Friday, January 24, 2014

NxtMyths 5: Unsafe Password

Since all Nxt accounts are stored on the network, isn't it possible for someone to guess my "secret phrase" and get easy access to my coins?

This is a very important question. See our Account Security page for an in-depth answer. In brief: This question emphasizes the importance of using a strong, secure password to create your Nxt account.

If you enter a passphrase less than 30 characters long in the Nxt client, you will be warned that you are creating a security risk. A truly random string of 50 to 60 characters is a far better choice for a passphrase, and will significantly reduce the risk of someone "brute-forcing" your account, or of someone else accidentally choosing the same passphrase and thereby ending up with the same account.

Nxt supports 10^77 different account numbers (that's 100 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 accounts), so the range of possible passphrases is significant. You can use a site like to test the strength of your passphrase, and get an estimate of how long it would take a standard computer to crack it.

To be safe, use a password at least 30 characters long that looks something like this: a6f-5g46§s5g16s5dg16s5df1g6s,51gů§6a54ůfv6\,96d76E5D4.


Come-from-Beyond: “Aye, we r going to follow the same way as Bitcoin 5 years ago. I still think that brainwallet is much more secure than files on a disk.”

A brainwallet refers to the concept of storing coins (originally Bitcoins; here, Nxts) in one's own mind by memorizing a passphrase. As long as the passphrase is not recorded anywhere, the Nxts can be thought of as existing nowhere except in the mind of the holder. If a brainwallet is forgotten, or the person dies or is permanently incapacitated, the Nxts are lost forever.

A brainwallet is created simply by starting with a unique phrase. The phrase must be sufficiently long to prevent brute-force guessing: a short password, a simple phrase, or a phrase taken from published literature is likely to be stolen by hackers who use computers to try combinations quickly. One suggestion is to take a memorable phrase and alter it in a silly way that is difficult to predict.

The phrase is turned into a 256-bit private key with a hashing or key derivation algorithm (for example, SHA-256). That private key is then used to compute a Nxt address, or a deterministic sequence of addresses.

Nxts are sent to the address. To recover the Nxts, one must recompute the private key from the same phrase and import it into a wallet. It is very important when creating a brainwallet to use a passphrase with a very high level of entropy. If this is not done, theft of the brainwallet is an eventual certainty.

This is not a simple suggestion. This is a requirement. Most people, when asked to create a secure password, will still create one that, if used for a brainwallet, will result in the eventual theft of their funds, despite everything they have heard about choosing passwords. The simple fact of the matter is that hacking a brainwallet password is a mathematical exercise that requires no internet access and no communication with the victim, and leaves no trace, so hackers can collectively try multiple trillions of passwords every second in the privacy of their own homes.

Your bank might tell you that a 10 character password with uppercase, lowercase, numbers and symbols is a strong password, but it is not strong enough to secure a brainwallet. 

A password that might be strong enough for traditional banking or a social website is typically unacceptable for a brainwallet.

A brainwallet passphrase, at a minimum, needs to be an entire original sentence that does not appear in any song or literature. Security is enhanced simply by including some sort of memorable personal information, which doesn't necessarily even have to be secret (e.g. an e-mail address, or phone number). A good brainwallet passphrase will have dozens of characters.
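The following Python script is an added illustration, not code from the Nxt project or from this post. It puts numbers on the two points the post makes: the passphrase-to-key step described above (a plain SHA-256 of the phrase, which is the example derivation the post names) and the strength guidance given earlier (the 30-character client warning, the 50-to-60 character recommendation, and why a "bank strength" 10-character password is not enough against trillions of guesses per second). The guess rate of 10^13 per second, the character-class model, and the sample passphrases are assumptions constructed for the example; the only Nxt-specific figure it reuses is the post's own sample string.

```python
import hashlib
import math
import string

# The post speaks of attackers trying "multiple trillions of passwords every
# second". The concrete rate below is an assumption for the estimate, not a
# figure from the post: 10 trillion guesses per second.
GUESSES_PER_SECOND = 10 ** 13
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(passphrase: str) -> int:
    """Size of the alphabet an attacker must cover to enumerate every string
    that uses the same character classes as `passphrase`.

    Lowercase, uppercase, digits and ASCII punctuation are separate classes.
    Any character outside printable ASCII (such as the '§' and 'ů' in the
    post's sample passphrase) adds the 128 non-ASCII Latin-1 code points;
    that is a rough assumption, not an exact count of what a user might type.
    """
    size = 0
    if any(c in string.ascii_lowercase for c in passphrase):
        size += 26
    if any(c in string.ascii_uppercase for c in passphrase):
        size += 26
    if any(c in string.digits for c in passphrase):
        size += 10
    if any(c in string.punctuation for c in passphrase):
        size += len(string.punctuation)  # 32 characters
    if any(ord(c) > 126 for c in passphrase):
        size += 128
    return size


def entropy_bits(passphrase: str) -> float:
    """Upper bound on the entropy of `passphrase`: the bits a uniformly random
    string of the same length over the same alphabet would have. A phrase
    copied from a song or a book has far less, because the attacker's
    dictionary is much smaller than the full alphabet^length space."""
    return len(passphrase) * math.log2(charset_size(passphrase))


def years_to_exhaust(passphrase: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Years needed to try every string in the passphrase's space at `rate`
    guesses per second; on average an attacker succeeds after half of that."""
    return 2 ** entropy_bits(passphrase) / rate / SECONDS_PER_YEAR


def derive_private_key(passphrase: str) -> bytes:
    """Brainwallet derivation as the post describes it: hash the passphrase
    with SHA-256 to obtain a 256-bit private key. With no salt and no work
    factor, the entropy of the phrase is the only thing protecting the key."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


def strength_report(passphrase: str) -> dict:
    """Summarise the figures above for one passphrase."""
    return {
        "length": len(passphrase),
        "charset": charset_size(passphrase),
        "entropy_bits": round(entropy_bits(passphrase), 1),
        "years_to_exhaust": years_to_exhaust(passphrase),
        "key_hex": derive_private_key(passphrase).hex(),
    }


if __name__ == "__main__":
    # Constructed samples: a "bank strength" 10-character password, the
    # sample string from the post, and a 50-character random-looking string
    # of the kind the post recommends.
    samples = [
        "P@ssw0rd1!",
        "a6f-5g46§s5g16s5dg16s5df1g6s,51gů§6a54ůfv6\\,96d76E5D4",
        "hq7Z!kP2@mW9#vL4$rT6%yU8^bN1&cX3*eF5(gJ0)iK2-oA4sD",
    ]
    for s in samples:
        r = strength_report(s)
        print(f"{r['length']:3d} chars, alphabet {r['charset']:3d}, "
              f"{r['entropy_bits']:6.1f} bits, "
              f"{r['years_to_exhaust']:.3g} years to exhaust")
```

The figures are an upper bound: they assume the attacker has to enumerate the whole alphabet^length space, which is only true for a genuinely random string. For a sentence lifted from a song or a book the real search space is the attacker's dictionary, which is why the post insists on an original sentence with some personal detail mixed in. The derivation function also makes the post's warning concrete: because the key is just SHA-256 of the phrase, anyone can recompute it offline from a guessed phrase, so there is no server-side rate limit to fall back on.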


