Author Topic: Stolen coins. (Read 243 times)

cubist77 · « **on:** December 07, 2013, 07:30:18 PM »

As a user pf other altcoins, I'm flabergasted to find out that an an account is only linked to a passphrase and not an actual private key. Imagine my dismay when I checked my balance today to find 14k coins gone from my account. Is there any way to mark coins as stolen? It's not a lot of money, but the security is unacceptable. How could a passphrase be the nly thing needed to access an account from any location? this is short sided and extremely insecure. WHen I downloaded the client and purchased the coins on dgex, it was unclear that the whole system was accessed with only a passphrase. The post is still not clear that only a password is needed to access coins, i suggest the dev team remedy this.

The thief sent the coins to an address with other small transfers, so one can only assume they have a script of some sort to try rainbow tables.

krisjoseph · « **Reply #1 on:** December 08, 2013, 02:08:30 AM »

Quote from: cubist77 on December 07, 2013, 07:30:18 PM

As a user pf other altcoins, I'm flabergasted to find out that an an account is only linked to a passphrase and not an actual private key. Imagine my dismay when I checked my balance today to find 14k coins gone from my account. Is there any way to mark coins as stolen? It's not a lot of money, but the security is unacceptable. How could a passphrase be the nly thing needed to access an account from any location? this is short sided and extremely insecure. WHen I downloaded the client and purchased the coins on dgex, it was unclear that the whole system was accessed with only a passphrase. The post is still not clear that only a password is needed to access coins, i suggest the dev team remedy this.

The thief sent the coins to an address with other small transfers, so one can only assume they have a script of some sort to try rainbow tables.

Sorry to hear about your theft

I think the devs are taking security issues seriously and hopefully they will augment the system soon with 2-factor or some other authentication method.

Your passphrase IS your private key, right now.

How long/complex was your passphrase?

cubist77 · « **Reply #2 on:** December 08, 2013, 05:41:52 AM »

14k coins gone. My password was 15 characters.

loggg · « **Reply #3 on:** December 08, 2013, 05:51:08 AM »

Quote from: cubist77 on December 08, 2013, 05:41:52 AM

14k coins gone. My password was 15 characters.

Was the password secure? At any rate, yes the developers must definitely see this as an issue now and preferably will implement a 2-fact auth.

cubist77 · « **Reply #4 on:** December 08, 2013, 06:50:40 AM »

It was a mix of upper/lower and special chars, no words. There was no possibility of a dictionary attack.

Come-from-Beyond · « **Reply #5 on:** December 08, 2013, 10:05:48 AM »

Quote from: cubist77 on December 08, 2013, 06:50:40 AM

It was a mix of upper/lower and special chars, no words. There was no possibility of a dictionary attack.

Such a 15 chars long password requires computational power equal to 1 million Bitcoin networks to pick the password within 1 year. Could u share ur password with us? It's already hacked, right?

ben · « **Reply #6 on:** December 08, 2013, 10:58:34 AM »

@come-from-beyond:

add a second "value" to the secret passphrase with is "count-of-sha-256-rounds"

so ppl would insert their passphrase and how many sha-256 rounds are "run"...

this would be a good security increase...........

starik69 · « **Reply #7 on:** December 08, 2013, 11:29:05 AM »

Quote from: cubist77 on December 07, 2013, 07:30:18 PM

How could a passphrase be the nly thing needed to access an account from any location? this is short sided and extremely insecure.

How do you think people having >1M NXT care about this?

Come-from-Beyond · « **Reply #8 on:** December 08, 2013, 11:34:15 AM »

Quote from: ben on December 08, 2013, 10:58:34 AM

@come-from-beyond:

add a second "value" to the secret passphrase with is "count-of-sha-256-rounds"

so ppl would insert their passphrase and how many sha-256 rounds are "run"...

this would be a good security increase...........

Good idea.

hilton · « **Reply #9 on:** December 08, 2013, 12:32:16 PM »

the only thing we can do is make a looooong passpord i think.

oakwarrior · « **Reply #10 on:** December 08, 2013, 12:54:56 PM »

I wonder how Java's inherent security problems factor into this...

Jean-Luc · « **Reply #11 on:** December 08, 2013, 02:22:25 PM »

Quote from: oakwarrior on December 08, 2013, 12:54:56 PM

I wonder how Java's inherent security problems factor into this...

The usual java security problems that you hear about are with running java applets in the browser. Nxt doesn't use applets. Server-side java is pretty safe and widely used.

Come-from-Beyond · « **Reply #12 on:** December 08, 2013, 02:46:57 PM »

I'm still waiting for the passphrase to make sure that wasn't an attempt to spread FUD...

cubist77 · « **Reply #13 on:** December 09, 2013, 01:14:05 AM »

No I will not share my password. I use it for a couple of other things as well.

Graviton · « **Reply #14 on:** December 09, 2013, 01:27:53 AM »

Quote from: Come-from-Beyond on December 08, 2013, 10:05:48 AM

Such a 15 chars long password requires computational power equal to 1 million Bitcoin networks to pick the password within 1 year. Could u share ur password with us? It's already hacked, right?

Exactly. There must another attack vector in work here.

Author Topic: Stolen coins. (Read 243 times)

cubist77

Stolen coins.

krisjoseph

Re: Stolen coins.

cubist77

Re: Stolen coins.

loggg

Re: Stolen coins.

cubist77

Re: Stolen coins.

Come-from-Beyond

Re: Stolen coins.

ben

Re: Stolen coins.

starik69

Re: Stolen coins.

Come-from-Beyond

Re: Stolen coins.

hilton

Re: Stolen coins.

oakwarrior

Re: Stolen coins.

Jean-Luc

Re: Stolen coins.

Come-from-Beyond

Re: Stolen coins.

cubist77

Re: Stolen coins.

Graviton

Re: Stolen coins.