NXT :: descendant of Bitcoin - Updated Information - page 1961.

Come-from-Beyond

legendary

Activity: 2142

Merit: 1010

Newbie

Quote from: Vega on January 01, 2014, 02:22:29 PM

Making them reveal the password don't help if they really have (had) Nxt, not just picking a random account/transaction for back PR. Anyone who has Nxt can transfer them to a new account and say they been hacked, revealing password won't disprove that.

I've already seen 2 trolls who were too lazy to create accounts with secure passwords in advance. They just stated that were hacked but were unable to provide passwords that would match account ids.

rickyjames

full member

Activity: 196

Merit: 100

Quote from: mr_random on January 01, 2014, 01:50:39 PM

Quote from: jl777 on January 01, 2014, 01:48:29 PM

offline mining of all NXT accounts in parallel
problem gets worse the more NXT accounts there are
this attracts more hackers the more NXT is worth
This will create an equilibrium effect like a boat anchor to a hot air balloon. The more NXT succeeds, the more it will be hacked.

CfB, tell me there is a solution that is more effective than the user needs to not be unlucky

James

If they can do this with NXT why can't they do it with Bitcoin?

You can take bitcoin offline and put it in a safe deposit box with an airgap disconnected from the internet. Not everybody does this, but IT IS AN AVAILABLE OPTION. We need a similar available option.

Come-from-Beyond

legendary

Activity: 2142

Merit: 1010

Newbie

Quote from: laowai80 on January 01, 2014, 02:17:08 PM

What's a legit DDoS attack? You mean newcomers doing something legit all at the same time and overloading the network?

Or hackers DDoSing the network when newcomers try new features to show NXT in unfavorable light?

Just a lot of users overloading public nodes. Game publishing companies face this problem each time they launch an online game.

joefox

full member

Activity: 210

Merit: 100

Damelon and I both had the same impulse and created an "account security" page for passphrase generation warnings.

I've merged his and mine together here: http://wiki.nxtcrypto.org/wiki/Account_Security

It's intended to be written for laypeople, so I stayed away from math (even though it pains me to day so). Frankly, I think I may have tipped the balance too far into "you WILL be robbed" territory, but I'd rather make people paranoid than have too many more folks using "boobs" as a password.

At this point, the How To Create Account page is littered with warnings (and, I hope, TOOLS to manage the issue)

laowai80

member

Activity: 98

Merit: 10

Quote from: notsoshifty on January 01, 2014, 02:21:15 PM

Your reasons are valid, and I don't see why you should be asked to put your password on a public forum. The very most you should be expected to do is send it to a trusted third party (e.g. c-f-b), who can verify that e.g. i) your password does indeed equate to your accountId, and ii) it looks like a nice long randomish password.

What if not everyone trusts that trusted third-party and still will believe the account was hacked or not.
The password should be in public.

Vega

hero member

Activity: 739

Merit: 500

Quote from: laowai80 on January 01, 2014, 02:13:41 PM

I would say, the future policy on hack claims should be:
No password revealed = no hack happened.
Everyone can say they were hacked, prove it.
Otherwise, hundreds of black PR artists all could claim they were hacked and post some obscure transaction.

Making them reveal the password don't help if they really have (had) Nxt, not just picking a random account/transaction for back PR. Anyone who has Nxt can transfer them to a new account and say they been hacked, revealing password won't disprove that.

(Just for the record I believe PaulyC, not sure about the other guy.)

Edit: Of course revealing the password are also a good way to make sure they are truthful about the strong enough password claim.

notsoshifty

sr. member

Activity: 378

Merit: 250

Quote from: PaulyC on January 01, 2014, 02:11:38 PM

@Cfb

Good point, is it the consensus of the forum folk, I should do this? haha

sorry seems crazy but everything I said is true, so i have nothing to hide.

I'm just thinking what if someday say someone develops a way and people agree aliases should be transferable, and the hacker just happens
to be sleeping when it is announced, and I'm able to transfer my aliases!? just wondering.? hope hope.

Your reasons are valid, and I don't see why you should be asked to put your password on a public forum. The very most you should be expected to do is send it to a trusted third party (e.g. c-f-b), who can verify that e.g. i) your password does indeed equate to your accountId, and ii) it looks like a nice long randomish password.

xyzzyx

sr. member

Activity: 490

Merit: 250

I don't really come from outer space.

Quote from: Come-from-Beyond on January 01, 2014, 02:13:59 PM

Password or this didn't happen.

One of my accounts was hacked: 2980315497189667873

Totally, absolutely, cross-my-fingers randomly generated password: boobs

Of course, I think it is hilarious he had to send in 1 NXT to spend the 1 NXT that was there. I was saving that to register the alias 2girls1cup.

Edit: all joking aside, a great article, one which opened my eyes, is How the Bible and YouTube are fueling the next frontier of password cracking at Ars Technica

BitAddict

legendary

Activity: 1190

Merit: 1001

Quote from: laowai80 on January 01, 2014, 02:17:08 PM

Quote from: Come-from-Beyond on January 01, 2014, 02:15:35 PM

We should be ready for legit DDoS attack when millions newcomers want to try new features... No idea about numbers.

What's a legit DDoS attack? You mean newcomers doing something legit all at the same time and overloading the network?

Or hackers DDoSing the network when newcomers try new features to show NXT in unfavorable light?

Both things will happen at the same time.

laowai80

member

Activity: 98

Merit: 10

Quote from: Come-from-Beyond on January 01, 2014, 02:15:35 PM

We should be ready for legit DDoS attack when millions newcomers want to try new features... No idea about numbers.

What's a legit DDoS attack? You mean newcomers doing something legit all at the same time and overloading the network?

Or hackers DDoSing the network when newcomers try new features to show NXT in unfavorable light?

Come-from-Beyond

legendary

Activity: 2142

Merit: 1010

Newbie

Quote from: laowai80 on January 01, 2014, 02:12:05 PM

CfB,

so how many times larger should the network be than what it is now, in your opinion?
At least some numbers would be great.
Of course, it's the larger the better, but still?

We should be ready for legit DDoS attack when millions newcomers want to try new features... No idea about numbers.

Come-from-Beyond

legendary

Activity: 2142

Merit: 1010

Newbie

Quote from: PaulyC on January 01, 2014, 02:11:38 PM

@Cfb

Good point, is it the consensus of the forum folk, I should do this? haha

sorry seems crazy but everything I said is true, so i have nothing to hide.

I'm just thinking what if someday say someone develops a way and people agree aliases should be transferable, and the hacker just happens
to be sleeping when it is announced, and I'm able to transfer my aliases!? just wondering.? hope hope.

Password or this didn't happen.

laowai80

member

Activity: 98

Merit: 10

Quote from: PaulyC on January 01, 2014, 02:11:38 PM

@Cfb

Good point, is it the consensus of the forum folk, I should do this? haha

sorry seems crazy but everything I said is true, so i have nothing to hide.

I'm just thinking what if someday say someone develops a way and people agree aliases should be transferable, and the hacker just happens
to be sleeping when it is announced, and I'm able to transfer my aliases!? just wondering.? hope hope.

I would say, the future policy on hack claims should be:

No password revealed = no hack happened.

Everyone can say they were hacked, prove it.

Otherwise, hundreds of black PR artists all could claim they were hacked and post some obscure transaction.

laowai80

member

Activity: 98

Merit: 10

CfB,

so how many times larger should the network be than what it is now, in your opinion?
At least some numbers would be great.
Of course, it's the larger the better, but still?

PaulyC

member

Activity: 82

Merit: 10

@Cfb

Good point, is it the consensus of the forum folk, I should do this? haha

sorry seems crazy but everything I said is true, so i have nothing to hide.

I'm just thinking what if someday say someone develops a way and people agree aliases should be transferable, and the hacker just happens
to be sleeping when it is announced, and I'm able to transfer my aliases!? just wondering.? hope hope.

Come-from-Beyond

legendary

Activity: 2142

Merit: 1010

Newbie

Quote from: PaulyC on January 01, 2014, 01:58:27 PM

Edit @ CfB

Quote from: Come-from-Beyond on January 01, 2014, 01:55:30 PM

Quote from: PaulyC on January 01, 2014, 01:52:43 PM

How am I this guy's big catch?..
16204974692852323982

Tell us ur password.

My account # is
16821029889165561706

That account is the guy who stole it from me.
1/1/2014 4:04:50 AM 16204974692852323982

I at this point have very little need so I could give it (to be honest being asked it seems crazy to me)
BUT, as i asked earlier, don't I still own my twelve or so Aliases? They're still in there..
Can I transfer them? before I give my PW I'd like to know that. thanks.

U can't transfer aliases, but the hacker already has access to ur account so u can reveal ur password, this will change nothing.

BitAddict

legendary

Activity: 1190

Merit: 1001

Quote from: relm9 on January 01, 2014, 02:01:25 PM

Quote from: EvilDave on January 01, 2014, 01:57:29 PM

Quote from: mr_random on January 01, 2014, 01:50:39 PM

Quote from: jl777 on January 01, 2014, 01:48:29 PM

offline mining of all NXT accounts in parallel
problem gets worse the more NXT accounts there are
this attracts more hackers the more NXT is worth
This will create an equilibrium effect like a boat anchor to a hot air balloon. The more NXT succeeds, the more it will be hacked.

CfB, tell me there is a solution that is more effective than the user needs to not be unlucky

James

If they can do this with NXT why can't they do it with Bitcoin?

Need to have access to your wallet.dat file to attack it.

Correct me if I'm wrong, but all account numbers and passwords are encoded into the NXT blockchain, and it is this that is being brute forced, if there really is an attack.

Don't need wallet.dat, someone could try brute forcing the private key of any given address. Statistically it's near impossible to brute force though.

NXT should just generate the passphrase itself, don't give the user an option to enter one - user generated passphrases are always going to be less secure than a truly random one.

Or not allowing to create accounts without secure password. For example you can't create one account with less than 40 random characters.

laowai80

member

Activity: 98

Merit: 10

Quote from: relm9 on January 01, 2014, 02:01:25 PM

NXT should just generate the passphrase itself, don't give the user an option to enter one - user generated passphrases are always going to be less secure than a truly random one.

Yeah, and print 'if you don't use this random pass phrase you can be hacked' message.
Won't save from key-loggers though.

relm9

hero member

Activity: 840

Merit: 1000

Quote from: EvilDave on January 01, 2014, 01:57:29 PM

Quote from: mr_random on January 01, 2014, 01:50:39 PM

Quote from: jl777 on January 01, 2014, 01:48:29 PM

offline mining of all NXT accounts in parallel
problem gets worse the more NXT accounts there are
this attracts more hackers the more NXT is worth
This will create an equilibrium effect like a boat anchor to a hot air balloon. The more NXT succeeds, the more it will be hacked.

CfB, tell me there is a solution that is more effective than the user needs to not be unlucky

James

If they can do this with NXT why can't they do it with Bitcoin?

Need to have access to your wallet.dat file to attack it.

Correct me if I'm wrong, but all account numbers and passwords are encoded into the NXT blockchain, and it is this that is being brute forced, if there really is an attack.

Don't need wallet.dat, someone could try brute forcing the private key of any given address. Statistically it's near impossible to brute force though.

NXT should just generate the passphrase itself, don't give the user an option to enter one - user generated passphrases are always going to be less secure than a truly random one.

PaulyC

member

Activity: 82

Merit: 10

Edit @ CfB

Quote from: Come-from-Beyond on January 01, 2014, 01:55:30 PM

Quote from: PaulyC on January 01, 2014, 01:52:43 PM

How am I this guy's big catch?..
16204974692852323982

Tell us ur password.

My account # is
16821029889165561706

That account is the guy who stole it from me.
1/1/2014 4:04:50 AM 16204974692852323982

I at this point have very little need so I could give it (to be honest being asked it seems crazy to me)
BUT, as i asked earlier, don't I still own my twelve or so Aliases? They're still in there..
Can I transfer them? before I give my PW I'd like to know that. thanks.

Topic: NXT :: descendant of Bitcoin - Updated Information - page 1961. (Read 2761645 times)