Author Topic: Wallet.dat file  (Read 56740 times)

antanst

Re: Wallet.dat file
« Reply #20 on: July 18, 2014, 08:32:46 pm »

Indeed, we have additional reasons to enforce strong wallet passwords on nxtblocks, that's precisely why we do so. Bear in mind the following two cases though, in case a wallet is implemented within the official client:

A) The user decides to upload his encrypted wallet in a compatible web wallet service, such as nxtblocks. In this case, if his password is not strong, he will have uploaded an insecure wallet, and we can't do anything about it.

B) The wallet does not offer any additional security if the user can still create NXT accounts with custom, weak passphrases. Removing this lax behavior will pose compatibility issues for current NXT users, as they should always be able to use their existing accounts.
« Last Edit: July 18, 2014, 08:35:30 pm by antanst »

Eadeqa

Re: Wallet.dat file
« Reply #21 on: July 18, 2014, 08:48:50 pm »

The wallet does not offer any additional security if the user can still create NXT accounts with custom, weak passphrases. Removing this lax behavior will pose compatibility issues for current NXT users, as they should always be able to use their existing accounts.

The ability to use own passwords would not be removed. It will not be a default option. You are missing the whole "ease of use" issue. Nxt in its current form is not usable software for most users, as no one can enter 128-bit passwords every time they log in and send transactions without using additional software (like Lastpass) or putting passwords in a plain text file and copying and pasting (which is far worse than a wallet file).

Even just 8 char encryption password with 100,000 rounds of PBKDF2 would be pretty costly to brute force (that's more difficult to bruteforce than 64 bit darknxt account ID).

Let the user use their own encryption passwords (that's the whole point of a wallet file -- ease of use), and wallet file should be implemented. It's an absolute must for security and usability -- far more important than "instant transactions".

This is one thing Nem does clearly better.
« Last Edit: July 18, 2014, 09:00:10 pm by Eadeqa »
NXT-GZYP-FMRT-FQ9K-3YQGS

mczarnek

Re: Wallet.dat file
« Reply #22 on: July 18, 2014, 09:19:36 pm »

Eadeqa brings up another good point: one of the main reasons I never log in and spend time checking out the AE, for example, is because it is a hassle to dig up my password every time I want to. Memorable password would be ok in this situation.

Instant transactions are a really cool feature, but I think we need basics first.. if someone else wants to do this, I can focus on instant transactions.
NXT Organization: Tech
Donations greatly appreciated: NXT-DWVJ-G89C-RHNL-6QW6Q

antanst

Re: Wallet.dat file
« Reply #23 on: July 18, 2014, 09:26:22 pm »

Quote
You are missing the whole "ease of use" issue.

No. I clearly stated that a wallet is primarily a convenience/usability feature in this very thread. Besides, if I would be missing it, I wouldn't have built a web wallet in the first place, would I?

The ability to use own passwords would not be removed. It will not be a default option.

Your point is that with a wallet, the user won't have as much an incentive to specify his own NXT account password, since he won't have to remember it. I agree. The thing I've been pointing out in the last posts is that especially while there are other clients that don't feature a compatible wallet out there, there will still be cases with users that, when given the choice, they will still enter their own, insecure account password. And that's unfortunate.
« Last Edit: July 18, 2014, 09:29:00 pm by antanst »

Eadeqa

Re: Wallet.dat file
« Reply #24 on: July 18, 2014, 09:31:06 pm »

there will still be cases with users that, when given the choice, they will still enter their own, insecure account password. And that's unfortunate.

It's going to happen far less once it's not the default option. I am not concerned about that.

NXT-GZYP-FMRT-FQ9K-3YQGS

msin

Re: Wallet.dat file
« Reply #25 on: July 18, 2014, 10:33:12 pm »

Eadeqa brings up another good point: one of the main reasons I never log in and spend time checking out the AE, for example, is because it is a hassle to dig up my password every time I want to. Memorable password would be ok in this situation.

Instant transactions are a really cool feature, but I think we need basics first.. if someone else wants to do this, I can focus on instant transactions.

mczarnek, on the topic of Instant Transactions, I think it would be great if you can tell us what kind of help you will need to expedite development, testing, and implementation as the community can definitely contribute.  As JL said, it's very important. 

mczarnek

Re: Wallet.dat file
« Reply #26 on: July 19, 2014, 04:48:03 am »

Eadeqa brings up another good point: one of the main reasons I never log in and spend time checking out the AE, for example, is because it is a hassle to dig up my password every time I want to. Memorable password would be ok in this situation.

Instant transactions are a really cool feature, but I think we need basics first.. if someone else wants to do this, I can focus on instant transactions.

mczarnek, on the topic of Instant Transactions, I think it would be great if you can tell us what kind of help you will need to expedite development, testing, and implementation as the community can definitely contribute.  As JL said, it's very important.

Talked a little bit with Damelon. Think we're going to be able to figure something out. Basically, I need one other coder to help me out or it's going to take 4 months.  I'm fine doing IT instead, I realize that's important and I'm the best one for the job, given the time already spent figuring it out.

But, it's going to take me at least twice as long to implement without one, and some funds in the meantime would be nice. Because I need to pay someone else and because at this moment, the funding will only be about 75% of minimum wage (should be same if split).. I could make more than triple it at a full-time job and buy more Nxt that way. I think Nxt will go up and any bounty will become worth more but I hope you can see where I'm coming from.

And just to be clear, I was already asking for at least 100k more, preferably 200k before the price went down.
« Last Edit: July 19, 2014, 06:04:38 pm by mczarnek »
NXT Organization: Tech
Donations greatly appreciated: NXT-DWVJ-G89C-RHNL-6QW6Q

Eadeqa

Re: Wallet.dat file
« Reply #27 on: July 21, 2014, 05:50:13 am »

There is another solution that doesn't involve core (Java) and can be implemented in JavaScript (even browser version).

Overall it will increase usability and security, IMO.

Provide (optional) online wallet that is encrypted locally on user computer (with 200K rounds of PBKDF2). We can even provide 2FA authentication this way, and it should work with JavaScript as the wallet will not be saved on user machine. (There could be optional method to save a backup or get a backup in zip file via email.)

It will work like this: the user provides an email and a password.

Hash (email + password)  with 200,000 rounds of PBKDF2, AES256 encryption key for the wallet.
one additional Hash (AES256 key) as token to login and download the wallet (with optional 2FA)

The wallet  file will be encrypted/decrypted locally on user machine.

One wallet can have multiple Nxt accounts.

We would need a reliable partner for online server, mynxtinfo or nxtblocks are obvious candidates. (maybe both sites as a way for a backup?) 

I am sure this will increase overall security and usability of Nxt. Plus 2FA will make people happy, as they will feel more "secure" (psychological). Even just 8 char password with 200K rounds will provide plenty of security (plus 2FA will help too with safeguarding the wallet file).

This system can work even with "light" version of the client that does local signing  and uses public nodes.

Thoughts?
« Last Edit: July 21, 2014, 06:24:04 am by Eadeqa »
NXT-GZYP-FMRT-FQ9K-3YQGS
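
Added example, not code from any post in this thread: the key and login-token derivation described in Reply #27, written out with Node's built-in crypto module so the client-side flow can be run end to end. The token is hashed from the derived key, as in that post's final wording, so checking a password guess against a stored token costs a full PBKDF2 run; the earlier wording quoted in Reply #28 used a plain Hash (email + password) for the token. Assumptions: the lower-cased email is the PBKDF2 salt, the hash is SHA-256, and the cipher mode is AES-256-GCM; the post names only PBKDF2 with 200,000 rounds and AES256, and all function names are illustrative.

```javascript
const crypto = require('node:crypto');

const ROUNDS = 200000; // "200,000 rounds of PBKDF2" from the post

// Assumption: salt = normalised email, PRF = HMAC-SHA-256, 32-byte output.
function deriveKey(email, password) {
  const salt = email.trim().toLowerCase();
  return crypto.pbkdf2Sync(password, salt, ROUNDS, 32, 'sha256');
}

// "one additional Hash (AES256 key)": the only secret-derived value the
// server stores. It cannot be turned back into the key, but whoever holds it
// can test password guesses offline at ROUNDS PRF calls per guess.
function loginToken(key) {
  return crypto.createHash('sha256').update(key).digest('hex');
}

// Assumption: AES-256-GCM, fresh 12-byte nonce per save. Layout: iv|tag|ct.
function encryptWallet(key, wallet) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(wallet), 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

// Throws if the key is wrong or the blob was modified (GCM tag mismatch).
function decryptWallet(key, blob) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  const pt = Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// Constructed sample: one wallet holding two made-up Nxt secret phrases.
const SAMPLE_WALLET = { accounts: [
  { label: 'main', secretPhrase: 'constructed example phrase one' },
  { label: 'savings', secretPhrase: 'constructed example phrase two' },
] };

// Client-side flow: only `token` and `blob` ever leave the machine.
function createUpload(email, password, wallet) {
  const key = deriveKey(email, password);
  return { token: loginToken(key), blob: encryptWallet(key, wallet) };
}

function openDownload(email, password, blob) {
  return decryptWallet(deriveKey(email, password), blob);
}
```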

jl777

Re: Wallet.dat file
« Reply #28 on: July 21, 2014, 05:59:04 am »

There is another solution that doesn't involve core (java) and can be implemented in Javascript (even browser version).

Overall it will increase usability and security, IMO.

Provide (optional) online wallet that is encrypted locally on user computer (with 200K rounds of PBKDF2). We can even provide 2FA authentication this way, and it should work with javascript as the wallet will not be  saved on user machine. (there could be optional method to save a backup). 

It will work like this: the user provides an email and a password.

Hash (email + password) -- token used by the client to login to an online server to download the wallet file (with optional google authenticator for extra security)
Hash (email + password)  with 200,000 rounds of PBKDF2, AES256 encryption key for the wallet.

The wallet  file will be encrypted/decrypted locally on user machine.

One wallet can have multiple Nxt accounts.

We would need a reliable partner for online server, mynxtinfo or nxtblocks are obvious candidates. (maybe both sites as a way for a backup?) 

I am sure this will increase overall security and usability of Nxt. Plus 2FA will make people happy, as they will feel more "secure."  (psychological).  There would not be a need for long 12 words "secret phrases". Nxt secret phrases will be auto generated and added to the user's wallet.  Even just 8 char password with 200K rounds  will provide plenty of security (plus 2FA will help too with safeguarding the wallet file).

This system will work even with "light" version of the client that does local signing  and uses public nodes.

Thoughts?

can you implement this?
There are over 1000 people in SuperNET slack! http://slackinvite.supernet.org/ automatically sends you an invite

I am just a simple C programmer

Eadeqa

Re: Wallet.dat file
« Reply #29 on: July 21, 2014, 06:33:18 am »

can you implement this?

Would Wesley/JL agree as this requires cooperation with a third party server (mynxtinfo and/or nxtblocks)? If everyone agrees, the right person to implement it would be HumanFractal  as he has been working with 2FA and wallet ideas for a while.

I am pretty sure it increases security and usability. Plus even third party software (like MGW client) would be able to use the online wallet as it will be open source and platform neutral.


NXT-GZYP-FMRT-FQ9K-3YQGS

Berzerk

Re: Wallet.dat file
« Reply #30 on: July 21, 2014, 06:38:49 am »

No third party things on the official client please.

bitcoinpaul

Re: Wallet.dat file
« Reply #31 on: July 21, 2014, 06:59:14 am »

Wtf. No third party in official client. The client update thing is centralized enough already.
Like my Avatar? Reply now! NXT-M5JR-2L5Z-CFBP-8X7P3

Eadeqa

Re: Wallet.dat file
« Reply #32 on: July 21, 2014, 07:13:01 am »

Wtf. No third party in official client. The client update thing is centralized enough already.

The Nxt network isn't centralized, but the client and Java server is 100% centralized already. It's controlled by JL on server side, and Wesley on the client side.



NXT-GZYP-FMRT-FQ9K-3YQGS

bitcoinpaul

Re: Wallet.dat file
« Reply #33 on: July 21, 2014, 07:18:13 am »

Wtf. No third party in official client. The client update thing is centralized enough already.

The Nxt network isn't centralized, but the client and Java server is 100% centralized already. It's controlled by JL on server side, and Wesley on the client side.

That's the excuse for throwing in some more centralized shit?
Like my Avatar? Reply now! NXT-M5JR-2L5Z-CFBP-8X7P3

Eadeqa

Re: Wallet.dat file
« Reply #34 on: July 21, 2014, 07:23:18 am »

That's the excuse for throwing in some more centralized shit?

It's not "centralization". The network is decentralized. The software isn't. It's controlled and developed by developers which is 100% centralized. It's an optional online wallet. No one has to use it. The network itself still stays the same decentralized.

NXT-GZYP-FMRT-FQ9K-3YQGS

antanst

Re: Wallet.dat file
« Reply #35 on: July 21, 2014, 08:24:03 am »

The official NXT client should not have features that depend on third party sites/services, however lucrative those features might be.

Berzerk

Re: Wallet.dat file
« Reply #36 on: July 21, 2014, 08:58:59 am »

Wtf. No third party in official client. The client update thing is centralized enough already.

The Nxt network isn't centralized, but the client and Java server is 100% centralized already. It's controlled by JL on server side, and Wesley on the client side.

There are many more wallets from others. Maybe one from me as well soon. So it's kind of decentralized. :)

Eadeqa

Re: Wallet.dat file
« Reply #37 on: July 21, 2014, 09:44:54 am »

Wtf. No third party in official client. The client update thing is centralized enough already.

The Nxt network isn't centralized, but the client and Java server is 100% centralized already. It's controlled by JL on server side, and Wesley on the client side.

There are many more wallets from others. Maybe one from me as well soon. So it's kind of decentralized. :)

True, but Nxt server software is centralized -- unless someone wants to write a C++ version.
NXT-GZYP-FMRT-FQ9K-3YQGS

Berzerk

Re: Wallet.dat file
« Reply #38 on: July 21, 2014, 09:46:50 am »

Wtf. No third party in official client. The client update thing is centralized enough already.

The Nxt network isn't centralized, but the client and Java server is 100% centralized already. It's controlled by JL on server side, and Wesley on the client side.

There are many more wallets from others. Maybe one from me as well soon. So it's kind of decentralized. :)

True, but Nxt server software is centralized -- unless someone wants to write a C++ version.

Sure, it can't be handled in another way.

k_day

Re: Wallet.dat file
« Reply #39 on: July 21, 2014, 06:28:37 pm »

Guess I should add my voice to the growing chorus of us screaming please, please, please do not add services that depend on centralized resources to the client that nearly everybody uses.

I would love to have official wallet.dat support and think we should push this forward. I may not be 100% understanding the initial proposal though, so maybe someone could help clarify. As I imagined it there are two separate cases:

1) A user already has a private key and wants to create a wallet. In this case, you can give the api your private key, desired security level, and password, and it will spit out a wallet.dat that you save on your computer.

2) A new user creates an account and instead of entering a private key, enters a password. The client generates a secure private key, calls the api to create a wallet with their pw, and spits out a wallet.dat.

In each case, once you have a wallet.dat, you could easily take it to another client/machine, and unlock your account by choosing your wallet.dat and entering your wallet pw. Do I have this correct? If the wallet.dat is just a file that lives on your computer, what is the purpose of the proposed Delete/Edit wallet api methods? Wouldn't deleting a wallet just be as simple as deleting the file? Why does the core have to be involved? Sorry if I am missing something obvious.
NXT --> NXT-BY7Y-UB4X-6Z3C-8PP3V