WARNING! PLEASE READ BEFORE MAKING YOUR NXT ACCOUNT!

Author Topic: WARNING! PLEASE READ BEFORE MAKING YOUR NXT ACCOUNT!  (Read 29545 times)

firefighter

  • Jr. Member
  • Karma: +5/-1
  • Posts: 70
Re: WARNING! PLEASE READ BEFORE MAKING YOUR NXT ACCOUNT! [Please Sticky]
« Reply #20 on: August 08, 2014, 07:41:28 am »

Hi,

I've taken a first look at the client password generator. If I assume the words are selected in an absolutely random way, the security of this 12-word passphrase will match an entropy of 128 bits, so it has the same strength as the other crypto concepts in Nxt.

If the devs would use the original diceware list they would get an entropy of 129 bits with just a 10-word passphrase. Anyhow I think 128 bits are too paranoid anyway.
I suggest using 8 words (out of the 8k diceware list); that is easier to remember and still at 104-bit strength.

I'll check the source code to be sure about randomness. Since I'm not a real programmer it will take some time.


FireF
 

Logged
NXT-SYDZ-HECY-YF3A-76E5Q

antanst

  • Full Member
  • Karma: +36/-0
  • Posts: 216
    • nxtblocks.info
Re: WARNING! PLEASE READ BEFORE MAKING YOUR NXT ACCOUNT! [Please Sticky]
« Reply #21 on: August 08, 2014, 08:52:26 am »

Here's what I use for quick and strong random password generation without leaving my browser.

Save the following in an .html file and bookmark it on your Firefox/Chrome browser:

Code:
<html>
<h1><pre style="font-family:Consolas,Liberation Mono,monospace;" id="pass"></pre></h1>
<script>
(function () {
  // 15 random bytes (120 bits) from the browser CSPRNG
  var buf = new Uint8Array(15);
  window.crypto.getRandomValues(buf);
  // Base64-encode the bytes: 15 bytes give 20 characters, no padding
  document.getElementById('pass').textContent = btoa(String.fromCharCode.apply(null, buf));
})();
</script>
</html>

With a click on this bookmark, you'll have a strong, 120-bit password ready to copy-paste. Untested in IE, probably needs window.msCrypto instead of window.crypto to work.
Logged

Eadeqa

  • Hero Member
  • Karma: +83/-68
  • Posts: 1888
Re: WARNING! PLEASE READ BEFORE MAKING YOUR NXT ACCOUNT! [Please Sticky]
« Reply #22 on: August 08, 2014, 09:04:52 am »

Quote
If the devs would use the original diceware list they would get an entropy of 129 bits with just a 10-word passphrase.

Diceware words are weird and include non-pronounceable words like "a-z". If we were to use a larger dictionary, I like this one better:
https://docs.google.com/file/d/0B7kbeA6whDvNMWJqNTQwcTBJM00

Quote
Anyhow I think 128 bits are too paranoid anyway. I suggest using 8 words (out of the 8k diceware list); that is easier to remember and still at 104-bit strength.

No, the problem is that if too many people use passwords made by the nxt client, the entropy drops as the attacker has to find any random account. For example, if 10 million people used the nxt client to generate a password, and if the attacker needs to find any random account of 10 million accounts, his difficulty drops to 2^128 / 10 million, or about 2^104 difficulty. It's still pretty safe, but we should increase the strength of the client-generated password to about 2^150. The link I posted has 7150 words (2^153 with 12 words), and if the client was using that dictionary, that will be better in my opinion just in case we get 10 million Nxt users 5 years from now all of whom made their password with the client (unlikely but still it bothers me).

Quote
I'll check the source code to be sure about randomness. Since I'm not a real programmer it will take some time.

On all modern browsers, the client uses crypto.getRandomValues which should be secure. On older browsers it uses mouse movements from the user to gather entropy. In any case, it was looked at by some people and seemed to be secure.
« Last Edit: August 08, 2014, 09:16:48 am by Eadeqa »
Logged
NXT-GZYP-FMRT-FQ9K-3YQGS

firefighter

  • Jr. Member
  • Karma: +5/-1
  • Posts: 70
Re: WARNING! PLEASE READ BEFORE MAKING YOUR NXT ACCOUNT! [Please Sticky]
« Reply #23 on: August 08, 2014, 11:04:02 am »

Hi Eadeqa,

Quote
Diceware words are weird and include non-pronounceable words like "a-z". If we were to use a larger dictionary, I like this one better:
https://docs.google.com/file/d/0B7kbeA6whDvNMWJqNTQwcTBJM00

Yeah but still good to remember. But ...

Quote
No, the problem is that if too many people use passwords made by the nxt client, the entropy drops as the attacker has to find any random account. For example, if 10 million people used the nxt client to generate a password, and if the attacker needs to find any random account of 10 million accounts, his difficulty drops to 2^128 / 10 million, or about 2^104 difficulty. It's still pretty safe, but we should increase the strength of the client-generated password to about 2^150. The link I posted has 7150 words (2^153 with 12 words), and if the client was using that dictionary, that will be better in my opinion just in case we get 10 million Nxt users 5 years from now all of whom made their password with the client (unlikely but still it bothers me).

That is a valid point, which I didn't see. :-)
Okay 12 words should be good. And yes we should use your list instead of the current one.

Quote
I'll check the source code to be sure about randomness. Since I'm not a real programmer it will take some time.

On all modern browsers, the client uses crypto.getRandomValues which should be secure. On older browsers it uses mouse movements from the user to gather entropy. In any case, it was looked at by some people and seemed to be secure.

Will check :-)

FireF
Logged
NXT-SYDZ-HECY-YF3A-76E5Q

firefighter

  • Jr. Member
  • Karma: +5/-1
  • Posts: 70
Re: WARNING! PLEASE READ BEFORE MAKING YOUR NXT ACCOUNT! [Please Sticky]
« Reply #24 on: August 11, 2014, 03:32:11 pm »

Hi All,

checked :-)

The passphrase generator in the default nxt client generates the 12 passwords in 4 groups with 3 words each.
For every group an extra random value is used. I first assumed that the dependency of the 3 words in each group leads to a smaller entropy. But after doing some math and some tests I see there is no loss of entropy at all. So each group still has an entropy of 32 bits (4 groups = 128 bits).

Maybe some dev can tell the reason behind not using 12 random values at the beginning. (Maybe it is a good practice)

The module which generates the random numbers also looks good.

So from my point of view, it is good advice to use the 12 words from the default client and not your own password unless you really know how to choose a good one.


FireF
Logged
NXT-SYDZ-HECY-YF3A-76E5Q
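
The two calculations from the replies above (firefighter's finding that four 3-word groups lose no entropy, and Eadeqa's multi-target estimate), as an added example that is not part of any post and not the Nxt client's own code. It assumes a 1626-word list (consistent with 12 words giving about 128 bits) and an Electrum-style mapping of one 32-bit value to three chained word indices; all function names are made up for the illustration.

```javascript
// Added illustration, not the Nxt client's source.
// ASSUMPTIONS: a 1626-word list, and one 32-bit value per 3-word group.
const N = 1626;

// Map a 32-bit unsigned integer to three chained word indices.
function encodeGroup(x, n = N) {
  const w1 = x % n;
  const w2 = (Math.floor(x / n) + w1) % n;
  const w3 = (Math.floor(x / (n * n)) + w2) % n;
  return [w1, w2, w3];
}

// Undo the chaining to get the base-n digits back, then rebuild x.
// Exact only while n^3 >= 2^32; otherwise the top digit was reduced mod n.
function decodeGroup([w1, w2, w3], n = N) {
  const d1 = (w2 - w1 + n) % n;
  const d2 = (w3 - w2 + n) % n;
  return w1 + n * d1 + n * n * d2;
}

// Upper bound on one group's entropy in bits: 32 when the mapping is
// injective (n^3 >= 2^32), otherwise limited to 3*log2(n).
function groupBits(n = N) {
  return Math.min(32, 3 * Math.log2(n));
}

// Draw one 32-bit value per group from the CSPRNG and encode each as indices.
// `fill` is injectable so the mapping can be checked with fixed inputs.
function generateIndices(groups = 4, fill = (b) => globalThis.crypto.getRandomValues(b)) {
  const buf = new Uint32Array(groups);
  fill(buf);
  return Array.from(buf, (x) => encodeGroup(x));
}

// Bits of work to hit ANY one of `targets` accounts that each hold `bits` bits.
function effectiveBits(bits, targets) {
  return bits - Math.log2(targets);
}

// Constructed check value: the largest 32-bit input survives a round trip.
const roundTripOk = decodeGroup(encodeGroup(0xffffffff)) === 0xffffffff;
```

With a 1024-word list the same mapping would fold 2^32 inputs onto 2^30 triples, so each group would carry only 30 bits.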

Dread Pirate Roberts

  • Newbie
  • Karma: +0/-0
  • Posts: 2
  • We have a big plan.
Re: WARNING! PLEASE READ BEFORE MAKING YOUR NXT ACCOUNT! [Please Sticky]
« Reply #25 on: August 12, 2014, 05:35:51 pm »

I think OP fill random.org on the thread to make sure people know how to generate great password.
For who hacker hard to crack it.
Logged
You will not believe what you see for now .

harvest1st

  • Newbie
  • Karma: +0/-0
  • Posts: 11
Re: WARNING! PLEASE READ BEFORE MAKING YOUR NXT ACCOUNT! [Please Sticky]
« Reply #26 on: September 18, 2014, 02:59:04 am »

I think this is a strong password

lkdjflsdjfsoaulsjdflsjda;js;lgfjsojpaieopjf;l

paste to notepad  ;D
Logged

Daedelus

  • Hero Member
  • Karma: +230/-12
  • Posts: 3280
Re: WARNING! PLEASE READ BEFORE MAKING YOUR NXT ACCOUNT!
« Reply #27 on: March 24, 2015, 09:54:17 am »

onesmallstepformanonegiantleapformankind

was also cracked IIRC..  ;D

And a Bible quote in another.

Logged
NXT: NXT-4CS7-S4N5-PTH5-A8R2Q

lcharles123

  • Jr. Member
  • Karma: +7/-7
  • Posts: 75
Re: WARNING! PLEASE READ BEFORE MAKING YOUR NXT ACCOUNT!
« Reply #28 on: April 02, 2015, 01:06:28 pm »

Use this site to generate good passwords: ;)
https://identitysafe.norton.com/password-generator/#
Logged

SafeFund

  • Guest
Re: WARNING! PLEASE READ BEFORE MAKING YOUR NXT ACCOUNT!
« Reply #29 on: August 26, 2015, 01:21:27 am »

The Safefund NXT account has a 76-character random password generated by static radio noise (in case my PC's RNG is compromised), converted into binary on an offline PC, then the bits shuffled 250 times with a pseudorandom generator, then I converted the bit string into random ASCII characters, then I cut off a random ASCII string of 76 characters from it, and then I added a few random symbols into it manually.

I can really say that the fund is safe :)
« Last Edit: August 26, 2015, 01:23:50 am by SafeFund »
Logged

BlueSky55

  • Jr. Member
  • Karma: +11/-0
  • Posts: 45
Re: WARNING! PLEASE READ BEFORE MAKING YOUR NXT ACCOUNT!
« Reply #30 on: March 06, 2016, 12:32:55 pm »


...
« Last Edit: March 09, 2016, 05:04:38 pm by BlueSky55 »
Logged

mamagenit

  • Newbie
  • Karma: +1/-0
  • Posts: 3
Re: WARNING! PLEASE READ BEFORE MAKING YOUR NXT ACCOUNT!
« Reply #31 on: June 28, 2016, 10:13:04 am »

Is it possible to remember up to 30 words of the password? ::)
Logged

lurker10

  • Hero Member
  • Karma: +168/-33
  • Posts: 1334
Re: WARNING! PLEASE READ BEFORE MAKING YOUR NXT ACCOUNT!
« Reply #32 on: June 28, 2016, 10:37:10 am »

Quote
Is it possible to remember up to 30 words of the password? ::)

30 words is too many, I think the NXT client generates 12-word passphrases for new accounts?
Use Keepass to store the passphrase if you can't remember it: http://keepass.info/
For double protection write it on a piece of paper, or carve on wood, metal and don't show it to anyone :)
Logged
Run a node - win a prize! "Lucky node" project jar: NXT-8F28-EDVE-LPPX-HY4E7

martismartis

  • Hero Member
  • Karma: +73/-10
  • Posts: 1237
Re: WARNING! PLEASE READ BEFORE MAKING YOUR NXT ACCOUNT!
« Reply #33 on: June 28, 2016, 10:54:41 am »

Quote
Is it possible to remember up to 30 words of the password? ::)

30 words is too many, I think the NXT client generates 12-word passphrases for new accounts?
Use Keepass to store the passphrase if you can't remember it: http://keepass.info/
For double protection write it on a piece of paper, or carve on wood, metal and don't show it to anyone :)

And double check that your passphrase opens the same account :)
Logged

aini

  • Newbie
  • Karma: +1/-0
  • Posts: 3
Re: WARNING! PLEASE READ BEFORE MAKING YOUR NXT ACCOUNT!
« Reply #34 on: July 10, 2016, 03:03:29 pm »

Good to know!!! Looking forward to changing my pass! :)
Logged

Ice Cream

  • Newbie
  • Karma: +1/-0
  • Posts: 4
Re: WARNING! PLEASE READ BEFORE MAKING YOUR NXT ACCOUNT!
« Reply #35 on: August 23, 2017, 12:55:58 am »

This has been an amazing read.

Truthfully, I don't know much about password security, but my identity was stolen many years ago due to leaving a laptop in view in my car (I know, that was stupid). After a year of putting my life back together, I implemented a much more robust approach to account security - using 20 character randomly generated passwords, and no two accounts had the same password (well, at least the important ones). No problem for five years.

Then I started getting involved in blockchain stuff this year (for education and fun really, but maybe a little investment too) and I read that 20 characters is not enough. Wow. So, all my blockchain accounts are 32 character, randomly generated from passwords generator (dot) net.

Is that good enough? I am not the NSA, and I don't have a gazillion dollars :-)

Peace, Love and...

Ice Cream
Logged

LimKi54

  • Newbie
  • Karma: +0/-0
  • Posts: 11
Re: WARNING! PLEASE READ BEFORE MAKING YOUR NXT ACCOUNT!
« Reply #36 on: November 09, 2017, 12:46:15 pm »

Thanks, it's important
Logged