Hi there NXT coin community,
I wanted to launch an idea, more of a concept of an attack actually, just to know whether this is something we would have to worry about or not.
What if an attacker (or a group) were to launch a so-called scorched earth attack on a cryptocurrency, NXT in this case, but I assume others would be vulnerable too in the future...
Such an attack would be launched by having a botnet or supercomputer network generate tens of thousands of random passwords, and with them as many 'new' NXT accounts. This would require a large amount of planning and would also be some sort of DDoS attack, but at the same time it would slowly and gradually deplete the number of free accounts.
In theory there are only 20 digits of numbers and accounts available, which means 10^77 account numbers in theory (looks almost infinite, but for a targeted attack like this, in combination with enough processing power, this should maybe be doable).
Even so, the most common passphrases (in the most notorious bruteforcer wordlists) can be counted on to account for a lot of positive hits here... but the purpose of such an attack would not be to gain access to accounts (that's a bonus maybe), but to drain the account numbers.
The computer starts with 000000000000000000001 by typing in a random 72-character password, then moves on to account 000000000000000000002 ...
After x time... some users and new accounts would have problems using the network, even if they type in a totally new passphrase (one that no user or computer ever used)... there would be no account number left over to be distributed to the new user. Kinda like having a DHCP request when the full range of IP addresses is already taken by other users and computers.
There is one big difference between DHCP and the NXT network, though: the computers don't need to be online or pass any lease time to have the account or IP redistributed. A computer can just take one account number, and never go back into that account again.
Maybe there should be some way to clear unused accounts after a certain amount of time? (Let's say the time in which 100,000 new accounts were made is the "lease" time for unused accounts with no transactions in or out (even with funds!).) This would prevent such an attack and free up some account numbers over time. If you build in a warning system of some kind, to keep real humans from losing their inactive account, this would be great.
Just my two cents (tip me some NXT if you think this helps, otherwise just ignore me).
grts
Strimbello, an NXT enthusiast (without real processing power).
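To put the size of the account-number space from the post into concrete numbers, here is an added example that is not part of the original post or of NXT's code: it models the passphrase-to-account mapping with a simplified stand-in (plain SHA-256 of the passphrase, an assumption; real NXT hashes a Curve25519 public key derived from the passphrase) and computes how long claiming every number in a 64-bit space would take at a given creation rate, plus the birthday-bound chance that randomly generated accounts collide with each other.

```python
import hashlib
import math
import random
import string

# NXT account numbers are unsigned 64-bit integers (up to 20 decimal digits).
ACCOUNT_ID_BITS = 64
ACCOUNT_SPACE = 2 ** ACCOUNT_ID_BITS
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def account_id(passphrase: str) -> int:
    """Simplified stand-in (assumption) for the passphrase -> account-number mapping.
    Real NXT derives a Curve25519 key pair from the passphrase and hashes the public key;
    hashing the passphrase directly keeps what matters here: deterministic, 64 bits wide."""
    digest = hashlib.sha256(passphrase.encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "little")


def years_to_exhaust(accounts_per_second: float) -> float:
    """Years needed to claim every account number at a sustained creation rate."""
    return ACCOUNT_SPACE / accounts_per_second / SECONDS_PER_YEAR


def fraction_claimed(accounts_created: int) -> float:
    """Share of the whole space occupied after creating this many distinct accounts."""
    return accounts_created / ACCOUNT_SPACE


def collision_probability(accounts_created: int) -> float:
    """Birthday bound: chance that two random passphrases land on the same account number."""
    pairs = accounts_created * (accounts_created - 1) / 2
    return 1.0 - math.exp(-pairs / ACCOUNT_SPACE)


def random_passphrase(rng: random.Random, length: int = 72) -> str:
    """A 72-character random passphrase like the one the post describes (constructed input)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(rng.choices(alphabet, k=length))


def distinct_accounts(count: int, seed: int = 0) -> int:
    """Generate `count` random passphrases and count the distinct account numbers they map to."""
    rng = random.Random(seed)
    return len({account_id(random_passphrase(rng)) for _ in range(count)})


if __name__ == "__main__":
    print(f"1e9 accounts/s: {years_to_exhaust(1e9):.0f} years to claim the whole space")
    print(f"100,000 accounts: {fraction_claimed(100_000):.2e} of the space, "
          f"collision chance {collision_probability(100_000):.2e}")
    print(f"distinct ids from 10,000 random passphrases: {distinct_accounts(10_000)}")
```

Swap in a different `accounts_per_second` to see how the exhaustion time scales with the attacker's budget; the birthday bound only approaches 1/2 around 2^32 generated accounts.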