Bitcoin Forum
Author Topic: NXT account hacked. All assets gone.  (Read 2567 times)
devphp (Sr. Member, Activity: 336, Merit: 260), August 31, 2014, 08:12:40 PM, #21

Actually the PW strength probably wasn't the issue.


In NXT, which is a brain wallet, PW strength is exactly the issue.

OP says it was a word + number + symbol = 12 chars.

So, something like this: Generation5!

It was most likely brute-forced using a dictionary.

Something like this: MaQorLdNxE5! would be much more secure, also 12 characters, but no dictionary words. At least 20 or more random characters are recommended for better security, with no dictionary words.
Nullu (Hero Member, Activity: 532, Merit: 500), August 31, 2014, 08:24:05 PM, #22

This is what worries me about NXT. Can't you just literally bruteforce it until you come across weak passwords?

BTC - 14kYyhhWZwSJFHAjNTtyhRVSu157nE92gF
devphp (Sr. Member, Activity: 336, Merit: 260), August 31, 2014, 08:27:32 PM, #23

This is what worries me about NXT. Can't you just literally bruteforce it until you come across weak passwords?

Someone is doing exactly that. Try to create an account with a simple password, fund it with a few coins and track how long it'll take for the coins to disappear. Someone did that experiment in Bitcoin with a brain wallet too, a brain wallet with a phrase like 'hello, world' or something, and it was gone in 5 mins. Moral of the story: use a truly random pass of 20+ chars and keep your PC clean from trojans, of course.
Spoetnik, FUD Philanthropist™ (Legendary, Activity: 1540, Merit: 1011), August 31, 2014, 08:29:41 PM, #24

This is what worries me about NXT. Can't you just literally bruteforce it until you come across weak passwords?

yeah and that is not FUD'ing but a valid concern !!!

FUD first & ask questions later™
Yuzu (OP) (Sr. Member, Activity: 368, Merit: 250), August 31, 2014, 08:30:34 PM, #25

Thanks EvilDave. While I'm changing ALL of my passwords I don't want to put my old one out yet. It was very simple for a hacker and I meant to change it but kept putting it off. It was just a Word+number+symbol. Twelve characters. Bad, bad, bad. For anyone who is out there reading this and thinks they have a 'good enough' password, for goodness' sake update it right now. This truly sucks, and you don't want to be in my position.

Actually the PW strength probably wasn't the issue.

Malware and using it on other sites are more than likely the issue.

If you were too lazy to change it,

then there is a high probability you reused it or a similar variation of it somewhere else.

~BCX~

Ah...trojans and dodgy sites are possible, but don't forget that there are also guys running rainbow tables against the NXT blockchain 24/7.
Any simple (or well known) password will be compromised, given enough time.
Had a guy on www.NXTforum.org a few days ago who had chosen a Bible verse as his password, and that got compromised pretty quickly.

The answer is simple: use a complex password, ffs. Not one that is easy to remember......
35 characters, upper+lower case, numbers and symbols.

@Yuzu: I know how much getting shit stolen hurts, so post or PM me your new NXT account (with a supersecure password) and I'll send 1000 NXT to help you back on track a little bit.

Dave, that's so damn nice of you.  But I can't take anything from anybody, though I appreciate the offer more than I can tell you.  Take that 1000NXT and get some of a nice asset like USDbitfnx.  It's a nice quiet little asset that pays out every two weeks.  I'm going to buy more of it when I get more funds.  But thanks, thanks, thanks!
Spoetnik, FUD Philanthropist™ (Legendary, Activity: 1540, Merit: 1011), August 31, 2014, 08:31:59 PM, #26

This is what worries me about NXT. Can't you just literally bruteforce it until you come across weak passwords?

Someone is doing exactly that. Try to create an account with a simple password, fund it with a few coins and track how long it'll take for the coins to disappear. Someone did that experiment in Bitcoin with a brain wallet too, a brain wallet with a phrase like 'hello, world' or something, and it was gone in 5 mins. Moral of the story: use a truly random pass of 20+ chars and keep your PC clean from trojans, of course.

and even more importantly as BitcoinExpress just said.. DO NOT RE-USE YOUR PASSWORDS !

EVER !!!!!!!!!!!!!!!!!!!!!!! period !!!!!!!!!!!!!!!

you can have 9327587298467508926409750602916843509287640956 of random characters
but when you re-use it.. you're fucked !

Nullu (Hero Member, Activity: 532, Merit: 500), August 31, 2014, 08:37:10 PM, #27

This is what worries me about NXT. Can't you just literally bruteforce it until you come across weak passwords?

yeah and that is not FUD'ing but a valid concern !!!

They could easily introduce some basic protection. Prevent weak passwords from being allowable. Temp IP-ban users who make too many password attempts. Force two-step verification. There are so many options to choose from, and I can't see any valid counter-argument to implementing some basic security protection. You wouldn't expect your online bank to let you have such weak security.

Magic8Ball (Legendary, Activity: 1050, Merit: 1000), August 31, 2014, 08:42:28 PM, #28

Thanks EvilDave. While I'm changing ALL of my passwords I don't want to put my old one out yet. It was very simple for a hacker and I meant to change it but kept putting it off. It was just a Word+number+symbol. Twelve characters. Bad, bad, bad. For anyone who is out there reading this and thinks they have a 'good enough' password, for goodness' sake update it right now. This truly sucks, and you don't want to be in my position.

Very sad to hear. I hope that the thief gets his comeuppance soon.

I had one simple account created initially which had a few hundred NXT, but it's all gone long back. I haven't looked into NXT since.
EvilDave (Hero Member, Activity: 854, Merit: 1001), August 31, 2014, 08:46:20 PM, #29

This is what worries me about NXT. Can't you just literally bruteforce it until you come across weak passwords?

Someone is doing exactly that. Try to create an account with a simple password, fund it with a few coins and track how long it'll take for the coins to disappear. Someone did that experiment in Bitcoin with a brain wallet too, a brain wallet with a phrase like 'hello, world' or something, and it was gone in 5 mins. Moral of the story: use a truly random pass of 20+ chars and keep your PC clean from trojans, of course.

and even more importantly as BitcoinExpress just said.. DO NOT RE-USE YOUR PASSWORDS !

EVER !!!!!!!!!!!!!!!!!!!!!!! period !!!!!!!!!!!!!!!

you can have 9327587298467508926409750602916843509287640956 of random characters
but when you re-use it.. you're fucked !

It's a strange moment....total agreement with Spoetnik!
This was the cause of the BTER hack: if you re-use a password, and it gets compromised somewhere.....the rest of your shit is immediately compromised.

@Yuzu: good luck, mate. I'll see if I can find some orphans to pass a 1000 NXT on to......

Nulli Dei, nulli Reges, solum NXT
Love your money: www.nxt.org  www.ardorplatform.org
www.nxter.org  www.nxtfoundation.org
EvilDave (Hero Member, Activity: 854, Merit: 1001), August 31, 2014, 08:51:41 PM, #30

This is what worries me about NXT. Can't you just literally bruteforce it until you come across weak passwords?

yeah and that is not FUD'ing but a valid concern !!!

They could easily introduce some basic protection. Prevent weak passwords from being allowable. Temp IP-ban users who make too many password attempts. Force two-step verification. There are so many options to choose from, and I can't see any valid counter-argument to implementing some basic security protection. You wouldn't expect your online bank to let you have such weak security.

Account Control is coming up soon as a NXT feature....it'll allow you to cold-wallet and lockdown your account.
But the point is: the user is responsible for his own security.
NXT is safe, provided you use a decent password and the normal security precautions such as anti-malware scanners and not clicking on every link you see.

Nullu (Hero Member, Activity: 532, Merit: 500), August 31, 2014, 08:57:24 PM, #31

This is what worries me about NXT. Can't you just literally bruteforce it until you come across weak passwords?

yeah and that is not FUD'ing but a valid concern !!!

They could easily introduce some basic protection. Prevent weak passwords from being allowable. Temp IP-ban users who make too many password attempts. Force two-step verification. There are so many options to choose from, and I can't see any valid counter-argument to implementing some basic security protection. You wouldn't expect your online bank to let you have such weak security.

Account Control is coming up soon as a NXT feature....it'll allow you to cold-wallet and lockdown your account.
But the point is: the user is responsible for his own security.
NXT is safe, provided you use a decent password and the normal security precautions such as anti-malware scanners and not clicking on every link you see.

Ultimately it's the user's responsibility, yes, but even allowing weak passwords to begin with seems counter-intuitive if hackers are allowed unlimited password attempts.

MacDuro (Full Member, Activity: 140, Merit: 100), August 31, 2014, 08:58:33 PM, #32

I'm still using the one that they randomly generate, I know, bad move... time to create another wallet, transfer funds and pay the damn NXT fees.
Yuzu (OP) (Sr. Member, Activity: 368, Merit: 250), August 31, 2014, 09:01:17 PM, #33

I'm still using the one that they randomly generate, I know, bad move... time to create another wallet, transfer funds and pay the damn NXT fees.

Dude, do it right now. Don't be like me!
EvilDave (Hero Member, Activity: 854, Merit: 1001), August 31, 2014, 10:08:43 PM, #34

I'm still using the one that they randomly generate, I know, bad move... time to create another wallet, transfer funds and pay the damn NXT fees.

The fee you see on the transfer page is only a suggestion.......1 NXT is the minimum, and it doesn't matter how much you transfer.
Someone should have told the BTER hacker that, as he paid out the recommended 51,000 NXT fee on the transfer out of BTERs account.....one very happy forger!

BTW: the random 12-word passphrase that current NXT clients have should be secure enough. We've never heard of a randomly generated passphrase being compromised, only bad user-chosen passwords.

MacDuro (Full Member, Activity: 140, Merit: 100), September 01, 2014, 12:10:42 AM, #35

I'm still using the one that they randomly generate, I know, bad move... time to create another wallet, transfer funds and pay the damn NXT fees.

The fee you see on the transfer page is only a suggestion.......1 NXT is the minimum, and it doesn't matter how much you transfer.
Someone should have told the BTER hacker that, as he paid out the recommended 51,000 NXT fee on the transfer out of BTERs account.....one very happy forger!

BTW: the random 12-word passphrase that current NXT clients have should be secure enough. We've never heard of a randomly generated passphrase being compromised, only bad user-chosen passwords.

Thanks for all your advice, I didn't know about the fees. I think I will create another account just because that password in English is really hard for me to remember.
sx100 (Member, Activity: 74, Merit: 10), September 01, 2014, 12:24:46 AM, #36

The fee you see on the transfer page is only a suggestion.......1 NXT is the minimum, and it doesn't matter how much you transfer.
Someone should have told the BTER hacker that, as he paid out the recommended 51,000 NXT fee on the transfer out of BTERs account.....one very happy forger!
 

Would the hacker's transaction have confirmed faster because he paid the 51,000 NXT fee, or would it have confirmed just as fast if he had paid a 1 NXT fee?
digital7 (Newbie, Activity: 55, Merit: 0), September 01, 2014, 02:34:46 AM, #37

oh, maybe you are water army
Zer0Sum (Legendary, Activity: 1588, Merit: 1000), September 01, 2014, 03:23:24 AM, #38

This is what worries me about NXT. Can't you just literally bruteforce it until you come across weak passwords?

yeah and that is not FUD'ing but a valid concern !!!

They could easily introduce some basic protection. Prevent weak passwords from being allowable. Temp IP-ban users who make too many password attempts. Force two-step verification. There are so many options to choose from, and I can't see any valid counter-argument to implementing some basic security protection. You wouldn't expect your online bank to let you have such weak security.

I doubt that you hear about even 10% of crypto hacks...
In fact, virtually all security deficiencies are automatically blamed on "password hacks".

Would you put $1,000,000 on the NXT platform?

OP, don't feel bad...
For every post I read where the user maybe was careless...
I read another one where the victim was an amateur cryptologist, jumped through 100 hoops, and still got ripped off.

Decentralized crypto security = Free Lunch.
NattyLiteCoin, "If you don't believe, why are you here?" (Hero Member, Activity: 912, Merit: 1021), September 01, 2014, 04:05:10 AM, #39

So the password I got from NXT is not secure?

Freeze gulp magnetic vibe manifest knee sprain winter ungulate hoofed your mom

Solid fucking gold right there.

devphp (Sr. Member, Activity: 336, Merit: 260), September 01, 2014, 05:19:27 AM, #40

So the password I got from NXT is not secure?

Freeze gulp magnetic vibe manifest knee sprain winter ungulate hoofed your mom

Solid fucking gold right there.

12 random words generated by the client are secure.

It's when a user rejects that random pass and invents their own weak password that most of the hacks take place.

If you can't invent your own secure password, just use what the client software tells you to use and you'll be safe.
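To make the comparison running through this thread concrete (the OP's word+number+symbol password, devphp's 12 random characters, and the client's 12 random words), here is an added Python estimator; it is not code from the thread or from the NXT project. The cracking-dictionary size, the client word-list size and the small sample dictionary are assumptions, and the flag for the OP's pattern is the kind of check Nullu's "prevent weak passwords" suggestion would need.

```python
import math
import re

# Constructed sample dictionary standing in for a cracking word list; the
# sizes below are assumptions for the estimate, not figures from the thread.
SAMPLE_DICTIONARY = {"generation", "password", "bitcoin", "winter", "summer"}
ATTACK_DICTIONARY_SIZE = 100_000   # assumed size of a typical cracking word list
CLIENT_WORDLIST_SIZE = 1626        # assumed size of the client's passphrase word list
PRINTABLE_ASCII = 95               # alphabet size for a random printable string
SYMBOLS = 32                       # printable ASCII punctuation characters

# word of 3+ letters, then 1-4 digits, then a single symbol (the OP's pattern)
WORD_NUMBER_SYMBOL = re.compile(r"([A-Za-z]{3,})(\d{1,4})([^\w\s])")

def is_word_number_symbol(password, dictionary=SAMPLE_DICTIONARY):
    """True when the password is a dictionary word followed by digits and one symbol."""
    m = WORD_NUMBER_SYMBOL.fullmatch(password)
    return m is not None and m.group(1).lower() in dictionary

def word_number_symbol_bits(dictionary_size=ATTACK_DICTIONARY_SIZE):
    """Entropy of the OP's pattern: word (two capitalisations) + 1-4 digits + symbol."""
    numbers = sum(10 ** d for d in range(1, 5))   # every 1- to 4-digit number
    return math.log2(dictionary_size * 2 * numbers * SYMBOLS)

def random_string_bits(length, alphabet_size=PRINTABLE_ASCII):
    """Entropy of a string of independently random printable characters."""
    return length * math.log2(alphabet_size)

def random_words_bits(word_count, wordlist_size=CLIENT_WORDLIST_SIZE):
    """Entropy of words drawn uniformly at random from the client's word list."""
    return word_count * math.log2(wordlist_size)

def years_to_exhaust(bits, guesses_per_second):
    """Time to try the whole search space at a given offline guessing rate."""
    return 2 ** bits / guesses_per_second / (3600 * 24 * 365)

def assess(password):
    """Classify a passphrase as one of the thread's three kinds and return (kind, bits)."""
    if is_word_number_symbol(password):
        return "word+number+symbol", word_number_symbol_bits()
    words = password.split()
    if len(words) >= 12 and all(w.isalpha() for w in words):
        return "random-words", random_words_bits(len(words))
    return "random-string", random_string_bits(len(password))
```

The random-words figure only holds for words the client drew at random; a Bible verse or any other chosen sentence with the same word count is a dictionary phrase and gets nowhere near it.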