MtGox new password scheme SHA512 still insecure

15 points by Ixiaus ↗ HN
https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback

"SHA-512 multi-iteration salted hashing is in enabled and ready for when we get users reactivating their accounts."

I used to use a SHA-512 multi-iteration salted hashing scheme for my website's account passwords and after the Gawker attack and about 5 other HNers telling me it was not as secure as bcrypt, I decided to test cracking my own hashed password with a GPU brute force.

All I can tell you, is that it is NOT secure. Even with multi-iteration salting. It's just too FAST, that's the problem. BCRYPT allows you to adjust the WORK FACTOR to make it SLOWER and therefore not economical to brute force passwords.

----

After the hacks and now knowing that they are UPGRADING their password hashing scheme to a process I used TWO YEARS ago; I will safely say that I will not use MtGox now or in the future.

5 comments

[ 2.9 ms ] story [ 23.6 ms ] thread
I spammed Manny at onlyonetv the first day that they spoke with someone at mt.gox. I believe my exact words were:

Manny-Only1Tv, PLEASE scream bcrypt at him

He asked their dev (who asked Mark). Mark replied "bcrypt really isn't that secure. We're using SHA-512. Like 1000 times".

I had a further comment about where he should play "his SHA-512" but we can leave that out.

Or SCrypt: http://www.tarsnap.com/scrypt.html

The question here is, considering what they are doing(i.e. handling monetary transactions), shouldn't they have implemented a better hashing strategy from the beginning? After this, i'd say they are not the best source for security advices...

I known I'm a bit late here, you probably won't see this. I originally did use scrypt, actually, because I'm a fan of Colin's work but I was turned off by the lack of rigorous 3rd party crypto analysis of his reference implementation. Something bcrypt has...

Also, the python scrypt wrapper kept erroring out when I would use it in an app running in mod_wsgi... (which has probably since been fixed)

Agreed, the lack of peer reviews seems to be main reason people choose to go with bcrypt, i've seen this pointed out frequently on other sites.
Ok stupid question time.

Am I right in assuming that the way the password authentication works is, user types in a candidate password, it is hashed to a 512 bit hash, the hash is combined with the 512 bit salt, it is hashed again, it is compared to the official hash and if equal, access is granted?

If so, isn't that an insanely difficult thing to crack, that is, find a working candidate password?

Or am I totally at sea here?