Regarding the recent theft of Burst accounts



  • In light of the recent theft of @lexicon 's account and possibly @ZapBuzZ , many people are throwing around solutions like 2FA, Google Authenticator etc. Others are asking about hardware options, which from what I gather do not exist. Others claim Burst security is flawed because people without any permission can drop asset and/or coin into their accounts.

    The underlying question for me is that, unlike the Bitcoin protocol, I have no idea how a Burst account public address is generated from a random passphrase.

    Hold that thought while we look at Bitcoin. Ether is a similar situation.

    A private key of a Bitcoin address is one of 2^256, 256 bit numbers. If you have this key you have access to the address. If the address has coin associated with it, you can get it.

    The recognizable private key is some sort of hashing of the 256 bit number, but is a one to one mapping. So given any 256 bit number, I can generate the bitcoin private key and the bitcoin address.

    So to steal all the bitcoin in every address, I can generate a random 256 bit number, find the address associated with it. Look at that address on a blockchain explorer, and if there is coin at the address, use the private key to remove it.

    The reason that is not viable is that there are ~10^77 unique 256 bit numbers. This number is larger than all the atoms in the universe, etc. etc.

    Point being, you will never randomly stumble onto an active bitcoin address.

    If you did have supercomputing power to even try, it would be more viable to just devote that power to mining and obtain coin legally.

    Can we say the same about Burstcoin account numbers?
    How is a Burstcoin account number generated from a random passphrase?

    How many unique account numbers are there?

    What if there are 10 million. I can write a program to just generate a random passphrase, look to see if there is any Burst in the associated account and clean them out. 10 million might take a day to check all possible addresses. OK, maybe there are 100 million, it will take longer. 1 billion, longer. But are there more addresses than grains of sand in the universe and are all private keys mapped one to one to a public address? Point is how many are there? Also, where is the algorithm documentation to show that two different passphrases won't generate the same account. As far as I know there is no transparency in this space.

    So, maybe it IS possible for a brute force attack. Maybe a 7 digit passphrase generates the same account number as @lexicon 's 222 digit passphrase?

    If there was full documentation of the Burstcoin protocol relating to address generation, it would satisfy the cry for hardware storage, and paper style wallets.

    Right now, the only way I know how to generate a Burstwallet address is to use the AIO wallet software.

    If the algorithm for address generation was public knowledge, then I could write a program to generate that address on an air gapped computer and either store that passphrase on that air gapped machine (hardware wallet) or a piece of paper (paper wallet).

    I wrote a 30 line python program to do just that. To generate Bitcoin and Ether paper wallet addresses. I use them exclusively to store the bulk of my BTC and ETH. I use online wallets for small amounts, shopping money etc., but the bulk amounts are stored in addresses that have never touched the internet.

    Additionally, I see no security issue with anyone dropping anything in my Burst account. This is no different than any other blockchain currency AFAIK.

    Food for thought.



  • @rds i think i can shed light on burst account generation
    i researched after reading this thread
    https://forums.burst-team.us/topic/142/security-question-how-safe-is-our-password-account/4

    • passphrase (of whatever length) is hashed sha2 256 (same private key address space as bitcoin 256 bits)
    • hash output is used as private key in curve25519 to generate (32 byte) public key
    • public key is hashed sha2 256
    • first 8 bytes are order reversed (little endian) by bytes and used as long id
    • long id is displayed using nxt reed solomon (see https://nxtwiki.org/wiki/RS_Address_Format) for human readability and error correction in entry

    wallet source outlining the steps:
    https://github.com/burst-team/burstcoin/blob/master/src/java/nxt/crypto/Crypto.java#L53
    https://github.com/burst-team/burstcoin/blob/master/src/java/nxt/Account.java#L338
    https://github.com/burst-team/burstcoin/blob/master/src/java/nxt/util/Convert.java#L99

    as far as collisions, the 8 byte long id presents a problem, but if the public key is on the block chain (after first outgoing transaction) it is checked for outgoing transaction verification. so the account is protected by full 256 bit private key, same space as bitcoin.

    hope this is clear and helps.

    additionally there is an analysis of the strength of the curve25519 implementation of nxt
    http://crypto.stackexchange.com/questions/12743/is-curve25519-java-secure
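
The five steps listed in the post above, written out as a short Python program of the kind that could run on an air-gapped machine. This is an added example, not code from the Burst wallet or from anyone in this thread. It uses only the standard library, carries its own Curve25519 ladder (as specified in RFC 7748), stops at the numeric id without the Reed-Solomon display form, and the passphrase in the demo is constructed.

```python
"""Numeric Burst/Nxt account id from a passphrase (added illustration)."""
import hashlib

P = 2**255 - 19   # field prime of Curve25519
A24 = 121665      # ladder constant from RFC 7748


def clamp(secret: bytes) -> int:
    """Turn 32 secret bytes into a valid Curve25519 scalar."""
    k = bytearray(secret)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519_base(secret: bytes) -> bytes:
    """Public key = clamp(secret) * base point (u = 9), Montgomery ladder.

    Plain Python integers are not constant-time; fine for an offline
    illustration, not for code that handles keys on a shared machine.
    """
    k = clamp(secret)
    x1 = 9
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in reversed(range(255)):
        bit = (k >> t) & 1
        swap ^= bit
        if swap:
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = bit
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def derive(passphrase: str):
    """Return (public_key_bytes, numeric_account_id) for a passphrase."""
    private_key = hashlib.sha256(passphrase.encode("utf-8")).digest()  # step 1
    public_key = x25519_base(private_key)                              # step 2
    pk_hash = hashlib.sha256(public_key).digest()                      # step 3
    account_id = int.from_bytes(pk_hash[:8], "little")                 # step 4
    return public_key, account_id


def account_id(passphrase: str) -> int:
    return derive(passphrase)[1]


if __name__ == "__main__":
    # Constructed passphrase for the demo only; never reuse a published one.
    pub, acct = derive("constructed demo passphrase - do not use")
    print("public key:", pub.hex())
    print("numeric id:", acct)
```

The printed id is the unsigned 64-bit number; the BURST-XXXX form shown by the wallet is the Reed-Solomon encoding of that same number.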



  • @damncourier,

    Thanks, that helps a lot. So I think that Burst was built on NXT in some respect as I see files in the wallet folders with nxt prefixes. Not sure if you determined this from reading code (thanks, I couldn't do that) or there is some kind of white paper on the process you outlined. But it does answer the ?? about resistance to brute force attack, including the private key check. (so that's why the wallet says to send an outgoing from a new wallet) Who knew.

    Knowing the steps outlined above would allow anyone to generate account numbers that would be considered hard/paper storage. Whether it was a developer who would provide a piece of software for the code clueless masses, or someone who wanted to make their own standalone program like I did for BTC/ETH.

    Thanks for the good info,



  • @rds yes burst is nxt based coin so all of this is from their code.
    i haven't dug too far into background of nxt security features to have found a whitepaper. only the curve25519 post, and some references to reasons implementation of 12 word passphrases. prior user provided passphrases were getting brute forced.
    https://nxtforum.org/general/nxt-client-passphrase-rng-number-of-bits-etc/

    to generate accounts outside of the wallet all you need is sha2 and curve25519 libraries which are easy to find. you could look at luxe's vanity gen (i haven't) and an implementation probably already there in java.



  • @rds perhaps when more light is shed on this issue you may consider providing a solution for the community in order to store burst on a hardware-wise wallet? You could even maybe create an asset and who knows what else may arise... Just a random thought that came to mind 🙂
    I remember when I first created a Burst account I used the random generated passphrase and logged out and in several times (without having sent an outgoing transaction) just to test the thing, and in one of those trials I happened to log into an account that had been active, with user name, transaction history and everything... It happened to have 0 balance btw. I perhaps copy-pasted the passphrase wrongly, but that was anyhow quite a shock to me.



  • @damncourier said in Regarding the recent theft of Burst accounts:

    @rds yes burst is nxt based coin so all of this is from their code.
    i haven't dug too far into background of nxt security features to have found a whitepaper. only the curve25519 post, and some references to reasons implementation of 12 word passphrases. prior user provided passphrases were getting brute forced.
    https://nxtforum.org/general/nxt-client-passphrase-rng-number-of-bits-etc/

    to generate accounts outside of the wallet all you need is sha2 and curve25519 libraries which are easy to find. you could look at luxe's vanity gen (i haven't) and an implementation probably already there in java.

    Yes, when I made my little Python program for BTC/ETH I looked at the open source from bitaddress.org and myetherwallet.com to get a general template. Python had a lot of library modules for cryptography like the elliptic curves, hashing algorithms etc.

    To me the key to generating private keys for any wallet is randomness. The feedstock to the hashing machine has to be truly random to resist brute force attack.



  • @rds said in Regarding the recent theft of Burst accounts:

    To me the key to generating private keys for any wallet is randomness. The feedstock to the hashing machine has to be truly random to resist brute force attack.

    hence the problem with user provided input to the hash. the default is 1626 word list, with 12 word phrase. the word choice is fed by 128 bits from javascript crypto module (or 512 mouse samples for older IE which don't support crypto)
    https://github.com/burst-team/burstcoin/blob/master/html/ui/js/crypto/passphrasegenerator.js#L45

    1626^12 is a lot but additional (or different) random might be better. comes to the differences between 1626^12 and the full 2^256 (which i think are pretty close)

    anyway i am sure python has sha2 and curve25519 modules.
    https://pypi.python.org/pypi/curve25519-donna

    as the wallet tells you safer with the public key on the block chain. i believe that you can use burst api to sign a transaction on non-networked hardware and take the result to be broadcast without providing the passphrase.



  • @rds So to put in perspective how many passwords can be generated by a list of 1626 words in a 12 word combination, the number would be
    341,543,870,028,173,427,817,970,975,906,355,941,376
    or
    341 undecillion
    which can be broken down into
    341 billion billion billion billion

    Now for a look at the account address:
    with a combination of 16 of 36 chars (numbers and alpha) the equation would look like this 36^16
    which looks like this in integer form
    7,958,661,109,946,400,884,391,936
    or
    7 septillion
    which can be broken down into
    7 million billion billion

    At first glance you may notice the first equation has much higher output which also may lead you to believe that there must be an overlap somewhere or not enough addresses for passphrases, but you'd be wrong.
    You see there are only 7,483,400,959 people in the world. http://www.worldometers.info/world-population/

    This means that each person on the planet today gets ~1,063,565,563,269,597 Accounts to themselves.
    or
    This means that each person on the planet today gets ~45,642,639,319,547,431,219,827,739,664 Passphrases to themselves.

    This also showcases that the chance for replication is less than the chance of a new generated key by a factor of billions. This doesn't mean that it's impossible but more likely than not a simple check to make sure the account isn't in use is made.

    Big Thanks to http://www.wolframalpha.com/ for crunching these numbers as normal computer programs can't handle the task due to insufficient numeric memory allocation
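
The sizes being compared in this thread, put side by side as bits, together with the birthday bound for two accounts landing on the same id. This is an added example, not code from the wallet or from any poster. It takes the 1626-word list and the 8-byte id from the posts above; the guess rate and the roughly 128-bit strength figure for Curve25519 are assumptions marked in the code.

```python
"""Passphrase entropy vs. account-id space for the figures in this thread."""
import math

WORDLIST_SIZE = 1626   # words in the wallet's list, as quoted in the thread
ID_BITS = 64           # numeric id = first 8 bytes of SHA-256(public key)
CURVE_BITS = 128       # assumption: commonly cited strength of Curve25519
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def passphrase_bits(words, wordlist_size=WORDLIST_SIZE):
    """Entropy of `words` independent, uniform picks from the list."""
    return words * math.log2(wordlist_size)


def words_needed(target_bits, wordlist_size=WORDLIST_SIZE):
    """Fewest words whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def effective_bits(words, public_key_on_chain):
    """Weakest link protecting an account.

    As described in the thread, the full public key is only checked once
    it is on the chain; before that the 8-byte id is all that is matched.
    """
    ceiling = CURVE_BITS if public_key_on_chain else ID_BITS
    return min(passphrase_bits(words), ceiling)


def id_collision_probability(accounts, bits=ID_BITS):
    """Birthday bound: chance that any two of `accounts` random ids coincide."""
    pairs = accounts * (accounts - 1) / 2
    return -math.expm1(-pairs / 2**bits)


def years_to_search(bits, guesses_per_second):
    """Average time to hit one specific value (half the space is searched)."""
    return 2 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR


def strength_table(guesses_per_second=1e12):
    """(words, bits, years) rows; the default rate is a hypothetical figure."""
    rows = []
    for words in (1, 2, 3, 4, 6, 8, 10, 12):
        bits = passphrase_bits(words)
        rows.append((words, round(bits, 1), years_to_search(bits, guesses_per_second)))
    return rows


if __name__ == "__main__":
    for words, bits, years in strength_table():
        print(f"{words:2d} words  {bits:6.1f} bits  {years:.3g} years at 1e12 guesses/s")
    print("12 words, key on chain    :", effective_bits(12, True), "bits")
    print("12 words, key not on chain:", effective_bits(12, False), "bits")
    print("id collision among 1e6 accounts:", id_collision_probability(10**6))
```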



  • Can someone give me a link with this wordlist?



  • @Miky You can find it in the Burst program folder it's a .js file

    Edit: I pulled them out for you;

    String[] words = { "like", "just", "love", "know", "never", "want", "time", "out", "there", "make", "look", "eye", "down", "only", "think", "heart", "back", "then", "into", "about", "more", "away", "still", "them", "take", "thing", "even", "through", "long", "always", "world", "too", "friend", "tell", "try", "hand", "thought", "over", "here", "other", "need", "smile", "again", "much", "cry", "been", "night", "ever", "little", "said", "end", "some", "those", "around", "mind", "people", "girl", "leave", "dream", "left", "turn", "myself", "give", "nothing", "really", "off", "before", "something", "find", "walk", "wish", "good", "once", "place", "ask", "stop", "keep", "watch", "seem", "everything", "wait", "got", "yet", "made", "remember", "start", "alone", "run", "hope", "maybe", "believe", "body", "hate", "after", "close", "talk", "stand", "own", "each", "hurt", "help", "home", "god", "soul", "new", "many", "two", "inside", "should", "true", "first", "fear", "mean", "better", "play", "another", "gone", "change", "use", "wonder", "someone", "hair", "cold", "open", "best", "any", "behind", "happen", "water", "dark", "laugh", "stay", "forever", "name", "work", "show", "sky", "break", "came", "deep", "door", "put", "black", "together", "upon", "happy", "such", "great", "white", "matter", "fill", "past", "please", "burn", "cause", "enough", "touch", "moment", "soon", "voice", "scream", "anything", "stare", "sound", "red", "everyone", "hide", "kiss", "truth", "death", "beautiful", "mine", "blood", "broken", "very", "pass", "next", "forget", "tree", "wrong", "air", "mother", "understand", "lip", "hit", "wall", "memory", "sleep", "free", "high", "realize", "school", "might", "skin", "sweet", "perfect", "blue", "kill", "breath", "dance", "against", "fly", "between", "grow", "strong", "under", "listen", "bring", "sometimes", "speak", "pull", "person", "become", "family", "begin", "ground", "real", "small", "father", "sure", "feet", "rest", "young", "finally", "land", 
"across", "today", "different", "guy", "line", "fire", "reason", "reach", "second", "slowly", "write", "eat", "smell", "mouth", "step", "learn", "three", "floor", "promise", "breathe", "darkness", "push", "earth", "guess", "save", "song", "above", "along", "both", "color", "house", "almost", "sorry", "anymore", "brother", "okay", "dear", "game", "fade", "already", "apart", "warm", "beauty", "heard", "notice", "question", "shine", "began", "piece", "whole", "shadow", "secret", "street", "within", "finger", "point", "morning", "whisper", "child", "moon", "green", "story", "glass", "kid", "silence", "since", "soft", "yourself", "empty", "shall", "angel", "answer", "baby", "bright", "dad", "path", "worry", "hour", "drop", "follow", "power", "war", "half", "flow", "heaven", "act", "chance", "fact", "least", "tired", "children", "near", "quite", "afraid", "rise", "sea", "taste", "window", "cover", "nice", "trust", "lot", "sad", "cool", "force", "peace", "return", "blind", "easy", "ready", "roll", "rose", "drive", "held", "music", "beneath", "hang", "mom", "paint", "emotion", "quiet", "clear", "cloud", "few", "pretty", "bird", "outside", "paper", "picture", "front", "rock", "simple", "anyone", "meant", "reality", "road", "sense", "waste", "bit", "leaf", "thank", "happiness", "meet", "men", "smoke", "truly", "decide", "self", "age", "book", "form", "alive", "carry", "escape", "damn", "instead", "able", "ice", "minute", "throw", "catch", "leg", "ring", "course", "goodbye", "lead", "poem", "sick", "corner", "desire", "known", "problem", "remind", "shoulder", "suppose", "toward", "wave", "drink", "jump", "woman", "pretend", "sister", "week", "human", "joy", "crack", "grey", "pray", "surprise", "dry", "knee", "less", "search", "bleed", "caught", "clean", "embrace", "future", "king", "son", "sorrow", "chest", "hug", "remain", "sat", "worth", "blow", "daddy", "final", "parent", "tight", "also", "create", "lonely", "safe", "cross", "dress", "evil", "silent", "bone", "fate", 
"perhaps", "anger", "class", "scar", "snow", "tiny", "tonight", "continue", "control", "dog", "edge", "mirror", "month", "suddenly", "comfort", "given", "loud", "quickly", "gaze", "plan", "rush", "stone", "town", "battle", "ignore", "spirit", "stood", "stupid", "yours", "brown", "build", "dust", "hey", "kept", "pay", "phone", "twist", "although", "ball", "beyond", "hidden", "nose", "taken", "fail", "float", "pure", "somehow", "wash", "wrap", "angry", "cheek", "creature", "forgotten", "heat", "rip", "single", "space", "special", "weak", "whatever", "yell", "anyway", "blame", "job", "choose", "country", "curse", "drift", "echo", "figure", "grew", "laughter", "neck", "suffer", "worse", "yeah", "disappear", "foot", "forward", "knife", "mess", "somewhere", "stomach", "storm", "beg", "idea", "lift", "offer", "breeze", "field", "five", "often", "simply", "stuck", "win", "allow", "confuse", "enjoy", "except", "flower", "seek", "strength", "calm", "grin", "gun", "heavy", "hill", "large", "ocean", "shoe", "sigh", "straight", "summer", "tongue", "accept", "crazy", "everyday", "exist", "grass", "mistake", "sent", "shut", "surround", "table", "ache", "brain", "destroy", "heal", "nature", "shout", "sign", "stain", "choice", "doubt", "glance", "glow", "mountain", "queen", "stranger", "throat", "tomorrow", "city", "either", "fish", "flame", "rather", "shape", "spin", "spread", "ash", "distance", "finish", "image", "imagine", "important", "nobody", "shatter", "warmth", "became", "feed", "flesh", "funny", "lust", "shirt", "trouble", "yellow", "attention", "bare", "bite", "money", "protect", "amaze", "appear", "born", "choke", "completely", "daughter", "fresh", "friendship", "gentle", "probably", "six", "deserve", "expect", "grab", "middle", "nightmare", "river", "thousand", "weight", "worst", "wound", "barely", "bottle", "cream", "regret", "relationship", "stick", "test", "crush", "endless", "fault", "itself", "rule", "spill", "art", "circle", "join", "kick", "mask", "master", 
"passion", "quick", "raise", "smooth", "unless", "wander", "actually", "broke", "chair", "deal", "favorite", "gift", "note", "number", "sweat", "box", "chill", "clothes", "lady", "mark", "park", "poor", "sadness", "tie", "animal", "belong", "brush", "consume", "dawn", "forest", "innocent", "pen", "pride", "stream", "thick", "clay", "complete", "count", "draw", "faith", "press", "silver", "struggle", "surface", "taught", "teach", "wet", "bless", "chase", "climb", "enter", "letter", "melt", "metal", "movie", "stretch", "swing", "vision", "wife", "beside", "crash", "forgot", "guide", "haunt", "joke", "knock", "plant", "pour", "prove", "reveal", "steal", "stuff", "trip", "wood", "wrist", "bother", "bottom", "crawl", "crowd", "fix", "forgive", "frown", "grace", "loose", "lucky", "party", "release", "surely", "survive", "teacher", "gently", "grip", "speed", "suicide", "travel", "treat", "vein", "written", "cage", "chain", "conversation", "date", "enemy", "however", "interest", "million", "page", "pink", "proud", "sway", "themselves", "winter", "church", "cruel", "cup", "demon", "experience", "freedom", "pair", "pop", "purpose", "respect", "shoot", "softly", "state", "strange", "bar", "birth", "curl", "dirt", "excuse", "lord", "lovely", "monster", "order", "pack", "pants", "pool", "scene", "seven", "shame", "slide", "ugly", "among", "blade", "blonde", "closet", "creek", "deny", "drug", "eternity", "gain", "grade", "handle", "key", "linger", "pale", "prepare", "swallow", "swim", "tremble", "wheel", "won", "cast", "cigarette", "claim", "college", "direction", "dirty", "gather", "ghost", "hundred", "loss", "lung", "orange", "present", "swear", "swirl", "twice", "wild", "bitter", "blanket", "doctor", "everywhere", "flash", "grown", "knowledge", "numb", "pressure", "radio", "repeat", "ruin", "spend", "unknown", "buy", "clock", "devil", "early", "false", "fantasy", "pound", "precious", "refuse", "sheet", "teeth", "welcome", "add", "ahead", "block", "bury", "caress", "content", 
"depth", "despite", "distant", "marry", "purple", "threw", "whenever", "bomb", "dull", "easily", "grasp", "hospital", "innocence", "normal", "receive", "reply", "rhyme", "shade", "someday", "sword", "toe", "visit", "asleep", "bought", "center", "consider", "flat", "hero", "history", "ink", "insane", "muscle", "mystery", "pocket", "reflection", "shove", "silently", "smart", "soldier", "spot", "stress", "train", "type", "view", "whether", "bus", "energy", "explain", "holy", "hunger", "inch", "magic", "mix", "noise", "nowhere", "prayer", "presence", "shock", "snap", "spider", "study", "thunder", "trail", "admit", "agree", "bag", "bang", "bound", "butterfly", "cute", "exactly", "explode", "familiar", "fold", "further", "pierce", "reflect", "scent", "selfish", "sharp", "sink", "spring", "stumble", "universe", "weep", "women", "wonderful", "action", "ancient", "attempt", "avoid", "birthday", "branch", "chocolate", "core", "depress", "drunk", "especially", "focus", "fruit", "honest", "match", "palm", "perfectly", "pillow", "pity", "poison", "roar", "shift", "slightly", "thump", "truck", "tune", "twenty", "unable", "wipe", "wrote", "coat", "constant", "dinner", "drove", "egg", "eternal", "flight", "flood", "frame", "freak", "gasp", "glad", "hollow", "motion", "peer", "plastic", "root", "screen", "season", "sting", "strike", "team", "unlike", "victim", "volume", "warn", "weird", "attack", "await", "awake", "built", "charm", "crave", "despair", "fought", "grant", "grief", "horse", "limit", "message", "ripple", "sanity", "scatter", "serve", "split", "string", "trick", "annoy", "blur", "boat", "brave", "clearly", "cling", "connect", "fist", "forth", "imagination", "iron", "jock", "judge", "lesson", "milk", "misery", "nail", "naked", "ourselves", "poet", "possible", "princess", "sail", "size", "snake", "society", "stroke", "torture", "toss", "trace", "wise", "bloom", "bullet", "cell", "check", "cost", "darling", "during", "footstep", "fragile", "hallway", "hardly", "horizon", 
"invisible", "journey", "midnight", "mud", "nod", "pause", "relax", "shiver", "sudden", "value", "youth", "abuse", "admire", "blink", "breast", "bruise", "constantly", "couple", "creep", "curve", "difference", "dumb", "emptiness", "gotta", "honor", "plain", "planet", "recall", "rub", "ship", "slam", "soar", "somebody", "tightly", "weather", "adore", "approach", "bond", "bread", "burst", "candle", "coffee", "cousin", "crime", "desert", "flutter", "frozen", "grand", "heel", "hello", "language", "level", "movement", "pleasure", "powerful", "random", "rhythm", "settle", "silly", "slap", "sort", "spoken", "steel", "threaten", "tumble", "upset", "aside", "awkward", "bee", "blank", "board", "button", "card", "carefully", "complain", "crap", "deeply", "discover", "drag", "dread", "effort", "entire", "fairy", "giant", "gotten", "greet", "illusion", "jeans", "leap", "liquid", "march", "mend", "nervous", "nine", "replace", "rope", "spine", "stole", "terror", "accident", "apple", "balance", "boom", "childhood", "collect", "demand", "depression", "eventually", "faint", "glare", "goal", "group", "honey", "kitchen", "laid", "limb", "machine", "mere", "mold", "murder", "nerve", "painful", "poetry", "prince", "rabbit", "shelter", "shore", "shower", "soothe", "stair", "steady", "sunlight", "tangle", "tease", "treasure", "uncle", "begun", "bliss", "canvas", "cheer", "claw", "clutch", "commit", "crimson", "crystal", "delight", "doll", "existence", "express", "fog", "football", "gay", "goose", "guard", "hatred", "illuminate", "mass", "math", "mourn", "rich", "rough", "skip", "stir", "student", "style", "support", "thorn", "tough", "yard", "yearn", "yesterday", "advice", "appreciate", "autumn", "bank", "beam", "bowl", "capture", "carve", "collapse", "confusion", "creation", "dove", "feather", "girlfriend", "glory", "government", "harsh", "hop", "inner", "loser", "moonlight", "neighbor", "neither", "peach", "pig", "praise", "screw", "shield", "shimmer", "sneak", "stab", "subject", 
"throughout", "thrown", "tower", "twirl", "wow", "army", "arrive", "bathroom", "bump", "cease", "cookie", "couch", "courage", "dim", "guilt", "howl", "hum", "husband", "insult", "led", "lunch", "mock", "mostly", "natural", "nearly", "needle", "nerd", "peaceful", "perfection", "pile", "price", "remove", "roam", "sanctuary", "serious", "shiny", "shook", "sob", "stolen", "tap", "vain", "void", "warrior", "wrinkle", "affection", "apologize", "blossom", "bounce", "bridge", "cheap", "crumble", "decision", "descend", "desperately", "dig", "dot", "flip", "frighten", "heartbeat", "huge", "lazy", "lick", "odd", "opinion", "process", "puzzle", "quietly", "retreat", "score", "sentence", "separate", "situation", "skill", "soak", "square", "stray", "taint", "task", "tide", "underneath", "veil", "whistle", "anywhere", "bedroom", "bid", "bloody", "burden", "careful", "compare", "concern", "curtain", "decay", "defeat", "describe", "double", "dreamer", "driver", "dwell", "evening", "flare", "flicker", "grandma", "guitar", "harm", "horrible", "hungry", "indeed", "lace", "melody", "monkey", "nation", "object", "obviously", "rainbow", "salt", "scratch", "shown", "shy", "stage", "stun", "third", "tickle", "useless", "weakness", "worship", "worthless", "afternoon", "beard", "boyfriend", "bubble", "busy", "certain", "chin", "concrete", "desk", "diamond", "doom", "drawn", "due", "felicity", "freeze", "frost", "garden", "glide", "harmony", "hopefully", "hunt", "jealous", "lightning", "mama", "mercy", "peel", "physical", "position", "pulse", "punch", "quit", "rant", "respond", "salty", "sane", "satisfy", "savior", "sheep", "slept", "social", "sport", "tuck", "utter", "valley", "wolf", "aim", "alas", "alter", "arrow", "awaken", "beaten", "belief", "brand", "ceiling", "cheese", "clue", "confidence", "connection", "daily", "disguise", "eager", "erase", "essence", "everytime", "expression", "fan", "flag", "flirt", "foul", "fur", "giggle", "glorious", "ignorance", "law", "lifeless", "measure", 
"mighty", "muse", "north", "opposite", "paradise", "patience", "patient", "pencil", "petal", "plate", "ponder", "possibly", "practice", "slice", "spell", "stock", "strife", "strip", "suffocate", "suit", "tender", "tool", "trade", "velvet", "verse", "waist", "witch", "aunt", "bench", "bold", "cap", "certainly", "click", "companion", "creator", "dart", "delicate", "determine", "dish", "dragon", "drama", "drum", "dude", "everybody", "feast", "forehead", "former", "fright", "fully", "gas", "hook", "hurl", "invite", "juice", "manage", "moral", "possess", "raw", "rebel", "royal", "scale", "scary", "several", "slight", "stubborn", "swell", "talent", "tea", "terrible", "thread", "torment", "trickle", "usually", "vast", "violence", "weave", "acid", "agony", "ashamed", "awe", "belly", "blend", "blush", "character", "cheat", "common", "company", "coward", "creak", "danger", "deadly", "defense", "define", "depend", "desperate", "destination", "dew", "duck", "dusty", "embarrass", "engine", "example", "explore", "foe", "freely", "frustrate", "generation", "glove", "guilty", "health", "hurry", "idiot", "impossible", "inhale", "jaw", "kingdom", "mention", "mist", "moan", "mumble", "mutter", "observe", "ode", "pathetic", "pattern", "pie", "prefer", "puff", "rape", "rare", "revenge", "rude", "scrape", "spiral", "squeeze", "strain", "sunset", "suspend", "sympathy", "thigh", "throne", "total", "unseen", "weapon", "weary" };



  • @AngryChicken Thanks



  • The word that stuck out to me when scrolling through that list was cigarette...
    It's like one of those psychological tests and my brain just showed weakness for past addictions - sorry for the random but I thought that was funny. What word sticks out to you? 😛



  • as I am reading this thread I am on one hand appalled that within our own programming the words used to Generate a random password are right there all the words are all one case, they are all dictionary words but with that said it wouldn't matter they have all the info to right there that they need to do with what they want. The person most likely persons that did this are very smart this info would be ran thru several bot computers to figure out passphrases in probably less than a week. So when I was talking earlier about back doors not closed well here is a huge gaping hole you can drive a truck thru. Hell go to 4chan and start poking around and ask around if someone had all the words needed to create random passphrases how long would it take to get in they would tell you the same thing. There are people out there for hire that do this stuff for fun got the TOR network you will be cringing at the amount of info you can get. I'm not trying to say this to be funny this is all fact. There is money here and a lot of it. The more people look at us the more unsavory types will too. And while on the subject of this site generates actual money so I wonder who in their right mind would use Java to base this on. 2K games is here in vegas they make almost all the espn sports games and some other very popular games They won't use Java on any of their primary coding why because it is not secure. Oh and let's look at the "rich" list it has every single burst account listed so now you have the person's burst account then if you look thru just a few of the asset accounts some give even more info like account id numeric number ( i probably spelled numeric wrong ) again just a little bit more info.
    We are ripe with info personally I don't like the fact that peeps can see how much I have that is like opening my bank account and saying here have a look oh by the way here is a snippet of my account number but don't worry about that just get your own account then look here in this file which is the same for everyone and with a little effort you can figure out my passphrase and anyone else's. If you really want to put things into reality here is this tidbit of info everyday just here in the U.S. every branch of the service every 3 letter agency to the Pentagon to every useless celebrity is getting probed and hacked. First get rid of the words used they should not be visible at all. Second get a real could generator with upper and lower case letters no and I can't stress this enough no dictionary words there needs to be numbers and random ( the word escapes me ) but stuff like !`~$%^&*()_-+= I would not be the one to make the generator you all would be waiting till next Christmas LOL. The faucet is off so that little hole is plugged. Secure your computers and stop using that K9 whatever it is that figures out captcha for you again it is another way in that company is not going to reimburse you they have 0 liability if you lose your money.

    Croydan



  • hi guys. i've just set up a new account. the address is in my signature.

    i strongly doubt i'll ever get my funds back.

    as for the word list. there's 1626 words in that data-set. so to dictionary brute-force would yield the following amount of guesses to crack

    • 1 word 1626
    • 2 word 2,643,876
    • 3 word 4,298,942,376
    • 4 word 6,990,080,303,376
    • 5 word 11,365,870,573,289,376
    • 6 word 18,480,905,552,168,525,376
    • 7 word 30,049,952,427,826,022,261,376
    • 8 word 48,861,222,647,645,112,196,997,376
    • 9 word 79,448,348,025,070,952,432,317,733,376
    • 10 word 1.2918301388876536865494863446938e+32


  • @Lexicon will send you some goodies tomorrow


  • admin

    @ZapbuzZ The guys that run my co-location site are Court Data Technologies. Their company provides a database of searchable data on Wisconsin, US, court cases. They have no access to my servers, they just own the public IP's associated with my servers.



  • Above all, how safe are we? After all the stress, sleepless nights and all? Only to lose it all just like that isn't palatable.


  • admin

    @delords Using a 12 word passphrase out of 1600+ possible words would require more time than the universe has existed to crack. Throw in some uppercase letters, numbers, symbols and the task becomes exponentially harder. If you use a secure passphrase you're safe. I had a test account with an unsecure passphrase, and it got hacked - lesson learned. I take the system generated passphrase and tweak it a little - it's basically uncrackable.



  • @haitch Is it possible to somehow change the passphrase of an account? Or do I have to make a new one and transfer all the assets and all my burstcoin to a new one?



  • @theoneandonely It's not possible to change your passphrase, because your address is generated from your passphrase. You'd need to create a new account and transfer your Burst and assets to it.