Think I may have been hacked

Author Topic: Think I may have been hacked  (Read 7192 times)

achim

Re: Think I may have been hacked
« Reply #40 on: June 02, 2014, 05:34:46 am »

Post a new Nxt account and use a much stronger passphrase. I'll send you some Nxt to get you back on your feet. It's clearly a hack, so I'd be happy to help you out. :) Won't be able to send for an hour or 2 though.

Use KeePass to create and save your passphrase. It's also much safer than Notepad or a Word doc or whatever.

Ha! Really? NXT-3Z5P-GNEN-W3HY-HACH7

Sent a small sum your way  ;)

Eadeqa

Re: Think I may have been hacked
« Reply #41 on: June 02, 2014, 05:41:13 am »

I'm guessing now it would be safe for you to share with us that 49 character password.

can you post your passphrase just to give us an real example of a hackable passphrase?

*Hangs head in shame*

I picked my secret phrase thinking that it was used to sign a key of some kind, not that it is the only barrier to entry to my account. This obviously was my ignorance. Consider this a donation to improving the security user experience of NXT.

One small step for man one giant leap for mankind


Why didn't you use the password that is generated by the client itself? That is perfectly secure.


« Last Edit: June 02, 2014, 05:43:12 am by Eadeqa »

jeremiah

Re: Think I may have been hacked
« Reply #42 on: June 02, 2014, 06:26:14 am »

Sent a small sum your way  ;)

Thank you for your kindness in the midst of my ignorance. :)

achim

Re: Think I may have been hacked
« Reply #43 on: June 02, 2014, 06:36:26 am »

Sent a small sum your way  ;)

Thank you for your kindness in the midst of my ignorance. :)

You're welcome. I just hate to see the Nxt community losing even one new member because of initial difficulties / mistakes.

CryptKeeper

Think I may have been hacked
« Reply #44 on: June 02, 2014, 06:42:42 am »

The whole idea of the brainwallet is flawed. IMHO it only makes sense if you compute a phrase from a good random seed and don't let the user choose his own!

When you use "traditional" passwords you can somehow measure the "strength" by length and by the inclusion of different character sets (alpha, numeric, special chars); that doesn't work with brainwallets. I recommend using KeePass or similar and using a random 30+ character password.

jeremiah

Re: Think I may have been hacked
« Reply #45 on: June 02, 2014, 06:43:00 am »

Why didn't you use the password that is generated by the client itself? That is perfectly secure.

I think that I have answered this previously, but I'll try again.

It's unclear to newcomers, particularly those coming from Bitcoin, that the secret phrase *is* your identity and that the only thing someone needs to do in order to compromise your account is to guess your secret phrase. Using a password that functions as an identifier and as a secret is not a very common security model. This was a misalignment of my understanding of how NXT works and how NXT actually works. It's my fault for not doing more research. From a UX perspective, it's NXT's fault for not preventing me from making that mistake when it's the one that deviates from a more common convention.

I hope my ~$200 mistake helps NXT improve because I like many of the ideas it is championing. It just sucks that it was an unintentional investment in this UX improvement.

FWIW I think that client-generated list of 10 words is doing users a disservice. They're not particularly memorable to a user, so the user has to store it somewhere. The client might as well generate 256 characters (or whatever the max is) of random symbols.

Eadeqa

Re: Think I may have been hacked
« Reply #46 on: June 02, 2014, 08:03:29 am »

Why didn't you use the password that is generated by the client itself? That is perfectly secure.

I think that I have answered this previously, but I'll try again.

It's unclear to newcomers, particularly those coming from Bitcoin, that the secret phrase *is* your identity and that the only thing someone needs to do in order to compromise your account is to guess your secret phrase. Using a password that functions as an identifier and as a secret is not a very common security model. This was a misalignment of my understanding of how NXT works and how NXT actually works. It's my fault for not doing more research. From a UX perspective, it's NXT's fault for not preventing me from making that mistake when it's the one that deviates from a more common convention.

I hope my ~$200 mistake helps NXT improve because I like many of the ideas it is championing. It just sucks that it was an unintentional investment in this UX improvement.

FWIW I think that client-generated list of 10 words is doing users a disservice. They're not particularly memorable to a user, so the user has to store it somewhere. The client might as well generate 256 characters (or whatever the max is) of random symbols.

It's a big improvement from what we used to have before. That previous client started with just a login dialog, and many new users just entered a blank password.

As for memorable short passwords, unfortunately that's not an option, as the private key, which is SHA256(password), is open to offline brute-force attack.

We have always recommended that people use password managers. I use LastPass https://lastpass.com/ .. it's free for desktop, does local encryption on the user's computer, autofill, you get two-factor authentication and encrypted online backups that are synced with any computer you use. It's perfectly alright to use a memorable master password with a password manager, as an offline attack is very unlikely, especially if you use two-factor authentication, but this is not an option with Nxt.


« Last Edit: June 02, 2014, 08:07:49 am by Eadeqa »

bluemeanie1

Re: Think I may have been hacked
« Reply #47 on: June 02, 2014, 04:05:42 pm »

Why didn't you use the password that is generated by the client itself? That is perfectly secure.

I think that I have answered this previously, but I'll try again.

It's unclear to newcomers, particularly those coming from Bitcoin, that the secret phrase *is* your identity and that the only thing someone needs to do in order to compromise your account is to guess your secret phrase.

AND compute the private key from this phrase. This is computationally expensive, and this is why it's infeasible to guess every single possible phrase. They cut down on the possibilities by e.g. using common phrases from literature and music. :)

-bm

wesley

Re: Think I may have been hacked
« Reply #48 on: June 02, 2014, 04:08:19 pm »

Currently the client says:

Quote
Your automatically generated secret phrase is:

...

Please write down or memorize these 12 words (their order and capitalization matters - always lowercase). This secret phrase is needed in order to access your Nxt account.

Attention: Don't ever disclose your secret phrase. If you lose it you lose access to your account!

And if you click on the link to choose your own password:

Quote
Your secret phrase must be at least 35 characters long.

Attention: Don't ever disclose your secret phrase. If you lose it you lose access to your account!

If anyone has better instructions / wording, please let me know in this thread and we can change it.

bluemeanie1

Re: Think I may have been hacked
« Reply #49 on: June 02, 2014, 04:26:23 pm »

Consider also that in the Bitcoin model, people misplace or accidentally erase their keys, and they are 100% unrecoverable. So there are pluses and minuses to each approach. Many credible experts do endorse the Brain Wallet model.

Eadeqa

Re: Think I may have been hacked
« Reply #50 on: June 02, 2014, 04:35:23 pm »

Currently the client says:

Quote
Your automatically generated secret phrase is:

...

Please write down or memorize these 12 words (their order and capitalization matters - always lowercase). This secret phrase is needed in order to access your Nxt account.

Attention: Don't ever disclose your secret phrase. If you lose it you lose access to your account!

And if you click on the link to choose your own password:

Quote
Your secret phrase must be at least 35 characters long.

Attention: Don't ever disclose your secret phrase. If you lose it you lose access to your account!

If anyone has better instructions / wording, please let me know in this thread and we can change it.

"Do not use a sentence that appears in song or literature. Don't ever disclose your secret phrase. Anyone with access to your secret phrase will have full access to your Nxt account.  If you lose it you lose access to your account!"
« Last Edit: June 02, 2014, 04:37:41 pm by Eadeqa »

VanBreuk

Re: Think I may have been hacked
« Reply #51 on: June 02, 2014, 04:39:54 pm »

Quote
Your secret phrase must be at least 35 characters long.

Attention: Don't ever disclose your secret phrase. If you lose it you lose access to your account!

If anyone has better instructions / wording, please let me know in this thread and we can change it.

"Your secret phrase must be composed of 12 or more truly random words, or at least 35 random characters including uppercase and lowercase letters, numbers and symbols."

barbierir

Re: Think I may have been hacked
« Reply #52 on: June 02, 2014, 04:52:40 pm »

And if you click on the link to choose your own password:

Quote
Your secret phrase must be at least 35 characters long.

Attention: Don't ever disclose your secret phrase. If you lose it you lose access to your account!


"The secret phrase is everything that stands between your account and the rest of the world. Do not use any meaningful sentence, especially any that appears in song or literature. Don't ever disclose your secret phrase. If you lose it you lose access to your account!"

bluemeanie1

Re: Think I may have been hacked
« Reply #53 on: June 02, 2014, 05:42:13 pm »

It might be interesting to many as to how this hacker did this, and just to be clear, this is a very obvious hack and this person was exploiting general ignorance of how brain wallets work.

What he/she did (likely, and he/she is probably reading this) was take a language corpus and compute phrases in order of frequency of occurrence. For instance,

"the sun also rises"
"there is more in heaven and earth"
"one great step for man"

Then they run a quad-core PC and keep computing the account IDs for each of these phrases. Then, with this database of passphrases to IDs, they build a master index. Then they watch the block chain to see if any funds show up in the accounts in the index. Once there are enough funds in enough accounts, they run a script to evacuate the funds into an account owned by the hacker.

So the security of your account depends on how far down in this list your passphrase is. If it contains non-standard words, punctuation, numbers, it is trillions and billions from the beginning of the list, i.e. never going to get computed. That's where you want your passphrase to be. :)

-bm

farl4bit

Re: Think I may have been hacked
« Reply #54 on: June 02, 2014, 08:09:17 pm »

A bit scary that a bot did a few accounts at the same time. His passphrase was 10 words and Nxtwallet gives passphrases of 12 words. How much safer is this?

bluemeanie1

Re: Think I may have been hacked
« Reply #55 on: June 02, 2014, 08:11:13 pm »

His phrase was "well known", but personally I would use some misspellings, numbers and punctuation.

-bm

chanc3r

Re: Think I may have been hacked
« Reply #56 on: June 02, 2014, 08:15:36 pm »

A bit scary that a bot did a few accounts at the same time. His passphrase was 10 words and Nxtwallet gives passphrases of 12 words. How much safer is this?

I suspect the bot has pre-calculated the account numbers for its dictionary of phrases (not hard; you can do this for millions of account numbers) and monitors the block chain for a TX against one of those account numbers, checks the balance, and if there is NXT there, goes and gets it.

Eadeqa

Re: Think I may have been hacked
« Reply #57 on: June 02, 2014, 08:26:40 pm »

A bit scary that a bot did a few accounts at the same time. His passphrase was 10 words and Nxtwallet gives passphrases of 12 words. How much safer is this?

Big difference. His password was a famous quote from Neil Armstrong

https://www.google.com/search?q=One+small+step+for+man+one+giant+leap+for+mankind&rlz=1C1CHMO_enUS560US560&oq=One+small+step+for+man+one+giant+leap+for+mankind&aqs=chrome..69i57&sourceid=chrome&es_sm=122&ie=UTF-8

It was not random.

Weird that even regular people like farl4bit (a mod) still don't understand entropy after we have gone through this hundreds of times.

If his password were just 12 chars (forget words) but random, it would have been far more secure.

The client-generated password is totally random with 128 bits of entropy.
« Last Edit: June 02, 2014, 08:31:29 pm by Eadeqa »
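To put numbers on bluemeanie1's frequency-ordered phrase list (Reply #53) and Eadeqa's 128-bit figure (Reply #57), here is an added Python example; it is not code from this thread or from the Nxt client. The 1626-word list size (the size that yields the 128 bits cited), the 94-character alphabet and the guess rate are assumptions, and the 35-character rule and the proposed "12 words or 35 mixed characters" wording are taken from the client text quoted earlier in the thread.

```python
import math
import string

# Constructed parameters for the estimates below (assumptions, not figures from the thread).
WORDLIST_SIZE = 1626        # assumed size of the client's word list (12 words -> ~128 bits)
CHARSET_SIZE = 94           # printable ASCII: letters, digits and symbols
GUESSES_PER_SECOND = 1e7    # assumed offline rate for SHA-256 + key derivation per guess

def entropy_random_words(n_words, wordlist_size=WORDLIST_SIZE):
    """Bits of entropy for n words drawn uniformly at random (with replacement)."""
    return n_words * math.log2(wordlist_size)

def entropy_random_chars(n_chars, charset_size=CHARSET_SIZE):
    """Bits of entropy for n characters drawn uniformly at random."""
    return n_chars * math.log2(charset_size)

def entropy_corpus_phrase(rank):
    """Upper bound on the bits a quotation provides when it sits at position `rank`
    in a frequency-ordered list of phrases: a guesser working down that list only
    has to reach that position, so the phrase's word count and length are irrelevant."""
    return math.log2(rank)

def years_to_exhaust(bits, rate=GUESSES_PER_SECOND):
    """Years needed to try every candidate of a `bits`-bit space at `rate` guesses/s."""
    return 2.0 ** bits / rate / (365.25 * 24 * 3600)

def meets_current_rule(phrase):
    """The client text quoted in the thread: at least 35 characters."""
    return len(phrase) >= 35

def meets_proposed_rule(phrase):
    """Structural check of the wording proposed in the thread: 12 or more words, or
    35+ characters mixing upper- and lowercase letters, digits and symbols.
    Randomness cannot be verified after the fact, so this is a necessary, not a
    sufficient, condition."""
    if len(phrase.split()) >= 12:
        return True
    classes = (string.ascii_uppercase, string.ascii_lowercase,
               string.digits, string.punctuation)
    return len(phrase) >= 35 and all(any(c in cls for c in phrase) for cls in classes)

def compare(phrase, corpus_rank):
    """Summarise how a phrase fares against a corpus walk versus the client's 12 words."""
    return {
        "length_rule": meets_current_rule(phrase),
        "proposed_rule": meets_proposed_rule(phrase),
        "corpus_bits": entropy_corpus_phrase(corpus_rank),
        "client_bits": entropy_random_words(12),
    }

# The quotation disclosed in the thread, assumed to sit within the first million
# entries of a frequency-ordered phrase list (constructed rank, not a measurement).
DISCLOSED_PHRASE = "one small step for man one giant leap for mankind"
REPORT = compare(DISCLOSED_PHRASE, 1_000_000)
```

The disclosed phrase passes the 35-character rule but fails the proposed one, and at the assumed guess rate a 20-bit corpus position falls in well under a second while the 128-bit client phrase would take on the order of 10^24 years.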

Tosch110

Re: Think I may have been hacked
« Reply #58 on: June 02, 2014, 08:29:36 pm »

Indeed. But I think most people got that using one of the most cited / most famous sentences as a passphrase is not very secure.

Thames

Re: Think I may have been hacked
« Reply #59 on: June 02, 2014, 09:57:06 pm »

A bit scary that a bot did a few accounts at the same time. His passphrase was 10 words and Nxtwallet gives passphrases of 12 words. How much safer is this?

Big difference. His password was a famous quote from Neil Armstrong

https://www.google.com/search?q=One+small+step+for+man+one+giant+leap+for+mankind&rlz=1C1CHMO_enUS560US560&oq=One+small+step+for+man+one+giant+leap+for+mankind&aqs=chrome..69i57&sourceid=chrome&es_sm=122&ie=UTF-8

It was not random.

Weird that even regular people like farl4bit (a mod) still don't understand entropy after we have gone through this hundreds of times.

If his password were just 12 chars (forget words) but random, it would have been far more secure.

The client-generated password is totally random with 128 bits of entropy.

Which is why I chose a bitcoin private key that was created here... https://www.bitaddress.org/ and then slightly altered it for a bit more randomness, before writing it down. I think I even remember generating 10 addresses and randomly choosing one, before I altered it.