Security question - how safe is our password/account?



  • my 2 cents:

    1. either it was his own account
    2. was a public node wallet...

    but then again, I am a tad tech retarded. Either way, I concur with the option to delete this thread because account security has never been an issue in NXT, BURST or HZ unless ofc you use your pet name as a password...



  • Think of the service this guy could provide, getting back accounts with forgotten or mistyped passphrases!

    How silly lol

    Jumper also runs a pool... sounds fishy



  • I guess some / most of us on our first wallet used the auto-generated 12-word phrase, so there are probably a lot of passphrases around of that style?

    It would be an interesting experiment for someone to have a piece of code that worked through some of the 12-word groups and checked if any of them gave an in-use Burst Address?

    It may be highly unlikely, but one day someone is going to use the auto-generated passphrase and it's going to pop out with an in-use Burst Address?

    Rich



  • Nonsense, passphrases cannot be brute-forced..
    Name inside Demo Wallet is not Russian (apparently Google Translate)
    Jumper does not work in security, 'cause those in the field know something called ethics and methodology, which I didn't sense in his presentation. The aim of presenting a vulnerability or a flaw is basically to offer (or sell) a fix.
    If this is true, then it's a gold mine, which I fail to understand why he's sharing; in my opinion he's freaking people out, nothing more.

    If someone freaked, they can open Local wallet and choose their passphrase carefully (or generate a random pass with OpenSSL, but that's an extreme), print it (hard copy) and never store it on a computer (soft copy) and never use it in online wallets.

    If that's so hard 'cause you use your wallet often, then open an online wallet for daily use, transfer funds to the above wallet and leave what you can afford to be stolen.



  • @rnahlawi The risk that I see is not in the likelihood that someone could fluke a passphrase, but that there might be a bug in the algorithm that generates the passphrase in the first place, or that understanding the algorithm could reduce the search needed, or finally that someone could put up a fake piece of software that generates genuine wallets that could then easily be cracked by them?

    All of which points at the need for a truly random passphrase; however, that is not what most of us will have used for our first wallet. Perhaps the code should be changed to ask you to insert an additional word?

    Rich



  • @RichBC Agree, a 1300-word list combination can be cracked by time or with the right algorithm.
    When you start generating Burst, you will start being creative to protect your investment; stop using defaults for a start ;)
    Maybe exporting and importing the private key as an option would be great value.


  • admin

    @rnahlawi I disagree. 12 words out of 1300 in a random order are 128 bits of entropy, which is enough. For example, lyrics of a song are way worse.



  • @daWallet But only if the algorithm that is choosing them is truly random, bug-free, and unhackable.

    Rich



  • @daWallet I did say "by time", which is infinite :(
    @RichBC Dude, let it be hackable. Users with high amounts usually favor cold wallets.
    Let's think of adding better security to wallets, and especially online ones.



  • you just type in what you want your passphrase to be and it will generate you a new wallet using that passphrase.. no, you can't change a wallet's passphrase



  • or use the address generator and get a really long password! :-)



  • @Jumper Have you still got a Burstcoin faucet? Or is it down permanently?



  • Is there a way to change the passphrase I was originally given? I want to use some of the tips above and change mine now.



  • @GamerKurisu no... the address is generated from your passphrase, so the only thing you can do is create a new account with the passphrase you desire and send all to the new account...

    Your passphrase is the private key of your account, if I am not mistaken!



  • Can someone give me a link with the wordlist used to generate passphrases?



  • So to put in perspective how many passwords can be generated by a list of 1626 words in a 12-word combination, the number would be
    341,543,870,028,173,427,817,970,975,906,355,941,376
    or
    341 undecillion
    which can be broken down into
    341 billion billion billion billion

    Now for a look at the account address:
    with a combination of 16 of 36 chars (numbers and alpha) the equation would look like this: 36^16
    which looks like this in integer form
    7,958,661,109,946,400,884,391,936
    or
    7 septillion
    which can be broken down into
    7 million billion billion

    At first glance you may notice the first equation has a much higher output, which may also lead you to believe that there must be an overlap somewhere, or not enough addresses for passphrases, but you'd be wrong.
    You see, there are only 7,483,400,959 people in the world. http://www.worldometers.info/world-population/

    This means that each person on the planet today gets ~1,063,565,563,269,597 accounts to themselves.
    or
    This means that each person on the planet today gets ~45,642,639,319,547,431,219,827,739,664 passphrases to themselves.

    This also showcases that the chance for replication is less than the chance of a newly generated key by a factor of billions. This doesn't mean that it's impossible, but more likely than not a simple check to make sure the account isn't in use is made.

    As for what @jumper has said above, I have taken it upon myself to make an application that will brute-force the local db. It only took 2 hours and I made it in C#.

    I'm not sure of the sharing policy on the forums about releasing brute-force apps to knock on the gates of Burstcoin's security, but the program will be posted on my github page.

    Big thanks to http://www.wolframalpha.com/ for crunching these numbers, as normal computer programs can't handle the task due to insufficient numeric memory allocation.

    @Miky GoTo: https://forums.burst-team.us/topic/3838/regarding-the-recent-theft-of-burst-accounts/11
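The arithmetic argued over in this thread (the admin's 128-bit claim for a 1300-word list, and the 1626^12 versus 36^16 comparison in the post above), carried through as an added example that is not code from the thread or from the Burst project. Python integers are arbitrary-precision, so the full values fit without the overflow the poster mentions; the word-list sizes, the 36^16 address model and the population figure are the ones quoted in the thread, while the attacker guess rate is an assumed placeholder.

```python
from math import log2

# Inputs quoted in the thread: 1300 from the admin's post, 1626 and the
# 36^16 address model and population from the last post. The guess rate
# is an assumed placeholder, not a figure from the page.
WORDLIST_SIZES = (1300, 1626)
WORDS_PER_PHRASE = 12
ADDRESS_ALPHABET = 36            # 0-9 and A-Z, as the post models it
ADDRESS_LENGTH = 16
WORLD_POPULATION = 7_483_400_959
GUESSES_PER_SECOND = 10**12      # assumed attacker throughput
SECONDS_PER_YEAR = 365 * 24 * 3600

def passphrase_space(wordlist_size, words_per_phrase):
    """Distinct passphrases: order matters and a word may repeat."""
    return wordlist_size ** words_per_phrase

def address_space(alphabet_size, length):
    """Distinct addresses under the post's 36^16 model."""
    return alphabet_size ** length

def entropy_bits(space):
    """Bits of guessing entropy for a uniformly chosen element of `space`."""
    return log2(space)

def per_person(space, population):
    """How many elements each person on Earth could claim (integer division)."""
    return space // population

def years_to_exhaust(space, rate):
    """Worst-case time to try every element at `rate` guesses per second."""
    return space / rate / SECONDS_PER_YEAR

def report():
    """Collect the figures the thread argues over in one dictionary."""
    addr = address_space(ADDRESS_ALPHABET, ADDRESS_LENGTH)
    out = {"addresses": addr,
           "addresses_per_person": per_person(addr, WORLD_POPULATION),
           # chance that one random guess lands on a specific address
           "per_guess_hit_probability": 1 / addr}
    for n in WORDLIST_SIZES:
        space = passphrase_space(n, WORDS_PER_PHRASE)
        out[n] = {"passphrases": space,
                  "bits": round(entropy_bits(space), 1),
                  "per_person": per_person(space, WORLD_POPULATION),
                  "years_to_exhaust": years_to_exhaust(space, GUESSES_PER_SECOND)}
    return out

if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

Because there are more passphrases than addresses, the pigeonhole principle guarantees that several passphrases share an address; the per-guess hit probability shows why that does not make any particular in-use address findable.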

