
Topic: Nxt Coins stolen/ Hacked be warned - page 3. (Read 4600 times)

legendary
Activity: 1372
Merit: 1000
September 24, 2014, 07:17:57 AM
#38
Nullu, no one is blaming anyone really; it is merely a warning to people wanting to invest in Nxt. If they see it as a trustworthy coin then they must use a 3rd party random character generating app. Simple as that, and if they don't they could well lose all their coin.
hero member
Activity: 532
Merit: 500
September 24, 2014, 03:57:17 AM
#37
Threads like this annoy me.

Mainly because it's always NXT that's blamed, and not the user for not taking adequate security measures. In cases such as these, it's never proven to be an NXT security flaw. It could just as easily have been a trojan on your PC, a keylogger, or a man-in-the-middle attack. If YOU got hacked, then there's nothing wrong with NXT. Your system was compromised.

That's like blaming the bank because someone stole your credit card.

Security could be much better with NXT, and that is where the criticism should be aimed here, but I seriously doubt someone managed to "hack" into your NXT account unless they compromised you or your password. Otherwise, people would be losing NXT left, right and centre.

Perspective, please.
legendary
Activity: 1372
Merit: 1000
September 24, 2014, 03:35:21 AM
#36
Hi, the pass phrases I always use, which are different every time, are a mixture between Chinese pinyin and simple English words. So I guess you can really say they are random, yes.
sr. member
Activity: 336
Merit: 260
September 24, 2014, 02:34:09 AM
#35
I also heard that Mark Karpeles was hacked and lost 800,000BTC coz NXT is not safe enough.

We must blame NXT folks!!! :D

Edit: I was being sarcastic

Whatever happens, blame Canada NXT.
legendary
Activity: 952
Merit: 1000
Yeah! I hate ShroomsKit!
September 24, 2014, 02:31:52 AM
#34
I also heard that Mark Karpeles was hacked and lost 800,000BTC coz NXT is not safe enough.

We must blame NXT folks!!! :D

Edit: I was being sarcastic
sr. member
Activity: 336
Merit: 260
September 24, 2014, 01:27:34 AM
#33
You have to think about each word as if it was a single letter in an alphabet, because that's how the cracker would work, it would shift through words instead of letters.

Except if you use words there are thousands in the 'alphabet' (=dictionary) to choose from not just 26 letters, and thousands of different 'letters' ensure 128+ bit entropy, which is impossible to crack.
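The arithmetic behind the words-versus-characters argument in this thread, as an added example that is not part of any post. It assumes every symbol is drawn uniformly at random by a CSPRNG; the 7776-word size is the Diceware list linked in the thread, while the other pool sizes, the function names and the demo word list are illustrative assumptions.

```python
import math
import secrets

def entropy_bits(pool_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols, each drawn uniformly and
    independently from `pool_size` options. A "symbol" may be a character
    or a whole word. Human-chosen phrases do not meet this assumption."""
    return length * math.log2(pool_size)

def symbols_needed(pool_size: int, target_bits: float = 128) -> int:
    """Fewest random symbols from the pool that reach `target_bits`."""
    return math.ceil(target_bits / math.log2(pool_size))

def min_pool_size(length: int, target_bits: float = 128) -> int:
    """Smallest pool for which `length` random symbols reach `target_bits`."""
    return math.ceil(2 ** (target_bits / length))

def generate_passphrase(wordlist: list[str], n_words: int) -> str:
    """Draw words with the OS CSPRNG (secrets), never random.choice()."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("duplicate words shrink the real pool size")
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))

# Schemes mentioned in the thread: (pool size, length). Sizes other than
# the 7776-word Diceware list are illustrative assumptions.
SCHEMES = {
    "12 words, 7776-word Diceware list": (7776, 12),
    "12 words, 2048-word list": (2048, 12),
    "50 chars, 94 printable ASCII": (94, 50),
    "30 chars, lowercase a-z only": (26, 30),
}

def compare() -> dict[str, float]:
    return {name: round(entropy_bits(*s), 1) for name, s in SCHEMES.items()}

# Constructed 8-word demo list: far too small for real use (3 bits/word).
DEMO_WORDS = ["amber", "brick", "cedar", "delta", "ember", "flint", "grove", "haze"]

if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{bits:6.1f} bits  {name}")
    print("words needed for 128 bits from 7776:", symbols_needed(7776))
    print("smallest list for 12 words at 128 bits:", min_pool_size(12))
    print("demo:", generate_passphrase(DEMO_WORDS, 12))
```

These figures describe the generating process, not the resulting string: a sentence taken from a book has the same length as a random 12-word phrase but none of its entropy.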
legendary
Activity: 1536
Merit: 1000
electronic [r]evolution
September 23, 2014, 08:21:17 PM
#32
To me it seems that length is more important than the amount of different characters so to say. If random, obviously. If OP's password was indeed random I don't see how a password that long could possibly be brute forced.
I'm not a supporter of NXT, but that is a common misconception. The OP used what appears to be a list of lowercase English words. It's quite easy to build a brute forcer which cracks those types of pass phrases. You have to think about each word as if it was a single letter in an alphabet, because that's how the cracker would work, it would shift through words instead of letters. Now when you think about it that way it's easy to see why the OP's password was weak. EDIT: well actually no, it would be hard to crack, but I think it would be possible.
hero member
Activity: 854
Merit: 1001
September 23, 2014, 07:34:06 PM
#31
Sort of sad that one has to generate some crazy password in order to secure an account. Every time someone's NXT gets stolen, it's always the same thing. Oh your password wasn't good enough. Can someone point out some other coins that have this issue? Cause it seems to me NXT gets a lot of stolen NXT reports and would point to a fundamental problem with NXT. Just sayin.

Because NXT is a brain wallet, your password is your account.
No need for a local wallet.dat that can get lost/stolen (and there's lots of malware that looks for wallet.dat these days), if your house burns down, taking your PC with it, no worries. No need for backups.....I like the brainwallet, I've had no problems so far with it and I've been using NXT very actively, on multiple accounts, over the last 10 months.

Every guide to NXT, and the client itself, gives information about password security, the client itself provides a (so far) unbreakable password generator, but still some people use a stupid password like a phrase from the Bible or the Russian constitution.
This is what is happening: http://en.wikipedia.org/wiki/Rainbow_table
Btw, a rainbow table is also what the bad guys will use to open your wallet.dat if they can steal it, so pay attention to NXT level of password security on ALL crypto.
Securing a BTC wallet with a quote from your favourite song will not keep out the bad guys for more than a few minutes at most, if they can access/copy it.

Anyway, there is a problem, and we need to try to solve it. I've posted much of the info that I have on the thefts on nxtforum.org:
https://nxtforum.org/general-discussion/help!-my-nxt-account-stolen-account-for-nxt-wczn-dgql-xm69-62l3n/msg106530/#msg106530
(copy and paste, the stupid ! breaks the URL)

I'm offering a 5000 NXT bounty for help with recovery of the stolen funds, so if you want to help......feel free to join in.

sr. member
Activity: 686
Merit: 320
September 23, 2014, 07:03:50 PM
#30
Sort of sad that one has to generate some crazy password in order to secure an account. Every time someone's NXT gets stolen, it's always the same thing. Oh your password wasn't good enough. Can someone point out some other coins that have this issue? Cause it seems to me NXT gets a lot of stolen NXT reports and would point to a fundamental problem with NXT. Just sayin.
hero member
Activity: 617
Merit: 528
September 23, 2014, 06:31:04 PM
#29
I understand. And it's crap that you got robbed. But all I'm trying to say is that a string of random words is the best password imaginable.

http://en.wikipedia.org/wiki/Password_strength#Determining_password_strength

http://en.wikipedia.org/wiki/Diceware

Since I only understand about 50% of what I just posted above, I sometimes use counterwallet.co for generating passwords.
sr. member
Activity: 368
Merit: 250
September 23, 2014, 06:16:10 PM
#28
I'm really sorry your account got hacked.  It happened to me last month.  It was my own fault; my password was too weak.  I felt really terrible.  It's a crappy thing to have happen.  I will never use words as a password again.  I now have 50 random characters.

This is BS if I may. A sufficiently long set of random words is safer than random characters. Random characters are a pain in the ass to copy/type from paper, are prone to ctrl+c mistakes and look terrible.

Obviously "in the beginning the lord created the heaven and the earth" isn't a good password.
"nail presence nature closet flame deal movement sanity chill yourself shimmer" is however.

If you're smart and rely on a series of words as a seed you should of course always realize that the human brain is especially terrible at creating randomness. So, when in need of a good and usable password, have a computer generate a random string of 12 words for you.

In OP's case, I'm curious to what extent this was a random password.


You can say it's BS all you want.  I'm relating from experience.  I know that my password now is stronger than it was.  I don't have the wherewithal to calculate the strength of passwords, so I'm going with what I've got.
hero member
Activity: 617
Merit: 528
September 23, 2014, 06:08:28 PM
#27
I'm really sorry your account got hacked.  It happened to me last month.  It was my own fault; my password was too weak.  I felt really terrible.  It's a crappy thing to have happen.  I will never use words as a password again.  I now have 50 random characters.

This is BS if I may. A sufficiently long set of random words is safer than random characters. Random characters are a pain in the ass to copy/type from paper, are prone to ctrl+c mistakes and look terrible.

Obviously "in the beginning the lord created the heaven and the earth" isn't a good password.
"nail presence nature closet flame deal movement sanity chill yourself shimmer" is however.

If you're smart and rely on a series of words as a seed you should of course always realize that the human brain is especially terrible at creating randomness. So, when in need of a good and usable password, have a computer generate a random string of 12 words for you.

In OP's case, I'm curious to what extent this was a random password.


Again it seems you don't bruteforce anything to know that different characters and symbols will make everyone take more effort to crack your password. And once they are about to do it, you are supposed to change your password every year or half a year. Depends how many times you use it, and which location.

To me it seems that length is more important than the amount of different characters so to say. If random, obviously. If OP's password was indeed random I don't see how a password that long could possibly be brute forced. So, OP got hacked, OP's password wasn't random or NXT has a vulnerability. I opt for 1 or 2.
hero member
Activity: 617
Merit: 528
September 23, 2014, 05:54:11 PM
#26
I'm really sorry your account got hacked.  It happened to me last month.  It was my own fault; my password was too weak.  I felt really terrible.  It's a crappy thing to have happen.  I will never use words as a password again.  I now have 50 random characters.

This is BS if I may. A sufficiently long set of random words is safer than random characters. Random characters are a pain in the ass to copy/type from paper, are prone to ctrl+c mistakes and look terrible.

Obviously "in the beginning the lord created the heaven and the earth" isn't a good password.
"nail presence nature closet flame deal movement sanity chill yourself shimmer" is however.

If you're smart and rely on a series of words as a seed you should of course always realize that the human brain is especially terrible at creating randomness. So, when in need of a good and usable password, have a computer generate a random string of 12 words for you.

In OP's case, I'm curious to what extent this was a random password.
sr. member
Activity: 462
Merit: 250
September 23, 2014, 04:26:48 PM
#25
Assuming it's a vulnerability in NXT seems like a leap at this point. It seems equally likely from here, for instance, that some national intelligence service is surveilling you, and one of its agents decided to take personal advantage of knowing your NXT account's password. :)

After all, so far you're the only person to claim this, and the amount they could steal was relatively small and a matter of public record.  If they can do that, why would they pick on small fry?
sr. member
Activity: 368
Merit: 250
September 23, 2014, 02:41:58 PM
#24
I'm really sorry your account got hacked.  It happened to me last month.  It was my own fault; my password was too weak.  I felt really terrible.  It's a crappy thing to have happen.  I will never use words as a password again.  I now have 50 random characters.
legendary
Activity: 1588
Merit: 1000
September 23, 2014, 02:22:27 PM
#23
hi devphp the pass phrase is like this
tim cum sim prawn gin yuk bim rarl per tip pop from

It is NO more complicated or NO MORE simplified. If you want to call me a liar by not posting MY pass phrase to cover up security issues with nxt then carry on please.

If I was going to lie about it I would include numbers and characters to make myself look bullet proof to any hacks. The fact is I was hacked and nobody has said there is a problem with the pass phrase. Which means nxt in my opinion is not secure enough if the strength of my pass phrase is ok.

I'm totally with you on this.

Here you have these pro-devs and uber-geeks...
SCOLDING you that to use NXT you must become an amateur cryptologist...
And use THIRD PARTY software to secure your account...
Plus a long list of other things you should do probably involving a clean Linux install or whatever...
And it never ends there... because there IS NO ENDPOINT TO CRYPTO SECURITY.

Let's see...
You have a wallet written by anon devs...
In fact, there are multiple 3rd party wallets and "official" sites for NXT...
Controlled by about 10 people who control NXT...
And you log into their web site with your "secret" password... what can possibly go wrong?

In a world of biometrics, ubiquitous security fobs, smart cards, etc, etc...
These rocket scientists have decided that you will be protected ONLY by a password...
Which is 3,000 year old technology used by the Romans.

Normal adult people would rather just use a bank, Visa, and Paypal...
Than live a SHADY life constantly worried about being hacked or scammed.

member
Activity: 121
Merit: 10
September 23, 2014, 11:31:19 AM
#22
NxT says you need at least a passphrase about 100 digits big if not longer.

It doesn't have to be that long (30-50 chars is enough), but it has to be strong. Here are some guidelines:

http://wiki.nxtcrypto.org/wiki/How-To:GenerateStrongPassword
http://nxtcoin.blogspot.de/2014/01/nxtmyths-5-unsafe-password.html
http://en.wikipedia.org/wiki/Password_strength#Guidelines_for_strong_passwords

Use KeePass/1Password to generate and manage your strong passwords, it makes it easy and comfortable

Configure Keepass to generate a random 100 character password of upper and lower case letters, digits, and special characters.
legendary
Activity: 924
Merit: 1000
September 23, 2014, 11:01:26 AM
#21
I have less than 30 alphabet password and never got hacked. No number, dot, comma or anything. Don't blame coin for your own mistakes, if someone can hack into your computer and copy wallet.dat file without the encryption will you still blame BTC for that?

Same here: only 24 chars in my case, until the Nxt client added a force to put in 36 or more, after which I shifted to a 48-char passphrase that was two 24-chars concatenated together. I've never been robbed, once. Chalk it up to "randomly-generated."

Of course, I also use the PerfectGuard anti-keylogger suite...
sr. member
Activity: 336
Merit: 260
September 23, 2014, 09:08:46 AM
#20
OK, well it is funny how the nxt community didn't say it wasn't strong enough and they also said it could not be brute forced.

It's never enough when it comes to security, but since you don't post your passphrase, it's hard to tell if it's strong enough or not. What's generated by the client for newbies is strong enough. This has been verified by a few security experts. When you make your own passphrase, nobody can say if it's secure enough, especially if you don't present it. I am not saying you're a liar, but I don't have to believe you either.

Other software projects use the same 12-word approach, like Counterparty or Dogeparty, where you have 12 random words that the private key is generated from (https://wallet.dogeparty.io/). Just 12 dictionary words, selected randomly, so it's not like NXT is pioneering anything here in generation of passphrases for newbies.
legendary
Activity: 1372
Merit: 1000
September 23, 2014, 08:42:05 AM
#19
Bitcoin is more secure, full stop. Also the nxt community should be warning against these pass phrases if they are not secure. I am not blaming anyone for my own stupid mistake by choosing a pass phrase that the nxt community did NOT think was a risk. I am merely posting this as a warning for new people who are thinking about buying nxt coins.

I would not wish this to happen to anyone else and I would not like any hacker to benefit from it.
So you have the same security pass phrase after reading this will you open a new account?