Author Topic: Security Question  (Read 235 times)

DSoft (Fresh Nxter, 20 posts)
Security Question
« on: December 04, 2013, 03:20:47 PM »
Hi,

the account security is only based on the passphrase you are using. Is this correct?
Can somebody tell me how the account is generated? Is it a hash ([un]salted)?
Is it possible to brute force accounts? How much time does it take to generate an account from a passphrase?

I'm looking forward to getting an answer ;)
Account for donations: 12710982468143349977
:P

aan (Fresh Nxter, 19 posts)
Re: Security Question
« Reply #1 on: December 04, 2013, 04:03:34 PM »
Hi,

the account security is only based on the passphrase you are using. Is this correct?
Can somebody tell me how the account is generated? Is it a hash ([un]salted)?
Is it possible to brute force accounts? How much time does it take to generate an account from a passphrase?

I'm looking forward to getting an answer ;)


I don't know how the account is generated, but it is certainly possible to brute force accounts. It is the same thing as with Bitcoin brain wallets, some of which have been stolen. It should be something totally random, maybe the Nxt client could create it automatically.

Here is something somebody on Reddit once recommended: take 6 RANDOM words and combine them. This can be done on Linux as follows:

$ shuf -n6 --random-source=/dev/random /usr/share/dict/american-english

--> "Huber's sulking pillar Carmella Cheviot Hudson's"

This should have about 100 bits of entropy (http://www.wolframalpha.com/input/?i=2+%5E+x+%3D+99171+%5E+6)

Come-from-Beyond (Established Nxter, 171 posts)
Re: Security Question
« Reply #2 on: December 04, 2013, 04:18:42 PM »
Hi,

the account security is only based on the passphrase you are using. Is this correct?
Can somebody tell me how the account is generated? Is it a hash ([un]salted)?
Is it possible to brute force accounts? How much time does it take to generate an account from a passphrase?

I'm looking forward to getting an answer ;)

Your passphrase is hashed with SHA256. The result is your private key. Account id is derived from it using Curve25519 algo.

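A worked version of the derivation Come-from-Beyond describes, and of the entropy figure in aan's reply, as an added example that is not code from this thread or from the Nxt project: SHA256 of the passphrase is the private key, Curve25519 (the RFC 7748 ladder, written out in plain Python) turns it into the public key, and the entropy helper reproduces the 6-word calculation. The final step from public key to account number is my reading of the Nxt client source, not something stated in the thread; the sample passphrase is constructed.

```python
import hashlib
import math

P = 2**255 - 19   # Curve25519 field prime
A24 = 121665      # (486662 - 2) / 4, the Montgomery ladder constant

def x25519(scalar: bytes, u: bytes = (9).to_bytes(32, "little")) -> bytes:
    """Scalar multiplication on Curve25519 (RFC 7748 ladder); not constant-time, teaching code."""
    k = bytearray(scalar)
    k[0] &= 248; k[31] &= 127; k[31] |= 64          # clamping, same as Nxt's Curve25519.clamp
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def nxt_account_id(passphrase: str) -> int:
    """Passphrase -> account number. No salt, no stretching: the passphrase is the only secret."""
    private_key = hashlib.sha256(passphrase.encode("utf-8")).digest()   # step 1, as the reply says
    public_key = x25519(private_key)                                    # step 2, as the reply says
    # Step 3 is taken from the Nxt client source, not from this thread:
    # the account number is the first 8 bytes of SHA256(public key), little-endian unsigned.
    return int.from_bytes(hashlib.sha256(public_key).digest()[:8], "little")

def passphrase_entropy_bits(dictionary_size: int, words: int) -> float:
    """Entropy of `words` uniformly random dictionary words (aan's 6-word scheme)."""
    return words * math.log2(dictionary_size)

if __name__ == "__main__":
    print(nxt_account_id("correct horse battery staple"))   # constructed sample passphrase
    print(round(passphrase_entropy_bits(99171, 6), 1))       # ~99.6 bits for 6 words from a 99171-word list
```

Because the pipeline is deterministic, salt-free and cheap, the same passphrase yields the same account number on any machine, which is exactly why the later replies say a weak passphrase is reachable from anywhere.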
Jean-Luc (Fresh Nxter, 12 posts)
Re: Security Question
« Reply #3 on: December 04, 2013, 10:58:44 PM »
Can somebody tell me how the account is generated? Is it a hash ([un]salted)?
Is it possible to brute force accounts?
If you want to look at some source code, there is a vanity account number generator, which I also contributed to:
https://bitcointalk.org/index.php?topic=345619.msg3759147#msg3759147
You can see exactly how the account number is derived from the password there.
Yes, it can also be used to brute force passwords.

arisgi (Fresh Nxter, 5 posts)
Re: Security Question
« Reply #4 on: December 05, 2013, 09:04:50 PM »
There is a remote possibility that my twin brother, who thinks like me, could open up a client, input a passphrase that is the same as mine and be presented with my money, right?

aan (Fresh Nxter, 19 posts)
Re: Security Question
« Reply #5 on: December 07, 2013, 07:21:42 PM »
There is a remote possibility that my twin brother, who thinks like me, could open up a client, input a passphrase that is the same as mine and be presented with my money, right?

Yes, except it will be somebody scanning the blockchain trying to steal accounts with weak passwords.

Duskin (Fresh Nxter, 8 posts)
Re: Security Question
« Reply #6 on: December 07, 2013, 09:32:50 PM »
There is a remote possibility that my twin brother, who thinks like me, could open up a client, input a passphrase that is the same as mine and be presented with my money, right?

Yes, except it will be somebody scanning the blockchain trying to steal accounts with weak passwords.
Would they be able to access an account created on a different computer? For example: If I use a crappy password when making my account, then someone on a computer in a different location types that same passphrase in, would they have access to my account?

aan (Fresh Nxter, 19 posts)
Re: Security Question
« Reply #7 on: December 07, 2013, 09:38:30 PM »
There is a remote possibility that my twin brother, who thinks like me, could open up a client, input a passphrase that is the same as mine and be presented with my money, right?

Yes, except it will be somebody scanning the blockchain trying to steal accounts with weak passwords.
Would they be able to access an account created on a different computer? For example: If I use a crappy password when making my account, then someone on a computer in a different location types that same passphrase in, would they have access to my account?

Yes.

Duskin (Fresh Nxter, 8 posts)
Re: Security Question
« Reply #8 on: December 07, 2013, 11:36:47 PM »
I can't decide if it's a bad thing (easily access other people's accounts) or a good thing (never lose a wallet as long as you remember the passphrase.)

I did a small test by going on google and finding a list of common passwords. 10 minutes and 25 passwords later, I successfully found 3 accounts that were previously used, one of which had a single NXT in it. A suggestion I would make would be to change the client to give a very clear warning that an easily hackable passphrase can be accessed from any computer running an NXT wallet and that access to a computer is not needed to take control of an account. I'm already worried about the passphrase I used, and even that was twenty characters long.

Drexme (Global Moderator, Established Nxter, 231 posts)
Re: Security Question
« Reply #9 on: December 07, 2013, 11:37:28 PM »
I can't decide if it's a bad thing (easily access other people's accounts) or a good thing (never lose a wallet as long as you remember the passphrase.)

I did a small test by going on google and finding a list of common passwords. 10 minutes and 25 passwords later, I successfully found 3 accounts that were previously used, one of which had a single NXT in it. A suggestion I would make would be to change the client to give a very clear warning that an easily hackable passphrase can be accessed from any computer running an NXT wallet and that access to a computer is not needed to take control of an account. I'm already worried about the passphrase I used, and even that was twenty characters long.
Already done.
Helpful Links: NXT Intro | What is NXT? | NXT Install Guide | NXT Giveaway NXT:8333778433828768082     http://doges.org

krisjoseph (Fresh Nxter, 31 posts)
Re: Security Question
« Reply #10 on: December 08, 2013, 02:04:05 AM »
I'm already worried about the passphrase I used, and even that was twenty characters long.

Create a new account with a better passphrase, then send your coins from your old account to your new one. You'll only lose 1 coin (transaction fee).
Am I helpful? Consider a donation to account 17446259404201186932