Thanks for helping me out and letting the community know about what happened. I know that the NXT team is hard at work & continually making improvements. Keep it up!
I hope this can help developers quickly sort out the problems I highlight, and make it easier for the end user to use NXT as a currency.
We know that a weak password is the user's responsibility, but it's also true that the current base client is not user friendly in that sense, at all. Regardless, in this case, contacting @onemanatatime, finding the related blockchain information and trying to perhaps partially or fully compensate the leeching would be a VERY smart PR move.
Edit: I just saw the amounts. 400K+. I'm sorry for him, but buying and transferring that amount without doing your homework is beyond reckless.

I agree his actions are beyond reckless, but HIS ACTIONS ARE KILLING NXT. When one guy loses 20% of his portfolio on NXT due to poor password security and tweets it out to *** 2100 *** followers, WE JUST LOST 2100 PEOPLE WHO WON'T TOUCH NXT NOW.
THIS IS A DISASTER.
WE COULD HAVE AVOIDED THIS DISASTER IF WE HAD IMPLEMENTED INTEGRATED AUTOMATIC STRONG PASSWORD GENERATION IN ALL CLIENTS A MONTH AGO.
ARE WE IN AGREEMENT TO IMPLEMENT IT ACROSS THE BOARD NOW?
Actually, I just looked at his account and he is very open about using a short and unsafe pass.
He isn't attacking Nxt at all and acknowledges he wasn't smart to do it.
I don't see it as a major PR problem. The reactions he gets are good, too. Most of his followers are traders themselves who had losses, too.
I'm not saying I think we shouldn't care, but he did this himself and knows it was stupid. If people want to help him, that's cool.
And we should get it sorted, but that will be done.
Thanks for highlighting this. I am not here to flame NXT, of course. I like the innovation, met a few NXTcoin representatives in Berlin recently, and also know of some upcoming development plans. I have always kept my NXTcoins in DGEX since I first bought them, but since DGEX removed the NXT fees, I decided to move them into a local client. Explained at the bottom is why I used an 8-character password.
I'm just here to say one thing: security is a huge issue with cryptocurrencies, and I understand that and take the necessary precautions to protect my funds. I'm not a developer, designer, or anything, but I consider myself a rather tech-savvy person who can navigate around websites, software, and hardware without reading a manual. But this is the first time I've ever used a login process which requires only a password that also acts as the username.
In hindsight, I am surprised the client does not automatically prevent you from using a non-secure password. If a website requires a secure password, it implements several restrictions to help its users save themselves in case they are careless. As much as this version of the client is a "beta" version, I am still disappointed that the system allows users to make such a simple error, knowing very well that creating an account and sending NXT into any account with a password of under 20 characters will get hacked immediately.
Like I said, security is #1 priority in crypto. I just find it amusing that the client has such a big loophole to leave users vulnerable.
I don't think it's a disaster; it's unfortunate, and when the 'official' clients are all out with a better solution, put up a page and tweet a URL to it with the same tags.
I agree we have to protect the unwary from having direct access to a brain wallet, but we will always have this if people do not follow instructions. He doesn't say what client he uses... Was it NRS directly?
Currently you get this when you click 'unlock' in NRS....
If opening a new account, please note:
A simple passphrase will certainly result in your NXT being stolen!
Do not use any phrase that appears in any printed or online material,
no matter how long or obscure. A secure passphrase will be at least
35 characters long and consist of random letters, numbers, and special
characters, or a meaningless combination of 10 random words.
And if you ignore that and type in a stupid password you get...
Your secret phrase is too short
and can be easily picked by a hacker!
So that was TWO WARNINGS that he did something stupid, unless he used some other client, and that means either we have a downloadable client on our site that accepts bad practice without any warnings, or he got a client from somewhere else, which means it could have a trojan in it anyway...
We cannot protect the gullible from themselves and we cannot protect ourselves completely from the bad news that the gullible being taken advantage of will always generate...
But I do agree we could/need-to be better at security than we are currently.

Yes chanc3r, we need a better & more secure system that can cater to non-technical users, which imo is the most vital ingredient in making NXT a viable and sustainable currency. But as to why I continued to be stupid and use a short password:
It's not about the password. I misinterpreted how the client functions. I expected it to work like a normal wallet works: that you require one username and one password to access the account. I assumed the password entered was an encryption password or similar. Even upon reading the warnings, it doesn't at any point ring any bells that this password is both an account username & password together.
I admit, it's a simple but costly mistake. But my point here is that the NXT client is really un-user-friendly. I like the idea of having your password as your login, but most users are not accustomed to such a system. The NXTcoin team needs to seriously educate users properly about how to manage the wallet etc. I followed the guide on nxtcrypto.org, and the guide doesn't mention the differences between the client and a normal Cryptocoin wallet. If any other user like me blindly follows this guide, I'm sure a small percentage would have done the exact same thing I did.
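The two technical points argued across this thread are (a) the NRS unlock rule quoted above (at least 35 random characters, or 10 random words) and (b) the proposal to build automatic strong passphrase generation into every client. The following is an added example, written for this page and not code from the Nxt project or from any poster in the thread, that implements both and shows why a short phrase is hopeless when the passphrase is the only secret. The `account_id` derivation is a stand-in (a plain SHA-256 prefix) chosen only to illustrate that the account is a pure function of the passphrase; it is not Nxt's real key derivation. The word list is a constructed, deliberately tiny one, and the entropy figures are optimistic upper bounds, since no mechanical check can tell whether a 35-character phrase was copied from a book.

```python
import hashlib
import math
import secrets
import string

# Thresholds taken from the NRS unlock warning quoted in the thread:
# "at least 35 characters ... of random letters, numbers, and special
# characters, or a meaningless combination of 10 random words".
MIN_RANDOM_CHARS = 35
MIN_RANDOM_WORDS = 10

# Constructed, deliberately tiny word list for the demo. A real client would
# ship thousands of words; entropy per word is log2(list size), so this
# 16-word list gives only 4 bits per word and is NOT adequate in practice.
DEMO_WORDLIST = [
    "anvil", "brook", "cactus", "delta", "ember", "fjord", "gravel", "hollow",
    "iris", "juniper", "kettle", "lantern", "marsh", "nettle", "orbit", "pylon",
]


def account_id(passphrase):
    """Stand-in brain-wallet derivation (assumption for illustration; this is
    NOT Nxt's real key derivation). It demonstrates the thread's central point:
    the account is a pure function of the passphrase, there is no separate
    username, and whoever can guess the passphrase owns the account."""
    digest = hashlib.sha256(passphrase.encode("utf-8")).digest()
    return str(int.from_bytes(digest[:8], "little"))


def entropy_bits(passphrase):
    """Optimistic upper bound on guessing entropy: every character is assumed
    to be drawn uniformly from the union of the character classes present.
    Anything taken from printed or online material is far weaker than this
    number suggests, which is why the NRS warning forbids such phrases."""
    pool = 0
    if any(c.islower() for c in passphrase):
        pool += 26
    if any(c.isupper() for c in passphrase):
        pool += 26
    if any(c.isdigit() for c in passphrase):
        pool += 10
    if any(c in string.punctuation for c in passphrase):
        pool += len(string.punctuation)  # 32 ASCII symbols
    if any(c.isspace() for c in passphrase):
        pool += 1
    return len(passphrase) * math.log2(pool) if pool else 0.0


def wordlist_entropy_bits(n_words, list_size):
    """Entropy of n words chosen uniformly at random from a list of that size."""
    return n_words * math.log2(list_size)


def check_passphrase(passphrase):
    """Apply the quoted NRS policy. Returns (accepted, message). The length
    rule is all a client can enforce; it cannot verify randomness."""
    words = passphrase.split()
    if len(passphrase) >= MIN_RANDOM_CHARS:
        return True, "accepted: %d characters" % len(passphrase)
    if len(words) >= MIN_RANDOM_WORDS:
        return True, "accepted: %d words" % len(words)
    return False, "Your secret phrase is too short and can be easily picked by a hacker!"


def generate_char_passphrase(n=MIN_RANDOM_CHARS):
    """Client-side generation of a random-character passphrase, as proposed in
    the thread, using the OS CSPRNG (never random.choice for secrets)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(n))


def generate_word_passphrase(wordlist=DEMO_WORDLIST, n=MIN_RANDOM_WORDS):
    """Random-word passphrase; its strength depends on the list size (see above)."""
    return " ".join(secrets.choice(wordlist) for _ in range(n))


if __name__ == "__main__":
    samples = ["password", "Tr0ub4d0r", generate_char_passphrase(), generate_word_passphrase()]
    for p in samples:
        ok, msg = check_passphrase(p)
        print("%-40s account=%-20s ~%6.1f bits  %s" % (p[:40], account_id(p), entropy_bits(p), msg))
    print("10 words from the demo list: ~%.1f bits" % wordlist_entropy_bits(10, len(DEMO_WORDLIST)))
    print("10 words from a 7776-word (Diceware-size) list: ~%.1f bits" % wordlist_entropy_bits(10, 7776))
```

Running it shows that an 8-character phrase like the one at issue sits around 26 to 50 bits even under the most generous assumption, while a generated 35-character phrase is above 200 bits; it also shows that "10 random words" only earns its strength from the size of the list the words come from, which is the detail a client that auto-generates passphrases has to get right.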