I don't know if this is relevant... but there is someone who is stealing NXT coins from "badly protected" accounts.
I've just created an account with the pass "mtvraps" to check and play. I used the nxtra.org faucet and they sent 2 NXT to this account: "14345877598619007537". One minute later, someone sent these 2 NXT to another account (of course it was not me). The account was: "1413811113623034318". I suppose there is a bot checking all the possible weak passwords...
It could be funny, but...... TAKE CARE!
I'm not a coder and I have no knowledge of software security... but is there an option to use two-factor verification? Security weakness could be the most dangerous problem for NXT mass adoption.
I agree, it would be necessary to encourage every client developer to implement 2-factor authentication.
What would you like to protect with 2FA? The startup of a client, or do you think you can protect the secret with 2FA?
If the latter, could you please list the steps for how that would work?
It would do the same that I do in my KeePass database. See this: after reading a lot about key generation, I chose to use absurd and nonsensical phrases formed by not less than 50 characters; memorize the words, and use 2 phrases of roughly 50 characters for the KeePass master password.
Install the OtpKeyProv KeePass plugin and activate two factors to open KeePass with Google Authenticator.
The first sentence of 50 characters, and the second sentence of 48 characters to activate Google Authenticator; 48 characters matches the Base32 standard. The advantage of a two-factor master password is that phishing cannot get all of the password.
Within KeePass, generate the passwords you want, including the NXT accounts (NXT also advises memorizing words, not less than 50 characters, consisting of nonsensical words).
Enable Tools > Options "change master key on a secure desktop" every time you open your NXT account using Auto-Type.
Enable Auto-Type on the tab of each password entry: "Two-channel Auto-Type obfuscation".
I hope these tips help. In any case you can write to me with any questions about KeePass and handling the OtpKeyProv plugin.
Finally, the technique of two-factor authentication for NXT passwords would be a good option against phishing. I leave it open for discussion on the forum.
The difficulty arises with the Google Authenticator user documentation. A Base32 (secret) key is expected. You must set the secret key to Base32 in KeePass and restrict your secret key to the Base32 character set: a-z, 2-7. KeePass allows "=" but Google Authenticator does not. Apart from that, the Base32 secret key length must be a multiple of 8 characters.
A configuration that works:
Adjust the OTP Lock settings:
Length: 6
Secret key: abcdefghxz234567 (Base32)
Counter: 0 (Dec)
Number of OTPs: 3
Look-ahead: 9 (allows 3 failed attempts to unlock using newly generated OTPs in KeePass before a recovery is needed because the counters have become too far out of sync.)
Set up Google Authenticator:
Secret key: abcdefghxz234567
Counter: counter-based
The first 6 OTPs are:
442843
724600
994767
847513
160505
583080
Make sure you never lose the secret key, or you will be permanently locked out of KeePass if the counters lose synchronization. Also recognize that the real secret is the secret key, not the OTP.
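A worked example of the counter-based (HOTP, RFC 4226) scheme this configuration relies on, written for this thread and not part of the OtpKeyProv plugin or of any post above. It assumes only the Python standard library; it checks a secret against the Base32 constraints stated above, computes the codes, and models the "Number of OTPs" and "Look-ahead" settings as a window of consecutive counters, returning None when the counters have drifted past the window (the recovery situation the post warns about).

```python
import base64
import hashlib
import hmac
import re
import struct

# Google Authenticator secret constraints described in the post: Base32
# alphabet (a-z, 2-7), no "=" padding, length a multiple of 8 characters.
_B32_RE = re.compile(r"^[a-z2-7]+$", re.IGNORECASE)

def check_authenticator_secret(secret: str) -> bool:
    """True if the Base32 secret is one Google Authenticator will accept."""
    return bool(_B32_RE.match(secret)) and len(secret) % 8 == 0

def key_from_base32(secret: str) -> bytes:
    """Decode the secret the way the authenticator app does (case-insensitive)."""
    return base64.b32decode(secret.upper())

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation and reduction modulo 10**digits."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def verify_sequence(key: bytes, stored_counter: int, otps, look_ahead: int):
    """Accept `otps` only if they are consecutive HOTPs whose first counter lies
    within [stored_counter, stored_counter + look_ahead]; this models the
    "Number of OTPs" / "Look-ahead" settings in the post. Returns the next
    counter to store, or None when the counters have drifted past the window
    (the situation where the post says a recovery is needed)."""
    for start in range(stored_counter, stored_counter + look_ahead + 1):
        if all(hmac.compare_digest(hotp(key, start + i), o)
               for i, o in enumerate(otps)):
            return start + len(otps)
    return None

if __name__ == "__main__":
    # Constructed demo using the secret quoted in the post; compare the
    # printed codes with the six OTPs listed there.
    secret = "abcdefghxz234567"
    assert check_authenticator_secret(secret)
    key = key_from_base32(secret)
    print([hotp(key, c) for c in range(6)])
```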
OtpKeyProv
Plugin Author: Dominik Reichl, Plugin Language: English
http://keepass.info/plugins.html#keeotp
OtpKeyProv is a key provider based on one-time passwords. After protecting your database using this plugin, you need to generate and enter one-time passwords in order to open your database.
All generator tokens that follow the OATH HOTP standard (RFC 4226) are supported.
Download plugin: [v2.2 for KeePass 2.20 and higher]
Download source code: [v2.2 for KeePass 2.20 and higher]
If you instead want KeePass to generate one-time passwords, see the {HMACOTP} placeholder. For generating time-based OTPs, see the KeeOtp and Tray TOTP plugins.