Nxt Forum

Please login or register.

Login with username, password and session length
Advanced search  

News:

Latest Nxt Client: Nxt 1.11.14 - Latest Ardor Client: Ardor 2.0.14

Pages: [1]

Author Topic: Brute Force for mistyped passphrase Anyone? Reward!!  (Read 769 times)

JesusJames

  • Jr. Member
  • **
  • Offline Offline
  • Posts: 20
    • View Profile
  • Karma: +0/-0

Hi, I noobed it bigtime and sent a couple thousand NXT to an account I created by mistyping my passphrase.  If anyone can brute force the passphrase for me I'll gladly pay 500 NXT to them.  PM me if you think you can help.   Thanks.   

starfighter65

  • Jr. Member
  • **
  • Offline Offline
  • Posts: 17
    • View Profile
  • Karma: +0/-0

Basically nxt generates passwords with 12 words randomly selected from an alphabet.
You can calculate the possible permutations and it seems to me that these passwords have 232 possibilities.

It would take around 7 billion days to calculate the right combination of words you need for your passphrase.

If someone could spend 19178082191 years of his life brute forcing the passphrase for you, I think he would have asked for greater remuneration. ;)

segfaultsteve

  • Newbie
  • *
  • Offline Offline
  • Posts: 3
    • View Profile
  • Karma: +1/-0

@starfighter65 I wouldn't be so quick to dismiss this request for help...

@JesusJames, if you know the password you mistyped, then it wouldn't be hard to check for common typos, like accidentally omitting a character, transposing two characters, or substituting a different character by mistake. There aren't that many permutations. As long as you didn't mistype the password too badly, it shouldn't be hard to crack it.

Even if that doesn't work, if this was a new account and you don't have a public key yet, then I'd suspect it would still be possible to brute force. Without a public key, your account is only protected by the 64 bits of entropy in your address, not the full 256 bits of entropy in your private key. I haven't benchmarked the algorithms that Nxt uses, but I know that modern hardware can crack some 64-bit passwords quite quickly. I've also never done any GPU programming before, but it could be a fun exercise.

I'll PM you to get details.

JesusJames

  • Jr. Member
  • **
  • Offline Offline
  • Posts: 20
    • View Profile
  • Karma: +0/-0

Basically nxt generates passwords with 12 words randomly selected from an alphabet.
You can calculate the possible permutations and it seems to me that these passwords have 232 possibilities.

It would take around 7 billion days to calculate the right combination of words you need for your passphrase.

If someone could spend 19178082191 years of his life brute forcing the passphrase for you, I think he would have asked for greater remuneration. ;)

SegfaultSteve cracked it. ;D ;D ;D ;D  Didn't ask me for any compensation.  So as segfaultsteve says in the previous post, if there aren't too many typos and its only a couple characters out of place it can be done.  Mine had 2 words sandwiched together without a space in between and had an extra 'r' added to a word that would have otherwise been spelled correctly.  And he did this in a very short period of time.  So if anyone else out there has this same issue, and knows their passphrase for the most part, ask segfault if he can help you.  I've learned to copy and paste my passphrase.  Had I known that a new account could be created by typing any combination of characters, I'd never have tried to type in the passphrase manually in the first place.  I think more emphasis needs to be put on this to newcomers.   

x7p5a23b

  • Newbie
  • *
  • Offline Offline
  • Posts: 3
    • View Profile
  • Karma: +0/-0

The same happened for me in the beginning, was able to figure out the typo. The new ardor client gives you a warning if you enter a new (possibly misspelled) passphrase. Glad to hear that you resolved it.

tinamc

  • Newbie
  • *
  • Offline Offline
  • Posts: 1
    • View Profile
  • Karma: +0/-0

I am having the same problem. Trying to access wallet. I have written down the passphrase but  have obviously mistyped when sending coins. Have tried as many variations as I can with no 3lh. Really affecting my sanity now..

segfaultsteve

  • Newbie
  • *
  • Offline Offline
  • Posts: 3
    • View Profile
  • Karma: +1/-0

My program can detect up to two typos, where each typo is a combination of up to four deletions and up to two insertions. It will only work if you didn't mistype your password too badly. I'll PM you.

By the way, in case anybody is interested, I was waaaay wrong about being able to brute force a passphrase that maps to a given 64-bit address. Nxt and Ardor use the following steps to derive your account number:

passphrase ---sha256---> seed for private key ---Curve25519---> private key, public key pair ---sha256-of-public-key---> account number

So for each guess, you have to do two steps of sha256 and an elliptic curve step. For a single sha256 step, if you had all of the hashpower securing the Bitcoin blockchain, you could try 2^64 sha256 hashes in about a second. So that gives you an idea of what kind of power it would take to brute force. Even a whole rack of top-end GPUs would be about a factor of a billion slower, so it would take more than 30 years to do 2^64 sha256 steps. And I'm sure the elliptic curve step would also slow you down.

It's still a good idea to broadcast your public key to secure your count with its full 256 bits of entropy, but you probably don't need to rush.
Pages: [1]