Bitcoin Forum
Author Topic: NXT :: descendant of Bitcoin - Updated Information  (Read 2761597 times)

wesleyh (Sr. Member)
March 10, 2014, 09:29:20 PM  #42861

So community, what do you think about the user's own password rules.

Quote
Your secret phrase must consist of at least 12 random words separated by spaces. Alternatively, you can choose a secret phrase that is at least 35 characters long and contains a mixture of lower/uppercase characters, numbers and special characters.

Is this too complicated? what do you suggest instead.

Not that this one is better, but maybe it is easier for the most users to understand:

1) at least 35 characters
2) less than 50 characters requires upper case and numbers

OK, so I could simply say:

Your secret phrase should be at least 35 characters long.

And then I can show the rest, (if the pass is less than 50), as an error message. Otherwise the description would be too long, agreed?


bitcoinpaul (Hero Member)
March 10, 2014, 09:30:14 PM  #42862

So community, what do you think about the user's own password rules.

Quote
Your secret phrase must consist of at least 12 random words separated by spaces. Alternatively, you can choose a secret phrase that is at least 35 characters long and contains a mixture of lower/uppercase characters, numbers and special characters.

Is this too complicated? what do you suggest instead.

Three thoughts:

- Just say Passphrase should be at least 50 characters long
- Show an indicator how good the chosen passphrase is
- Allow people to choose a weaker password

wesleyh (Sr. Member)
March 10, 2014, 09:30:26 PM  #42863

The difference between what? A secret phrase consists of multiple words, a password is typically one long word.

Why making this difference?

Because if you type a password it must be 35 characters in length AND have numbers AND uppercase AND special character. A 12 word phrase does not require this.

Uff. That's complicated.

Having 2 2 2 2 2 2 2 2 2 2 2 2 is okay, right? But that's only 24 characters.

No, it must always be at least 35 characters.


Passphrase Politics:


As the spreadsheet shows, password complexity is far less important than length when defending against brute-force crackers.  Hence, train your users to use long, easy-to-remember passphrases instead of short, random, hard-to-remember passwords.  Here's some advice for overcoming the political obstacles.

Don't announce to your users, "Henceforth all passwords must be 15-character passphrases", since this will only result in your assassination.  Instead, start a weekly internal e-mail security bulletin that includes a joke, cartoon, funny office story, or something else that will motivate users to open the e-mail instead of just deleting it.  Along with the joke or cartoon, include a security reminder (like "don't open e-mail attachments you're not expecting" or "alert IT staff if anyone asks for your password") and keep it as short as possible or else they'll learn to trash the message on sight despite the jokes and cartoons.  

In your next weekly security reminder, include a tip like this:  

    "Passwords are hard to remember, so don't forget that you can use a pass-phrase instead (passphrases are short fun sentences with spaces between the words).  So imagine an incredible or funny scene and make that your easy-to-remember passphrase!  :-)    Here are some examples:

          kitty ate my face off!
          my 100 pups play fight
          naked clowns cost $$$
          20 carbs a day max
          I threw up a mellon?
          Vader is my father dude
          a 200% raise is nice
          I only love Star Wars
          Britney Spears = my wife


In the weeks to come afterwards, follow up with more reminders like this:

    "The more outrageous, dramatic, scandalous, humorous or shocking a passphrase is, the easier it is to remember and the better it is for security.  Go ahead, have fun!"  

    "Wouldn't it be nice if mis-speling words was a good thing?  It is!  The more words you missspell in your passphraze the better it is for netwerk sekurity!"

    "Song lyrics, well-known sayings, and famous poems are easy to remember, but not ideal as passphrases.  Here's a tip!  You can still use your favorite line, but change a word in it or make it goofy in some way...or IMPROVE it!  ;-) "  

    "A passphrase takes less time to type at your keyboard than a random-looking password, and it's easier to remember too.  Great passphrases are five words or longer (size does matter!) and please do include words that no self-respecting librarian would ever put in a dictionary!"

    "If everyone agreed to use passphrases instead of passwords, we wouldn't have to change them so darn often...hmmmmmm...."


After softening up your users like this for a couple months, enforce a passphrase policy, but only against the other administrators.  Why only the other admins first?  Because, one, the security of their accounts is vastly more important than those of regular users, and, two, THEY were the real targets of the above e-mail reminders anyway!  The real obstacle to enforcing a long passphrase policy is the prejudice of the other administrators who have always been taught that "nothing's better than a RANDOM passWORD".  Show them this spreadsheet (after deleting this paragraph) and run the numbers.  It's hard to argue against the math.  Once the other admins are convinced, you can get them to help you enforce the new policy throughout the forest.  "Enforcement" is the wrong word, however, since you'll get much further by educating users first about how passphrases can be easier to remember if they're funny/shocking/bizarre, and you might consider making a deal with them too, namely, if they accept the new passphrase policy then they won't have to change them as often.  

For the other admins, make sure they understand that 1) LM hashes are not stored if a password is 15 characters or longer, 2) their own passphrases should be 15+ characters long with mis-spellings, character complexity and/or very rare words, 3) cached credentials can be extracted from stolen laptops and possibly cracked, and 4) the actual strength of the encryption on a certificate's private key is really determined by the crackability of one's passphrase, not the advertised bit-length of the cipher used, and many things depend on the security of private keys, e.g., S/MIME, VPN, TLS, WPA, etc.  

Good luck!

https://www.dropbox.com/s/syd8vwf31y90ev4/Passphrase_Length_vs_Complexity.xls

I'll be sure to include this entire text on the password creation screen ;)

wesleyh (Sr. Member)
March 10, 2014, 09:32:01 PM  #42864

So community, what do you think about the user's own password rules.

Quote
Your secret phrase must consist of at least 12 random words separated by spaces. Alternatively, you can choose a secret phrase that is at least 35 characters long and contains a mixture of lower/uppercase characters, numbers and special characters.

Is this too complicated? what do you suggest instead.

Three thoughts:

- Just say Passphrase should be at least 50 characters long
- Show an indicator how good the chosen passphrase is
- Allow people to choose a weaker password

- 50 characters now? 35 is long enough I think, anyone else?
- Indicator, maybe in a later version. Good idea.
- Allow people to choose a weaker password? Do you mean less than 35 characters? if so, no. I like the approach of if < 50, then uppercase and numbers are required.

igmaca (Full Member)
March 10, 2014, 09:33:04 PM  #42865
Last edit: March 10, 2014, 09:51:02 PM by igmaca

Main article: Random number generator attack

Since much cryptography depends on a cryptographically secure random number generator for key and cryptographic nonce generation, if a random number generator can be made predictable, it can be used as backdoor by an attacker to break the encryption.
The NSA is reported to have inserted a backdoor into the NIST certified cryptographically secure pseudorandom number generator Dual_EC_DRBG. If for example an SSL connection is created using this random number generator, then according to Matthew Green it would allow NSA to determine the state of the random number generator, and thereby eventually be able to read all data sent over the SSL connection.[12] Even though it was apparent that Dual_EC_DRBG was a very poor and possibly backdoored pseudorandom number generator long before the NSA backdoor was confirmed in 2013, it had seen significant usage in practice until 2013, for example by the prominent security company RSA Security.[13] There have subsequently been accusations that RSA Security knowingly inserted an NSA backdoor into its products, possibly as part of the Bullrun program. RSA has denied knowingly inserting a backdoor into its products.[14]
It has also been theorized that hardware RNGs could be secretly modified to have less entropy than stated, which would make encryption using the hardware RNG susceptible to attack. One such method which has been published works by modifying the dopant mask of the chip, which would be undetectable to optical reverse-engineering.[15] For example, for random number generation in Linux it is seen as unacceptable to use Intel's RdRand hardware RNG without mixing the RdRand output with other sources of entropy to counteract any backdoors in the hardware RNG, especially after the revelation of the NSA Bullrun program.[16][17]

http://en.wikipedia.org/wiki/Random_number_generator_attack

Jerical13 (Full Member)
March 10, 2014, 09:34:16 PM  #42866

Final draft. What do you guys think? I'm pretty sure this is what the bars are going to look like.





Cool. :D

ChuckOne (Sr. Member)
March 10, 2014, 09:36:21 PM  #42867

So community, what do you think about the user's own password rules.

Quote
Your secret phrase must consist of at least 12 random words separated by spaces. Alternatively, you can choose a secret phrase that is at least 35 characters long and contains a mixture of lower/uppercase characters, numbers and special characters.

Is this too complicated? what do you suggest instead.

Three thoughts:

- Just say Passphrase should be at least 50 characters long
- Show an indicator how good the chosen passphrase is
- Allow people to choose a weaker password

- 50 characters now? 35 is long enough I think, anyone else?
- Indicator, maybe in a later version. Good idea.
- Allow people to choose a weaker password? Do you mean less than 35 characters? if so, no. I like the approach of if < 50, then uppercase and numbers are required.

I tend to agree. Less than 35 should be denied.

rdanneskjoldr (Sr. Member)
March 10, 2014, 09:36:37 PM  #42868

In the Asset Exchange,in 1OZSilver ..it says there are a total amount of 100.
There is a buy order for 190 of it. Shouldn't the quantity be capped at the total number of items of that asset? To avoid misunderstanding something.

ChuckOne (Sr. Member)
March 10, 2014, 09:38:53 PM  #42869

So community, what do you think about the user's own password rules.

Quote
Your secret phrase must consist of at least 12 random words separated by spaces. Alternatively, you can choose a secret phrase that is at least 35 characters long and contains a mixture of lower/uppercase characters, numbers and special characters.

Is this too complicated? what do you suggest instead.

Not that this one is better, but maybe it is easier for the most users to understand:

1) at least 35 characters
2) less than 50 characters requires upper case and numbers

OK, so I could simply say:

Your secret phrase should be at least 35 characters long.

And then I can show the rest, (if the pass is less than 50), as an error message. Otherwise the description would be too long, agreed?

Seems good. :)

chanc3r (Sr. Member)
March 10, 2014, 09:41:15 PM  #42870

Anyone for a pint?



bitcoinpaul (Hero Member)
March 10, 2014, 09:42:16 PM  #42871

- 50 characters now? 35 is long enough I think, anyone else?
- Indicator, maybe in a later version. Good idea.
- Allow people to choose a weaker password? Do you mean less than 35 characters? if so, no. I like the approach of if < 50, then uppercase and numbers are required.


Passphrase must be at least 35 characters long.

If the passphrase is less than 50 characters and contains no numbers and uppercase letters, prompt a message with these extra requirements.

edit: Ok ;)

OK, so I could simply say:

Your secret phrase should be at least 35 characters long.

And then I can show the rest, (if the pass is less than 50), as an error message. Otherwise the description would be too long, agreed?



wesleyh (Sr. Member)
March 10, 2014, 09:42:39 PM  #42872

So community, what do you think about the user's own password rules.

Quote
Your secret phrase must consist of at least 12 random words separated by spaces. Alternatively, you can choose a secret phrase that is at least 35 characters long and contains a mixture of lower/uppercase characters, numbers and special characters.

Is this too complicated? what do you suggest instead.

Not that this one is better, but maybe it is easier for the most users to understand:

1) at least 35 characters
2) less than 50 characters requires upper case and numbers

OK, so I could simply say:

Your secret phrase should be at least 35 characters long.

And then I can show the rest, (if the pass is less than 50), as an error message. Otherwise the description would be too long, agreed?

Seems good. :)

Is this a good error description (shown when less than 50 characters are entered):
 
            error = "Since your secret phrase is less than 50 characters long, it must contain both numbers and uppercase letters.";

btw, no requirement for special characters?
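The rules settled on in the posts above, written out as a checker. This is an added example, not code from the nxtra.org client or from any poster: it enforces the 35-character floor, the uppercase-plus-digit requirement below 50 characters, and offers the special-character requirement (the question still open in this post) as an option. The constants, the function name and counting length in Unicode code points are assumptions of the example; the 31-symbol special-character set is the one listed in igmaca's spreadsheet notes.

```javascript
// Added example: a checker for the secret-phrase rules agreed in the thread.
// Not the NXT client's code; names and constants are the example's own.
//   1) at least 35 characters, always;
//   2) below 50 characters, at least one uppercase letter and one digit;
//   3) optionally (the open question in the thread), at least one special character.

const MIN_LENGTH = 35;
const RELAXED_LENGTH = 50; // from here on, no character-class requirements
// The 31 non-alphanumerics listed in igmaca's spreadsheet notes.
const SPECIALS = "!@#$%^&*()-_+=~`[]{}\\:;'\"<>,.?/";

// Returns { ok: true } or { ok: false, error }.
// Length is counted in Unicode code points (an assumption of this example);
// plain .length would count a single emoji as two characters.
function validateSecretPhrase(phrase, { requireSpecial = false } = {}) {
  if (typeof phrase !== "string") {
    return { ok: false, error: "Your secret phrase must be text." };
  }
  const chars = Array.from(phrase);
  if (chars.length < MIN_LENGTH) {
    return {
      ok: false,
      error: `Your secret phrase should be at least ${MIN_LENGTH} characters long.`,
    };
  }
  if (chars.length < RELAXED_LENGTH) {
    // Only ASCII letters and digits are recognised here; the client's own
    // regexes may differ.
    if (!/[A-Z]/.test(phrase) || !/[0-9]/.test(phrase)) {
      return {
        ok: false,
        error: `Since your secret phrase is less than ${RELAXED_LENGTH} characters long, it must contain both numbers and uppercase letters.`,
      };
    }
    if (requireSpecial && !chars.some((c) => SPECIALS.includes(c))) {
      return {
        ok: false,
        error: `Since your secret phrase is less than ${RELAXED_LENGTH} characters long, it must also contain a special character.`,
      };
    }
  }
  return { ok: true };
}
```

Validate exactly the string that will be fed to the key derivation: if the checker trimmed or collapsed whitespace but the client did not (or the other way round), a phrase could pass the check and still differ from the secret actually used. With these rules "2 2 2 2 2 2 2 2 2 2 2 2" is rejected on length alone, as wesleyh says above, and "kitty ate my face off! my 100 pups play fight" (45 characters) is rejected until it gains an uppercase letter.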

TwinWinNerD (Legendary)
March 10, 2014, 09:42:50 PM  #42873

Hey guys, i just forged a block with 9799 NXT. Wasn't there a price for that?

Anyone can find that link?


igmaca (Full Member)
March 10, 2014, 09:44:07 PM  #42874


....

I'll be sure to include this entire text on the password creation screen ;)

see attached file

Depending on your adversary, edit the number of computers he or she will use in parallel for cracking and the average keyrate of each machine.  Assume that your adversary is using GPU (not CPU) processors to optimize performance (such as ElcomSoft's distributed password cracker using nVidia GPUs).  Increase the number for added pessimism and to account for Moore's Law.

The 31 special symbols are the non-alphanumerics commonly used in the United States (!@#$%^&*()-_+=~`[]{}\:;'"<>,.?/).  Add more if you wish and update the number in the red box.  Reduce the number for added pessimism.  

If the adversary does know the exact length of passphrase, he or she will not have to compute all possible smaller lengths first.  If length is not known, then each time in the spreadsheet includes the sum of all prior times in that column since presumably the adversary would have to exhaust all the smaller lengths first.  Assume adversary does know exact length for added pessimism.

The factors that are difficult to include are the "true randomness" of the passphrase being cracked and how "smart" the cracking program is.  These factors are lumped together in the "Percentage of Keyspace To Be Searched" value.  If this value is 100% then the passphrase is assumed to be truly random, whatever that might mean to you, and/or the cracking program attempts no optimizations based on human nature, dictionaries, common substitutions, etc.  But, as you guesstimate the relevant cracking program to be smart, or as you guesstimate the passphrase to be less than truly random, then lower the percentage number.  The percentage reduces the number of possible combinations that must be searched as a crude estimate of actual time; for example, a five-character lowercase password with 100% randomness yields 11,881,376 possibilities, but with 30% randomness only yields 3,564,413.  If your adversary is doing only brute force cracking (and no dictionary, hybrid or pre-computed searches), set the randomness to 100%.  If your adversary is a large corporation or national government, set it to 1% on the assumption that their cracking programs will be "smarter".

Keep in mind that, if you are considering the crackability of LanManager (LM) hashes, the effective passphrase length is never greater than 7, even if the passphrase you type in is 14 characters long.  This is because the passphrase is cut in half and each half is hashed independently, then the two hashes are concatenated together.  Also, don't forget that LM hashes are NOT case sensitive, so the "lowercase,numbers,<space>" set is the most relevant (with 7 characters max).

In the far right column is an area to compute the cracking of dictionary-only passphrases where "length" is not the number of characters but the number of words in the phrase.  The vast majority of sentences in everyday spoken English are drawn from a pool of only about 10,000 words (according to one linguistics web site) from the hundreds of thousands of English words in the Oxford dictionary (which doesn't include scientific terms by the way).  Hence, assuming the passphrase is made up of only these words, with no mis-spellings, no numbers, no symbols, no mixed cases, then 10000 can be assumed and used to compute cracking times.  But if even a single word in one's passphrase were not in the cracker's dictionary, or if one word were deliberately mis-spelled or strangely capitalized or punctuated, then the 10000-word assumption is a vast under-estimate of how large the cracker would have to expand the dictionary and hybridize it in order to flush out the elusive word(s) in question.

Finally, these are MAX times, as though the very last passphrase guessed is the correct one.  Cut times in half to get the average per passphrase when large collections of hashes are being cracked simultaneously.

https://www.dropbox.com/s/syd8vwf31y90ev4/Passphrase_Length_vs_Complexity.xls

bitcoinpaul (Hero Member)
March 10, 2014, 09:45:18 PM  #42875

Is this 1626 words dictionary enough now or should we go with a bigger one, also to allow less words?
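The spreadsheet notes igmaca posted above and bitcoinpaul's 1626-word question come down to the same arithmetic: alphabet size raised to the length, cumulative over shorter lengths if the attacker does not know the length, scaled by how much of the keyspace a "smart" cracker really has to search. The following is an added example, not the spreadsheet's formulas or the NXT client's code; the attacker figures (100 machines at 10^10 guesses per second, 1% of the keyspace) are illustrative assumptions, and the LM treatment follows the notes above (no hash stored at 15+ characters, 7-character case-folded halves).

```javascript
// Added example, not code from the spreadsheet or the NXT client: the
// arithmetic behind the cracking-time estimates described in the thread,
// applied to the 12-word / 1626-word dictionary question. Attacker
// parameters are illustrative assumptions, not spreadsheet values.

// Alphabet sizes matching the spreadsheet's character sets.
const LOWER = 26, UPPER = 26, DIGITS = 10, SPECIALS = 31, SPACE = 1;
const SECONDS_PER_YEAR = 365.25 * 24 * 3600;

// Candidates when the attacker knows the exact length. BigInt, because
// 62**35 is far beyond the 2**53 range Number represents exactly.
function keyspaceExact(alphabetSize, length) {
  return BigInt(alphabetSize) ** BigInt(length);
}

// Candidates when the length is unknown and every shorter length has to be
// exhausted first (the spreadsheet's cumulative column).
function keyspaceUpTo(alphabetSize, length) {
  let total = 0n;
  for (let n = 1; n <= length; n++) total += keyspaceExact(alphabetSize, n);
  return total;
}

// Entropy in bits of a uniform choice among `size` candidates.
function bitsOfEntropy(size) {
  return Math.log2(Number(size));
}

// Worst-case seconds to search `fraction` of the keyspace (the spreadsheet's
// "percentage of keyspace to be searched") with `machines` crackers each
// making `ratePerSecond` guesses. Halve it for the average case.
function crackSeconds(keyspace, { fraction = 1.0, machines = 1, ratePerSecond = 1e9 } = {}) {
  const guesses = Math.round(Number(keyspace) * fraction);
  return guesses / (machines * ratePerSecond);
}

// LanManager: nothing is stored for 15+ characters; otherwise each
// 7-character half is attacked on its own with case folded away, so the
// relevant alphabet is lowercase + digits + space and the length is at most 7.
function lmHalfKeyspace(length) {
  if (length >= 15) return null; // no LM hash to attack
  return keyspaceExact(LOWER + DIGITS + SPACE, Math.min(length, 7));
}

// Side-by-side figures for the phrases discussed in the thread.
function summary() {
  const gpuFarm = { machines: 100, ratePerSecond: 1e10 }; // assumed adversary
  const twelveWords = keyspaceExact(1626, 12);            // client's dictionary size
  const sevenCommonWords = keyspaceExact(10000, 7);       // everyday-English pool
  const char35 = keyspaceExact(LOWER + UPPER + DIGITS, 35);
  return {
    twelveWordBits: bitsOfEntropy(twelveWords),           // about 128 bits
    sevenCommonWordBits: bitsOfEntropy(sevenCommonWords), // about 93 bits
    char35Bits: bitsOfEntropy(char35),                    // about 208 bits if truly random
    // same 35 characters, but a "smart" cracker only needs to search 1%
    char35SmartYears: crackSeconds(char35, { ...gpuFarm, fraction: 0.01 }) / SECONDS_PER_YEAR,
    lmHalfBits: bitsOfEntropy(lmHalfKeyspace(14)),        // about 36.5 bits per half
  };
}
```

The 128 bits for twelve words from 1626 only hold when the client draws each word uniformly at random; a user-typed sentence of everyday words is closer to the spreadsheet's 10,000-word column, where seven words give about 93 bits before any "smartness" discount. That gap is the reason the thread treats generated phrases and user-chosen phrases under different rules.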

Jerical13 (Full Member)
March 10, 2014, 09:52:39 PM  #42876

So community, what do you think about the user's own password rules.

Quote
Your secret phrase must consist of at least 12 random words separated by spaces. Alternatively, you can choose a secret phrase that is at least 35 characters long and contains a mixture of lower/uppercase characters, numbers and special characters.

Is this too complicated? what do you suggest instead.

That is pretty straight forward and easy to understand.

igmaca (Full Member)
March 10, 2014, 09:55:02 PM  #42877


....

I'll be sure to include this entire text on the password creation screen ;)

other things

Main article: Random number generator attack

Since much cryptography depends on a cryptographically secure random number generator for key and cryptographic nonce generation, if a random number generator can be made predictable, it can be used as backdoor by an attacker to break the encryption.
The NSA is reported to have inserted a backdoor into the NIST certified cryptographically secure pseudorandom number generator Dual_EC_DRBG. If for example an SSL connection is created using this random number generator, then according to Matthew Green it would allow NSA to determine the state of the random number generator, and thereby eventually be able to read all data sent over the SSL connection.[12] Even though it was apparent that Dual_EC_DRBG was a very poor and possibly backdoored pseudorandom number generator long before the NSA backdoor was confirmed in 2013, it had seen significant usage in practice until 2013, for example by the prominent security company RSA Security.[13] There have subsequently been accusations that RSA Security knowingly inserted an NSA backdoor into its products, possibly as part of the Bullrun program. RSA has denied knowingly inserting a backdoor into its products.[14]
It has also been theorized that hardware RNGs could be secretly modified to have less entropy than stated, which would make encryption using the hardware RNG susceptible to attack. One such method which has been published works by modifying the dopant mask of the chip, which would be undetectable to optical reverse-engineering.[15] For example, for random number generation in Linux it is seen as unacceptable to use Intel's RdRand hardware RNG without mixing the RdRand output with other sources of entropy to counteract any backdoors in the hardware RNG, especially after the revelation of the NSA Bullrun program.[16][17]

http://en.wikipedia.org/wiki/Random_number_generator_attack

10 Immutable Laws of Security.

Law #1: If a bad guy can persuade you to run his program on your computer, it's not solely your computer anymore.
Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore.
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
Law #4: If you allow a bad guy to run active content in your website, it's not your website any more.
Law #5: Weak passwords trump strong security.
Law #6: A computer is only as secure as the administrator is trustworthy.
Law #7: Encrypted data is only as secure as its decryption key.
Law #8: An out-of-date antimalware scanner is only marginally better than no scanner at all.
Law #9: Absolute anonymity isn't practically achievable, online or offline.
Law #10: Technology is not a panacea.

wesleyh (Sr. Member)
March 10, 2014, 09:55:18 PM  #42878

So community, what do you think about the user's own password rules.

Quote
Your secret phrase must consist of at least 12 random words separated by spaces. Alternatively, you can choose a secret phrase that is at least 35 characters long and contains a mixture of lower/uppercase characters, numbers and special characters.

Is this too complicated? what do you suggest instead.

That is pretty straight forward and easy to understand.

Well people thought it was too long. I've changed it now. Try it at http://nxtra.org/nxt-client/ (click on don't have an account, then click on "want to choose your own secret phrase")

ChuckOne (Sr. Member)
March 10, 2014, 09:56:25 PM  #42879

So community, what do you think about the user's own password rules.

Quote
Your secret phrase must consist of at least 12 random words separated by spaces. Alternatively, you can choose a secret phrase that is at least 35 characters long and contains a mixture of lower/uppercase characters, numbers and special characters.

Is this too complicated? what do you suggest instead.

Not that this one is better, but maybe it is easier for the most users to understand:

1) at least 35 characters
2) less than 50 characters requires upper case and numbers

OK, so I could simply say:

Your secret phrase should be at least 35 characters long.

And then I can show the rest, (if the pass is less than 50), as an error message. Otherwise the description would be too long, agreed?

Seems good. :)

Is this a good error description (shown when less than 50 characters are entered):
 
            error = "Since your secret phrase is less than 50 characters long, it must contain both numbers and uppercase letters.";

btw, no requirement for special characters?


That is great.

Ufff.. Hmm. Special characters. I do not know. What do others think?

It is more secure then, right?

bitcoinpaul (Hero Member)
March 10, 2014, 09:57:55 PM  #42880

So community, what do you think about the user's own password rules.

Quote
Your secret phrase must consist of at least 12 random words separated by spaces. Alternatively, you can choose a secret phrase that is at least 35 characters long and contains a mixture of lower/uppercase characters, numbers and special characters.

Is this too complicated? what do you suggest instead.

That is pretty straight forward and easy to understand.

Well people thought it was too long. I've changed it now. Try it at http://nxtra.org/nxt-client/ (click on don't have an account, then click on "want to choose your own secret phrase")

+1