mynxtcoin
Newbie
Activity: 20
Merit: 0
January 24, 2014, 11:15:56 PM
Is it possible to see a list of blocks your account has solved, the time it was created, and the nxt paid for that block?
mercenar1e
Member
Activity: 112
Merit: 10
January 24, 2014, 11:16:38 PM
do we expect a price increase during/after the Bitcoin conference?
Thingamajig
January 24, 2014, 11:18:53 PM
You need to get rid of this advertising stuff. Domains are cheap nowadays. Have a look at nxtion.com, nxtcrypto.org, mynxt.org, ... there are still people that are not using adblock? adblockplus.org I get the feeling this is beside the point. Hardly encourages confidence in a rising currency when its own sites rely on ad revenue.
TwinWinNerD
Legendary
Activity: 1680
Merit: 1001
CEO Bitpanda.com
January 24, 2014, 11:24:08 PM
> do we expect a price increase during/after the Bitcoin conference?

Wait a minute, I need to warm up my glass ball.
Damelon
Legendary
Activity: 1092
Merit: 1010
January 24, 2014, 11:26:33 PM
> You need to get rid of this advertising stuff. Domains are cheap nowadays. Have a look at nxtion.com, nxtcrypto.org, mynxt.org, ... there are still people that are not using adblock? adblockplus.org I get the feeling this is beside the point. Hardly encourages confidence in a rising currency when its own sites rely on ad revenue.

It's a site made by a Nxt owner who wants to help out. I feel it's a bit weird to impose standards for a site as fellow stakeholders. Sure, we can have opinions, but it's not like there is a central bureaucracy endorsing sites here.
EvilDave
January 24, 2014, 11:32:10 PM
> It's easy to defeat brute force. Instead of using the password for the account, use the password as an input for PBKDF2 with a number of iterations inversely related to the password's length. The relation: one second for safe passwords, longer for unsafe; let's say it's 15 seconds for something like "apple". This makes brute-forcing much harder even for short passwords. It's possible to add a second simple field, even a user's real name, and use it as a salt. The combination would make brute-forcing almost impossible. For compatibility with other accounts, it's enough to add a checkbox 'use older password system'. I can implement this in JS. Jitted JS in new browsers is fast enough. I asked Jean-Luc if he would include this if I did (no point writing only for myself - I have a secure password) but he wasn't interested. https://forums.nxtcrypto.org/viewtopic.php?f=17&t=557

Forgive me for not being all that technically brilliant. My understanding of what this idea translates to is a timeout in between each password log-in attempt, with the timeout period increasing for simpler passwords. Have I got the idea? It seems like a good idea to me; maybe just set a default time between log-in attempts of 10-30 seconds. That will at least slow directed BF attacks down considerably. However, there is nothing to stop the attacker attacking multiple accounts simultaneously, switching between targets as it gets locked out. Someone, whose name I shall not mention, did float the idea of creating a hashcat(?)-based tool to carry out an automated brute-force attack on the entire NXT blockchain, i.e. all accounts. Maybe this has been implemented... we need to keep a very good watch out for hacking reports, and take them seriously.
Fatih87SK
January 24, 2014, 11:33:32 PM
> You need to get rid of this advertising stuff. Domains are cheap nowadays. Have a look at nxtion.com, nxtcrypto.org, mynxt.org, ... there are still people that are not using adblock? adblockplus.org I get the feeling this is beside the point. Hardly encourages confidence in a rising currency when its own sites rely on ad revenue.

I didn't activate any ads. It is activated on its own because you can build free websites there. I don't get any revenue for the ads. In fact I have to pay an amount of money per month to get rid of it. Maybe I will do it soon. Let's get on topic now. Lots of work to do.
iruu
January 24, 2014, 11:43:06 PM
> > It's easy to defeat brute force. Instead of using the password for the account, use the password as an input for PBKDF2 with a number of iterations inversely related to the password's length. The relation: one second for safe passwords, longer for unsafe; let's say it's 15 seconds for something like "apple". This makes brute-forcing much harder even for short passwords. It's possible to add a second simple field, even a user's real name, and use it as a salt. The combination would make brute-forcing almost impossible. For compatibility with other accounts, it's enough to add a checkbox 'use older password system'. I can implement this in JS. Jitted JS in new browsers is fast enough. I asked Jean-Luc if he would include this if I did (no point writing only for myself - I have a secure password) but he wasn't interested. https://forums.nxtcrypto.org/viewtopic.php?f=17&t=557
>
> Forgive me for not being all that technically brilliant. My understanding of what this idea translates to is a timeout in between each password log-in attempt, with the timeout period increasing for simpler passwords. Have I got the idea? It seems like a good idea to me; maybe just set a default time between log-in attempts of 10-30 seconds. That will at least slow directed BF attacks down considerably. However, there is nothing to stop the attacker attacking multiple accounts simultaneously, switching between targets as it gets locked out. Someone, whose name I shall not mention, did float the idea of creating a hashcat(?)-based tool to carry out an automated brute-force attack on the entire NXT blockchain, i.e. all accounts. Maybe this has been implemented... we need to keep a very good watch out for hacking reports, and take them seriously.

Yes to the timeout. 1 second in JS should mean that GPU crackers take at least a few ms per password (taking parallel cracking into account), which is enough to make cracking infeasible for all but the simplest dictionary passwords.
Capitan Cook
Newbie
Activity: 53
Merit: 0
January 24, 2014, 11:44:46 PM
When the price drops 0,00005 btc?
BitcoinForumator
Legendary
Activity: 1120
Merit: 1000
January 24, 2014, 11:45:41 PM
> > > It's easy to defeat brute force. Instead of using the password for the account, use the password as an input for PBKDF2 with a number of iterations inversely related to the password's length. The relation: one second for safe passwords, longer for unsafe; let's say it's 15 seconds for something like "apple". This makes brute-forcing much harder even for short passwords. It's possible to add a second simple field, even a user's real name, and use it as a salt. The combination would make brute-forcing almost impossible. For compatibility with other accounts, it's enough to add a checkbox 'use older password system'. I can implement this in JS. Jitted JS in new browsers is fast enough. I asked Jean-Luc if he would include this if I did (no point writing only for myself - I have a secure password) but he wasn't interested. https://forums.nxtcrypto.org/viewtopic.php?f=17&t=557
> >
> > Forgive me for not being all that technically brilliant. My understanding of what this idea translates to is a timeout in between each password log-in attempt, with the timeout period increasing for simpler passwords. Have I got the idea? It seems like a good idea to me; maybe just set a default time between log-in attempts of 10-30 seconds. That will at least slow directed BF attacks down considerably. However, there is nothing to stop the attacker attacking multiple accounts simultaneously, switching between targets as it gets locked out. Someone, whose name I shall not mention, did float the idea of creating a hashcat(?)-based tool to carry out an automated brute-force attack on the entire NXT blockchain, i.e. all accounts. Maybe this has been implemented... we need to keep a very good watch out for hacking reports, and take them seriously.
>
> Yes to the timeout. 1 second in JS should mean that GPU crackers take at least a few ms per password (taking parallel cracking into account), which is enough to make cracking infeasible for all but the simplest dictionary passwords.

This is exactly what I was asking myself - doesn't it take "seconds" to input a password and then log in -> How is it then possible to brute-force with tons of passwords?
NxtChg
January 24, 2014, 11:46:49 PM
> It seems like a good idea to me, maybe just set a default time between log-in attempts of 10-30 seconds. That will at least slow directed BF attacks down considerably. However, there is nothing to stop the attacker attacking multiple accounts simultaneously, switching between targets as it gets locked out.

This won't help. They do not brute-force it like this. What matters is the amount of entropy in the passphrase.
iruu
January 24, 2014, 11:51:25 PM
> > It seems like a good idea to me, maybe just set a default time between log-in attempts of 10-30 seconds. That will at least slow directed BF attacks down considerably. However, there is nothing to stop the attacker attacking multiple accounts simultaneously, switching between targets as it gets locked out.
>
> This won't help. They do not brute-force it like this. What matters is the amount of entropy in the passphrase.

Please read what PBKDF2 is. It's even in principle possible to make a system where single-word passwords like 'apple12' are safe, but key generation would be way too long.
Damelon
Legendary
Activity: 1092
Merit: 1010
January 24, 2014, 11:51:45 PM
This really makes me sad. Hope the guys don't feel too bad and had a good day at the conference.
Passion_ltc
January 24, 2014, 11:55:19 PM
> Is it possible to see a list of blocks your account has solved, the time it was created, and the nxt paid for that block?

Yes. You want this?
Anon136
Legendary
Activity: 1722
Merit: 1217
January 24, 2014, 11:58:36 PM
I really think the solution is obvious: an optional, user-specified secondary password, or a manual salt. This would be a password that you could be sloppy with. Upload it in plaintext to Google Drive, for example. Store a second copy in plain text in a text file on your desktop. Hell, you could even post it here in this thread. Even if every Nxt user publicly broadcast his second password, it would expand the total keyspace that brute forcers would need to search 15,000 times, making brute forcing 1/15000th as profitable, and it would be orders of magnitude more effective than that if they were sloppy with them but didn't actually post it publicly.
This could just be a modification to the client where it would display a second field under password that would be grayed out unless you checked a box saying that you wanted to use a secondary password. Then the client could simply tack it on to the end of the first password behind the scenes. It really would be an almost totally superficial change to NRS that would cut the profitability of rainbow tables down to a fraction of what it is now.
Rep Thread: https://bitcointalk.org/index.php?topic=381041
If one can not confer upon another a right which he does not himself first possess, by what means does the state derive the right to engage in behaviors from which the public is prohibited?
NxtChg
January 24, 2014, 11:59:52 PM
> Please read what PBKDF2 is. It's even in principle possible to make a system where single-word passwords like 'apple12' are safe, but key generation would be way too long.

I know what PBKDF2 is, I was replying to EvilDave, not to you.
McDoxy
Member
Activity: 96
Merit: 10
January 25, 2014, 12:01:06 AM
> This really makes me sad. Hope the guys don't feel too bad and had a good day at the conference.

What happened? Do they still get to speak? I hope they still got to spread the word about Nxt, and that was definitely not the last opportunity to attend a conference.
pandaisftw
January 25, 2014, 12:01:18 AM
> Some day it should be user-friendly - no person can handle a real 30+ random character password. For creating, well, that is needed, but please make sure that the user gets a way (probably 2-factor securitized) password for day to day usage.

Luckily, this can be done client-side. For example, SuperNXTWallet has the feature to either:
A) Generate a 30+ char password for the client based off the username+password they input + random salt (perhaps stored in a wallet.dat file). However, this means that the user will have to use the same client and have the wallet.dat file ready in order to access his account. Or he can request the client to print out his true password (with a lot of warnings) and try to memorize that too.
B) (Advanced) Let the user define his own brainwallet password of 30+ chars. This should come with a lot of warnings, but this will allow the user, like right now, to use his wallet anywhere in the world and on any device that is a node.
And RS code will be implemented on top of this, providing protection against sending NXT to wrong accounts.
NXT: 13095091276527367030
loopgate88
January 25, 2014, 12:03:08 AM
Password needs are something that even bitcoin doesn't have truly figured out. But it is further ahead than we are.
Bitcoin just gives you your private account number and tells you to never share it. Even if someone doesn't password protect their wallet, their account is safe.
NXT is placing the responsibility for security at a sophisticated level in the hands of users. This will always be an issue and the source of very bad press.
What is the solution for this?
A client that has a "create account" button that generates a random password of either a fixed or random number of chars between 30 and 50 and tells the user this random password is the user's private NXT ID and advises the user to keep it somewhere safe? This could also be referred to as their NXT private ID and the only thing they need to take away from a machine to another in order to access their account on the NXT network.
Any thoughts?
msin
Legendary
Activity: 1470
Merit: 1004
January 25, 2014, 12:03:14 AM
> But he has aliases
> Yes I have 13 of them
> How long was your pass phrase?
> 11
> That's definitely not long enough. Should aim for at least 30 chars.
> Great, there goes my NXT experience. Hope you all do well. I have myself to blame.

I have a 10 character password that has 100 Nxt in it, just letters and a #, and it still hasn't been hacked. I think there is something going on here. Perhaps the same password was used for something else?