I can confirm that the alleged dump is the real deal.

Some passwords are md5 hashes, some are salted md5 hashes (utilizing the crypt[0] function). I did not log in for a long time and my password was still unsalted, so I assume that converting to salted passwords was done either automatically on login or on password changes.

0: http://www.kernel.org/doc/man-pages/online/pages/man3/crypt....


I hate to look down my nose at other programmers, because I understand that we all start somewhere, but if you are building a financial exchange and you encrypted passwords using unsalted MD5 at any point in the history of your product, you have proven to me that you are learning as you go, and there is no way in hell I'd trust you with any significant sum of money.


To give some context, that financial exchange had a trading volume of less than 1000 dollars/day six months ago. http://i.imgur.com/HHlnd.png

The original author sold the site in March before things got really serious.


Where do programmers learn about this stuff? Is it taught at schools? Can anyone recommend good books on proper security procedures?


For web security, I'd recommend checking out this question on Stack Overflow: http://stackoverflow.com/questions/72394/what-should-a-devel...

Also the OWASP top ten vulnerabilities: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Proje...


A great place to start is "Applied Cryptography" by Bruce Schneier.

http://www.schneier.com/book-applied.html

Edit: Note, this really barely scratches the surface for building secure software. AC says how to apply cryptographic primitives correctly. It won't teach you how to avoid vulnerabilities specific to particular application domains (like CSS, SQL injection, etc...).


That book is old, and though still basically correct, there's much better ways to learn about the practice of developing secure systems. I recommend "Cryptography Engineering" by Ferguson, Schneier, Kohno which is a more modern descendant of Schneier's AC.


Looks like I need to update my bookshelf. Thanks for the recommendation.


Being a programmer means committing yourself to a life of continued education. Building a secure authentication system? Time to read up on the subject. You don't have to go far before you learn about the vulnerability of MD5 hashes for password storage.


A good start can be made by following the work of Ross Anderson and having a read of his book.

http://www.cl.cam.ac.uk/~rja14/ http://www.cl.cam.ac.uk/~rja14/book.html


Websites like this are great. Just look at what other learned people here are saying about cryptography.


My account is also in the list and appears salted. Someone just tried to access my gmail account via an ec3 instance so I bet the salting is done wrong or something else.


Damn, I'm in there. Glad I used a generated password (from LastPass) so I don't have to change my passwords on a lot of various sites.


This is the only way to fight the incompetence of some websites. Those passwords are (most likely) unsalted vanilla MD5 hashes. I just entered a few of them into Google from that file and yes, many of them are present in rainbow tables. Damn. It makes me angry as a programmer how a financial website can be this insecure and easy to compromise.


They look like salted hashes to me.


You can recognize salted hashes from unsalted ones just by looking at them? Open the file and search for 5f4dcc3b5aa765d61d8327deb882cf99; at least 1,600 passwords in that list are unsalted (those without $1$).


5f4dcc3b5aa765d61d8327deb882cf99 = md5("password")

For those who don't know.

Man, these programmers are fucking amateurs. It's a FUCKING TRADING PLATFORM.
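An added example (not from this thread or from the exchange in question) of the audit a site owner should run on its own password column before a migration: it classifies each value as a bare MD5 digest or a glibc crypt(3) "$1$" MD5-crypt string as the comments above describe, counts unsalted digests shared by several accounts (identical passwords are only visible because there is no salt), and flags unsalted digests equal to md5 of the trivial strings named in this thread. The sample rows and the "$1$" values are constructed placeholders, not data from the real dump.

```python
import hashlib
import re
from collections import Counter

# Hash formats the thread describes: a bare 32-hex-digit MD5 digest (unsalted),
# and glibc crypt(3) MD5-crypt, "$1$<salt>$<22 chars>", which is salted.
UNSALTED_MD5 = re.compile(r"^[0-9a-fA-F]{32}$")
CRYPT_MD5 = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")

# Trivial strings a migration audit should flag; md5("password") is the digest
# quoted in the thread, "secret123" the other example named there.
TRIVIAL_STRINGS = ["password", "secret123", "123456"]
TRIVIAL_DIGESTS = {hashlib.md5(s.encode()).hexdigest(): s for s in TRIVIAL_STRINGS}

# Constructed sample rows (not from the real dump); the $1$ values are
# syntactically valid placeholders, not real crypt() output.
SAMPLE_DUMP = """\
5f4dcc3b5aa765d61d8327deb882cf99
$1$abcdefgh$WcpM5IgU3QuZt8YngeFkY/
e10adc3949ba59abbe56e057f20f883e
$1$12345678$Zu9D9C6u6fC1ZlKcs8hpG0
5f4dcc3b5aa765d61d8327deb882cf99
plaintext?
"""

def classify(entry):
    """Name the storage format of one password-column value."""
    if UNSALTED_MD5.match(entry):
        return "unsalted_md5"
    if CRYPT_MD5.match(entry):
        return "crypt_md5"
    return "other"

def audit(dump_text):
    """Count formats, find unsalted digests shared by several accounts, and
    flag unsalted digests equal to md5 of a trivial string. Returns a dict
    with keys "formats", "shared" and "trivial"."""
    rows = [line.strip() for line in dump_text.splitlines() if line.strip()]
    formats = Counter(classify(r) for r in rows)
    unsalted = Counter(r.lower() for r in rows if classify(r) == "unsalted_md5")
    shared = {d: n for d, n in unsalted.items() if n > 1}
    trivial = {d: TRIVIAL_DIGESTS[d] for d in unsalted if d in TRIVIAL_DIGESTS}
    return {"formats": dict(formats), "shared": shared, "trivial": trivial}

if __name__ == "__main__":
    print(audit(SAMPLE_DUMP))
```

Every row that lands in "unsalted_md5" needs a forced rehash with a salted, slow password hash at next login, and the accounts in "trivial" need a password reset rather than a rehash.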


That's what happens when there's no regulation...


You must not have been following the news: http://www.theinquirer.net/inquirer/news/2079431/citibank-ha...

It happens everywhere.


Would you be willing and able to point out the regulation violated?

http://www.federalreserve.gov/bankinforeg/reglisting.htm

'Cause, I don't think they broke any rules. Are they even required to keep those details secret? It's pretty clear marketing agencies can buy that data, so I don't think it's any sort of violation of privacy policy.


icebraining, that's called irony

...I hope


I find it funny that people are outraged about unsalted MD5 yet they use passwords like "secret123" that are found in every wordlist.

Guess what: Even salted hashes won't save your ass with such weak passwords. And yes: it's a FUCKING TRADING PLATFORM you want to put money on so _you_ should think of a secure password.


And what makes you think that the same people who are complaining about unsalted MD5 are also the same people who use passwords as weak as 'secret123'?

