Burstcoin Security

Burstcoin’s Automatically Generated Passphrase

Centralized organizations usually limit the number of login attempts made for the online accounts they provide.  If they did not do so, the short passphrases that they allow would quickly be compromised.  They also do not usually disclose their authentication algorithm publicly.

The open-source nature of the Burstcoin client allows unlimited login attempts.  Programs can test billions of combinations per second, working through all possible combinations.  For this reason, the Burstcoin account reservation process automatically generates long, complex passphrases: 12 words drawn randomly from a list of 1,626 English words.

At first, a passphrase generated by selecting 12 words randomly from a publicly available collection may seem counter-intuitive.  However, upon further analysis, the strength of this system is apparent.

The number of 12-word passphrases that can be generated from Burstcoin’s list of 1,626 words is as follows:

341,543,870,028,173,427,817,970,975,906,355,941,376.

This is more than 341 undecillion, or 341 billion billion billion billion.  In mathematics, this is euphemistically referred to as a “large number.”  It is so large that it is difficult to imagine.  Attempting all possible combinations, a process known as brute-forcing, would take billions of billions of years on average.

Attempting to compromise an account protected by one of Burstcoin’s automatically generated passphrases is an exercise in futility.  There is also no way of knowing that other words have not been added to an account’s passphrase.

| Number of Words | Possible Passphrase Combinations | Bits of Entropy |
|---|---|---|
| 1 | 1,626 | 10.66 |
| 2 | 2,643,876 | 21.33 |
| 3 | 4,298,942,376 | 32 |
| 4 | 6,990,080,303,376 | 42.67 |
| 5 | 11,365,870,573,289,400 | 53.34 |
| 6 | 18,480,905,552,168,500,000 | 64 |
| 7 | 30,049,952,427,826,000,000,000 | 74.67 |
| 8 | 48,861,222,647,645,100,000,000,000 | 85.34 |
| 9 | 79,448,348,025,071,000,000,000,000,000 | 96 |
| 10 | 129,183,013,888,765,000,000,000,000,000,000 | 106.67 |
| 11 | 210,051,580,583,132,000,000,000,000,000,000,000 | 117.34 |
| 12 | 341,543,870,028,173,000,000,000,000,000,000,000,000 | 128 |

Your account is safe with the 12-word passphrase generated by Burstcoin software.  It could be made exponentially more complex by adding additional words, letters, or numbers, but it is already more than sufficient.

In 2017, a public experiment demonstrated the security of Burstcoin’s passphrases.  The experiment involved 12 accounts, each containing 1,000 Burstcoin.  The passphrase for each account was automatically generated, but the organizer limited the number of words to 1 for the 1st account, 2 for the 2nd, etc.  The passphrase for the 12th account had 12 words.  A public announcement was made challenging anyone who wished to participate in attempting to crack the passphrases.

After 6 months, only the first 3 accounts had their passphrases discovered. The remaining accounts could not be compromised even after being tested by a highly optimized password cracking tool that tried combinations at a rate of 160,000 per second.  It would take an estimated 515 days to crack the 4th and more than 2,000 years to crack the 5th.  With each additional word increasing the difficulty by a factor of 1,626, cracking the 12th passphrase would not be possible, even though the list of 1,626 words is publicly available.
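The arithmetic behind the table and the 2017 experiment above, together with CSPRNG-based word selection, as an added Python example (not Burstcoin's own code). The function names and the placeholder word list are assumptions; the time estimate assumes a constant guess rate and full exhaustion of the keyspace.

```python
import math
import secrets

WORDLIST_SIZE = 1626     # word-list size stated on this page
GUESS_RATE = 160_000     # guesses per second quoted for the 2017 experiment
SECONDS_PER_DAY = 86_400


def keyspace(words, list_size=WORDLIST_SIZE):
    """Ordered selections with repetition: list_size ** words."""
    return list_size ** words


def entropy_bits(words, list_size=WORDLIST_SIZE):
    """Entropy of a uniformly random passphrase, in bits."""
    return words * math.log2(list_size)


def days_to_exhaust(words, rate=GUESS_RATE):
    """Days to try every combination at a constant guess rate."""
    return keyspace(words) / rate / SECONDS_PER_DAY


def generate_passphrase(wordlist, words=12):
    """Pick each word independently and uniformly with the OS CSPRNG."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("duplicate entries shrink the real keyspace")
    return " ".join(secrets.choice(wordlist) for _ in range(words))


# Constructed stand-in for the real word list, which is not reproduced here.
PLACEHOLDER_WORDS = [f"word{i:04d}" for i in range(WORDLIST_SIZE)]

if __name__ == "__main__":
    print("words  bits    days to exhaust at 160,000 guesses/s")
    for n in range(1, 13):
        print(f"{n:>5}  {entropy_bits(n):6.2f}  {days_to_exhaust(n):.3e}")
    print(generate_passphrase(PLACEHOLDER_WORDS))
```

At 160,000 guesses per second this gives roughly 506 days to exhaust four words and about 2,250 years for five, in line with the estimates quoted above.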

Security Implications of Blockchain-Based Cryptocurrency

Burstcoin is a blockchain-based cryptocurrency. A single passphrase (private key) protects each account. If you cannot produce the passphrase for your account, you cannot access the account, and the coins associated with it will have no value. There is no central organization to contact in this circumstance, so care must be taken when creating an account to preserve a record of its passphrase.

Accounts secured by a single passphrase are colloquially known as brain wallets because the passphrase could conceivably be stored only in the account holder’s memory.  For most people, preserving a record of a critical account’s passphrase in this manner is not recommended.

The best way to preserve a record of a passphrase is to store it securely in more than one location.  Saving it to a computer hard drive, entering it into a password manager file, or printing it on paper are all good options, but any of these can fail.  It is essential to have a backup.

The same care given to passphrases should also be taken when making transactions.  Burstcoin transactions are not reversible.  If a transfer is made to an account without a known passphrase, there is no way to retrieve it.  When transferring Burstcoin among several accounts, ensure that the passphrase is known for each.

Associating the value of an account with its passphrase is a helpful way to determine the appropriate level of security for protecting the passphrase.  For accounts with higher values, take more extensive security measures.

All passphrases will eventually need to be entered on a local device to sign transactions.  The device should be secure from intrusion and uncompromised by malicious software that could record keystrokes.  It is possible to sign transactions using a device that is not connected to the internet (air-gapped) using Burstcoin’s offline transaction signing feature for enhanced security.

Following are a few best practices:

  • Do not enter your passphrase into any online form.
  • Do not use online wallets for accounts with a significant balance or that will ever hold a significant balance.
  • Do not change the 12-word passphrase generated during account setup (adding to it is not problematic but is unnecessary).  The 12-word passphrase protects against Brute Force and Rainbow Table attacks.
  • Do not use special characters.  ASCII code representations can be used but are entirely unnecessary.  Unicode characters are not always consistent between programs.  Note:  Microsoft Word uses Unicode characters.  Therefore, it is not ideal for composing or storing passphrases that contain special characters.
  • Do not share passphrases with anyone that you cannot trust.
  • Do not store unencrypted passphrases on remote nodes or local workstations.
  • Do not leave a printed passphrase next to a computer.
  • Use special care when connecting to remote nodes.
  • Use accounts with smaller balances for daily operations.  Access accounts with higher balances only when necessary and with particular attention to security.
  • Use discretion when considering password management software.

Burstcoin’s Vision for Security

Burstcoin security entails more than just passphrase and wallet security.  From its inception, Burstcoin has sought to enhance faster adoption of blockchain technology while guaranteeing maximum security in all aspects of its operation.  It was created in 2014 when attacks on cryptocurrency networks were already commonplace.  To keep the network safe, the development team implemented several strategies.

To prevent collusive node attacks (attacks where 51% of the nodes conspire to harm the network), Byzantine fault-tolerance technology was employed to build dependable protocols.  The focus was on identifying honest nodes by setting an upper boundary for maximum tolerance.

To prevent denial-of-service attacks (DDoS), all nodes were required to perform proof-of-capacity validation.  Regular vetting identifies and blacklists problematic nodes.

To keep details private and funds free from third-party entities and attacks, the Burstcoin network employs advanced encryption. Even when sending funds on the network, details are not easily revealed.

The nature of threats to cryptocurrency networks changes rapidly.  The development team has adopted a system of progressive improvement that involves constant checks to identify and fix even theoretical gaps.

Passphrases

12 words drawn randomly from a list of 1,626 English words. In a word: uncrackable.

Best Practice

Do not enter your passphrase into an online form or disclose it to anyone you cannot trust.

Online Wallets

Always use the official wallet software.  Online wallets are not official wallets and are centralized by nature.

To contact the development team or request assistance with anything related to this project, please contact us on the Burstcoin Discord channel.