With regard to your GUI question... that is the whole point of a web wallet, there *is* no installation. No counterpartyd to set up and install. You simply go to a webpage, generate a passphrase, paste it into a text box, and click login. Takes all of 5 seconds. Nothing to save or worry about beyond your passphrase (which *is* your wallet).
This kinda reminds me of NXT - any chance we run into the same security problems with that, as they did?
Just need to have the (brain)wallet refuse or complain a LOT about low entropy passwords
Whoa, back up now. You guys are going to implement the online wallet as a brain wallet???
This is incredibly insecure.
What is wrong with generating random public address / private key pairs like all other online wallets?
Isn't blockchain.info essentially a brain wallet anyway, since all you need to generate the key is the original passphrase?
Personally I like the brain wallet idea, but why not just implement James' suggestion and refuse any passwords that are shorter than, say, 30 characters? And have a big warning about choosing a secure password.
Could also consider adding an optional two-factor login with Google Authenticator or something similar.
I could be wrong, but I don't think blockchain.info or any other reputable online wallets use your passphrase to generate a private key / public address pair. My reasoning is you can generate multiple addresses in your blockchain.info wallet. If it were a true brain wallet your passphrase would map 1-to-1 to one address and you wouldn't be able to have more than one address.
It's possible they use your password as additional entropy when generating their addresses, but I think that's unlikely as well.
With a standard username/password combo you can feel safe knowing that even if you chose a crappy password the attacker still has to attack the site itself which lowers password cracking bandwidth by several orders of magnitude. If you choose a crappy brainwallet password the attacker can use his GPU/FPGA/ASIC farm to pwn you at mega-speed.
I don't know how blockchain implements their online wallet, but a basic minimum requirement is the identifier which, combined with the password, gives you access. Sure, you don't need to know your identifier if you set up an alias, but having an identifier increases security as compared to solo password access into your wallet.
Secondly, if an identifier is implemented then it can be disabled if someone is making multiple guesses.
Bots have been written to continuously guess passwords on the nxt wallet; if someone has been foolish enough to set a weak password and the bot gains access, the balances are transferred out. I remember someone created a wallet with 10 nxt coins as an experiment with a basic password; the balance was transferred within the hour.
I would hate to see us repeat the same mistakes as nxt. Hopefully not.
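An added example, not written by any poster in this thread and not the wallet's own code: one way a web wallet could generate the passphrase itself from a CSPRNG and refuse anything it cannot credit with enough entropy, together with the online-versus-offline guessing gap raised above. The word list, the 128-bit threshold, the 40-bit "weak" phrase and both guess rates are assumptions of the example.

```python
import math
import secrets

# Constructed word list (an assumption of this example): 64 consonant-vowel
# syllables, paired, give 4096 distinct pseudo-words, i.e. 12 bits per word.
SYLLABLES = [c + v for c in "bdfghjklmnprstvz" for v in "aiou"]
WORDLIST = [a + b for a in SYLLABLES for b in SYLLABLES]
WORDSET = frozenset(WORDLIST)
BITS_PER_WORD = math.log2(len(WORDLIST))

def words_needed(target_bits):
    """Smallest word count whose uniform random choice reaches target_bits."""
    return math.ceil(target_bits / BITS_PER_WORD)

def generate_passphrase(target_bits=128):
    """Draw every word independently from the OS CSPRNG via secrets."""
    count = words_needed(target_bits)
    return " ".join(secrets.choice(WORDLIST) for _ in range(count))

def generated_bits(passphrase):
    """Entropy of a phrase in the generator's format, else 0.0.

    A human-chosen phrase has no measurable entropy, so it is credited with
    none. This checks format only; it cannot prove the words were random."""
    words = passphrase.split()
    if not words or any(w not in WORDSET for w in words):
        return 0.0
    return len(words) * BITS_PER_WORD

def accept(passphrase, min_bits=128):
    """Wallet-side gate: refuse anything below the required bit count."""
    return generated_bits(passphrase) >= min_bits

def years_to_search(bits, guesses_per_second):
    """Expected years to hit one phrase (half the space) at a given rate."""
    return 2 ** (bits - 1) / guesses_per_second / (365.25 * 24 * 3600)

if __name__ == "__main__":
    phrase = generate_passphrase()
    print(phrase, generated_bits(phrase), accept(phrase))
    # Assumed rates: 10/s against a throttled login, 1e9/s offline on a brainwallet.
    for label, rate in (("throttled site", 10), ("offline", 1e9)):
        print(label, "40-bit phrase:", years_to_search(40, rate), "years")
        print(label, "generated phrase:", years_to_search(132, rate), "years")
```

A length rule such as "at least 30 characters" would pass a long song lyric, which is why the gate above credits only phrases in the generator's own format.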