Bitcoin Forum
April 27, 2024, 07:35:51 AM *
Author Topic: NXT :: descendant of Bitcoin - Updated Information  (Read 2761529 times)
mynxtcoin
January 24, 2014, 11:15:56 PM
 #23641

Is it possible to see a list of blocks your account has solved, the time it was created, and the nxt paid for that block?
mercenar1e
January 24, 2014, 11:16:38 PM
 #23642

do we expect a price increase during/after the Bitcoin conference?
Thingamajig
January 24, 2014, 11:18:53 PM
 #23643

Started with my blog. Click at "NXT News" to take a glimpse.

I will add important news of the past to complete it.

http://ilgunf.wix.com/nxtmovement

When I post something new. I will tweet it at https://twitter.com/NXTmovement

You need to get rid of this advertising stuff. Domains are cheap nowadays.

Have a look at nxtion.com, nxtcrypto.org, mynxt.org, ...

there are still people that are not using adblock?
adblockplus.org

I get the feeling this is beside the point. Hardly encourages confidence in a rising currency when its own sites rely on ad revenue.
TwinWinNerD
January 24, 2014, 11:24:08 PM
 #23644

do we expect a price increase during/after the Bitcoin conference?

wait a minute, i need to warm up my glassball :)

Damelon
January 24, 2014, 11:26:33 PM
 #23645

Started with my blog. Click at "NXT News" to take a glimpse.

I will add important news of the past to complete it.

http://ilgunf.wix.com/nxtmovement

When I post something new. I will tweet it at https://twitter.com/NXTmovement

You need to get rid of this advertising stuff. Domains are cheap nowadays.

Have a look at nxtion.com, nxtcrypto.org, mynxt.org, ...

there are still people that are not using adblock?
adblockplus.org

I get the feeling this is beside the point. Hardly encourages confidence in a rising currency when its own sites rely on ad revenue.

It's a site made by a Nxt owner who wants to help out.
I feel it's a bit weird to impose standards for site as fellow stakeholders.

Sure, we can have opinions, but it's not like there is a central bureaucracy endorsing sites here :)

Member of the Nxt Foundation | Donations: NXT-D6K7-MLY6-98FM-FLL5T
Join Nxt Slack! https://nxtchat.herokuapp.com/
Founder of Blockchain Workspace | Personal Site & Blog
EvilDave
January 24, 2014, 11:32:10 PM
 #23646

It's easy to defeat bruteforce.

Instead of using the password for account, use the password as an input for PBKDF2 with number of iterations inversely related to password's length.
The relation: one second for safe passwords, longer for unsafe, let's say it's 15 seconds for something like "apple".

This makes bruteforcing much harder even for short passwords.

It's possible to add a second simple field, even a user's real name, and use it as a salt. The combination would make bruteforcing almost impossible.

For compatibility with other accounts, it's enough to add a checkbox 'use older password system'.

I can implement this in JS. Jitted JS in new browsers is fast enough. I asked Jean-Luc if he would include this if I did (no point writing only for myself - I have a secure password) but he wasn't interested.  

https://forums.nxtcrypto.org/viewtopic.php?f=17&t=557

Forgive me for not being all that technically brilliant.
My understanding of what this idea translates to is a timeout in between each password log-in attempt, with the timeout period increasing for simpler passwords. Have I got the idea?

It seems like a good idea to me, maybe just set a default time between log-in attempts of 10-30 seconds. That will at least slow directed BF attacks down considerably. However, there is nothing to stop the attacker attacking multiple accounts simultaneously, switching between targets as it gets locked out.

Someone, whose name I shall not mention, did float the idea of creating a hashcat(?)-based tool to carry out an automated bruteforce attack on the entire NXT blockchain, i.e. all accounts. Maybe this has been implemented.......we need to keep a very good watch out for hacking reports, and take them seriously.

Nulli Dei, nulli Reges, solum NXT
Love your money: www.nxt.org  www.ardorplatform.org
www.nxter.org  www.nxtfoundation.org
Fatih87SK
January 24, 2014, 11:33:32 PM
 #23647

Started with my blog. Click at "NXT News" to take a glimpse.

I will add important news of the past to complete it.

http://ilgunf.wix.com/nxtmovement

When I post something new. I will tweet it at https://twitter.com/NXTmovement

You need to get rid of this advertising stuff. Domains are cheap nowadays.

Have a look at nxtion.com, nxtcrypto.org, mynxt.org, ...

there are still people that are not using adblock?
adblockplus.org

I get the feeling this is beside the point. Hardly encourages confidence in a rising currency when its own sites rely on ad revenue.

I didn't activate any ads. It is activated on its own because you can build free websites there. I don't get any revenue for the ads. In fact I have to pay an amount of money per month to get rid of it. Maybe I will do it soon.

Let's get on topic now. Lots of work to do.

iruu
January 24, 2014, 11:43:06 PM
 #23648

It's easy to defeat bruteforce.

Instead of using the password for account, use the password as an input for PBKDF2 with number of iterations inversely related to password's length.
The relation: one second for safe passwords, longer for unsafe, let's say it's 15 seconds for something like "apple".

This makes bruteforcing much harder even for short passwords.

It's possible to add a second simple field, even a user's real name, and use it as a salt. The combination would make bruteforcing almost impossible.

For compatibility with other accounts, it's enough to add a checkbox 'use older password system'.

I can implement this in JS. Jitted JS in new browsers is fast enough. I asked Jean-Luc if he would include this if I did (no point writing only for myself - I have a secure password) but he wasn't interested.  

https://forums.nxtcrypto.org/viewtopic.php?f=17&t=557

Forgive me for not being all that technically brilliant.
My understanding of what this idea translates to is a timeout in between each password log-in attempt, with the timeout period increasing for simpler passwords. Have I got the idea?

It seems like a good idea to me, maybe just set a default time between log-in attempts of 10-30 seconds. That will at least slow directed BF attacks down considerably. However, there is nothing to stop the attacker attacking multiple accounts simultaneously, switching between targets as it gets locked out.

Someone, whose name I shall not mention, did float the idea of creating a hashcat(?)-based tool to carry out an automated bruteforce attack on the entire NXT blockchain, i.e. all accounts. Maybe this has been implemented.......we need to keep a very good watch out for hacking reports, and take them seriously.
Yes to the timeout. 1 second in js should mean that gpu crackers take at least a few ms per password (taking parallel cracking into account), which is enough to make cracking infeasible for all but the simplest dictionary passwords.

Capitan Cook
January 24, 2014, 11:44:46 PM
 #23649

When the price drops 0,00005 btc?
BitcoinForumator
January 24, 2014, 11:45:41 PM
 #23650

It's easy to defeat bruteforce.

Instead of using the password for account, use the password as an input for PBKDF2 with number of iterations inversely related to password's length.
The relation: one second for safe passwords, longer for unsafe, let's say it's 15 seconds for something like "apple".

This makes bruteforcing much harder even for short passwords.

It's possible to add a second simple field, even a user's real name, and use it as a salt. The combination would make bruteforcing almost impossible.

For compatibility with other accounts, it's enough to add a checkbox 'use older password system'.

I can implement this in JS. Jitted JS in new browsers is fast enough. I asked Jean-Luc if he would include this if I did (no point writing only for myself - I have a secure password) but he wasn't interested.  

https://forums.nxtcrypto.org/viewtopic.php?f=17&t=557

Forgive me for not being all that technically brilliant.
My understanding of what this idea translates to is a timeout in between each password log-in attempt, with the timeout period increasing for simpler passwords. Have I got the idea?

It seems like a good idea to me, maybe just set a default time between log-in attempts of 10-30 seconds. That will at least slow directed BF attacks down considerably. However, there is nothing to stop the attacker attacking multiple accounts simultaneously, switching between targets as it gets locked out.

Someone, whose name I shall not mention, did float the idea of creating a hashcat(?)-based tool to carry out an automated bruteforce attack on the entire NXT blockchain, i.e. all accounts. Maybe this has been implemented.......we need to keep a very good watch out for hacking reports, and take them seriously.
Yes to the timeout. 1 second in js should mean that gpu crackers take at least a few ms per password (taking parallel cracking into account), which is enough to make cracking infeasible for all but the simplest dictionary passwords.

This is exactly what I was asking myself - doesn't it take "seconds" to input password then login -> How is it then possible to bruteforce with tons of passwords?
NxtChg
January 24, 2014, 11:46:49 PM
 #23651

It seems like a good idea to me, maybe just set a default time between log-in attempts of 10-30 seconds. That will at least slow directed BF attacks down considerably. However, there is nothing to stop the attacker attacking multiple accounts simultaneously, switching between targets as it gets locked out.

This won't help. They do not brute-force it like this.

What matters is the amount of entropy in the passphrase.

Simcoin: https://simtalk.org:444/ | The Simplest Bitcoin Wallet: https://tsbw.io/ | Coinmix: https://coinmix.to | Tippr stats: https://tsbw.io/tippr/
--
About smaragda and his lies: https://medium.com/@nxtchg/about-smaragda-and-his-lies-c376e4694de9
iruu
January 24, 2014, 11:51:25 PM
 #23652

It seems like a good idea to me, maybe just set a default time between log-in attempts of 10-30 seconds. That will at least slow directed BF attacks down considerably. However, there is nothing to stop the attacker attacking multiple accounts simultaneously, switching between targets as it gets locked out.

This won't help. They do not brute-force it like this.

What matters is the amount of entropy in the passphrase.
Please read what PBKDF2 is.  
It's even in principle possible to make a system where single word passwords like 'apple12' are safe, but key generation would be way too long.
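
The length-scaled PBKDF2 scheme debated in the posts above, sketched for Node.js as an added example (not code from any poster or from the Nxt client). The base iteration count, the linear schedule, the 30-character threshold and all function names are assumptions made for illustration; `effectiveBits` puts passphrase entropy and the stretching factor on one scale.

```javascript
// Added example: length-scaled PBKDF2 for a brainwallet-style passphrase.
const nodeCrypto = require('node:crypto');

// Assumed tuning, not from the thread: an iteration count meant to cost about
// one second on the client, and 30 characters as the "safe" length.
const BASE_ITERATIONS = 100000;
const SAFE_LENGTH = 30;
const MAX_FACTOR = 15; // "one second for safe passwords", 15 seconds for "apple"

// Iterations fall linearly from MAX_FACTOR x base (length <= 5) down to
// 1 x base (length >= SAFE_LENGTH). The linear shape is this example's choice.
function iterationsFor(passphrase, base = BASE_ITERATIONS) {
  const len = Array.from(passphrase).length; // code points, not UTF-16 units
  const clamped = Math.min(Math.max(len, 5), SAFE_LENGTH);
  const factor = MAX_FACTOR - ((MAX_FACTOR - 1) * (clamped - 5)) / (SAFE_LENGTH - 5);
  return Math.round(base * factor);
}

// Derive a 32-byte account secret; the second field (e.g. a name) is the salt.
// Normalising first keeps the same typed text mapping to the same key.
function deriveAccountKey(passphrase, saltField, base = BASE_ITERATIONS) {
  const pw = Buffer.from(passphrase.normalize('NFKC'), 'utf8');
  const salt = Buffer.from(saltField.normalize('NFKC'), 'utf8');
  return nodeCrypto.pbkdf2Sync(pw, salt, iterationsFor(passphrase, base), 32, 'sha256');
}

// Work factor in bits: log2(guess space) + log2(iterations per guess).
// Treating every character as uniformly random gives an upper bound; a
// dictionary word such as "apple" has far less entropy than its length suggests.
function effectiveBits(alphabetSize, length, iterations) {
  return length * Math.log2(alphabetSize) + Math.log2(iterations);
}

// Constructed sample passphrases: length, iterations, upper-bound work in bits.
for (const pw of ['apple', 'abcdefghijk', 'q'.repeat(30)]) {
  const it = iterationsFor(pw);
  console.log(pw.length, it, effectiveBits(26, pw.length, it).toFixed(1));
}
```

The 15x multiplier adds under four bits of work (log2 15 ≈ 3.9), while each extra random lowercase character adds about 4.7, so stretching raises the cost per guess but does not replace passphrase length.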

Damelon
January 24, 2014, 11:51:45 PM
 #23653



This really makes me sad :'(

Hope the guys don't feel too bad and had a good day at the conference.

Member of the Nxt Foundation | Donations: NXT-D6K7-MLY6-98FM-FLL5T
Join Nxt Slack! https://nxtchat.herokuapp.com/
Founder of Blockchain Workspace | Personal Site & Blog
Passion_ltc
January 24, 2014, 11:55:19 PM
 #23654

Is it possible to see a list of blocks your account has solved, the time it was created, and the nxt paid for that block?

yes. You want this?

Anon136
Legendary
*
Offline Offline

Activity: 1722
Merit: 1217



View Profile
January 24, 2014, 11:58:36 PM
 #23655

I really think the solution is obvious. An optional user specified secondary password. Or a manual salt. This would be a password that you could be sloppy with. Upload it in plaintext to google drive for example. Store a second copy in plain text in a text file on your desktop. Hell you could even post it here in this thread. Even if every nxt user publicly broadcast his second password, it would expand the total keyspace that brute forcers would need to search 15,000 times making brute forcing 1/15000th as profitable and it would be orders of magnitude more effective than that if they were sloppy with them but didn't actually post it publicly.

This could just be a modification to the client where it would display a second field under password that would be grayed out unless you checked a box saying that you wanted to use a secondary password. Then the client could simply tack it on to the end of the first password behind the scenes. It really would be an almost totally superficial change to NRS that would cut the profitability of rainbow tables down to a fraction of what it is now.

Rep Thread: https://bitcointalk.org/index.php?topic=381041
If one can not confer upon another a right which he does not himself first possess, by what means does the state derive the right to engage in behaviors from which the public is prohibited?
NxtChg
January 24, 2014, 11:59:52 PM
 #23656

Please read what PBKDF2 is.  
It's even in principle possible to make a system where single word passwords like 'apple12' are safe, but key generation would be way too long.

I know what PBKDF2 is, I was replying to EvilDave, not to you.

Simcoin: https://simtalk.org:444/ | The Simplest Bitcoin Wallet: https://tsbw.io/ | Coinmix: https://coinmix.to | Tippr stats: https://tsbw.io/tippr/
--
About smaragda and his lies: https://medium.com/@nxtchg/about-smaragda-and-his-lies-c376e4694de9
McDoxy
January 25, 2014, 12:01:06 AM
 #23657



This really makes me sad :'(

Hope the guys don't feel too bad and had a good day at the conference.

What happened? :( Do they still get to speak?

I hope they still got to spread the word about Nxt, and that was definitely not the last opportunity to attend a conference ;)
pandaisftw
January 25, 2014, 12:01:18 AM
 #23658

some day it should be user-friendly - no person can handle a real 30+ random character password. for creating, well that is needed, but please make sure that the user gets a way (probably 2-Factor Securitized) Password for day to day usage

Luckily, this can be done client-side.

For example, SuperNXTWallet has the feature to either:

A) Generate a 30+ char password for the client based off of the username+password they input + random salt (perhaps stored in a wallet.dat file). However, this means that the user will have to use the same client and have the wallet.dat file ready in order to access his account. Or he can request the client to print out his true password (with a lot of warnings) and try to memorize that too.
B) (Advanced) Let the user define his own brainwallet password of 30+ chars. This should come with a lot of warnings, but this will allow the user, like right now, to use his wallet anywhere in the world and on any device that is a node.

And RS code will be implemented on top of this, providing protection of sending NXT to wrong accounts.

NXT: 13095091276527367030
loopgate88
January 25, 2014, 12:03:08 AM
 #23659

Password needs are something that even bitcoin doesn't have truly figured out. But it is further ahead than we are.

Bitcoin just gives you your private account number and tells you to never share it. Even if someone doesn't password protect their wallet, their account is safe.

NXT is placing the responsibility of security at a sophisticated level on the hands of users. This will always be an issue and the source of very bad press.

What is the solution for this?

A client that has a "create account" button that generates a random password of either a fixed or random number of chars between 30 and 50 and tells the user this random password is the user's private NXT ID and advises the user to keep it somewhere safe?
This could also be referred to as their NXT private ID and the only thing they need to take away from a machine to another in order to access their account on the NXT network.

Any thoughts?
msin
January 25, 2014, 12:03:14 AM
 #23660


Quote
But he has aliases

Yes I have 13 of them

how long was your pass phrase?

11

That's definitely not long enough. Should aim for at least 30 chars.

Great, there goes my NXT experience. Hope you all do well.  I have myself to blame.



I have a 10 character password that has 100 Nxt in it, just letters and a # and it still hasn't been hacked.  I think there is something going on here.  Perhaps the same password used for something else?