Brute Force

[foobar]

The possibility of dictionary attacks has previously been discussed. We
wondered how hard such an attack would be and found that a few lines of
Java code are sufficient.

With the attached code, little time and basic password lists, we were
able to get access to more than ten accounts with funds. Some of these
accounts had gotten money straight from the genesis block and some at
the time still contained >10,000 NXT.

We want to raise awareness how easy such an attack is, especially
because it can be performed offline. The code is entirely unoptimized
and achieves roughly 3000 tries/sec on a laptop computer. We realise
that the developers have added a warning in 0.3.13.

[milkmans]

How long were the passwords?

[foobar]

Number of characters per password:

1x4
1x5
3x6
1x7
3x8
1x9
4x10
1x11
1x13
1x18

[Come-from-Beyond]

What's happened to 14 chars long password? I'm still using it and it was created in the genesis block.

[LiQio]

What's happened to 14 chars long password? I'm still using it and it was created in the genesis block.

Didn't they use a list, so a "complicated" password will hardly be found that fast...

or am I wrong foobar?

[opticalc]

What's happened to 14 chars long password? I'm still using it and it was created in the genesis block.

Didn't they use a list, so a "complicated" password will hardly be found that fast...

or am I wrong foobar?

yes, if you examine the code you will see the file opens a .txt file that is expected to contain a standard dictionary attack list of potential passwords to crack on.

[foobar]

Right, we used a wordlist with common "words". Improving performance could however affect any shorter password, so try using long ones.

[miztaziggy]

How did you compile this without decompiling nxt.class file and recompiling with package declaration?

[achim]

How did you compile this without decompiling nxt.class file and recompiling with package declaration?

I have excatly the same question. Trying to play around with it, no bad intentions!

[miztaziggy]

How did you compile this without decompiling nxt.class file and recompiling with package declaration?

I have excatly the same question. Trying to play around with it, no bad intentions!

Yeah it's not easy.

[Come-from-Beyond]

Have u tried Project Properties -> Java Build Path -> Libraries -> Add Class Folder in Eclipse?

[miztaziggy]

Have u tried Project Properties -> Java Build Path -> Libraries -> Add Class Folder in Eclipse?

It doesn't work even if you do link nxt.class. Not sure this source code is actually possible to compile in fact.

[Come-from-Beyond]

Then just decompile and copy-paste all the code into ur password cracker.

[miztaziggy]

Then just decompile and copy-paste all the code into ur password cracker.

Decompiling it all and trying to recompile with the nxt.class included just produces a ton of errors

Have you actually tried this?

[Come-from-Beyond]

Then just decompile and copy-paste all the code into ur password cracker.

Decompiling it all and trying to recompile with the nxt.class included just produces a ton of errors

Have you actually tried this?

I have not tried to compile it back, used to decomple just to read the code.