In light of the recent theft of @lexicon 's account and possibly @ZapBuzZ , many people are throwing around solutions like 2FA, Google Authenicator etc. Others are asking about hardware options, which from what I gather do not exist. Other claim Burst security is flawed because people without any permission can drop asset and/or coin into their accounts.
The underlying question for me is that unlike, the Bitcoin protocol, I have no idea how a Burst account public address is generated from a random passphrase.
Hold that thought while we look at Bitcoin. Ether is a similar situation.
A private key of a Bitcoin address is one of 2^256, 256 bit numbers. If you have this key you have access to the address. If the address has coin associated with it, you can get it.
The recognizable private key is some sort of hashing of the 256 bit number, but is a one to one mapping. So given any 256 bit number, I can generate the bitcoin private key and the bitcoin address.
So to steal all the bitcoin in every address, I can generate a random 256 bit number, find the address associated with it. Look at that address on a blockchain explorer, and if there is coin at the address, use the private key to remove it.
The reason that is not viable is that there are ~10^77 unique 256 bit numbers. This number is larger than all the atoms in the universe, etc. etc.
Point being, you will never randomly stumble onto an active bitcoin address.
If you did have supercomputing power to even try, it would be more viable to just devote that power to mining and obtain coin legally.
Can we say the same about Burstcoin account numbers?
How is a Burstcoin account number generated from a random passphrase?
How many unique account numbers are there?
What if there are 10 million. I can write a program to just generate a random passphrase, look to see if there is any Burst in the associated account and clean them out. 10 million might take a day to check all possible addresses. OK, maybe there are 100 million, it will take longer. 1 billion, longer. But are there more addresses than grains of sand in the universe and are all private keys mapped one to one to a public address? Point is how many are there? Also, where is the algorithm documentation to show that two different passphrases won't generate the same account. As far as I know there is no transparency in this space.
So, maybe it IS possible for a brute force attack. Maybe a 7 digit passphrase generates the same account number as @lexicon 's 222 digit passphrase?
If there was full documentation of the Burstcoin protocol relating to address generation, it would satisfy the cry for hardware storage, and paper style wallets.
Right now, the only way I know how to generate a Burstwallet address is to use the AIO wallet software.
If the algorithm for address generation was public knowledge, then I could write a program to generate that address on an air gapped computer and either store that passphrase on that air gapped machine (hardware wallet) or a piece of paper (paper wallet).
I wrote a 30 line python program to do just that. To generate Bitcoin and Ether paper wallet addresses. I use them exclusively to store the bulk of my BTC and ETH. I use online wallets for small amounts, shopping money etc., but the bulk amounts are stored in addresses that have never touched the internet.
Additionally, I see no security issue with anyone dropping anything in my Burst account. This is no different than any other blockchain currency AFAIK.
Food for thought.
