NXT Nextcoin official portal
NXT General Discussion => General (non-client) NXT Talk => Topic started by: ahhabox on December 08, 2013, 12:06:14 AM
- Was Hacked within two hours, 14527793117125736279 got away with 3,900NXT
I like this coin's idea, but it's too easy to hack accounts. My password was not too hard, and I was waiting for the deposit from the exchange to change it to a new account, due to the fact that anyone can access an account. If you took it, I hope you have the heart to put it back into my new account: 16854109484716954214
Just hoping, but for this coin to do well the security of accounts needs to be worked on. I was able to get into another user's account by just typing random passwords in under a minute. Also, since my new account's password is over 30 digits, there is the issue of getting into or depositing into the wrong account. Also, is there a way for developers to retrieve coins hacked?
Saturday, December 7, 2013 12:36:41 PM Hackers account 14527793117125736279 3'896 4 10+
Saturday, December 7, 2013 10:34:09 AM Deposit from exchange 6635869272840226493 3'900 1 10+
-
NRS devs implemented pass phrase security: https://nextcoin.org/index.php/topic,100.msg1271.html#msg1271
- How long was your password ahhabox?
- Not long, 4 digits. It was my fault: I set it up too quickly and the exchange took 24 hours to deposit, so I did not have time to correct it. You might want to limit the number of digits for new accounts, but I really think the coin needs a way to ensure that someone can only access their own account for it to work. The more secure accounts are, the better the coin will do.
-
Yeah a 4 digit account is bound to get hacked. Also, like I said, steps for security have already been implemented.
- Would also like to see a way to change your password. I set it up too quickly to test it out and then realized I had to open a new account for a new password.
-
Impossible to change your passphrase as it is already in the blockchain
-
Actually, you can change your password with a small fee: 1 NXT.
Just create a new account with a strong passphrase and move coins from the old account to the new one.
- Just checked the block explorer and they may have hacked another account for 98 NXT. Is there a way to block this user or get my NXT back?
07.12.2013 23:21:56 9259186357415547850 98 1 12279995323957850233 7239830715184953154
07.12.2013 21:34:47 6750411832347957775 3896 4 16532294490324082085 16761464659218292610
-
No there is no way to get your NXT back. Just make a new account with a better pass phrase and learn from your mistakes.
- Already did it, but is there a way of dealing with hackers on the developers' end?
-
You should know by now that NXT is a decentralized cryptocurrency, meaning no one person/group backs up the money.
The only thing developers can do is prevent these hackers from stealing money.
- As the blockchain is public, there could theoretically be possible measures in the future to implement a blacklist of wallets where stolen money is traced to, thus preventing their usage on most sites and perhaps making theft efforts more unattractive. But this speculation unfortunately does not help your case.
-
I think it allows a DoS attack by transferring NXT to it from some stolen wallet.
I mean:
1) Eve hates Alice
2) Eve steals Bob's wallet
3) Eve transfers some coins to Alice's wallet and some random wallets
4) Alice's wallet goes on the blacklist
-
That's true, I wasn't thinking through. We need earmarked cryptocurrency! :o
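The framing problem raised in the exchange above, as an added example that is not part of the original thread: a "poison" blacklist that lists every recipient of listed coins is compared with a proportional ("haircut") taint rule. The ledger, the account names, the 0.5 threshold and the omission of transaction fees are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample ledger (sender, recipient, amount in NXT), in time order.
# Names follow the Eve/Alice/Bob scenario; fees are ignored for simplicity.
LEDGER = [
    ("exchange", "alice", 1000),  # Alice's legitimate funds
    ("exchange", "bob", 3900),    # Bob's legitimate funds
    ("bob", "eve", 3896),         # the theft: Bob's account is drained
    ("eve", "alice", 1),          # dust sent to Alice to get her listed
    ("eve", "mixer", 3890),       # bulk of the stolen coins moves on
]
THEFT_INDEX = 2  # position in LEDGER of the transfer reported as theft


def poison_blacklist(ledger, theft_index):
    """Naive rule: anyone who receives coins from a listed account is listed."""
    listed = {ledger[theft_index][1]}
    for sender, recipient, _ in ledger[theft_index + 1:]:
        if sender in listed:
            listed.add(recipient)
    return listed


def haircut_taint(ledger, theft_index):
    """Proportional rule: fraction of each positive balance that is stolen coin."""
    balance = defaultdict(float)
    tainted = defaultdict(float)
    for i, (sender, recipient, amount) in enumerate(ledger):
        if i == theft_index:
            moved = float(amount)  # the reported theft is fully tainted
        else:
            held = balance[sender]
            share = tainted[sender] / held if held > 0 else 0.0
            moved = amount * share  # outgoing coins carry the sender's taint share
            tainted[sender] -= moved
        balance[sender] -= amount
        balance[recipient] += amount
        tainted[recipient] += moved
    return {a: tainted[a] / balance[a] for a in balance if balance[a] > 0}


def haircut_blacklist(ledger, theft_index, threshold=0.5):
    """List only accounts whose balance is mostly stolen coin (assumed threshold)."""
    ratios = haircut_taint(ledger, theft_index)
    return {a for a, r in ratios.items() if r >= threshold}
```

Under the poison rule Alice is listed for receiving 1 NXT; under the proportional rule her balance is about 0.1% tainted and she stays off the list. The proportional rule has its own cost: taint dilutes whenever coins are merged with clean funds, so the threshold is a policy trade-off rather than a fix.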
- I watched one hacker's money and he donated something to the lottery and something also to the Genesis block :D
- here are hacker's accounts:
But if I follow money from 222816499517535106, I get to this chain of transactions:
http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=12916008064048837079 - donated to Genesis :D (http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=1739068987193023818)
http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=2401730748874927467 - donated to Genesis :D
last owners of Nxt or diversions:
http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=4427320429393039971 (not a main account, just a slot machine, where some money was lost)
http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=14107066005962297320
http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=12898636000396314855 (cunicula's account, he received 500 Nxt from hacker's account: 2401730748874927467)
http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=8271073041682744103
- My concern even before the hack was that the security, and the fact that anyone can hack or access any account, will hurt this coin's chances. If access is over the web, I would like to see ISP locks as a method of attaching accounts to an ISP address or even the computer it was created on. Users would have to approve another ISP if they would like access to accounts on another computer/location.
-
Personally, I don't think I trust my ISP enough to give over control of my actions. Think about the abuse they could throw our way...In the same way they're trying to wring extra money out of streamers like netflix or hulu plus, imagine if they threatened to throttle any activity like mining or forging unless you the customer or the mining/forging operation of your choice pays extra for it. No thanks.
- I understand your concern, I just meant that your ISP has to be the same as the account, but if it changes you could be locked out also. How about a file with a key that can be transferred to another machine?
- Another thread posted the idea of a password to send NXT
-
I'd much rather have some sort of 2-factor authorization like a dongle or a mobile app. That way, you get the extra security while keeping your anonymity. Besides, the more people who know your secret, the more people you'll have to kill to keep it. If your ISP or any other 3rd party gets involved, now they're an additional risk. What if they're compromised? What if they're not altruistic and betray your trust?
-
I agree with EightAndaHalfTails. I don't like to think about the fact that if someone somehow gets access to (or guesses) my passphrase (or someone's) then it's over for me (or someone else). Extra security like 2-factor auth would be something great to have.
Password is more than 18 characters and I'm still getting the message that the password is too short.
Now how long must it be so that the "to short" message doesn't pop up?
thank you
-
The wiki http://nxtcoin.wikia.com/wiki/The_Nxt_Wiki says:
Your passphrase is more secure if it is long and complex. Use a string that is at least 30 characters long. If possible, do not base your passphrase on any complete words in any language.
In other words.. something >= 30 should be fine.
IMO, the longer and more secure the better, because if someone guesses your passphrase then you are done. What I don't know is if there is a length limit or if there are any kind of special characters that can't be used.
- This seems to be happening a lot lately. Make sure you have a strong pass with this:
http://strongpasswordgenerator.com/
- Good tip on the Password Generator.. As for picking a password - consider this: http://xkcd.com/936/
I think it would be nice to have a 'Welcome to NXT' page for first-GUI launches that helps guide first timers through picking a good 'password'... Let's keep in mind that this isn't REALLY a password, it's both the Username and Password merged into one. Making something unique is much more challenging than your typical password, and requires most people to reconsider how they use passwords today.
The risk should be right up-front and centre here; not in a forum or readme.txt...
- Actually I think a popup warning should come on for entering the passphrase in the client.
As it sits now, if the Java client detects a short password it just gives a warning that it's not really a safe password. I'd like that warning to also state the risk of any funds in that account being permanently stolen if it is used, and to recommend closing and entering a new passphrase.
Also, it wouldn't hurt to put a message next to the box used to enter the password that gives tips on a good password.
-
This - the 'pick a better password' doesn't cut it. The degree of complexity required for your passphrase for genuine security is much greater than what the layman is accustomed to. Giving them some direction (i.e. a link to a wiki post?) on how to choose a good password would be much better. Or you could use the comic in my signature :P
- sorry to hear this