Serious changes what Burst really needed! (IMO)



  • @vaxman That test is on 1 burst address. What about just trying passphrases that fulfill the 32 character phrase and see if it logs you into a burst?

    If I was to try and bruteforce a random account, I would randomly pick from the 1600 words to fulfill the 32 characters and test against my local wallet API interface. (true or false) so in this case you have over a 100.000 accounts of a chance to get into and it will only get bigger.

    With that said I guess I have to try it out :D


  • admin

    @Zohtar From the testing I did the passphrase was never sent on the wire.





  • @haitch what did you test with? Javascript or combined languages?


  • admin

    @Zohtar Wireshark traces of the browser and curl calls to the API.



  • @haitch

    I literally just PM'd you about this...

    What is the safest way to send the passphrase in the CURL request? Or is it safe?



  • @falconCoin safest is to never send it :) use code to generate transaction hash and send transaction :)



  • @Zohtar said in Serious changes what Burst really needed! (IMO):

    @vaxman That test is on 1 burst address. What about just trying passphrases that fulfill the 32 character phrase and see if it logs you into a burst?

    If I was to try and bruteforce a random account, I would randomly pick from the 1600 words to fulfill the 32 characters and test against my local wallet API interface. (true or false) so in this case you have over a 100.000 accounts of a chance to get into and it will only get bigger.

    @Zohtar
    Calculus geeks, please ignore the gross shortcuts taken in this napkin calc. If you must insist, explain binomial coefficient for the layman. Sorry.

    Anyways, let's play with numbers.

    using the supplied word list:

    With a 12 word passphrase, you have 1626^12 combinations.
    The number of combinations is ~ 3.4 * 10^38

    Let's assume there are 10k accounts with enough funds to care.
    Still ~ 3.4 * 10^34 combinations.

    OK..100k accounts, we take anything above 1 burst;
    Still ~ 3.4 * 10^33 combinations.

    Let's assume we are lucky and after checking 1% hit a jackpot.
    To fit this into a 10 year timeframe, you'd need to generate

    3.4 * 10^33 / 100 / (10 * 365.2425 * 86,400 ) ~= 10^23

    combinations PER SECOND.

    The JavaScript example reaches 10^3, handcoded assembler may reach 10^6 combinations/second.

    6 << 23

    (orders of magnitude: 10^6 is smaller than 10^23 by a factor of 10^17. Our 10 year plan is off by a FACTOR OF 10^17 ! Funny research indicates our planet earth is ~4.6 * 10^9 years old. We need 100,000,000 times that.)

    Just 32 characters from [a-z][0-9], a simplistic 36-character-set.

    36^32 ~= 6.3 * 10^49

    Same lucky jackpot hit in 100k accounts after scanning 1% of the keyspace, within 10 years. Needs only this many checks per second:

    36^32 / 100,000 / 100 / (10 * 365.2425 * 86,400 ) == 2 * 10^34

    Still,

    6 << 34

    (orders of magnitude as above, out by 10^19 earth lifespans, 10,000,000,000,000,000,000x)

    <irony>
    I'd guess many of the whales use their own schema for passphrases, not the supplied list. But that may be balanced by collisions that will inevitably happen even with SHA256.

    We'd need to have a precomposed list of funded accounts' public keys and check our computed list against this funded-list. (lots of work plowing through the blockchain, but eliminates a 2nd sha256 call for every check -> massive 1.5x speed gain). Coding this in cuda or opencl still has the "problem" of walking a binary tree that only fits into global memory (the funded-list; 10k entries >300KiB, 100k entries >3 MiB), which is not exactly fast. Oops, did I just push someone into brushing up their opencl skills..
    </irony>

    But all this has been discussed before and references 'been mentioned in this topic.


  • admin

    @falconCoin In a Curl request make sure you use an https wallet - http did show the passphrase unencrypted. No wallet actions transmitted the passphrase.



  • @haitch As I said, the only thing sending the passphrase outside was the crowdfunding code.
    (And my dividends script, but that one is coded to be outside and supposed to be used on local machines only).