
Topic: NXT :: descendant of Bitcoin - Updated Information - page 1962. (Read 2761645 times)

hero member
Activity: 854
Merit: 1001
offline mining of all NXT accounts in parallel
problem gets worse the more NXT accounts there are
this attracts more hackers the more NXT is worth
This will create an equilibrium effect like a boat anchor to a hot air balloon. The more NXT succeeds, the more it will be hacked.

CfB, tell me there is a solution that is more effective than the user needs to not be unlucky

James

If they can do this with NXT why can't they do it with Bitcoin?

Need to have access to your wallet.dat file to attack it.

Correct me if I'm wrong, but all account numbers and passwords are encoded into the NXT blockchain, and it is this that is being brute forced, if there really is an attack.
legendary
Activity: 2142
Merit: 1010
Newbie
How am I this guy's big catch?..
16204974692852323982

Tell us ur password.
legendary
Activity: 2142
Merit: 1010
Newbie
CfB, tell me there is a solution that is more effective than the user needs to not be unlucky

Use 30+ random passwords and u'll be fine. No one is able to pick such passwords.
member
Activity: 82
Merit: 10
Just wanted to add: this is found for the recipient's address in Google's cached view of the NXT blockchain.
16204974692852323982

Not that it will help me get my NXT back, I'm sure..
Real lame, how my PW was cracked is beyond me.. really.

http://webcache.googleusercontent.com/search?q=cache:xOs0TPi1UPcJ:87.230.14.1/nxt/nxt.cgi%3Faction%3D3000%26acc%3D3727742886551973110+&cd=2&hl=en&ct=clnk&gl=us
If it's a thief, then there are more thefts:
http://22k.io/-account/16204974692852323982

Had to try and get a couple hours sleep.. Ok so I know I seem like small potatoes after someone says they lost more than me this morning...

But can someone please actually try and help instead of calling my loss...tricks or a bad pr scheme??

How am I this guy's big catch?..
16204974692852323982

Why hasn't he tried to get rid of the NXT from this account? Wouldn't a hacker do that?
Is there any way to stop this person from selling my NXT (that they stole from me in the 7808 transaction) on Dgex.com? Put a block on it? Send it back to me!!?

Finally, I know this is decentralized.. so it would be difficult to have a two factor auth. system as some have suggested, but I can't emphasize enough that I had a 35 char totally random, uppers, lowers, #'s, entire keyboard etc. style pass, never put it out in the open (never went into my client except locally, never used my PW somewhere else, mistakenly, etc..)

Believe me.. I'm trying to figure it out myself!..

I almost feel like this had something to do with a glitch or a fork in the blockchain? something, believe me.. I woulda slept a lot better had it just been something as simple as... "oh I put my PW out there, dumb of me".. but I really didn't and I can't figure out how it was taken..

In the end, I know it's gone and it was stolen, I know it's not much, but it was my entire lot, and I haven't sold or given any coins to anyone, etc. only to another client of mine to get a 1 NXT confirmation etc.
legendary
Activity: 1190
Merit: 1001
If you just reduce the cost of forging down to ~0 then the low incentive won't matter. That's the point I'm trying to make. Of course this can only come with time as third party developers make better client applications, but this is what we should be focusing on. Not pooled mining.

Good idea. As I wrote on Twitter, Pooled Forging may be added, not is being added.

Good to hear. I think pools are a big weakness in Bitcoin and the absence of them in NXT will be one of the key arguments in the case for why NXT is the next generation crypto. And the beauty of forging instead of mining is that at some point in the future, with the right apps/hardware devices reducing the barriers to entry to forging to ~0, we could end up with ~100% participation rate even without pools. This is a HUGE selling point because pools kill decentralization.

+1
legendary
Activity: 1344
Merit: 1001
offline mining of all NXT accounts in parallel
problem gets worse the more NXT accounts there are
this attracts more hackers the more NXT is worth
This will create an equilibrium effect like a boat anchor to a hot air balloon. The more NXT succeeds, the more it will be hacked.

CfB, tell me there is a solution that is more effective than the user needs to not be unlucky

James

If they can do this with NXT why can't they do it with Bitcoin?
legendary
Activity: 1722
Merit: 1217
If you just reduce the cost of forging down to ~0 then the low incentive won't matter. That's the point I'm trying to make. Of course this can only come with time as third party developers make better client applications, but this is what we should be focusing on. Not pooled mining.

Good idea. As I wrote on Twitter, Pooled Forging may be added, not is being added.

Good to hear. I think pools are a big weakness in Bitcoin and the absence of them in NXT will be one of the key arguments in the case for why NXT is the next generation crypto. And the beauty of forging instead of mining is that at some point in the future, with the right apps/hardware devices reducing the barriers to entry to forging to ~0, we could end up with ~100% participation rate even without pools. This is a HUGE selling point because pools kill decentralization.
legendary
Activity: 1176
Merit: 1134
offline mining of all NXT accounts in parallel
problem gets worse the more NXT accounts there are
this attracts more hackers the more NXT is worth
This will create an equilibrium effect like a boat anchor to a hot air balloon. The more NXT succeeds, the more it will be hacked.

CfB, tell me there is a solution that is more effective than the user needs to not be unlucky

James
legendary
Activity: 1092
Merit: 1010
CfB

requiring an orthogonal step even after finding an account whose password you stumbled into would make everybody feel much safer.

As it is now a monkey typing random keys on the keyboard can stumble into an acct.

James

P.S. I understand why the current localhost will disappear, it has to so clients can add the new layer of security. Enforcing passwords that are strong enough is a good first step, but longer term please open your mind to the possibility of the "impossible", it will make a huge difference in NXT valuation

Jl777 and I absolutely see eye to eye on all of this.

Thirded

Edit: joe also added a security page to the wiki: http://wiki.nxtcrypto.org/wiki/Account_Security

Let's hope that filters out a lot of weaker passes.
legendary
Activity: 1190
Merit: 1001
I think this is the wrong way. What we need are clients that forge seamlessly, so even though the chance of winning will be minuscule, there will be no cost to forging, no barrier to entry, so people will do it anyway. People pay to play the lottery now, don't they? This lottery would be free to play; I think there is definitely some appeal there for users.

BCNext was forced to offer such a way coz small stakeholders won't bother with forging due to very high variation. Less coins forge - cheaper attacks.

I don't really like pools for forging. This is like one step back to centralized system.

I know we need to do something to allow small stakeholders to forge and get fees every day, but not this way.
full member
Activity: 196
Merit: 100
CfB

requiring an orthogonal step even after finding an account whose password you stumbled into would make everybody feel much safer.

As it is now a monkey typing random keys on the keyboard can stumble into an acct.

James

P.S. I understand why the current localhost will disappear, it has to so clients can add the new layer of security. Enforcing passwords that are strong enough is a good first step, but longer term please open your mind to the possibility of the "impossible", it will make a huge difference in NXT valuation

Jl777 and I absolutely see eye to eye on all of this.
legendary
Activity: 2142
Merit: 1010
Newbie
Quick question on the theft issue:

If someone is just running a brute force attack on the whole NXT network attempting to hit the jackpot, won't this activity be very visible in the blockchain?
The way I see it, every password generated by the brute force attack will create an account.
Can anyone (with more skillz than me) have a look at the account creation (possibly vs IP address) stats and see if something weird is showing up?

Brute force attack is completely offline.
legendary
Activity: 1176
Merit: 1134
Can someone test potential passwords locally without going out to the network if he has the latest blockchain?

James
newbie
Activity: 19
Merit: 0
Quick question on the theft issue:

If someone is just running a brute force attack on the whole NXT network attempting to hit the jackpot, won't this activity be very visible in the blockchain?
The way I see it, every password generated by the brute force attack will create an account.
Can anyone (with more skillz than me) have a look at the account creation (possibly vs IP address) stats and see if something weird is showing up?

The account will not show up in the blockchain before a transaction is made.
legendary
Activity: 2142
Merit: 1010
Newbie
If you just reduce the cost of forging down to ~0 then the low incentive won't matter. That's the point I'm trying to make. Of course this can only come with time as third party developers make better client applications, but this is what we should be focusing on. Not pooled mining.

Good idea. As I wrote on Twitter, Pooled Forging may be added, not is being added.
hero member
Activity: 854
Merit: 1001
Quick question on the theft issue:

If someone is just running a brute force attack on the whole NXT network attempting to hit the jackpot, won't this activity be very visible in the blockchain?
The way I see it, every password generated by the brute force attack will create an account.
Can anyone (with more skillz than me) have a look at the account creation (possibly vs IP address) stats and see if something weird is showing up?
member
Activity: 98
Merit: 10

New clients r supposed to generate keys with higher entropy (all 256 bits). All successful attacks were on low-entropy keys only.

oh wait, since which version is it all 256 bits? )

It has always been 256 bits.

ok, then I guess I misunderstood.
legendary
Activity: 2142
Merit: 1010
Newbie

New clients r supposed to generate keys with higher entropy (all 256 bits). All successful attacks were on low-entropy keys only.

oh wait, since which version is it all 256 bits? )

It has always been 256 bits.
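The exchange above turns on two points: the attack runs offline against every known account at once, and only low-entropy passphrases have fallen. As an added illustration (not code from the thread or from the NXT project), the following estimates how many bits of guessing work a passphrase leaves an attacker, caps that at the 256-bit key the posts mention, subtracts the advantage of testing one candidate against many accounts in parallel, and generates a passphrase of the "30+ random characters" kind with the OS CSPRNG. The 256-bit cap, the account count and the character classes are assumptions for the example.

```python
import math
import secrets
import string

# Character classes a passphrase may draw from. The alphabet for the entropy
# estimate is the union of the classes the passphrase actually uses.
_CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32
}
KEY_BITS = 256  # assumption from the thread: the account key is 256 bits


def alphabet_size(passphrase: str) -> int:
    """Size of the union of character classes present in the passphrase."""
    return sum(len(chars) for chars in _CLASSES.values()
               if any(c in chars for c in passphrase))


def estimated_bits(passphrase: str) -> float:
    """Upper-bound entropy: assumes each character was picked uniformly from
    the classes used. Words, patterns and reused phrases have far less."""
    n = alphabet_size(passphrase)
    if n == 0:
        return 0.0
    return len(passphrase) * math.log2(n)


def effective_bits(passphrase: str, accounts: int = 1) -> float:
    """Guessing work against the weakest of `accounts` targets. Entropy above
    the key size buys nothing, and an offline search that checks each
    candidate against all accounts at once gains log2(accounts) bits."""
    h = min(estimated_bits(passphrase), KEY_BITS)
    return h - math.log2(max(accounts, 1))


def generate_passphrase(length: int = 35) -> str:
    """Uniformly random passphrase over all four classes (CSPRNG-backed),
    i.e. the kind of passphrase the thread recommends."""
    alphabet = "".join(_CLASSES.values())
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for p in ("correcthorse", "12345678", generate_passphrase(35)):
        print(f"{p!r}: ~{estimated_bits(p):.1f} bits, "
              f"~{effective_bits(p, accounts=1_000_000):.1f} effective vs 1M accounts")
```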
legendary
Activity: 1176
Merit: 1134
CfB

all the nodes would have to cryptographically store all the seeds for all accounts in a way that each node can reconstruct the desired output, without knowing the actual seed. Probably close to impossible, but not actually provably impossible. Maybe even a nice challenge for BCNext?

We don't need to use google authenticator, we just need some system that is distributed that achieves the desired result. That's a pretty open requirement and I doubt you can prove it is impossible. If it is not impossible, then it can be done.

I would like better minds than mine to figure out how to do this. I know mathematically it is probably the same odds of being hacked, but requiring an orthogonal step even after finding an account whose password you stumbled into would make everybody feel much safer.

As it is now a monkey typing random keys on the keyboard can stumble into an acct.

James

P.S. I understand why the current localhost will disappear, it has to so clients can add the new layer of security. Enforcing passwords that are strong enough is a good first step, but longer term please open your mind to the possibility of the "impossible", it will make a huge difference in NXT valuation
legendary
Activity: 1092
Merit: 1010
Ok so when a new client arises is it recommended that all users create new accounts? All current NRS accounts are currently at risk?
Some of these horror stories have me spooked a bit. I have a 50+ random password but still don't feel secure if I'm honest

If u use truly random password then u r ok. Recent horror stories r just black PR tricks.

You are probably right - but you can't be sure. And this difference between "probably right / probably safe" and "sure / certain" is the shadow of doubt that the public mind will seize upon that will hinder widespread adaptation of NXT. Bitcoin will always be able to claim an air gap option that we will not. Getting ahead of this with some form of account freeze blockchain option / two step authentication scheme is the right thing to do.

Not only that. If there is some bad media coverage, we can point out that these issues have been debated amongst the stakeholders before launch and prove that we take security seriously and are also thinking beyond the scope of advanced users. I'm trying to think long term about these things as much as possible.