The safety and security of your Nxt account is very important. It is crucial that you understand these principles BEFORE you create a Nxt account.
Getting a safe download
When new clients are released by the development team, they also publish an "SHA256 hash" of the file. This is a string of text that serves as a "digital signature" for the download. It is different for each new version of the software, and it is calculated by the developers who are working on the core Nxt software. If even one byte of the software is altered or tampered with, the hash value will completely change. Because Nxt is open-source, it is easy for malicious attackers to create "fake" downloads of the software that include backdoors and other exploits.
When you download the software, you should run the downloaded file through an SHA256 utility to generate an SHA256 hash, and verify that it matches the one that was posted by the development team. The current version of the client and it's current SHA256 hash can be found near the end of this Bitcointalk.org forum post.
If you've never calculated an SHA256 hash before, here's how:
- On Windows, an online calculator is easiest: http://hash.online-convert.com/sha256-generator
- On Mac OS X, a SHA-256 can be calculated using the openssl command in an open Terminal (the terminal is located in /Applications/Utilities). The openssl command would look something like this:
openssl sha256 [FILE_NAME]
- On GNU/Linux, the program sha256sum is standard on most versions of the OS. Using the sha256sum command in a terminal would look something like this:
Since all Nxt accounts are stored on the network, it is theoretically possible for someone to access your Nxt account by "brute-force". Hackers have tools that systematically test different passwords, hoping to find one that works and gives them instant access to your money. The job of a hacker is made even easier because of the existence of rainbow tables, which are basically lists of pre-cracked passwords that people commonly use.
Humans are creatures of habit. We use the same kinds of passwords and the same mechanisms for generating passwords. The vast majority of people do not pick good passwords, and an alarming number of us use the same passwords. If you use a password that appears in this list of the 10,000 most common passwords, you will be robbed.
A password can't be hacked if there is no method for accessing the thing that the password unlocks: if you kept your computer inside a safe, with no connection to the Internet, your Windows account password could be quite simple because unless someone can get into that safe, they can't even attempt to to get into your Windows account.
Nxt is different because it can be accessed from anywhere. It uses a brain wallet, which means that all accounts are stored on the network. Anyone running the Nxt software from anywhere can type in any password and potentially get access to an account. So you'd better have a very good password, or you will get robbed.
We recommend never logging into your Nxt account on a "public node" (any Nxt server that is accessible on the Internet).
The Internet is full of "malware" that will infect your computer, read files on your hard drive, log your keystrokes, and more. If you have a very strong password but keep it in a text file on your desktop or in a email that you keep sending to yourself, you will be robbed. If you do not have up-to-date anti-virus and anti-malware software on your computer, and are at least occasionally checking for the presence of keylogging software, you will be robbed.
We keep repeating ourselves, but we hope you get the point. Security is the most important thing you must think about when you think about creating a Nxt account.
Strong passwords meet the following criteria:
- they are truly random. They do not contain any actual words in any language. And "tricks" like replacing an i with 1, replacing an e with 3, or adding a ! to the end don't count, since everyone uses those tricks. If your password is not truly random, you will be robbed.
- they are long. The SANS Institute publishes a spreadsheet that calculates how hard it would be to "brute-force" passwords of various lengths, based on a number of assumptions. Some analysis will show that passphrases become more safe when they are 15 characters or longer. The Nxt software will warn you if your passphrase is less than 30 characters long. And we recommend a passphrase of 50-70 TRULY RANDOM characters. If your passphrase is less than 30 characters long, you will be robbed.
Creating good passwords
Computers are far better at creating randomness than humans are, but since computers are all based on "logic", they're not terrific at it either. Thankfully, there are some tools that can help:
- Defuse.ca's offline password generator is a downloadable tool for Windows and Linux that can generate cryptographically-strong, very-random passwords.
- Mac OS has a built-in password generator that can create strong passwords of up to 30 characters. If you use it, be sure to set the type to "random"
Having the best passphrase in the world is terrific, but it's useless if you can't use it or store it. Thankfully there are tools you can use to help.
- Free password storage tools like KeePass let you create an encrypted file on your computer that serves as a "vault" for passwords. The KeePass file, itself, is protected with a password, but the extra layer of security makes hacking very difficult. You can store your Nxt passphrase in KeePass, and when you need it, unlock KeePass and then copy and paste your passphrase into your Nxt software. KeePass also includes a password generator (use 50 characters, from all available character sets!)
- Other commercial password managers exist, such as 1Password. Do some research and find one you like. Many packages also include password generators. It's a worthwhile investment.
- Cold storage. You can always write your passphrase on a piece of paper, and then keep it in a safety deposit box. This makes sense for accounts you do not plan on using for day-to-day transactions... but if you want to keep your passphrase safe, this is a great way to do it.