Idea of a hypothetical attack on the nxt network

[strimbello]

Hi there NXT coin community,

I wanted to launch an idea, more of a concept of an attack actually, just to know whether this is something we would have to worry about or not. 

What if an attacker (or a group) would launch a so-called scorched earth attack on a cryptocurrency, NXT in this case - but I assume others would be vulnerable too in the future...

Such an attack would be launched by having a botnet or supercomputer-network make tens of thousands of random passwords with as many 'new' NXT accounts.  This would require a big amount of planning and would also be some sort of DDOS attack, but at the same time it would slowly and gradually deplete the number of free accounts.

In theory there are only 20 digits of numbers and accounts available; which means 10^77 account numbers in theory (looks like almost infinite, but for a targeted attack like this in combination with enough processing power, this should maybe be doable.) 
Even so, the most common passphrases (in the most notorious bruteforcer wordlists) can be counted in to account for a lot of positive hits here...  but the purpose of such an attack would be not to gain access to accounts (that's a surplus maybe), but to drain the account numbers.

The computer starts with 000000000000000000001 by giving in a random 72 characters password, then moves on to account 000000000000000000002 ... 

After x-time... some users and new accounts would have problems using the network, even if they type in a totally new passphrase (one that no user or computer ever used)... the new user would have no account number over to be distributed.  Kinda like having a DHCP request but the full range of IP addresses is already taken by other users and computers.
Since there is one big difference with the DHCP and NXT network: the computers don't need to be online or cross any lease-time to have the account or ip redistributed.  A computer can just take one account number, and never go back in that account again.

Maybe there should be some way to clear unused accounts after a certain amount of time? (Let's say the time that 100.000 new accounts were made is the "lease" time for unused accounts with no transactions in or out (even with funds!) - This would prevent such an attack and free up some account numbers over time.  If you build in a warning system of some kind, to prevent real humans to hold their inactive account, this would be great.

Just my two cents (tip me some NXT if you think this helps, otherwise just ignore me

grts
Strimbello, a NXT enthusiast (without real processing power).

[pat]

Hi there NXT coin community,

I wanted to launch an idea, more of a concept of an attack actually, just to know whether this is something we would have to worry about or not. 

What if an attacker (or a group) would launch a so-called scorched earth attack on a cryptocurrency, NXT in this case - but I assume others would be vulnerable too in the future...

Such an attack would be launched by having a botnet or supercomputer-network make tens of thousands of random passwords with as many 'new' NXT accounts.  This would require a big amount of planning and would also be some sort of DDOS attack, but at the same time it would slowly and gradually deplete the number of free accounts.

In theory there are only 20 digits of numbers and accounts available; which means 10^77 account numbers in theory (looks like almost infinite, but for a targeted attack like this in combination with enough processing power, this should maybe be doable.) 
Even so, the most common passphrases (in the most notorious bruteforcer wordlists) can be counted in to account for a lot of positive hits here...  but the purpose of such an attack would be not to gain access to accounts (that's a surplus maybe), but to drain the account numbers.

The computer starts with 000000000000000000001 by giving in a random 72 characters password, then moves on to account 000000000000000000002 ... 

After x-time... some users and new accounts would have problems using the network, even if they type in a totally new passphrase (one that no user or computer ever used)... the new user would have no account number over to be distributed.  Kinda like having a DHCP request but the full range of IP addresses is already taken by other users and computers.
Since there is one big difference with the DHCP and NXT network: the computers don't need to be online or cross any lease-time to have the account or ip redistributed.  A computer can just take one account number, and never go back in that account again.

Maybe there should be some way to clear unused accounts after a certain amount of time? (Let's say the time that 100.000 new accounts were made is the "lease" time for unused accounts with no transactions in or out (even with funds!) - This would prevent such an attack and free up some account numbers over time.  If you build in a warning system of some kind, to prevent real humans to hold their inactive account, this would be great.

Just my two cents (tip me some NXT if you think this helps, otherwise just ignore me

grts
Strimbello, a NXT enthusiast (without real processing power).

I'm not an expert but such an attack would not affect the NXT network itself.
If you enter a passphrase you get an address. That address is then NOT marked as used or something so anyone could use the same passphrase without a problem.
What your attack would do is not deplete the network of open accounts but it would pretty much bruteforce passphrases that are already in use.

[strimbello]

Thx for your answer,... yeas, a bruteforce on the passwords would be the first and main thing to be noticed,... but do this a billion times (which is not that much for a good bruteforce network these days) and you'll run out of free account numbers on the NXT system itself, no?

[lucky88888]

This is how i understand it. i could think 2 ways how account assignment works

(1)There isn't actually any account creation or any free accounts.
With nxt all accounts are all already fully assigned to its corresponding passwords using a complex algorithm.

For example is with the password "1" even before anyone used this, the corresponding account number will always be "123".
There is no point in mass creating account as this simply means mass logging on to accounts. But you can, if you find a account with some balance and transfer out, it has been done, as there are lots of people who can't create a long random password. EDIT:you can login to account "null" the account with no password and look at the transaction history, same goes with all other account with simple passwords. simple password also means hellothisismyreallysuperduperlongpasswordandnoonecanguessitbecauseitissolong

(2)Each account created only assigns a 64bit public key, until a transaction is made inside the account to finalize the account assignment of 256bit public key. Maybe this can protect itself from something like you mention.
You can search in on btt forum about this public key thing, it was discussed but i think no one know why its assigned this way and this is my guess, i'm not the technical type. do a search in here https://bitcointalk.org/index.php?topic=345619.0

Also you might want to take note that if you are able to brute-force all nxt accounts, i'm pretty sure you can bruteforce all bank accounts in the world too. That's the kind of brute-force power you need to crack the algorithm protecting nxt.

I might just be spewing out crap but what ever.. 

[strimbello]

Thx that made sense.