@rds i think i can shed light on burst account generation
i researched after reading this thread
https://forums.burst-team.us/topic/142/security-question-how-safe-is-our-password-account/4
- passphrase (of whatever length) is hashed sha2 256 (same private key address space as bitcoin 256 bits)
- hash output is used as private key in curve25519 to generate (32 byte) public key
- public key is hashed sha2 256
- first 8 bytes are order reversed (little endian) by bytes and used as long id
- long id is displayed using nxt reed solomon (see https://nxtwiki.org/wiki/RS_Address_Format) for human readablity and error correction in entry
wallet source outlining the steps:
https://github.com/burst-team/burstcoin/blob/master/src/java/nxt/crypto/Crypto.java#L53
https://github.com/burst-team/burstcoin/blob/master/src/java/nxt/Account.java#L338
https://github.com/burst-team/burstcoin/blob/master/src/java/nxt/util/Convert.java#L99
as far as collisions, the 8 byte long id presents a problem, but if the public key is on the block chain (after first out going transaction) it is checked for outgoing transaction verification. so the account is protected by full 256 bit private key, same space as bitcoin.
hope this is clear and helps.
additional there is analysis of the strength currve25519 implementation of nxt
http://crypto.stackexchange.com/questions/12743/is-curve25519-java-secure