Security question - how safe is our password/account?



  • @luxe said:

    @Propagandalf Very important point!
    Choose a very secure passphrase, the passphrase is the only protection of your account.
    Your passphrase is your account.
    You can access it from anywhere with that passphrase ... local or online.
    All you have to backup is your passphrase!
    It is not possible to recover that passphrase if you lose it!

    This sounds convenient and, if you create an advanced password, quite secure. However, is it not slightly less secure than other "standard" login types where you have both a login and a password?

    My point is that in theory someone could be really lucky and press random characters, and suddenly find themselves within someone's account, something which would not be as easy if there was both a login and a password. Can this be a vulnerability for brute force attacks?


  • admin

    Do you think e.g.

    User: jondoe
    Password: 12345

    Is more secure against brute force than:

    Password: jondoe12345

    There cannot be much of a difference ... just choose a 40+ character password and you should be safe from brute force.
    The bigger risk is that someone grabs it from a manipulated online wallet.
    If you need to use an online wallet, make sure you trust the people hosting it.
    Always think twice before entering your passphrase somewhere.
    Same problem with solo mining, where you have to commit your passphrase to the miner: you have to trust the one who wrote/compiled the miner. Crypto is the wild west 🙂 But until now I have never heard of something like that with current Burst software/services.



  • @luxe OK, thanks again for the answer!



  • @luxe

    Hello Luxe, yeah it's me again.

    I was playing a bit with the security of the Burst code. Please note that my real job is related to software security, so I was really interested to see how secure this BURST network is.

    So, I will not tell anyone how I did it and will not replicate it with any address people provide here, but I will tell you about an example and will prove it.

    I picked a BURST address at random: (Hi, owner of this address. What I will demonstrate below is only to show, as an example, how easily I can access your account. Nothing else. No one will get your passcode.)

    As we can see, this account is possibly related to a person in Russia (based on the set name); the first transaction was 9 months ago and the last transaction 5 months ago. (I discovered BURST approx. 3 months ago.)

    So, my BURST address is BURST-YFW8-EJLM-U9HB-EDVZ3

    I will deposit 1000 BURST into that address. I know, that does not prove anything.

    However, I will also get the coins back to my own address (minus the fees).

    This is how secure it is 🙂



  • @Jumper said in Security question - how safe is our password/account?:

    @luxe

    Hello Luxe, yeah it's me again.

    I was playing a bit with the security of the Burst code. Please note that my real job is related to software security, so I was really interested to see how secure this BURST network is.

    So, I will not tell anyone how I did it and will not replicate it with any address people provide here, but I will tell you about an example and will prove it.

    I picked a BURST address at random: (Hi, owner of this address. What I will demonstrate below is only to show, as an example, how easily I can access your account. Nothing else. No one will get your passcode.)

    As we can see, this account is possibly related to a person in Russia (based on the set name); the first transaction was 9 months ago and the last transaction 5 months ago. (I discovered BURST approx. 3 months ago.)

    So, my BURST address is BURST-YFW8-EJLM-U9HB-EDVZ3

    I will deposit 1000 BURST into that address. I know, that does not prove anything.

    However, I will also get the coins back to my own address (minus the fees).

    This is how secure it is 🙂

    Interesting...
    You used brute force? Found a Burst address randomly by trying random characters?
    Any proof that the other address is not one of yours?

    Ben



  • @BenBurst

    Hehe, believe what you want. If you read my post, I said I will not tell anyone how I did it.

    But yes. It is possible.



  • If these addresses are not yours and you get access to them, you are doing something illegal; there are not a lot of ways to get in.
    I'm pretty sure we are speaking about brute-forcing addresses with low-security passphrases.

    Ben



  • @BenBurst The only possible way.



  • However, if you solo mine and leave logs on, then it isn't secure. Can we change that?



  • @BenBurst

    Well, it is illegal if I use it in a malicious way.

    However, as I have previously written, I wanted to see how secure it is. The result: it is not secure.

    Everyone can interpret this the way they want. As for me, I will convert BURST to BTC, which is way more secure.

    That was my last post here. Sorry.



  • @Zeus said in Security question - how safe is our password/account?:

    @BenBurst The only possible way.
    Hey there,
    Not exactly. As Luxe says, getting details from a fake online wallet is possible, but that means the error comes from the user...

    Ben



  • I made a test wallet BURST-6VMU-X4YC-523C-H4PTE. I don't plan on using it; crack it if you can ... named it test wallet, funded with 5 BURST from the faucet.



  • @Jumper said in Security question - how safe is our password/account?:

    @BenBurst

    Well, it is illegal if I use it in a malicious way.

    However, as I have previously written, I wanted to see how secure it is. The result: it is not secure.

    Everyone can interpret this the way they want. As for me, I will convert BURST to BTC, which is way more secure.

    That was my last post here. Sorry.

    You brute-forced 2 addresses with almost nothing on them, and I'm pretty sure with auto-generated passwords, and you say that Burst is not secure?

    Eheh, you're a good one.



  • If he worked in security as I do, he should know that every password, email and service can be hacked one way or another. He says BTC is far more secure, yet BTC has had far more money stolen than any other cryptocurrency. And many, many times it's only the fault of the user for using passwords like the ones @luxe said.

    Using only a passphrase is far more secure than using a username/password when the username is already known and the password is only a couple of brute-force minutes/hours away (like a password of length 5 or less, very often used).

    Happy to see you leave. Good Bye! ^_^



  • This is a real problem. If you let the wallet generate your password, it can be easily guessed. Try making your own password, like "HelloThisIsMy_passWORDandNOONE_should__guess____it12345". The example above is very secure because it is 55 characters long and contains numbers and _. It's almost brute-force-proof.



  • @Miky yes, I was just talking to @gpedro about this. I would not recommend using the generated words. Why? Because anyone can download the wordlist from the GitHub page, and that way the brute force can take less time than for a completely randomly generated passphrase. I use a password generator and have something like this for my string:

    [email protected]@G3%L%[email protected]?z$Hy.wz1MrVj$bFoFGWk-V.X]%[m[h5BzlBG4D!)uf[!cfVP-!?i2c^BdEG6YM3iYtqJuqyRH%4qZw}4pJ0iH!ibuPSQC%9^F^[email protected]^[email protected]#jJXZ{mtpRXXw[email protected]%wKrHYtB}^[)MR2x(JGwk5J[[email protected]%8FcmImb4DcMkZ*KtmE}#[email protected]*JmWALppyrYJ{e)r

    Imagine trying to find that with brute force: ouff, many years lost just trying without success. And no, that's not the length I use either. So never discuss the length of your passphrase. For example, for a brute force here, people can already own the wordlist and even know how many words are used (12), so all you need to do is try all the possible combinations of words in a phrase of 12 words.

    Still, this can take a very long time to accomplish, but it is not as secure as when the "hacker" doesn't know anything about your passphrase.

    I still have some autogenerated wallets, and I'm not very concerned about the "safety" of them even if I hold more than 200k on those, but I know that the risk is extremely low.
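As an added illustration (not code from this thread or from the Burst project), the following estimates the search spaces behind the claims made above: that a known username adds nothing, that a 12-word passphrase from a public wordlist is weaker than random characters of similar length, and that with no username a random guess can land on any funded account. The wordlist size, guess rate and account count are constructed assumptions, not figures from the thread.

```python
import math

# Constructed parameters for the scenarios discussed in the thread.
# WORDLIST_SIZE is an assumption about the wallet generator's wordlist
# (not a figure from this thread); GUESSES_PER_SECOND is an assumed
# attacker throughput used only to turn bits into a time estimate.
WORDLIST_SIZE = 1626
GUESSES_PER_SECOND = 1e9
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of `length` symbols chosen uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def username_password_bits(password_alphabet: int, password_length: int) -> float:
    """A known username adds nothing; only the password contributes entropy.
    This is the admin's point: jondoe/12345 is no better than jondoe12345."""
    return search_space_bits(password_alphabet, password_length)


def effective_bits(bits: float, funded_accounts: int) -> float:
    """Without a username, a guess succeeds if it lands on *any* funded account,
    so the attacker's expected work drops by log2(number of funded accounts).
    This is the 'press random characters' case raised at the top of the thread."""
    return bits - math.log2(funded_accounts)


def years_to_exhaust(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Expected years to search half the space at the given guess rate."""
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


def thread_scenarios() -> dict:
    """The passphrase schemes compared in this thread, as entropy in bits."""
    return {
        "12 generated words, wordlist known": search_space_bits(WORDLIST_SIZE, 12),
        "16 random printable chars": search_space_bits(95, 16),
        "40 random printable chars": search_space_bits(95, 40),
        "5 lowercase chars, username known": username_password_bits(26, 5),
    }


if __name__ == "__main__":
    for name, bits in thread_scenarios().items():
        print(f"{name:36s} {bits:6.1f} bits  ~{years_to_exhaust(bits):.3g} years")
```

The 12-word case only drops to ~128 bits because the attacker knows the wordlist and word count; the short username/password case shows why the split into two fields buys nothing once the username is public.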


  • admin

    @Zeus said in Security question - how safe is our password/account?:

    [email protected]@G3%L%[email protected]?z$Hy.wz1MrVj$bFoFGWk-V.X]%[m[h5BzlBG4D!)uf[!cfVP-!?i2c^BdEG6YM3iYtqJuqyRH%4qZw}4pJ0iH!ibuPSQC%9^F^[email protected]^[email protected]#jJXZ{[email protected]%wKrHYtB}^[)MR2x(JGwk5J[[email protected]%8FcmImb4DcMkZ*KtmE}#[email protected]*JmWALppyrYJ{e)r

    Yep, however it was generated, that's how a password for a secure account should look 🙂



  • If you go to the plethora of email accounts, you will find many with passwords that are easily hacked because people use their pet names etc. This can be the case here, or am I mistaken?


  • admin

    @MikeMike I had a test account with a weak password - only 16 characters - and it got hacked. Brute forcing is possible, but if you use the wallet-generated passwords, you're pretty safe. You can always append to the recommended one to make it even harder.


  • admin

    @Jumper tell me, and just me, how you did it, or your post is just FUD and I'll delete this thread. If there is a reproducible way to compromise an account, tell me what it is.