Topic: WARNING! PLEASE READ BEFORE MAKING YOUR NXT ACCOUNT!  (Read 29017 times)

colin012
WARNING! PLEASE READ BEFORE MAKING YOUR NXT ACCOUNT!
« on: August 05, 2014, 06:40:21 pm »

WARNING! RECENT ATTACKS ON NEW ACCOUNTS HAVE STOLEN NEW COMMUNITY MEMBERS' FUNDS AS SOON AS THEY RECEIVE THEM!!!!

HERE IS HOW YOU AVOID IT!!!!

You may think you know how to make a strong password but, trust me, when it comes to a NXT Account, you don't! There have been recent thefts of new members funds! This has scared many new NXTers away!

The problem is that a password is all that is needed for someone to access a NXT account! No user name is needed and no wallet file is needed! Because of this, someone (or multiple someones) has written a program that opens many NXT accounts simultaneously by entering in thousands of passwords per second and keeping the accounts open! Whenever someone enters in their password for the first time, chances are that the attacker already has the account open and that anything sent to that account will immediately be sent to the attacker! A lot of NXT has been stolen from many new users this way!

A typical 8 character password is not safe! It doesn't matter if you use upper case, lowercase, and special characters! I don't care if you use Arabic characters! 8 is still not enough! 10 is not enough! 20 is not enough! 29 is not enough!

Here are 2 ways you can protect yourself and your NXT from this kind of attack. If you do either of these, I guarantee your account WILL BE SAFE from this type of attack! You will have NOTHING TO FEAR...

A) USE THE PASSWORD GENERATOR! It will create a very strong password for you! A password made by this generator IS NOT VULNERABLE to this kind of an attack! To put it another way; a password made by this generator IS SAFE! If you use the password generator, you have nothing to fear!

B) Make a custom password that is at least 30 characters long! A password of this length, even if it is all lower case, IS SAFE! If you doubt yourself at all, USE THE PASSWORD GENERATOR! A guide on creating a strong custom password can be found here: http://nxter.org/protect-your-nxt/


I cannot stress enough how important it is that you do one of these two things for your own safety! I promise that if you do either of these things, you will be 100% (well 99.99999999999999999999999999999999999999999999999999999999999999999999%) safe from these types of attacks.

If you follow one of the two methods listed above for creating a new account, then you will not be vulnerable to these attacks. I guarantee your safety; you have nothing to worry about and can completely disregard the urgency of this post.

Tips on creating a strong custom password!
For anyone who wants a custom password, here are some tips to follow! Thanks firefighter!

0. The strength of a password creation system is not how many letters, digits, and symbols you end up with, but how many ways you could get a different result using the same system. (Origin: agilebits.com)
  - Only real random passwords are secure.
  - If a pattern occurs or you use common tips to create memorable passwords, then you don't have a random password at all.
  - You should always look at http://blog.agilebits.com/2011/06/21/toward-better-master-passwords/ to understand password security.
1. Take the 12-word password which is suggested by the NXT client.
  - This is far more secure than selecting a password yourself, in most cases.
  - Don't generate passwords with a pattern, because password crackers know such patterns too.
2. Use a strong password generator in combination with a password manager.
  - 1Password, for example.
3. If you need a strong password which is easy to remember, for example the master password of the password manager, see www.diceware.com


Examples of passwords that were cracked!
These passwords are NOT examples of good passwords! All of these passwords have been cracked. Thanks Eadeqa for providing this:
Quote from: Eadeqa
Philippians4:6-7
qeadzcwrsfxv1331
k1araj0hns0n
Sh1a-labe0uf
Apr!l221973
Qbesancon321
DG091101%
« Last Edit: January 11, 2015, 05:44:53 pm by farl4bit »
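Added example (not part of colin012's post and not NXT project code): the precomputation attack the post describes, in runnable Python. The account derivation follows NXT's published scheme as I understand it (SHA-256 of the passphrase as the Curve25519 scalar, account number = first 8 bytes of SHA-256 of the public key, little-endian); treat that exact mapping as an assumption. The attacker's word list is a constructed stand-in for a leaked-password corpus. The point the code makes is the one the post makes: nothing but the passphrase selects the account, so anyone who has already derived the account from a guessable passphrase can sweep it the moment it is funded.

```python
"""Precomputation attack on passphrase-only ("brain wallet") accounts.

Added example; this is not code from the NXT project or from the thread.
Account derivation follows NXT's published scheme as I understand it
(SHA-256 of the passphrase as the Curve25519 scalar, account number = first
8 bytes of SHA-256 of the public key, little-endian); treat the exact mapping
as an assumption. The attack itself does not depend on those details: any
scheme where the passphrase alone determines the account can be precomputed.
"""
import hashlib

P = 2**255 - 19   # Curve25519 field prime
A24 = 121665      # (486662 - 2) / 4, the Montgomery ladder constant


def _cswap(swap, a, b):
    """Swap a and b when swap == 1 (value-level; Python ints are not constant-time)."""
    return (b, a) if swap else (a, b)


def x25519_public_key(secret: bytes) -> bytes:
    """RFC 7748 Montgomery ladder on the base point u=9.

    Clamps the 32-byte secret exactly as Curve25519.keygen() does and returns
    the public key (u-coordinate of scalar*G) as 32 little-endian bytes.
    """
    k = bytearray(secret)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    scalar = int.from_bytes(k, "little")
    x1, x2, z2, x3, z3, swap = 9, 1, 0, 9, 1, 0
    for t in range(254, -1, -1):
        bit = (scalar >> t) & 1
        swap ^= bit
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = bit
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb)) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def nxt_account_id(passphrase: str) -> int:
    """Numeric account id as NXT derives it (assumed scheme, see module docstring)."""
    secret = hashlib.sha256(passphrase.encode("utf-8")).digest()
    public_key = x25519_public_key(secret)
    return int.from_bytes(hashlib.sha256(public_key).digest()[:8], "little")


# Constructed stand-in for the attacker's dictionary. A real attacker feeds
# leaked-password corpora (hundreds of millions of entries) plus mangling rules
# through the same function, once, and keeps the resulting table forever.
ATTACKER_WORDLIST = [
    "password", "password1", "123456", "letmein", "qwerty123",
    "nxt", "Philippians4:6-7", "k1araj0hns0n", "Apr!l221973",
]


def build_precomputed_table(wordlist):
    """Attacker side: account id -> passphrase, computed offline ahead of time."""
    return {nxt_account_id(w): w for w in wordlist}


def attacker_can_sweep(table, account_id):
    """Deposit watcher: returns the passphrase if the funded account was precomputed.

    In the attack described in the thread the attacker watches the chain for
    incoming transfers to any id in the table and signs a transfer out at once,
    because a known passphrase *is* the private key.
    """
    return table.get(account_id)


if __name__ == "__main__":
    table = build_precomputed_table(ATTACKER_WORDLIST)
    strong = "XeVpe4wcygr9 Fp7fq7aHSRNupa5 not in any list"   # constructed, random-looking
    for phrase in ("password1", strong):
        acct = nxt_account_id(phrase)
        print(f"{phrase!r}: account {acct}, already in attacker table: "
              f"{attacker_can_sweep(table, acct) is not None}")
```

The table is built once and costs the attacker one Curve25519 key generation per candidate; after that every new account funded from a passphrase in the table is lost before the owner even sees the deposit. Length is not what matters: "Philippians4:6-7" is 16 characters and is in the table.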

gs02xzz
Re: WARNING! PLEASE READ BEFORE MAKING YOUR NXT ACCOUNT! [Please Sticky]
« Reply #1 on: August 05, 2014, 06:54:44 pm »

Don't try to make a pass phrase/word which you can remember.

colin012
Re: WARNING! PLEASE READ BEFORE MAKING YOUR NXT ACCOUNT! [Please Sticky]
« Reply #2 on: August 05, 2014, 06:55:09 pm »

Quote
Example of a good password:

JA2pi$P0nWaVEM$rHCy9F%lJmr4vDlo47wWa&4@$b&6&Q&c3qJ8%dmuBBNR@g4b06pu%!FPRzis*rj@G9t1g4zp^ga5q9W4^x5k

That is a good custom password, yes! However, the password generator also creates good passwords. :)

colin012
Re: WARNING! PLEASE READ BEFORE MAKING YOUR NXT ACCOUNT! [Please Sticky]
« Reply #3 on: August 05, 2014, 06:56:19 pm »

Quote from: gs02xzz on August 05, 2014, 06:54:44 pm
Don't try to make a pass phrase/word which you can remember.

Fair enough point; however, if you are using a password manager it doesn't matter whether you can remember it or not, as long as you have it written down somewhere.

mikesbmw
Re: WARNING! PLEASE READ BEFORE MAKING YOUR NXT ACCOUNT! [Please Sticky]
« Reply #4 on: August 05, 2014, 07:03:02 pm »

I was in a Google hangout a few days ago with a few people from here and one of them showed an easy-to-remember way of making a secure password (his name is Silvio, I just found out).

I'll try to recreate what he did (roughly):

1. He had ANY plastic card from his wallet (his actual wallet), in his case an opera admittance card, from which he used the barcode.
2. He used his "brother's" name.
3. He used an introductory bit.

With all this he created: PW = Peter %84736293%!

According to Kaspersky that password would take 10,000+ centuries to crack on a supercomputer.

Guy from the Hangout: if you see this post, please post your video  ;)

« Last Edit: August 05, 2014, 07:05:43 pm by mikesbmw »

colin012
Re: WARNING! PLEASE READ BEFORE MAKING YOUR NXT ACCOUNT! [Please Sticky]
« Reply #5 on: August 05, 2014, 07:22:50 pm »

Quote from: mikesbmw on August 05, 2014, 07:03:02 pm

That is 21 characters which is pretty good but the number generally agreed on when it comes to NXT is 30+ characters. However, what you suggested would be great for a password manager.

mikesbmw
Re: WARNING! PLEASE READ BEFORE MAKING YOUR NXT ACCOUNT! [Please Sticky]
« Reply #6 on: August 05, 2014, 09:10:23 pm »

Quote from: colin012 on August 05, 2014, 07:22:50 pm
That is 21 characters which is pretty good but the number generally agreed on when it comes to NXT is 30+ characters. However, what you suggested would be great for a password manager.
The thing is: I don't have my passwords with me all the time. It's a lot easier when you can remember your password.
It's another way of creating the famous "horse battery staple"  ;)

Currently mine is generated by Keepass and is 150 characters long (yes, I went a bit overboard on that one  ;D )

CryptKeeper
WARNING! PLEASE READ BEFORE MAKING YOUR NXT ACCOUNT! [Please Sticky]
« Reply #7 on: August 05, 2014, 09:31:40 pm »

Anybody using a yubikey? I've heard you can paste a long static password by one touch of a button and then type in an app/site specific additional suffix. Sounds pretty safe to me and is easy to use.

Eadeqa
Re: WARNING! PLEASE READ BEFORE MAKING YOUR NXT ACCOUNT! [Please Sticky]
« Reply #8 on: August 05, 2014, 09:36:01 pm »

Quote from: colin012 on August 05, 2014, 06:40:21 pm
20 is not enough! 29 is not enough!

Really?  If anyone can break this 15 character password I will send them 50,000 Nxt

SHA256 hash of the password:  3164898B4DEE3FD994BCEA75F2C06B22903A8F89D3708C3FA666BA75C6EFB593

Just to make it easy: there are no special characters -- just letters and numbers

The offer is open for a year. The largest successful publicly known brute force was against 64-bit (weaker than 12 char), so I won't be losing sleep over this.





Eadeqa
Re: WARNING! PLEASE READ BEFORE MAKING YOUR NXT ACCOUNT! [Please Sticky]
« Reply #9 on: August 06, 2014, 11:56:01 am »

Quote from: Eadeqa on August 05, 2014, 09:36:01 pm

Just to be clear, this password looks similar to this: "Fp7fq7aHSRNupa5". This is exactly 15 characters (not 14, not 16, exactly 15 characters, and no special characters). Easy.

SHA256 hash is: 3164898B4DEE3FD994BCEA75F2C06B22903A8F89D3708C3FA666BA75C6EFB593

I will pay 50,000 nxt plus one nemstake token to anyone who can break it in one year.

Just to put some sense into "29+ char password is not enough": people have been trying to "crack" the darknxt account here

https://nxtforum.org/general-discussion/nxt-account-miner-new-version/

There are 20 million darknxt (about $800,000)

No one has (yet) succeeded.

If someone builds a machine that can crack a darknxt account in just one second (can even the NSA do that?), cracking this 15 char password would still take more than a year on that machine.

Another example: the entire bitcoin network (100k+ dollars in electricity per day?) has a hash rate of 125,000,000,000,000,000 hashes per second.

It will take the entire bitcoin network (at current rate) about 100 years (on average) to break this 15 character password.

So good luck to everyone who tries!
« Last Edit: August 06, 2014, 12:35:55 pm by Eadeqa »

shin
Re: WARNING! PLEASE READ BEFORE MAKING YOUR NXT ACCOUNT! [Please Sticky]
« Reply #10 on: August 06, 2014, 03:51:00 pm »

Interesting read (relevant):
- http://blog.codinghorror.com/speed-hashing/
- http://blog.codinghorror.com/passwords-vs-pass-phrases/

Read on if you like. Click around.
Jeff Atwood has some of the most interesting coding blogs out there. If you don't mind his ego.
« Last Edit: August 06, 2014, 08:39:57 pm by shin »

colin012
Re: WARNING! PLEASE READ BEFORE MAKING YOUR NXT ACCOUNT! [Please Sticky]
« Reply #11 on: August 06, 2014, 04:51:03 pm »

Quote from: Eadeqa on August 06, 2014, 11:56:01 am

Fair enough. You know more about password security than I do, so what would you recommend as the minimum safe password length? Also, keep in mind that this doesn't have to do with cracking a hash, it has to do with precomputation attacks.

Eadeqa
Re: WARNING! PLEASE READ BEFORE MAKING YOUR NXT ACCOUNT! [Please Sticky]
« Reply #12 on: August 06, 2014, 07:19:22 pm »

Quote from: colin012 on August 06, 2014, 04:51:03 pm
Fair enough. You know more about password security than I do, so what would you recommend as the minimum safe password length? Also, keep in mind that this doesn't have to do with cracking a hash, it has to do with precomputation attacks.

I don't know more, I just know basic math. Every password that appears in any kind of database is bad. It can be cracked instantly. These include leaked password databases (billion+ passwords), quotes from books, poems, songs, movies, a bitcoin address in the bitcoin blockchain, a public key that exists in Nxt's blockchain, a password used by someone else, etc. A sentence picked from any book (no matter how obscure the book) from the entire library only has 32 bits of entropy, as it's possible to scan every book ever published (isn't Google already doing something like this?) and check if someone used a sentence from a book (or a slight variant of the sentence) as a password. It's much harder (though possible) to crack a random 12 char password. 20+ is pretty safe, as long as it's not in some database.

Not all Nxt users read this forum, so people will never understand this and will continue losing money with a brain wallet. Brain wallet should NOT have been the default option. It should have been an "advanced option". Private keys should be generated by a cryptographically secure random generator, then encrypted by the user's password. HumanFractal is working on something like this to be implemented in the Javascript client. Wesley should hide "brain wallet" in an advanced option (not make it easy to use), combined with HumanFractal's deterministic wallet.

So the solution isn't to tell people to use strong passwords (as they are never going to read these articles, or read instructions, or even visit this forum) but to design the software in such a way that it is difficult for users to make mistakes, while the software remains user friendly and easy to use (asking people to type 20+ chars is not usable software).
« Last Edit: August 06, 2014, 07:30:29 pm by Eadeqa »

colin012
Re: WARNING! PLEASE READ BEFORE MAKING YOUR NXT ACCOUNT! [Please Sticky]
« Reply #13 on: August 06, 2014, 07:29:53 pm »

Quote from: Eadeqa on August 06, 2014, 07:19:22 pm

True, that is the ideal, long-term solution. However, until that is implemented, we need a patch for the problem. A band-aid, if you will. Also, "never" is a very black-and-white word. If even one person reads my post and uses the password generator or creates a strong password because of it, then I would consider this post successful.

firefighter
Re: WARNING! PLEASE READ BEFORE MAKING YOUR NXT ACCOUNT! [Please Sticky]
« Reply #14 on: August 07, 2014, 08:18:45 am »

Hi colin012,

Cool post for new users. We should make an extra sticky post on this forum, but not allow discussion in it; otherwise newbies will get confused. We could use this thread to discuss what is good.
We should give simple advice to new users and support them with good links to understand more about password security if they like to.


Anyhow, the "more than 30 chars" advice is good, but not enough, because it should be a random 30 char string.

If you choose a 30 char password just with lowercase 7-bit ASCII chars in a random manner you have an entropy of 143 bits and that's enough. AES-128 has 128 bits of entropy, and AES-128 is safe.
If you choose a 15 char password out of 94 chars (alpha, digit, lower/upper case, symbols) you have an entropy of 98 bits. Everything above 80 bits can be considered as safe right now. And having 18 bits to spare is safe for the future.

The password of Eadeqa has an entropy of 89 bits, so it is safe now and still in a few years.


Hints for new users (IF you agree with it, you may rewrite this, because my English isn't as good as my technical know-how):

0. The strength of a password creation system is not how many letters, digits, and symbols you end up with, but how many ways you could get a different result using the same system. (Origin: agilebits.com)
  - Only real random passwords are secure.
  - If a pattern occurs or you use common tips to create memorable passwords, then you don't have a random password at all.
  - You should always look at http://blog.agilebits.com/2011/06/21/toward-better-master-passwords/ to understand password security.
1. Take the 12-word password which is suggested by the NXT client.
  - This is far more secure than selecting a password yourself, in most cases.
  - Don't generate passwords with a pattern, because password crackers know such patterns too.
2. Use a strong password generator in combination with a password manager.
  - 1Password, for example.
3. If you need a strong password which is easy to remember, for example the master password of the password manager, see www.diceware.com



FireF

firefighter
Re: WARNING! PLEASE READ BEFORE MAKING YOUR NXT ACCOUNT! [Please Sticky]
« Reply #15 on: August 07, 2014, 08:38:31 am »

Quote from: Eadeqa on August 06, 2014, 07:19:22 pm

If the 12 words of the NXT client are selected by a strong random generator then the result is as safe as a generated private key. So there is simply no real advantage to a wallet file. And it won't help to repeat the fairytale that wallet files are safer.

The solution in my opinion is to not allow users to select a password by themselves. Just give them the option of the 12-word password. And if wallet files couldn't be avoided (in case nxt would lose users because of that wallet file issue), we could include a lightweight password manager into the NXT client, and give the user the advanced option of a wallet file, simply by encrypting (with salt) the 12 words with a user password and saving it to a wallet file. So the rest of the code doesn't need any changes at all.

And for real advanced (pro) users, there is no requirement for an extra option to choose a brainwallet password by themselves. Because if you understand the concept behind everything you will know how to do it anyway.

FireF
« Last Edit: August 07, 2014, 08:48:50 am by firefighter »

Eadeqa
Re: WARNING! PLEASE READ BEFORE MAKING YOUR NXT ACCOUNT! [Please Sticky]
« Reply #16 on: August 07, 2014, 09:04:34 am »

Quote from: firefighter on August 07, 2014, 08:18:45 am


Great post, especially the parts that I made bold. Now that's written by someone who truly understands the topic.  I would suggest the OP should be replaced with these points.

16 (even 20) char passwords are easy to crack if they are not random.

Here are examples of passwords that were cracked.

Quote
Philippians4:6-7
qeadzcwrsfxv1331
k1araj0hns0n
Sh1a-labe0uf
Apr!l221973
Qbesancon321
DG091101%

Algorithms can be tweaked to find passwords like that.

In comparison, this 12 char password "XeVpe4wcygr9" is bloody hard to crack, as it's random. You can't write an algorithm to find random passwords, so it requires a full brute force going through all possibilities, making it very difficult to hack -- even just 12 chars (not that anyone should use 12 chars for nxt passwords, please stick to 20+ chars).

By the way, if someone doesn't trust a random generator (some random generators are bad -- for example, Javascript Math.random), they can also use a 62 card deck. Assign a letter to each card (A to Z, a to z, and 0 to 9) with a marker. Shuffle it really well for 5-10 minutes. Pick the top card. That's the first letter in your password. Mix the card back into the deck (that's important) and shuffle again, pick another top card, mix it back, repeat, etc. Do it 22 times, and there you have a 22 char password with full 128 bits of entropy without any human bias or software glitches (like Math.random()).

« Last Edit: August 07, 2014, 09:16:32 am by Eadeqa »
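Added example (not from Eadeqa's post or anyone else in the thread): what the 62-card deck and the Diceware dice do by hand, done in software with the OS CSPRNG. It also shows, by exhaustive count, the modulo bias that a naive "random byte mod 62" would introduce, and the rejection-sampling rule that removes it. The real Diceware word list is not embedded; the generator returns the five-dice codes that index it. The `read_bytes` parameter exists only so the draws can be tested deterministically; leave it at the default `os.urandom` in use.

```python
"""Drawing password symbols from a CSPRNG without modulo bias.

Added example, not from the thread. It does in software what the card-deck
and Diceware methods described above do by hand: each draw is independent,
every symbol is equally likely, and the randomness comes from os.urandom
rather than a non-cryptographic generator such as JavaScript's Math.random.
"""
import os
import string

ALPHANUMERIC = string.ascii_letters + string.digits   # 62 symbols, like the 62-card deck


def modulo_bias_counts(n_symbols: int = 62):
    """How often each symbol is hit if you naively take (random byte) % n_symbols.

    Every byte value 0..255 is tried once. 256 = 4*62 + 8, so symbols 0..7 are
    hit 5 times and the rest 4 times: a 25% skew towards the first eight symbols.
    """
    counts = [0] * n_symbols
    for byte in range(256):
        counts[byte % n_symbols] += 1
    return counts


def unbiased_index(n_symbols: int, read_bytes=os.urandom) -> int:
    """Rejection sampling: discard bytes that would make the modulo uneven.

    `read_bytes` is injectable so the behaviour can be tested deterministically;
    the default os.urandom is the OS CSPRNG. Requires 2 <= n_symbols <= 256.
    """
    limit = 256 - (256 % n_symbols)    # largest multiple of n_symbols that fits in a byte
    while True:
        byte = read_bytes(1)[0]
        if byte < limit:               # accepted range maps evenly onto 0..n_symbols-1
            return byte % n_symbols


def rejection_counts(n_symbols: int = 62):
    """Same experiment as modulo_bias_counts, but with the rejection rule applied."""
    limit = 256 - (256 % n_symbols)
    counts = [0] * n_symbols
    for byte in range(limit):
        counts[byte % n_symbols] += 1
    return counts


def random_password(length: int, alphabet: str = ALPHANUMERIC, read_bytes=os.urandom) -> str:
    """Sample with replacement: 22 draws from 62 symbols give 22*log2(62), about 131 bits.

    Putting the card back (sampling with replacement) matters: drawing without
    replacement makes later symbols depend on earlier ones and lowers entropy.
    """
    return "".join(alphabet[unbiased_index(len(alphabet), read_bytes)] for _ in range(length))


def diceware_codes(n_words: int, read_bytes=os.urandom):
    """Five unbiased d6 rolls per word; each code indexes the 7776-entry Diceware list.

    The word list itself is not embedded here; look each code up in the list
    from the site linked in the thread.
    """
    return ["".join(str(unbiased_index(6, read_bytes) + 1) for _ in range(5))
            for _ in range(n_words)]


if __name__ == "__main__":
    print("naive byte % 62, hits per symbol:", modulo_bias_counts()[:10], "...")
    print("with rejection, hits per symbol: ", rejection_counts()[:10], "...")
    print("password:", random_password(22))
    print("diceware codes:", " ".join(diceware_codes(6)))
```

The bias is small per symbol but it is systematic, and an attacker who knows the generator can order guesses to exploit it; rejection sampling costs a few discarded bytes and makes the distribution exactly uniform.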

Berzerk
Re: WARNING! PLEASE READ BEFORE MAKING YOUR NXT ACCOUNT! [Please Sticky]
« Reply #17 on: August 07, 2014, 11:35:49 am »

Stickied. Next time please write me a PM. :)

firefighter
Re: WARNING! PLEASE READ BEFORE MAKING YOUR NXT ACCOUNT! [Please Sticky]
« Reply #18 on: August 07, 2014, 04:23:34 pm »


Quote from: Eadeqa on August 07, 2014, 09:04:34 am
Great post, especially the parts that I made bold. Now that's written by someone who truly understands the topic.  I would suggest the OP should be replaced with these points.

16 (even 20) char passwords are easy to crack if they are not random.

There is one problem with that. As far as I can remember (not sure I can :-) ) the default client wants to have at least 35 chars, and if some conditions are not met (lower/upper case, digits, symbols, etc.) you are asked to have at least 50 chars.

So it would be fine to have a common understanding of passphrase security that matches the mindset of the core devs. Otherwise we end up with hints that generate warning messages and then users will lose trust.


Quote from: Eadeqa on August 07, 2014, 09:04:34 am
By the way, if someone doesn't trust a random generator (some random generators are bad -- for example, Javascript Math.random), they can also use a 62 card deck. Assign a letter to each card (A to Z, a to z, and 0 to 9) with a marker. Shuffle it really well for 5-10 minutes. Pick the top card. That's the first letter in your password. Mix the card back into the deck (that's important) and shuffle again, pick another top card, mix it back, repeat, etc. Do it 22 times, and there you have a 22 char password with full 128 bits of entropy without any human bias or software glitches (like Math.random()).

Yes, that's a good hint, or use diceware instead.


BTW

Really secure password generation systems are really secure because you can tell everybody that you use this system and don't lose the strength of your password.

My main account was created by using diceware and I have the trust and knowledge that this won't help a cracker anyhow. I will also state that my entropy matches the strength of a 35 char random password, but is easier to remember.
Since I generated it when I entered nxt, I now would vote for a smaller one next time, which would be far easier to remember.


6 Diceware words + 1 Diceware symbol = 87.4 bits entropy = just 7 things to remember (this could be managed by most people)
8 Diceware words + 2 Diceware symbols = 123 bits entropy
15 Diceware words + 4 Diceware symbols = 233.5 bits entropy
35 random chars (out of 94 different chars) = 229.41 bits entropy

80 bits of entropy can be considered as safe.
- for a daily wallet account I would use 6 words + 1 symbol
- for safe storage I would use 8 words + 2 symbols
- for my paranoid (Fort Knox) storage I would use 15 words + 4 symbols or 35 random chars.

The use case for 15 words + 4 symbols is that it is easier to type manually by reading it from a password manager that is located on another device. It is not as error prone as trying to type 35 chars.


FireF



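Added example (not from firefighter's or Eadeqa's posts): the entropy arithmetic that this thread keeps doing by hand, for the schemes argued about above, with the expected brute-force time at the thread's own 2014 Bitcoin-network figure of 1.25e17 hashes/s and at an assumed 1e6 guesses/s for a single machine that must run a Curve25519 key generation per guess. Both rates are rough assumptions. "A sentence from any book" and "an entry in a leaked-password corpus" are modelled the way Eadeqa describes them: one pick from a big list, so their entropy is log2(list size) regardless of how many characters they contain.

```python
"""Entropy and brute-force cost of the password schemes argued about in this thread.

Added example, not from the thread. Rates are the thread's own 2014 figure for the
whole Bitcoin network (1.25e17 SHA-256/s) and an assumed 1e6 guesses/s for one
machine that has to run a Curve25519 key generation per guess. Both are rough.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
BITCOIN_NETWORK_2014 = 1.25e17   # hashes/s, quoted in the thread
ONE_BOX_X25519 = 1e6             # guesses/s, assumed for a single machine


def entropy_bits(n_choices: int, length: int) -> float:
    """Bits of a secret made of `length` independent, uniform picks from n_choices."""
    return length * math.log2(n_choices)


def average_crack_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random secret: half the keyspace, on average."""
    return (2 ** bits / 2) / guesses_per_second / SECONDS_PER_YEAR


def bits_needed(years: float, guesses_per_second: float) -> float:
    """Inverse: entropy so that the *average* crack time at this rate is `years`."""
    return math.log2(2 * years * SECONDS_PER_YEAR * guesses_per_second)


# (label, choices per pick, number of picks). A sentence from "any book" and a
# leaked-password corpus are one pick from a big list: entropy = log2(list size),
# no matter how many characters the sentence has.
SCHEMES = [
    ("8 random chars, 94-symbol set",       94,     8),
    ("15 random alphanumerics (Eadeqa)",    62,    15),
    ("20 random alphanumerics",             62,    20),
    ("30 random lowercase letters",         26,    30),
    ("6 Diceware words",                  7776,     6),
    ("8 Diceware words",                  7776,     8),
    ("sentence from any published book", 2**32,     1),
    ("entry from 10^9 leaked passwords", 10**9,     1),
]


def report():
    """Rows of (label, bits, avg years vs Bitcoin network, avg years vs one box)."""
    rows = []
    for label, choices, picks in SCHEMES:
        bits = entropy_bits(choices, picks)
        rows.append((label, round(bits, 1),
                     average_crack_years(bits, BITCOIN_NETWORK_2014),
                     average_crack_years(bits, ONE_BOX_X25519)))
    return rows


if __name__ == "__main__":
    print(f"{'scheme':36} {'bits':>6} {'btc-net yrs':>12} {'one box yrs':>12}")
    for label, bits, btc, box in report():
        print(f"{label:36} {bits:6.1f} {btc:12.3g} {box:12.3g}")
    print("bits for a 100-year average against the 2014 Bitcoin network:",
          round(bits_needed(100, BITCOIN_NETWORK_2014), 1))
```

Two things fall out of the table that the shouting in the thread obscures: 15 random alphanumerics (about 89 bits) is indeed roughly a century of work for the entire 2014 Bitcoin network, so the "30+ characters" figure is about randomness, not length; and any passphrase that is one entry in a list an attacker can enumerate is around 30 bits whatever its length, which is minutes on a single machine and is exactly the precomputation case from the first post.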

colin012
Re: WARNING! PLEASE READ BEFORE MAKING YOUR NXT ACCOUNT! [Please Sticky]
« Reply #19 on: August 07, 2014, 04:36:24 pm »

Quote from: Berzerk on August 07, 2014, 11:35:49 am
Stickied. Next time please write me a PM. :)

Will do!

Quote from: Eadeqa on August 07, 2014, 09:04:34 am
Now that's written by someone who truly understands the topic.  I would suggest the OP should be replaced with these points.

DONE! Thank you for the suggestion!
« Last Edit: August 07, 2014, 04:53:35 pm by colin012 »