Robbed more than 100,000 NXT

[devphp]

This guy did, first known victim of this thief:
https://nxtforum.org/general-discussion/help!-my-nxt-account-stolen-account-for-nxt-wczn-dgql-xm69-62l3n/msg92255/#msg92255
His pass was just a random phrase from Genesis, complete with full stop.

Yes, and it was a simple dictionary attack with the Bible quotes as source. I wonder why people don't use the pass phrase provided the NXT client, it's random enough and can't be cracked in a billion years.

[danynx]

Thats why i dont invest on nxt   

[donn2012]

This guy did, first known victim of this thief:
https://nxtforum.org/general-discussion/help!-my-nxt-account-stolen-account-for-nxt-wczn-dgql-xm69-62l3n/msg92255/#msg92255
His pass was just a random phrase from Genesis, complete with full stop.

Yes, and it was a simple dictionary attack with the Bible quotes as source. I wonder why people don't use the pass phrase provided the NXT client, it's random enough and can't be cracked in a billion years.

that's part of my password:

Uhf;lfybyj,zpfy

more I see no reason to write my password

[devphp]

that's part of my password:

Uhf;lfybyj,zpfy

more I see no reason to write my password

Does this mean anything in another language/keyboard layout? Google says it does.

[LiQio]

This guy did, first known victim of this thief:
https://nxtforum.org/general-discussion/help!-my-nxt-account-stolen-account-for-nxt-wczn-dgql-xm69-62l3n/msg92255/#msg92255
His pass was just a random phrase from Genesis, complete with full stop.

Yes, and it was a simple dictionary attack with the Bible quotes as source. I wonder why people don't use the pass phrase provided the NXT client, it's random enough and can't be cracked in a billion years.

that's part of my password:

Uhf;lfybyj,zpfy

more I see no reason to write my password

Googling this gives me a referat.ru hit - is it possible that the reminder can also be found there?

[mr_random]

that's part of my password:

Uhf;lfybyj,zpfy

more I see no reason to write my password

If you've lost all your funds from the account, why wouldn't you share the password?

Unless you're using the password somewhere else or haven't told the complete truth, you have no reason not to give us the password so we can verify the accuracy of your claims.

[donn2012]

that's part of my password:

Uhf;lfybyj,zpfy

more I see no reason to write my password

If you've lost all your funds from the account, why wouldn't you share the password?

Unless you're using the password somewhere else or haven't told the complete truth, you have no reason not to give us the password so we can verify the accuracy of your claims.

Why do you need my account and password? You do not believe that someone stole my NXT? Password I do not want to disclose a number of reasons, which do not consider it necessary to describe here.

[Come-In-Behind]

Join the club, mine disappeared mysteriously too. No more NXT for me, and don't tell me it was my 128 character randomly generated cut and paste password either.

The NXT asset exchange and wallets were compromised I seen.

I would avoid using NXT.

[devphp]

Why do you need my account and password? You do not believe that someone stole my NXT? Password I do not want to disclose a number of reasons, which do not consider it necessary to describe here.

1) Your pass phrase would confirm your claim is legitimate. And yes, why would anyone believe your claim in this nest of vipers that this forum is
2) Your pass phrase would shed light on whether your account was hacked due to the weak pass phrase, which it most likely was because Google search reveals the part of the pass phrase you provided is in Google's database.

[donn2012]

Why do you need my account and password? You do not believe that someone stole my NXT? Password I do not want to disclose a number of reasons, which do not consider it necessary to describe here.

1) Your pass phrase would confirm your claim is legitimate. And yes, why would anyone believe your claim in this nest of vipers that this forum is
2) Your pass phrase would shed light on whether your account was hacked due to the weak pass phrase, which it most likely was because Google search reveals the part of the pass phrase you provided is in Google's database.

Want to Pick up on password using google to my account.
I can send you any messages from my account to confirm ownership. Password will not write.
The question is how to punish a thief? Maybe I should write a letter to the stock exchanges with his account, or are there any ways?

[starik69]

Oh, not Bible but russian constitution? 

Password weak -> money loss. Can not do nothing. 

If NXT password system is so weak why we do not see hacking of >10M accounts? (Bter or Klee were hacked not because of password) 

[TaunSew]

Jeff Garzik (Bitcoin core developer) thinks there could be a backdoor in NXT that is resulting in all these thefts.

Sorry but I'm not buying it that some brute forcer is inserting every quotation from the bible into the password generator, or that they can crack 125 character passwords consisting of gibberish.

[LiQio]

Thanks starik69: google translate proposed "citizen must" for the part provided - but russian text is impossible to understand. (if you don't speak it ;-))

[donn2012]

Oh, not Bible but russian constitution? 

UGOLOVNYI KODEKS, tam ishi parol. 

[LiQio]

Sorry but I'm not buying it that some brute forcer is inserting every quotation from the bible into the password generator, or that they can crack 125 character passwords consisting of gibberish.

This is exactly what is happening and has happened for months: opening lines, bible quotes, citations, etc. in different languages and from different sources.
How do you think doctorevil found the 1984 quote that leads to the genesis account?

These are simply no passwords but crap.
And that's not bruteforce but dictionary attacks.

[Come-In-Behind]

Jeff Garzik (Bitcoin core developer) thinks there could be a backdoor in NXT that is resulting in all these thefts.

Sorry but I'm not buying it that some brute forcer is inserting every quotation from the bible into the password generator, or that they can crack 125 character passwords consisting of gibberish.

There probably is a backdoor, too many NXT coins have been stolen with No explanation as to how.


NXT is hacked.

[donn2012]

Thanks starik69: google translate proposed "citizen must" for the part provided - but russian text is impossible to understand. (if you don't speak it ;-))

All right google translated, but it's not the beginning of the password it is composed of several phrases and symbols.

[LiQio]

the following possibilities come to my mind:

password weak: you should disclose the now completely useless password
bad client: which one are you running?
bad third party software / keylogger: possible?
fishing: have you entered your passphrase on an external server or downloaded the client from a "fake" source?
physical theft: did you write it on paper and could this have been copied/stolen?

[scv00]

Jeff Garzik (Bitcoin core developer) thinks there could be a backdoor in NXT that is resulting in all these thefts.

Sorry but I'm not buying it that some brute forcer is inserting every quotation from the bible into the password generator, or that they can crack 125 character passwords consisting of gibberish.

Can you post a link to something he has written about this.

[TaunSew]

Jeff Garzik (Bitcoin core developer) thinks there could be a backdoor in NXT that is resulting in all these thefts.

Sorry but I'm not buying it that some brute forcer is inserting every quotation from the bible into the password generator, or that they can crack 125 character passwords consisting of gibberish.

Can you post a link to something he has written about this.

https://twitter.com/jgarzik/status/511866795582427136