Is 12 words enough for a passphrase?
Author Topic: Is 12 words enough for a passphrase?  (Read 5755 times)

leo+

Is 12 words enough for a passphrase?
« on: August 15, 2015, 02:10:03 am »

Quote
Please write down or memorize these 12 words (their order and capitalization matters - always lowercase). This passphrase is needed in order to access your Nxt account.

There has been some talk about the danger of brain wallets in general. I've been wondering if 12 random words, as generated by the Nxt wallet, are actually enough to be safe and secure?

What if in the future there is a botnet that tries attacking the Nxt network to crack into people's wallets?

Logged

leo+

Re: Is 12 words enough for a passphrase?
« Reply #1 on: August 15, 2015, 02:46:46 am »

Quote
Please write down or memorize these 12 words (their order and capitalization matters - always lowercase). This passphrase is needed in order to access your Nxt account.

There has been some talk about the danger of brain wallets in general. I've been wondering if 12 random words, as generated by the Nxt wallet, are actually enough to be safe and secure?

What if in the future there is a botnet that tries attacking the Nxt network to crack into people's wallets? Maybe the default should be 24 words? Twice as secure... ?
Logged

jones

Re: Is 12 words enough for a passphrase?
« Reply #2 on: August 15, 2015, 03:14:37 am »

Quote
Please write down or memorize these 12 words (their order and capitalization matters - always lowercase). This passphrase is needed in order to access your Nxt account.

There has been some talk about the danger of brain wallets in general. I've been wondering if 12 random words, as generated by the Nxt wallet, are actually enough to be safe and secure?

What if in the future there is a botnet that tries attacking the Nxt network to crack into people's wallets?

12-word passphrases are secure; I have personally audited the code and done the math, and they are secure.

They use the JavaScript secure random number generator to produce the necessary entropy and select words from a wordlist of 1626 different words. This gives us 1626^12 possible combinations and an entropy level of
log(1626^12) / log(2) = 128 bits of entropy

This is an arbitrarily large number, with 38 decimal places; even with one trillion guesses a second, it would take until beyond the heat death of the universe to compute the entire keyspace.

I would not worry about the 12-word seed; the bigger issue is quantum computers breaking elliptic curve cryptography, but that won't be for another 15 or so years.
Logged
-- Jones NXT-RJU8-JSNR-H9J4-2KWKY

jl777

Re: Is 12 words enough for a passphrase?
« Reply #3 on: August 15, 2015, 04:13:39 am »

Quote
Please write down or memorize these 12 words (their order and capitalization matters - always lowercase). This passphrase is needed in order to access your Nxt account.

There has been some talk about the danger of brain wallets in general. I've been wondering if 12 random words, as generated by the Nxt wallet, are actually enough to be safe and secure?

What if in the future there is a botnet that tries attacking the Nxt network to crack into people's wallets?

12-word passphrases are secure; I have personally audited the code and done the math, and they are secure.

They use the JavaScript secure random number generator to produce the necessary entropy and select words from a wordlist of 1626 different words. This gives us 1626^12 possible combinations and an entropy level of
log(1626^12) / log(2) = 128 bits of entropy

This is an arbitrarily large number, with 38 decimal places; even with one trillion guesses a second, it would take until beyond the heat death of the universe to compute the entire keyspace.

I would not worry about the 12-word seed; the bigger issue is quantum computers breaking elliptic curve cryptography, but that won't be for another 15 or so years.

JS RNG is the weakest link.
Logged
There are over 1000 people in SuperNET slack! http://slackinvite.supernet.org/ automatically sends you an invite

I am just a simple C programmer

CryptKeeper

Re: Is 12 words enough for a passphrase?
« Reply #4 on: August 15, 2015, 06:33:29 am »

Quote
Please write down or memorize these 12 words (their order and capitalization matters - always lowercase). This passphrase is needed in order to access your Nxt account.

There has been some talk about the danger of brain wallets in general. I've been wondering if 12 random words, as generated by the Nxt wallet, are actually enough to be safe and secure?

What if in the future there is a botnet that tries attacking the Nxt network to crack into people's wallets?

12-word passphrases are secure; I have personally audited the code and done the math, and they are secure.

They use the JavaScript secure random number generator to produce the necessary entropy and select words from a wordlist of 1626 different words. This gives us 1626^12 possible combinations and an entropy level of
log(1626^12) / log(2) = 128 bits of entropy

This is an arbitrarily large number, with 38 decimal places; even with one trillion guesses a second, it would take until beyond the heat death of the universe to compute the entire keyspace.

I would not worry about the 12-word seed; the bigger issue is quantum computers breaking elliptic curve cryptography, but that won't be for another 15 or so years.

JS RNG is the weakest link.

IMHO the RNG flaws in OpenSSL and others show that the best strategy is to combine several RNG providers.
Logged
Follow me on twitter for the latest news on bitcoin and altcoins!
Vanity Accounts Sale :-)

whale

Re: Is 12 words enough for a passphrase?
« Reply #5 on: August 15, 2015, 07:05:49 am »

Just create a custom password with additional words  ;)
Logged

coretechs

Re: Is 12 words enough for a passphrase?
« Reply #6 on: August 15, 2015, 01:07:59 pm »

JS RNG is the weakest link.

IMHO the RNG flaws in OpenSSL and others show that the best strategy is to combine several RNG providers.

That's why I created this tool - http://nxtportal.org/tools/diceware_passphrase.html

It uses a combination of mouse & timing input data + "secure" JS RNG functions to generate a hash stream that is used as the source for dice rolls. The Diceware wordlist is 7776 words, so a 12-word passphrase has ~150+ bits of entropy.

Just remember that there is a much bigger risk of a keystroke logger than someone cracking your super-secure passphrase. You can put as many locks as you want on the door, but they don't help if the window is open.
Logged
https://ardorportal.org - Ardor blockchain explorer | https://nxtportal.org - Nxt blockchain explorer | http://bitcoindoc.com - The Rise and Rise of Bitcoin
ARDOR-T43P-R2K9-8W79-9W2AL | NXT-WY9K-ZMTT-QQTT-3NBL7

leo+

Re: Is 12 words enough for a passphrase?
« Reply #7 on: August 15, 2015, 03:13:02 pm »

JS RNG is the weakest link.

IMHO the RNG flaws in OpenSSL and others show that the best strategy is to combine several RNG providers.

That's why I created this tool - http://nxtportal.org/tools/diceware_passphrase.html

It uses a combination of mouse & timing input data + "secure" JS RNG functions to generate a hash stream that is used as the source for dice rolls. The Diceware wordlist is 7776 words, so a 12-word passphrase has ~150+ bits of entropy.

Just remember that there is a much bigger risk of a keystroke logger than someone cracking your super-secure passphrase. You can put as many locks as you want on the door, but they don't help if the window is open.

I like this better than the current version in the Nxt client. Is there any way the devs of Nxt can upgrade the RNG in the Nxt client?
Is there any safe tool to test what the entropy of a passphrase is? My passphrase is a combination of random characters/numbers and words.
Logged

CryptKeeper

Re: Is 12 words enough for a passphrase?
« Reply #8 on: August 15, 2015, 04:10:39 pm »

JS RNG is the weakest link.

IMHO the RNG flaws in OpenSSL and others show that the best strategy is to combine several RNG providers.

That's why I created this tool - http://nxtportal.org/tools/diceware_passphrase.html

It uses a combination of mouse & timing input data + "secure" JS RNG functions to generate a hash stream that is used as the source for dice rolls. The Diceware wordlist is 7776 words, so a 12-word passphrase has ~150+ bits of entropy.

Just remember that there is a much bigger risk of a keystroke logger than someone cracking your super-secure passphrase. You can put as many locks as you want on the door, but they don't help if the window is open.

Yes, but the difference with a bad RNG is that someone could crack my passphrase without having access to my computer. Access to the blockchain is sufficient for that. If you lose your password to a keylogger, the malware must have managed to infect your computer before that.

I must always remember this cartoon when I think about passphrase security. I think it describes the situation well: :D

Logged
Follow me on twitter for the latest news on bitcoin and altcoins!
Vanity Accounts Sale :-)

Brangdon

Re: Is 12 words enough for a passphrase?
« Reply #9 on: August 16, 2015, 03:17:40 pm »

This is an arbitrarily large number, with 38 decimal places; even with one trillion guesses a second, it would take until beyond the heat death of the universe to compute the entire keyspace.
Also, 128 bits is about the same level of security as the Nxt core. Nxt uses 256-bit keys with elliptic curve cryptography, but there are fast ways to attack it, meaning the core security is rated as equivalent to 128 bits. So using more than 12 words won't make the security any stronger, because beyond that length the attacker won't be using brute-force password attempts anyway.
Logged

farl4bit

Re: Is 12 words enough for a passphrase?
« Reply #10 on: August 16, 2015, 03:26:28 pm »

Logged