Monday, June 20, 2011

That which does not kill us makes us stronger

The login database for the largest (and second-oldest) Bitcoin Exchange site got loose. The site wasn't hacked:
It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised.
The good news is Mt.Gox had layered security, so your money or bitcoins stored at Mt. Gox are safe. And if you chose a strong password (my Mt.Gox password is 12 random characters, chosen and remembered by LastPass and not used for anything else) you don't have to worry, because of the way Mt. Gox stored the passwords in the database.

The bad news is lots of people still choose really bad passwords, even for financial sites.

Coming right on the heels of the discovery of bitcoin-wallet-stealing malware, that's a lot of disturbing bitcoin-related news, and I'm getting asked "what does it all mean for Bitcoin?"

I hope it means the bitcoin hype starts to calm down. The insanely rapid growth of both the number of users and the value of a bitcoin over the last month or two was unsustainable, and both the core system and all of the surrounding infrastructure (like the exchanges) need more time to "grow up."

I've said it before, and I'll say it again: Bitcoin is an experiment. Treat it like you would a promising Internet start-up company: maybe it will change the world, but realize that investing your money or time in new ideas is always risky.
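Why a strong random password survives a leak like this one while a weak one does not, worked through as an added example (mine, not code from the post or from Mt.Gox). It assumes the exchange stored a per-user random salt plus a PBKDF2-HMAC-SHA256 hash, which is my choice of scheme because the post does not say what Mt.Gox actually used; the usernames, passwords and wordlist are constructed for the demonstration:

```python
# Added example (mine, not code from the original post or from Mt.Gox):
# why a leaked password database is survivable for a strong random
# password but not for a weak one. It assumes the site stored a per-user
# random salt plus a PBKDF2-HMAC-SHA256 hash (my choice of scheme; the
# post does not say what Mt.Gox used). Usernames, passwords and the
# wordlist are constructed for the example.
import hashlib
import hmac
import os
import secrets
import string
from typing import Dict, List, Optional, Tuple

ITERATIONS = 10_000  # deliberately low so the demo runs fast; use far more in production


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user defeats precomputed tables
    and forces the attacker to run the KDF separately for every account."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute and compare in constant time (what the login page does)."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def random_password(length: int = 12) -> str:
    """What a password manager generates: uniformly random printable characters."""
    alphabet = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
    return "".join(secrets.choice(alphabet) for _ in range(length))


def search_space(length: int = 12, alphabet_size: int = 94) -> int:
    """Candidates a brute-force attacker must cover (on average half of this)."""
    return alphabet_size ** length


def build_leaked_db() -> Dict[str, Tuple[bytes, bytes]]:
    """Constructed 'leaked' table as the attacker sees it: no plaintext, only salt + hash."""
    return {
        "alice": hash_password("bitcoin"),            # weak: a word any attacker tries early
        "bob": hash_password("Password1"),            # weak: a common pattern
        "carol": hash_password(random_password(12)),  # strong: manager-generated, used nowhere else
    }


WORDLIST: List[str] = ["123456", "password", "bitcoin", "letmein", "qwerty", "mtgox", "Password1"]


def crack(db: Dict[str, Tuple[bytes, bytes]], wordlist: List[str]) -> Dict[str, str]:
    """Offline dictionary attack: nothing rate-limits the attacker once the dump is theirs.
    Returns {username: recovered_password} for every account that fell."""
    recovered: Dict[str, str] = {}
    for user, (salt, digest) in db.items():
        for guess in wordlist:
            if verify(guess, salt, digest):
                recovered[user] = guess
                break
    return recovered


if __name__ == "__main__":
    leaked = build_leaked_db()
    print("cracked:", crack(leaked, WORDLIST))           # alice and bob fall, carol does not
    print("12-char random keyspace:", search_space())   # about 4.8e23 candidates for carol
```

The attacker's cost is not the login form's rate limit but the KDF: each guess against each account is one PBKDF2 run, and a seven-word list finds alice and bob almost instantly, while carol's 94^12 keyspace is out of reach at any iteration count. The defender's two levers are the work factor (far above 10,000 in production) and getting users to pick something no wordlist will ever contain.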


Theo said...

Good advice.

Anonymous said...

Ditto what Theo said: Good advice. I'm not sure Mt.Gox will survive this but it will grow the Bitcoin community rather than shrink it. Others will see an opportunity in the Mt.Gox collapse. Now, if I could only find a BTC ebay-like site to sell stuff rather than exchanges on which to gamble, I'd be a happy camper.

BTW: You got good press in CNBC Media Money
Good job.

-rob lister

Anonymous said...

You've said it before, Gavin, but I'll say it again - end-user password management sucks. There are lots of better ways.

Anonymous said...

How safe is the password site? Or even just mentioning that you use it and what you use it for? Anyone around you in your life can now steal anything you hold in Mt.Gox. Do you completely trust everyone in your meatspace?

Gavin Andresen said...

RE: how safe is LastPass: it is safe, assuming I chose a strong master password and assuming there is no malware on my computer or cell phone that can capture my master password as I type it in. LastPass is a "trust no one" solution: they store my passwords encrypted with my master password, and my master password never leaves my computer. So even if LastPass is hacked my passwords are safe.

As for trusting everybody in my "meatspace" : I've been planning on writing a blog post on how I keep my bitcoins secure, and part of that is how I keep my computer secure, so even if somebody breaks into my office and steals it they won't be able to steal my passwords.

There is still a lot of technical work to be done to create solutions for keeping large amounts of bitcoin safe; there are no easy answers, because there is always a security/convenience tradeoff.
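A minimal version of the "trust no one" design described in the reply above, as an added example (mine; not code from the post and not LastPass's actual implementation). The client derives keys from the master password and encrypts the vault locally; the server stores only a salt, a hash of a login key, and ciphertext, so the master password itself is never transmitted. The cipher is a standard-library stand-in (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag) for a real AEAD such as AES-GCM; the account names and vault contents are constructed:

```python
# Added example (mine, not code from the original post and not LastPass's
# actual implementation): the "trust no one" vault design in miniature.
# The client stretches the master password into three keys, encrypts the
# vault locally, and sends the server only a salt, a hash of a login key,
# and ciphertext; the master password never leaves the client. The cipher
# here (HMAC-SHA256 in counter mode plus an encrypt-then-MAC tag) is a
# standard-library stand-in for a real AEAD such as AES-GCM. All names and
# vault contents are constructed.
import hashlib
import hmac
import json
import os
from typing import Dict, Optional, Tuple

KDF_ITERATIONS = 20_000  # low for the demo; real clients use far more


def derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes, bytes]:
    """One PBKDF2 run split into independent keys: encrypt, authenticate, and a
    login key that is the only password-derived value the server ever sees."""
    okm = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt,
                              KDF_ITERATIONS, dklen=96)
    return okm[:32], okm[32:64], okm[64:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 as a PRF in counter mode (toy stream cipher; see header comment)."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt_vault(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag


def decrypt_vault(enc_key: bytes, mac_key: bytes, blob: bytes) -> Optional[bytes]:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # wrong key or tampered ciphertext: refuse rather than emit garbage
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class VaultServer:
    """Everything the provider stores. None of it decrypts the vault."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Dict[str, bytes]] = {}

    def register(self, user: str, salt: bytes, login_key: bytes, blob: bytes) -> None:
        self.accounts[user] = {"salt": salt,
                               "login_hash": hashlib.sha256(login_key).digest(),
                               "blob": blob}

    def salt_for(self, user: str) -> bytes:
        return self.accounts[user]["salt"]

    def fetch(self, user: str, login_key: bytes) -> Optional[bytes]:
        acct = self.accounts[user]
        if not hmac.compare_digest(hashlib.sha256(login_key).digest(), acct["login_hash"]):
            return None
        return acct["blob"]


def client_store(server: VaultServer, user: str, master_password: str, vault: dict) -> None:
    salt = os.urandom(16)
    enc_key, mac_key, login_key = derive_keys(master_password, salt)
    blob = encrypt_vault(enc_key, mac_key, json.dumps(vault).encode("utf-8"))
    server.register(user, salt, login_key, blob)  # master password itself is never transmitted


def client_load(server: VaultServer, user: str, master_password: str) -> Optional[dict]:
    enc_key, mac_key, login_key = derive_keys(master_password, server.salt_for(user))
    blob = server.fetch(user, login_key)
    if blob is None:
        return None
    plaintext = decrypt_vault(enc_key, mac_key, blob)
    return None if plaintext is None else json.loads(plaintext)


def breach_dump(server: VaultServer, user: str) -> Dict[str, bytes]:
    """What 'LastPass is hacked' yields: salt, login hash, ciphertext. The only
    attack left is offline guessing of the master password through the KDF,
    which is why its strength (and the KDF cost) is what the design rests on."""
    return dict(server.accounts[user])
```

Two things fall out of running it. A server breach yields only what breach_dump() returns, which decrypts nothing by itself, so the provider's compromise is survivable; but that dump does let an attacker guess master passwords offline through the KDF, which is exactly why the reply conditions safety on a strong master password and why the client-side KDF cost matters. Malware that captures the master password as it is typed sidesteps all of this, as the reply also notes.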