Fun fact: the genesis account http://www.mynxt.info/blockexplorer/details.php?action=ac&ac=1739068987193023818 that credited all the original stakeholders used this passphrase:
Quote from: 1984 - George Orwell
It was a bright cold day in April, and the clocks were striking thirteen.
As I've pointed out in my first post (https://nextcoin.org/index.php/topic,3608.msg34002.html), 1.5% of NXT accounts are trivially crackable with a 15 line script and a widely-available passphrase list (the rockyou leak dataset).
I've let my script keep running on more lists since then and at current measure have recovered the passphrases of a little more than 3% of all accounts that have ever been used. Since genesis ~8M NXT has been sent to these "weak" accounts.
As I pointed out in my original post, my motivation for doing this was to investigate the root cause of the rash of thefts that had been reported (since I suspected weak passphrases) as well as prod the devs to drop the brainwallet-based key management scheme as the default option. I actually cracked the genesis account a few days ago but originally thought my code was just buggy when I saw its balance was negative ... LOL.
As a side note, I should point out that widespread knowledge of the genesis account key isn't a security issue per se. Although I'd advise devs to be defensive moving forward about the possibility of integer overflow/underflow whenever dealing with amounts/fees now that the whole world has access to an account with a negative balance.
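The defensive handling of amounts and fees advised in the post above, as an added example that is not part of the original thread and is not Nxt's own code. It assumes amounts and fees are signed 64-bit integers; the `Ledger` class, its methods, the account names and the balances are hypothetical and constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration: a hypothetical ledger, not Nxt's implementation.
public class Ledger {
    private final Map<String, Long> balances = new HashMap<>();

    public void setBalance(String account, long value) { balances.put(account, value); }
    public long balanceOf(String account) { return balances.getOrDefault(account, 0L); }

    /** Debits amount + fee from sender; rejects anything that would wrap or overdraw. */
    public void transfer(String sender, String recipient, long amount, long fee) {
        if (amount <= 0 || fee < 0) {
            throw new IllegalArgumentException("amount must be positive, fee non-negative");
        }
        long newSender;
        long newRecipient;
        try {
            // amount + fee can exceed Long.MAX_VALUE and wrap negative.
            long debit = Math.addExact(amount, fee);
            // A negative balance minus a large debit can wrap to a positive value.
            newSender = Math.subtractExact(balanceOf(sender), debit);
            newRecipient = Math.addExact(balanceOf(recipient), amount);
        } catch (ArithmeticException e) {
            throw new IllegalArgumentException("arithmetic overflow in transfer", e);
        }
        if (newSender < 0) {
            throw new IllegalArgumentException("insufficient funds");
        }
        balances.put(sender, newSender);
        balances.put(recipient, newRecipient);
    }

    public static void main(String[] args) {
        Ledger ledger = new Ledger();
        ledger.setBalance("genesis", -1_000_000_000L); // constructed negative balance
        ledger.setBalance("alice", 100L);              // constructed

        // Plain subtraction wraps here, so a naive "balance - debit >= 0" test would pass.
        long unchecked = ledger.balanceOf("genesis") - Long.MAX_VALUE;
        System.out.println("unchecked result is positive: " + (unchecked > 0));
        try {
            ledger.transfer("genesis", "alice", Long.MAX_VALUE, 0);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```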
Breaking news... Nxt genesis account compromised. 3% of all Nxt accounts already compromised.
Breaking news...FCs spread their usual FUD.
And don't acknowledge the source:
https://nextcoin.org/index.php/topic,3752.0.html
In other words, don't worry too much.