I Was Robbed of Bitcoins at MtGox: Good Passwords and Site Trust

Enforcing strong passwords is a good policy, because it increases users' trust in your site. I think the same applies to 2-factor authentication.

I recently had two bad things happen to me. One is that I lost over $200 in bitcoins because I used a weak password that I'd used before on another site that was compromised. Obviously, that was stupid, but it's a common mistake, and I didn't really take the Bitcoin money that seriously because it was mostly a donation. I mined and worked for very little of it, and had already spent over $30 of it. It sucked, but I'm over it.

(I wasn't getting $200+ in donations. An organization I'm in got around $3 in donations, but the rising price of bitcoin increased the dollar value.)

Another is that I started using the LastPass security checker, and found out that a specific account, on Yahoo, had been compromised. It was news to me. That account may have been one of the causes of the breach - but I assumed it was actually an account I had used on Gawker (which I had later changed).

Finally, I found out one of my work addresses was found in a database of stolen passwords from Adobe. The good news was that we had a pretty complex password, but just to be safe, I installed LastPass and spent some hours changing passwords to different, more complex passwords.

Then I started on my personal passwords. I had changed around two dozen of them, years ago, to pretty good unique, complex passwords, but I had accounts on hundreds of websites. For these, I tended to use lamer passwords, and picked from a pool of a few passwords with a few variations on each. I had created, for myself, a gigantic security hole that spans dozens of websites. Fortunately, most of these sites are gone or don't have anything of value on them - but that bitcoin site was an unusual situation where something that seemed worthless became valuable over time.

Today, passwords are a security hole. The risk is twofold, in my experience. First is that the attackers can get access to one or more accounts. Second is that, once inside an account, an attacker operates with that account's elevated permissions and against a broader attack surface, with more opportunities to try further attacks.

As a user of websites, I am starting to appreciate the value of complex passwords, password managers like LastPass, and the value of 2-factor authentication to help plug the security hole of weak passwords.