legally, they're not. Bitcoin just isn't actual money in any country.

Someone should buy sealand and change the national currency to bitcoin...


What would be the point of doing that?


You can also have real money in your mtgox account.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: