The DO NOTs  
Author Topic: The DO NOTs  (Read 636 times)

firefighter

« on: July 28, 2014, 08:41:14 pm »

Hi All,

That shouldn't or must not be implemented in Nxt, imho.

1. Wallet file

A wallet file does not do a good job for security. If someone selects a weak password, how would he protect his wallet file at all?
Choose a strong passphrase by using diceware (*1 and *2) or a strong password generator and there is no need for a wallet.file. Save the password in a password manager like 1password, keepass or lastpass, or simply note it on paper.

So from an Information Security (IS) point of view there is no real benefit. But one new risk -> Losing the availability of the wallet.file leads to losing your funds.

For the user's sake or for marketing reasons you could implement a random key generator (256-bit key) and protect it with AES 128. And

Anyhow, a wallet file should not be the default option, and you should carefully consider whether it should be available in the default client at all.
 
2. Seeding / Salting done the wrong way

In a thread in this forum, somebody suggested using a salt and storing the salt locally. -> That shouldn't be done, since the security reason for salting combined with key strengthening (SCRYPT or PBKDF2) is to defeat rainbow tables.

So the salt should be an additional 4 letters in the Nxt base-58 format or 7 digits in the numeral Nxt format. (32 bit)
But as my feelings vote for salting and key scrypt, there must be a real security gain for it. Maybe some cryptography expert should check this.


-----


What do you think about my points, and do you have other „do not’s“?


1) For password security: search blog.agilebits.com -> toward-better-master-passwords and the geek version better-master-passwords-the-geek-edition

I advise using 1password as a password manager since these guys know what they are doing. I'm a long-term customer.

2) Google for diceware

I'm not allowed to post external links
NXT-SYDZ-HECY-YF3A-76E5Q
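
An added example, not part of the original post and not code from the Nxt client: a Python sketch of the scheme discussed in point 2, where a short salt travels with the account identifier and feeds scrypt key strengthening, plus the entropy of a diceware passphrase from point 1. The function names, the Bitcoin-style base-58 alphabet and the scrypt cost parameters are assumptions chosen for illustration.

```python
import hashlib
import math
import secrets

# Assumption: Bitcoin-style base-58 alphabet (no 0, O, I, l).
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
SALT_CHARS = 4  # salt length proposed in the post


def diceware_bits(words: int, list_size: int = 6 ** 5) -> float:
    """Entropy of `words` words drawn uniformly from a five-dice word list."""
    return words * math.log2(list_size)


def salt_bits() -> float:
    """Capacity of a 4-character base-58 salt, in bits."""
    return SALT_CHARS * math.log2(len(B58))


def new_salt() -> str:
    """Random salt from the OS CSPRNG, to be appended to the account id."""
    return "".join(secrets.choice(B58) for _ in range(SALT_CHARS))


def derive_key(passphrase: str, salt: str) -> bytes:
    """Salted, strengthened 256-bit key; scrypt costs are illustrative."""
    if len(salt) != SALT_CHARS or any(c not in B58 for c in salt):
        raise ValueError("salt must be 4 base-58 characters")
    return hashlib.scrypt(
        passphrase.encode("utf-8"),
        salt=salt.encode("ascii"),
        n=2 ** 14, r=8, p=1, dklen=32,
    )


if __name__ == "__main__":
    phrase = "cleft cam synod lacy yr wok"  # constructed sample passphrase
    salt_a, salt_b = "7kQz", "Bx3m"         # constructed sample salts
    print(f"6-word diceware: {diceware_bits(6):.1f} bits")
    print(f"4-char base-58 salt: {salt_bits():.1f} bits")
    # Same passphrase, different salt: unrelated keys, so a table
    # precomputed for one salt is useless against the other.
    print(derive_key(phrase, salt_a).hex())
    print(derive_key(phrase, salt_b).hex())
    print("fresh salt:", new_salt())
```

Because the salt is part of what the user writes down with the account identifier, nothing has to be kept in a local file for the key to be re-derived.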
 
