This quote from senior forum member "scintill" on the bitcoin forum has made me think twice about using Ripple.
Re: ripple account hacked
May 06, 2013, 05:47:57 AM
#12
Quote from: loudpete on May 06, 2013, 05:28:13 AM
So what were you using for passwords? Now that you won't be using them anymore...
Still, seems like they'd have to try 62,000 passwords per user account, wouldn't the ripple servers block more than 5 attempts (for like an hour) making this impossible?
No, the Ripple webclient wallet is decrypted client-side in the user's browser. So they just grabbed the encrypted wallet and cracked it locally. Blockchain.info wallets work the same way, so they can also be cracked like this.
It's possible they grabbed a bunch of wallets around the same time that maybe should have tripped an alarm on the Ripple wallet server, but we don't know, and there's nothing Ripple can really do to perfectly prevent this. The user has to pick a good passphrase and ideally also a non-obvious wallet ID as well.
I think by "wallet server" he means the "blob vault". If so, looking at the API, it seems you need to send an encrypted wallet name and passphrase to retrieve a wallet. So why did scintill say that someone could "grab" multiple wallets at once and crack them locally? Don't you potentially have to make thousands of API calls to be able to guess the password from a list of common passwords? (This is still easy, but an important distinction to me, because it leaves a record that can be used to incriminate the attacker.)
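A constructed model of the retrieval scheme the post describes, added here as an example and not Ripple's code or API: the server stores only a hash of a token the client derives from wallet ID and passphrase, so it never sees the passphrase but can still count, log and lock out failed lookups per wallet ID. The names `BlobVault`, `login_token`, `KDF_ITERATIONS` and `MAX_FAILURES` are assumptions of this model.

```python
import hashlib
import hmac

# Hypothetical blob-vault model (constructed; not Ripple's implementation).
# The server holds (hash of login token, encrypted blob) per wallet ID. Because every
# retrieval attempt must present a token, wrong guesses are visible server-side and
# can be rate-limited and logged, which is the record the post asks about.
KDF_ITERATIONS = 100_000   # assumed cost; slows each guess whether online or offline
MAX_FAILURES = 5           # assumed lockout threshold per wallet ID


def login_token(wallet_id: str, passphrase: str) -> bytes:
    """Client-side derivation of the retrieval token; the server stores only its hash."""
    return hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode(), wallet_id.encode(), KDF_ITERATIONS, 32
    )


class BlobVault:
    def __init__(self):
        self.store = {}      # wallet_id -> (sha256(token), encrypted_blob)
        self.failures = {}   # wallet_id -> consecutive failed retrievals (detection signal)
        self.audit_log = []  # (event, wallet_id) entries an operator can review

    def register(self, wallet_id: str, passphrase: str, encrypted_blob: bytes) -> None:
        token_hash = hashlib.sha256(login_token(wallet_id, passphrase)).digest()
        self.store[wallet_id] = (token_hash, encrypted_blob)

    def retrieve(self, wallet_id: str, token: bytes):
        """Return the encrypted blob for a correct token, None otherwise (or when locked)."""
        if self.failures.get(wallet_id, 0) >= MAX_FAILURES:
            self.audit_log.append(("locked", wallet_id))
            return None
        entry = self.store.get(wallet_id)
        presented = hashlib.sha256(token).digest()
        # Constant-time compare; unknown wallet IDs are counted like wrong passphrases.
        if entry is None or not hmac.compare_digest(entry[0], presented):
            self.failures[wallet_id] = self.failures.get(wallet_id, 0) + 1
            self.audit_log.append(("fail", wallet_id))
            return None
        self.failures[wallet_id] = 0
        self.audit_log.append(("ok", wallet_id))
        return entry[1]
```

The lockout and audit log only cover guesses made through the retrieval API; if the encrypted blob reaches an attacker by some other route, nothing on the server is consulted per guess and only the passphrase strength and the KDF cost remain.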