BitThink
Legendary
Activity: 882
Merit: 1000

December 06, 2013, 02:38:50 AM

> Added warning for secret phrases < 30 symbols.

Unlike Bitcoin, Nxt presently relies solely on brainwallets as the means of user authentication. There is no "cold storage" alternative offered. I see this security model as a vulnerability, and as a future PR problem hurting mainstream adoption if Nxt coin heists do start happening. Brainwallets are surprisingly tough to get right for the unsophisticated user.

I just disconnected from the Internet, started the client and generated an offline cold storage address (wallet). Then you have no way to put any Nxt into this address.

Kodoka
Member
Activity: 63
Merit: 10

December 06, 2013, 02:44:56 AM

> I remember seeing that the network needed more well-known addresses. Do we still need more of those, and if so, how do I volunteer?

Yes, we need more. Post your IP/domain. My IP is: 69.146.88.14.

2Kool4Skewl (OP)
December 06, 2013, 02:51:54 AM

> Unlike Bitcoin, Nxt presently relies solely on brainwallets as the means of user authentication. There is no "cold storage" alternative offered. I see this security model as a vulnerability, and as a future PR problem hurting mainstream adoption if Nxt coin heists do start happening. Brainwallets are surprisingly tough to get right for the unsophisticated user.
>
> I just disconnected from the Internet, started the client and generated an offline cold storage address (wallet). Then you have no way to put any Nxt into this address.

You can generate an address offline and then deposit funds to it.

BitThink
Legendary
Activity: 882
Merit: 1000

December 06, 2013, 03:03:47 AM

> You can generate an address offline and then deposit funds to it.

Yes, but it does not solve the problem. Once people know the brain-wallet password, they can withdraw the money on any computer. It does not matter whether you create the address online or offline. Creating an address offline only avoids sniffing, but cannot avoid dictionary attacks at all.

ImmortAlex
December 06, 2013, 03:50:38 AM

> Why can't an address be created that you associate a password with like Bitcoin?

It's just a different approach. Either you have a wallet.dat file with private keys which you must hold in a dark cold place, afraid of viruses, bad blocks and your mom cleaning the room early in the morning. Or you have just a long passphrase associated - in your brain only! - with some good old times when the grass was greener and the light was brighter... oh, never mind. Both ways have some weak points, both require you to understand things, both give you a good ability to lose everything you have. And I'm not even speaking about thermorectal cryptanalysis!

msin
Legendary
Activity: 1470
Merit: 1004

December 06, 2013, 04:05:55 AM

> It's just a different approach. Either you have a wallet.dat file with private keys which you must hold in a dark cold place, afraid of viruses, bad blocks and your mom cleaning the room early in the morning. Or you have just a long passphrase associated - in your brain only! - with some good old times when the grass was greener and the light was brighter... oh, never mind. Both ways have some weak points, both require you to understand things, both give you a good ability to lose everything you have. And I'm not even speaking about thermorectal cryptanalysis!

Ha, very nice! I agree with you, both have weak points. People can stress about a wallet file on their desktop that could be stolen, destroyed with the computer, etc. I think there are ways to improve security with the Nxt model, such as limiting unlock attempts per minute for a specific IP, or perhaps locking a specific Nxt address to an IP as an option for the user, so you could only log in from a specific IP address, etc. There is room for improvement, and the good thing about Nxt is you won't get the online hosted wallet thefts like BTC is seeing.

ImmortAlex
December 06, 2013, 04:17:14 AM

A variant of the user-friendly approach is to integrate some kind of password weakness test. Or, at least, add a link to some online checking service (I saw something like that), which will guide the user to select a good passphrase.

BitThink
Legendary
Activity: 882
Merit: 1000

December 06, 2013, 04:19:52 AM

> A variant of the user-friendly approach is to integrate some kind of password weakness test. Or, at least, add a link to some online checking service (I saw something like that), which will guide the user to select a good passphrase.

It's dangerous to test your phrase online. People could record them and add them to their dictionary. Currently the only valid way is to restrict the minimum length. Even if the entropy is low, unless you are using a sentence from a book, a passphrase of 30 characters should be pretty safe for normal accounts.

puck2
December 06, 2013, 04:21:46 AM

> A variant of the user-friendly approach is to integrate some kind of password weakness test. Or, at least, add a link to some online checking service (I saw something like that), which will guide the user to select a good passphrase.

The NXT system told me my password was too short, so perhaps this is already implemented?

bizz
December 06, 2013, 04:33:10 AM

> Yes, but it does not solve the problem. Once people know the brain-wallet password, they can withdraw the money on any computer. It does not matter whether you create the address online or offline. Creating an address offline only avoids sniffing, but cannot avoid dictionary attacks at all.

Why the hell would I go through the hurdles of creating an offline account for cold storage and then use the password "12345"? Of course a high-entropy passphrase should always be used regardless of cold/hot storage. Use 8+ (make that 10+) diceware words or 30+ randomly generated symbols.

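The last three posts argue about a length floor versus entropy: the client warns below 30 symbols, BitThink says 30 characters is enough unless it is a sentence from a book, and bizz recommends 8-10 diceware words or 30+ random symbols. The following is an added example, not Nxt code and not anything the posters wrote; it puts numbers on those three options. Its assumptions: a 94-symbol printable alphabet for "random symbols", a stand-in word list of exactly 7776 synthetic tokens in place of the real Diceware list (only the list size matters for the entropy figure), an attacker who can test 10^9 candidate passphrases per second offline, and a phrase dictionary of 2^30 entries standing in for "every sentence in every book the attacker has indexed".

```python
"""Entropy of the passphrase choices discussed in the thread.

Added example, not Nxt project code. The numbers only depend on how the
phrase was produced, which is why a length floor alone is a weak guard.
"""
import itertools
import math
import secrets

MIN_SYMBOLS = 30  # the floor the thread says the client warns below

# Stand-in for a real Diceware list (assumption): 6 consonants x 6 vowels in a
# c-v-c-v-c pattern gives exactly 6**5 = 7776 distinct tokens, one per 5-dice roll.
_CONSONANTS, _VOWELS = "bdkmps", "aeiouy"
WORDLIST = ["".join(t) for t in
            itertools.product(_CONSONANTS, _VOWELS, _CONSONANTS, _VOWELS, _CONSONANTS)]


def too_short(phrase):
    """The only check the thread says the client performs."""
    return len(phrase) < MIN_SYMBOLS


def bits_random_symbols(length, alphabet_size=94):
    """Entropy of `length` symbols drawn uniformly from an alphabet of
    `alphabet_size` (94 = printable ASCII without space; assumption)."""
    return length * math.log2(alphabet_size)


def bits_diceware(n_words, wordlist_size=len(WORDLIST)):
    """Entropy of n_words chosen uniformly from a wordlist; ~12.9 bits/word for 7776."""
    return n_words * math.log2(wordlist_size)


def bits_quoted_sentence(phrase_dictionary_size=2 ** 30):
    """A sentence lifted from a book is one entry in an attacker's phrase list,
    so its entropy is log2(list size) no matter how many characters it has.
    The dictionary size is an assumption."""
    return math.log2(phrase_dictionary_size)


def word_from_dice(rolls):
    """Map five dice rolls ('1'..'6') to a WORDLIST entry, first roll most significant."""
    if len(rolls) != 5 or any(r not in "123456" for r in rolls):
        raise ValueError("need exactly five rolls in 1..6")
    index = 0
    for r in rolls:
        index = index * 6 + (int(r) - 1)
    return WORDLIST[index]


def diceware_passphrase(n_words=10):
    """Generate n_words the Diceware way, with a CSPRNG standing in for physical dice."""
    words = []
    for _ in range(n_words):
        rolls = "".join(str(secrets.randbelow(6) + 1) for _ in range(5))
        words.append(word_from_dice(rolls))
    return " ".join(words)


def expected_crack_seconds(bits, guesses_per_second=1e9):
    """Expected offline brute-force time: half the keyspace on average.
    The guess rate is an assumption; an attacker needs no network access
    because the account is derived from the passphrase alone."""
    return 2 ** (bits - 1) / guesses_per_second


def compare_methods():
    """Entropy (bits) and expected crack time (years) for the thread's options."""
    rows = {
        "30 random printable symbols": bits_random_symbols(30),
        "10 Diceware words": bits_diceware(10),
        "8 Diceware words": bits_diceware(8),
        "30-char sentence from a book": bits_quoted_sentence(),
    }
    year = 365.25 * 24 * 3600
    return {name: (round(bits, 1), expected_crack_seconds(bits) / year)
            for name, bits in rows.items()}


if __name__ == "__main__":
    for name, (bits, years) in compare_methods().items():
        print(f"{name:30s} {bits:7.1f} bits  ~{years:.3g} years")
    print("example:", diceware_passphrase(10))
    print("too_short('qwerty') ->", too_short("qwerty"))
```

The book sentence is the case BitThink flags: it passes the 30-symbol floor yet sits at roughly 30 bits, which falls to the 10^9/s attacker in under a second, while 30 random symbols (about 197 bits) or 10 Diceware words (about 129 bits) are far beyond reach. A real client would pair the length check with a refusal of phrases found in a local (never online) dictionary, as BitThink's warning about online checkers implies.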
ImmortAlex
December 06, 2013, 04:42:36 AM

> Even if the entropy is low, unless you are using a sentence from a book, a passphrase of 30 characters should be pretty safe for normal accounts.

You know it, I know it... But we are talking about people who didn't realize that the password "qwerty" is the key to their money... If we can guide them in the right direction, it will be better for the system.

puck2
December 06, 2013, 04:44:03 AM

Does my client need to be running to "mint" new NXT coins?

bizz
December 06, 2013, 04:50:02 AM

> Does my client need to be running to "mint" new NXT coins?

Your server in cmd/terminal needs to be running and the account needs to be unlocked in the client (browser). Once you do that you can even close the browser, but keep the server running. I think?

Chang Hum
December 06, 2013, 04:57:57 AM

> It's just a different approach. Either you have a wallet.dat file with private keys which you must hold in a dark cold place, afraid of viruses, bad blocks and your mom cleaning the room early in the morning. Or you have just a long passphrase associated - in your brain only! - with some good old times when the grass was greener and the light was brighter... oh, never mind. Both ways have some weak points, both require you to understand things, both give you a good ability to lose everything you have. And I'm not even speaking about thermorectal cryptanalysis!

I see what you mean, but even a random single or double digit being issued would be easy to remember and work around the security flaw. Or username/password like on blockchain.info. If you look at blockchain.info, even with that security measure in place they've changed things (obviously out of a need as they've got bigger), so email & password is no longer acceptable.

xyz
December 06, 2013, 05:12:42 AM

Do I need to have some coins to get started? If yes, please, to my account 4183405989168842857.
Thanks a lot!

... It is the happy slaves who are freedom's greatest enemy... (Heinrich Hoffmann von Fallersleben, 1798-1874)

ImmortAlex
December 06, 2013, 05:13:04 AM

> Does my client need to be running to "mint" new NXT coins?

It depends on what you call a "client". That original funny web interface makes things a bit complex in terms of "client", "server", "peer" and "account". I prefer to call the original software (Jetty + Nxt servlet, which you see as the terrible black window) the "server". So we have a p2p network of servers. The browser, connected to one of the servers, acts like a lightweight "client". The client is dumb: it only shows data from the server, accepts clicks on buttons and so on, but it doesn't perform any actual work for the Nxt net. Actually, there can be different client software even for the original server, because the server provides an API. And it does not have to be a browser. But for now there's only one original client.

An "account" is just a piece of data inside the server's memory. When you unlock an account, the server software just creates some bytes in memory and starts to process them. So, the answer is: you need to unlock your account on some server (better your own server), then you can close your browser - the server doesn't need it to perform work for the net, and for mining too. If you restart the server, you need to unlock the account again.

ImmortAlex
December 06, 2013, 05:30:35 AM

> I see what you mean, but even a random single or double digit being issued would be easy to remember and work around the security flaw. Or username/password like on blockchain.info. If you look at blockchain.info, even with that security measure in place they've changed things (obviously out of a need as they've got bigger), so email & password is no longer acceptable.

Actually, I worry about my wallet.dat files not because they can be stolen. That's not a problem, they are password encrypted. I'm afraid of software and hardware failure, so I try to regularly make backups, keep them in different hidden secret places and have all that usual mess everyone has with backups, you know. A brain wallet keeps me out of these classic problems. So I can sleep well, deeply and peacefully, and disarm my Mosin-Nagant. But, yes, my Nxt account passphrase is insanely long and complex, thanx to my l33t IT skillz.

aeddan1
Member
Activity: 91
Merit: 10

December 06, 2013, 06:07:52 AM

So I followed all the instructions but nothing happened... what do I do at this point?

ImmortAlex
December 06, 2013, 06:29:06 AM

> So I followed all the instructions but nothing happened... what do I do at this point?

It's not a full log. Please make a screenshot from the start. Oh, wait. It says that the port is already in use. Some other software uses port 7875 or 7874. Are you sure you have only one copy of Nxt running?

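The diagnosis above ("port is already in use" on 7874 or 7875) can be confirmed before restarting anything. The following is an added example, not Nxt code and not something the poster provided: it probes the two port numbers named in the post by attempting a bind on 127.0.0.1 (a failed bind means another process, a second Nxt copy or otherwise, already holds the port). The port numbers come from the post; the loopback address and the bind-based probe are assumptions of the example.

```python
"""Check whether the Nxt ports named in the thread are already taken.

Added example, not Nxt project code. A bind attempt is used rather than a
connect, so a listener that accepts nothing still counts as "in use".
"""
import socket

NXT_PORTS = (7874, 7875)  # the two ports the post names


def port_in_use(port, host="127.0.0.1"):
    """True if host:port cannot be bound, i.e. something already holds it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        try:
            probe.bind((host, port))
        except OSError:
            return True
    return False


def busy_ports(ports=NXT_PORTS):
    """Subset of `ports` that are already held by some process."""
    return [p for p in ports if port_in_use(p)]


def demo():
    """Hold a listener on an ephemeral port, confirm the probe sees it,
    release it, and confirm the probe then reports it free."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        port = listener.getsockname()[1]
        while_held = port_in_use(port)
    after_release = port_in_use(port)
    return while_held, after_release


if __name__ == "__main__":
    taken = busy_ports()
    if taken:
        print("already in use:", taken, "- stop the other process (or the other Nxt copy) first")
    else:
        print("ports", NXT_PORTS, "are free; the failure is something other than a port clash")
    print("self-check (held, released):", demo())
```

If both ports are free and the server still refuses to start, the port-clash theory is ruled out and the full startup log is the next thing to look at, as the reply asks for.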
aeddan1
Member
Activity: 91
Merit: 10

December 06, 2013, 06:38:43 AM

> It's not a full log. Please make a screenshot from the start. Oh, wait. It says that the port is already in use. Some other software uses port 7875 or 7874. Are you sure you have only one copy of Nxt running?

I have BFGminer open with my ASICs mining Peercoin. Is this conflicting in any way? And according to Task Manager NXT isn't running at all... However, I did try to start it multiple times with nothing happening...