Security question - how safe is our password/account?



  • @Jumper said in Security question - how safe is our password/account?:

    @luxe

    Hello Luxe, yeah it's me again.

    I was playing a bit with the security of the Burst code. (Please note that my real job is related to software security, so I was really interested to see how secure this BURST network is.)

    So, I will not tell anyone how I did it and will not replicate it with any address people provide here, but I will tell you an example and will prove it.

    I picked up a BURST address randomly: (Hi, owner of this address. What I will demonstrate below is only to show, as an example, how easily I can access your account. Nothing else. No one will get your passcode.)

    As we can see, this account is possibly related to a person in Russia (based on the set name); the first transaction was 9 months ago and the last transaction 5 months ago. (I discovered BURST approx. 3 months ago.)

    So, my BURST address is BURST-YFW8-EJLM-U9HB-EDVZ3

    I will deposit 1000 BURST into that address. I know, that does not prove anything.

    However, I will also get back the coins to my own address (minus the fees)

    This is how secure it is :)

    Interesting...
    You used brute force? Found a Burst address randomly by trying random characters?
    Any proof that the other address is not one of yours?

    Ben



  • @BenBurst

    Hehe, you believe in what you want. If you read my post, I said I will not tell anyone how I did.

    But yes. It is possible.



  • If these addresses are not yours and you get access to them, you are doing something illegal; there are not a lot of ways to get in.
    I'm pretty sure we're speaking about brute forcing addresses with low-security passphrases.

    Ben



  • @BenBurst The only possible way.



  • However if you solo mine and leave logs on then it isn't secure. Can we change that?



  • @BenBurst

    Well, it is illegal if I use it in a malicious way.

    However, as I have previously written, I wanted to see how secure it is. The result: it is not secure.

    Everyone interprets this the way they want. As for me, I will convert BURST to BTC, which is way more secure.

    That was my last post here. Sorry.



  • @Zeus said in Security question - how safe is our password/account?:

    @BenBurst The only possible way.
    Hey there,
    Not exactly; as Luxe says, getting details from a fake online wallet is possible, but that means the error comes from the user...

    Ben



  • I made a test wallet, BURST-6VMU-X4YC-523C-H4PTE. I don't plan on using it; crack it if you can ... I named it "test wallet" and funded it with 5 BURST from a faucet.



  • @Jumper said in Security question - how safe is our password/account?:

    @BenBurst

    Well, it is illegal if I use it in a malicious way.

    However, as I have previously written, I wanted to see how secure it is. The result: it is not secure.

    Everyone interprets this the way they want. As for me, I will convert BURST to BTC, which is way more secure.

    That was my last post here. Sorry.

    You brute forced 2 addresses with almost nothing on them, and I'm pretty sure with auto-generated passwords, and you say that Burst is not secure?

    eheh, you're a good one.



  • If he worked in security as I do, he should know that every password, email, or service can be hacked in one way or another. He says BTC is far more secure, yet BTC has had far more money stolen than any other cryptocurrency. And many, many times it's only the fault of the user for using passwords like the ones @luxe said.

    Using only a passphrase is far more secure than using a username/password while the username is already known and the password is only a couple of brute-force minutes/hours away (like a password of 5 characters or fewer, very often used).

    Happy to see you leave. Good Bye! ^_^



  • This is a real problem. If you let the wallet generate your password, it can be easily guessed. Try making your own password, like "HelloThisIsMy_passWORDandNOONE_should__guess____it12345". The example above is very secure because it is 55 characters long and contains numbers and _. It's almost brute-force-proof.



  • @Miky yes, I was just talking to @gpedro about this. I would not recommend using the generated words. Why? Because anyone can download the wordlist from the GitHub page, and that way the brute force can take less time than for a completely randomly generated passphrase. Me, I use a password generator and have something like this for my string:

    $eS3pnf7Zpl!@UtW1A@G3%L%y?@?z$Hy.wz1MrVj$bFoFGWk-V.X]%[m[h5BzlBG4D!)uf[!cfVP-!?i2c^BdEG6YM3iYtqJuqyRH%4qZw}4pJ0iH!ibuPSQC%9^F^rXc8SQuzN$is!@^Wp@j#jJXZ{mtpRXXw0@Sytp%wKrHYtB}^[)MR2x(JGwk5J[cFUJ?RzQgC5j-Rd@5Gtz.A8XP%8FcmImb4DcMkZ*KtmE}#M@*JmWALppyrYJ{e)r

    Imagine trying to find that with brute force: oufff, many years lost just trying without success. And no, that's not the length I use either. So never discuss the length of your passphrase. For example, for a brute force here, people can already own the wordlist and even know how many words are used (12), so all you need to do is try all the possible combinations of words in a phrase of 12 words.

    Still, this can take a very long time to accomplish, but it is not as secure as when the "hacker" doesn't know anything about your passphrase.

    I still have some autogenerated wallets, and I'm not very concerned about the "safety" of them even if I hold more than 200k on those, but I know that the risk is extremely low.


  • admin

    @Zeus said in Security question - how safe is our password/account?:

    $eS3pnf7Zpl!@UtW1A@G3%L%y?@?z$Hy.wz1MrVj$bFoFGWk-V.X]%[m[h5BzlBG4D!)uf[!cfVP-!?i2c^BdEG6YM3iYtqJuqyRH%4qZw}4pJ0iH!ibuPSQC%9^F^rXc8SQuzN$is!@^Wp@j#jJXZ{mtpRXXw0@Sytp%wKrHYtB}^[)MR2x(JGwk5J[cFUJ?RzQgC5j-Rd@5Gtz.A8XP%8FcmImb4DcMkZ*KtmE}#M@*JmWALppyrYJ{e)r

    Yep, however it was generated, that's how a password for a secure account should look :-)



  • If you go to the plethora of email accounts, you will find many with passwords that are easily hacked because people use their pet names etc. This can be the case here, or am I mistaken?


  • admin

    @MikeMike I had a test account with a weak password - only 16 characters - and it got hacked. Brute forcing is possible, but if you use the wallet-generated passwords, you're pretty safe. You can always append to the recommended one to make it even harder.


  • admin

    @Jumper tell me, and just me how you did it, or your post is just FUD and I'll delete this thread. If there is a reproducible way to compromise an account, tell me what it is.



  • @haitch and we will fix it :) or at least someone from devs :D


  • admin

    @Zeus From memory there are about 1,300 words in the wallet dictionary for generating passwords. That gives a password complexity of about: 3.15951902191631E+3485 - that's 3 followed by 3,485 0's possible passphrases. For comparison, the upper range for the number of atoms in the entire universe is around 1E+82.

    I'm too tired to do the math to work out how much more complex the possible passphrases are - but trust me, it's a friggin lot - more than the atoms in the universe ........
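    The thread compares a wordlist passphrase that an attacker can model (known list, known word count) against a long random character string. The following is an added example, not code from the thread or the Burst wallet; it takes the 1,300-word dictionary and 12-word count mentioned above as assumed inputs, a 95-symbol printable-ASCII alphabet for the character-string case, and a constructed guess rate of 10^9 candidates per second.

```python
import math

# Assumed figures taken from the thread: a ~1,300-word wallet dictionary and
# 12-word generated passphrases. The guess rate is a constructed assumption
# used only to turn entropy into a worst-case exhaustive-search time.
DICT_WORDS = 1300
WORDS_PER_PASSPHRASE = 12
PRINTABLE_ASCII = 95            # symbols a character-level generator draws from
GUESSES_PER_SECOND = 1e9        # assumed offline guessing rate
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace_size(alphabet_size: int, length: int) -> int:
    """Number of distinct secrets when `length` symbols are drawn uniformly."""
    return alphabet_size ** length


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """The same keyspace expressed as bits of entropy (log2 of keyspace_size)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Worst-case years to try every candidate at the given guess rate."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare(dict_words: int = DICT_WORDS, words: int = WORDS_PER_PASSPHRASE,
            char_len: int = 55, charset: int = PRINTABLE_ASCII) -> dict:
    """Wordlist passphrase, modelled by an attacker who knows the list and the
    word count, versus a uniformly random character string of char_len symbols
    (55 is the length of the hand-made example earlier in the thread)."""
    word_bits = keyspace_bits(dict_words, words)
    char_bits = keyspace_bits(charset, char_len)
    return {
        "wordlist_bits": word_bits,
        "wordlist_years": years_to_exhaust(word_bits),
        "chars_bits": char_bits,
        "chars_years": years_to_exhaust(char_bits),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:15s} {value:.3g}")
```

    The point the numbers make is that an attacker who holds the wordlist only has to search 1300^12 candidates (about 124 bits), which is far smaller than the figure quoted above but still well beyond exhaustive search at any realistic rate; appending your own characters, as @haitch suggests, moves the search back toward the character-level case.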



  • @haitch Good idea, just delete this, because it only gets people scared of things that should not be a concern; everyone knows that a freaking "123456" password is hackable, here and anywhere else.

    Yes, I know that there are A LOT of generated-word possibilities; even with that, it's extremely hard to get an active working Burst wallet.
    I still hold some pre-generated passphrases.


  • admin

    @Zeus I'll give @Jumper an opportunity to respond - but if he doesn't provide proof, then this is gone.

