Silk Road forums
Discussion => Silk Road discussion => Topic started by: kingghb on April 15, 2013, 09:48 pm
-
So on Friday, I tried logging into my SR account, and my password had been changed. I immediately messaged SR support. It took until today (3 days later) for my account to finally be reset. When I got back in I saw that, luckily, the small amount of BTC I kept in my account (1.03 BTC) was transferred on 4/15/13 8:59 PM. I may have at some point months ago accidentally put my username/password into a phishing site, but NEVER gave my PIN. I don't know if someone seriously brute forced my PIN for the 1.03 BTC or what, but this could have been resolved had my password been reset earlier. >:(
-
In order for anyone to transfer btc on SR, they would need your PIN. Are you sure you haven't entered it anywhere?
Because at this point, you're saying someone knew your password AND your PIN ... which would be difficult for anyone to guess.
-
Scout, like I said, I never gave it out to anyone, and my computers are clean of all malware. I think months ago I may have accidentally hit a phishing site because it said I couldn't log in. Anyway, I only use particular passwords for these types of sites, but I have no idea what happened. I do know I didn't give a PIN. That's why I asked about the PIN being BF'ed.
-
Cool Story Bro.
The Original, I'm impressed.
-
Cool Story Bro.
The Original, I'm impressed.
Not sure what you meant by your post. Anyhow, I guess more than anything, people, be careful if for some reason you lose your link to SR. Now I know what the .onion address looks like, so it's very unlikely this would happen again. I guess really a 4 digit PIN wouldn't take long to brute force even through Tor, but I would think SR would automatically lock out for an elapsed period of time under these conditions.
-
Why would you use a 4 digit PIN here?!?!
-
Why would you use a 4 digit PIN here?!?!
Is this for serious? roflfmao
-
1234 ??
-
I guess really a 4 digit PIN wouldn't take long to brute force even through tor
I can't get past this .... you should never use a 4 digit PIN on SR! holy crap!
-
Yeah, no kidding. I guess the word "PIN" is so widely used (and usually 4 digits) that he just assumed that was the way it was here, too. Make it long and complex, man. Letters and numbers.
-
It was "0000". I win all his money now. I'm headed to go change mine now!!! Can we use letters AND numbers, scout?
-
It was "0000". I win all his money now. I'm headed to go change mine now!!! Can we use letters AND numbers, scout?
That's amazing. I've got the same combination on my luggage.
-
Regardless of whether it was 1234 or 0000, it doesn't matter; it's only a possibility of what, 256 combinations? The reason is that, back when I set it up, I picked something easy to remember, not knowing what it was even used for. I've only planned on using SR as a vendor, and there are a couple of things that are cheaper/hard to get on the street. But lesson learned. I only lost 1.03 BTC; luckily I wasn't naive enough to leave a larger amount.
-
It was "0000". I win all his money now. I'm headed to go change mine now!!! Can we use letters AND numbers, scout?
That's amazing. I've got the same combination on my luggage.
+1 for the spaceballs quote.
Fucken love that shit.
-
Regardless of whether it was 1234 or 0000, it doesn't matter; it's only a possibility of what, 256 combinations? The reason is that, back when I set it up, I picked something easy to remember, not knowing what it was even used for. I've only planned on using SR as a vendor, and there are a couple of things that are cheaper/hard to get on the street. But lesson learned. I only lost 1.03 BTC; luckily I wasn't naive enough to leave a larger amount.
It does matter, because using a ridiculously easy-to-guess PIN would explain your alleged missing coins when you have already stated you think you logged into a phishing site previously.
Just sayin'...
-
Regardless of whether it was 1234 or 0000, it doesn't matter; it's only a possibility of what, 256 combinations? The reason is that, back when I set it up, I picked something easy to remember, not knowing what it was even used for. I've only planned on using SR as a vendor, and there are a couple of things that are cheaper/hard to get on the street. But lesson learned. I only lost 1.03 BTC; luckily I wasn't naive enough to leave a larger amount.
No it's more like 10,000 possible combinations.... exactly 10,000.... but 256 was a good guess lol
-
Regardless of whether it was 1234 or 0000, it doesn't matter; it's only a possibility of what, 256 combinations? The reason is that, back when I set it up, I picked something easy to remember, not knowing what it was even used for. I've only planned on using SR as a vendor, and there are a couple of things that are cheaper/hard to get on the street. But lesson learned. I only lost 1.03 BTC; luckily I wasn't naive enough to leave a larger amount.
No it's more like 10,000 possible combinations.... exactly 10,000.... but 256 was a good guess lol
Unless he was working in base-4. In which case there are exactly 256 possible values.
-
Regardless of whether it was 1234 or 0000, it doesn't matter; it's only a possibility of what, 256 combinations? The reason is that, back when I set it up, I picked something easy to remember, not knowing what it was even used for. I've only planned on using SR as a vendor, and there are a couple of things that are cheaper/hard to get on the street. But lesson learned. I only lost 1.03 BTC; luckily I wasn't naive enough to leave a larger amount.
No it's more like 10,000 possible combinations.... exactly 10,000.... but 256 was a good guess lol
Unless he was working in base-4. In which case there are exactly 256 possible values.
Or unless he was working in binary. In which case there are exactly.... oh man, I don't even know :) I guess the moral of the story is fewer numbers, more letters for kingghb. Sucks man, even though it wasn't that much, it's still more than zero. I also encourage everyone to regularly check out the Security threads to stay on top of your shit. Ice cream for all.
-
Either way. Lesson learned. I'm pretty damn sure it was brute forced. 256 or 10,000, either way, depending on what beginning number they started with, it wouldn't take very long. Apparently it took 2 days for them to transfer the BTC. From now on I'd use at least a 6-9 digit PIN.
-
Brute forced over password on a hidden service? Can you say incredibly slow?
-
Either way. Lesson learned. I'm pretty damn sure it was brute forced. 256 or 10,000, either way, depending on what beginning number they started with, it wouldn't take very long. Apparently it took 2 days for them to transfer the BTC. From now on I'd use at least a 6-9 digit PIN.
Nooooo!!! lol, we just got done saying don't just use numbers. Just because it says PIN does not mean it's only 0-9. Use a combination of numbers, letters, and characters, i.e. YoU?n33d?A?new?PA44word
-
This might be a good time to change the nomenclature of the PIN. I think most people think "4 digit numeric" when they see PIN, and possibly phishers are using that to their advantage.
Maybe "Secondary Password" or "Withdrawal Password"?
-
... Is it at all possible that you've registered with the same Username and Password for a site like BMR/SHEEP/ATLANTIS?
-
By the way, no it wasn't brute forced.
The system allows you 5 failed pin attempts before it freezes your pin.
Most likely scenario is that you entered your pin in the phishing page as well as your password -- all the phishing sites ask for pin. Would be kind of useless if they didn't.
You got pwned.
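The two points argued in this thread, the size of the PIN keyspace (10,000 for four digits, 256 in base 4) and the freeze after 5 failed attempts that the post above describes, worked through as an added example; this is illustrative code written for this page, not the site's own implementation, and the PinGuard class and its names are assumptions.

```python
"""Added example (not from the thread or the site): PIN keyspace arithmetic
and a verifier that freezes the PIN after a fixed number of failures, as the
post above says the site did. All names here are illustrative."""
import hmac
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5  # the thread states the PIN freezes after 5 failures


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct PINs of a given length over an alphabet.
    Four decimal digits: 10**4 = 10,000; four base-4 digits: 4**4 = 256."""
    return alphabet_size ** length


def guess_probability(alphabet_size: int, length: int,
                      attempts: int = MAX_FAILED_ATTEMPTS) -> float:
    """Chance that an online guesser hits a uniformly chosen PIN before the
    freeze stops it. With a lockout, the whole keyspace can never be tried."""
    return min(1.0, attempts / keyspace(alphabet_size, length))


@dataclass
class PinGuard:
    """Server-side PIN check with an attempt counter (illustrative)."""
    secret: str
    failed: int = 0
    frozen: bool = False

    def check(self, candidate: str) -> bool:
        """Return True only for the correct PIN on an unfrozen account."""
        if self.frozen:
            return False
        # Constant-time comparison so response timing leaks nothing.
        if hmac.compare_digest(self.secret.encode(), candidate.encode()):
            self.failed = 0
            return True
        self.failed += 1
        if self.failed >= MAX_FAILED_ATTEMPTS:
            self.frozen = True  # needs an out-of-band reset from here on
        return False
```

With the freeze in place, even the "0000" PIN from this thread gives a guesser at most 5 tries out of 10,000, which is why the later post concludes the coins were more likely phished than brute forced.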
-
By the way, no it wasn't brute forced.
The system allows you 5 failed pin attempts before it freezes your pin.
Most likely scenario is that you entered your pin in the phishing page as well as your password -- all the phishing sites ask for pin. Would be kind of useless if they didn't.
You got pwned.
Then I don't know wtf I did. I recently had changed my PIN to a random number. I did create an account on BMR. That site is lame, but I probably used the same user/pass. The PIN, I doubt I used the same one. And yes, when I saw PIN I DID think it had to be numeric for some reason. On these types of sites, I usually use the same user/pass for convenience, but I'm obviously not doing that anymore.