Signum is a blockchain-based cryptocurrency. A single passphrase (private key) protects each account. If you cannot produce the passphrase, you cannot access the account, and the coins associated with it will have no value. There is no central organization to contact in this circumstance, so care must be taken to preserve a record of each account’s passphrase. It is best to keep a record of passphrases in more than one secure location such as encrypted on a hard drive, in a password manager, or printed. As any of these can fail, it is essential to have a backup.
The same care should also be taken when making transactions, as they are not reversible. If a transfer is made to an account without a known passphrase, there is no way to retrieve it. When transferring Signum among several accounts, ensure that each passphrase is known.
Passphrases will eventually need to be entered on a local device to sign transactions. The device should be secure from intrusion and uncompromised by malicious software or keystroke recorders. It is possible to sign transactions using a device not connected to the internet (air-gapped) using Signum’s offline transaction signing feature for enhanced security.
Following are a few best practices:
- Do not enter passphrases into online forms or use online wallets for high-value accounts or accounts that will ever hold a significant balance.
- Do not change the 12-word passphrase generated during account setup (adding to it is not problematic but is unnecessary). The 12-word passphrase protects against Brute Force and Rainbow Table attacks.
- Do not use special characters, particularly Unicode characters. ASCII codes can be used but are unnecessary. Note: Microsoft Word uses Unicode characters and therefore should not be used for storing passphrases that contain special characters.
- Do not share passphrases with anyone that you cannot trust.
- Do not store unencrypted passphrases on remote nodes or local workstations.
- Use special care when connecting to remote nodes.
- Use accounts with smaller balances for daily operations and accounts with higher balances with particular attention to security.
- Use discretion when considering password management software.
Signum’s Automatically Generated Passphrase
Centralized organizations limit login attempts for online accounts. Otherwise, the short passphrases they allow would quickly be compromised.
Signum’s open-source nature allows unlimited login attempts. For this reason, the account reservation process automatically generates long, complex passphrases (twelve words drawn randomly from a list of 1,626 words for the classic wallet, and 2,048 words for Phoenix and BTDEX.
341,543,870,028,173,427,817,970,975,906,355,941,376 or 341 billion billion billion billion passphrases can be generated from a list of 1,626 words in 12-word combinations. Attempting to compromise an account by attempting all combinations would be an exercise in futility as it would take billions of billions of years on average with optimized equipment. It is a common practice to add a few extra words, letters, or numbers to the passphrases generated by Signum’s software, but this is unnecessary.
In 2017, twelve accounts containing 1,000 Signa were created with automatically generated passphrases. The 1st account was limited to a single word passphrase, the 2nd, two words, etc. The 12th account used the entire 12 words. A public challenge was made to discover the passphrases.
After six months, the first three passphrases were discovered, but even after being tested by a highly-optimized password cracking tool trying 160,000 combinations per second, the remaining accounts could not be compromised. It would take an estimated 515 days to break the 4th and more than 2,000 years to break the 5th. With each additional word increasing the difficulty by 1,626, cracking the 12th passphrase would not be possible.
|Number of Words||Possible Combinations||Bits of Entropy|
Signum’s Vision for Security
Signum security entails more than just passphrase and wallet security. From its inception, Signum sought to enhance the faster adoption of blockchain technology while guaranteeing maximum security in all aspects of its operation. It was created in 2014 when attacks on cryptocurrency networks were already commonplace. To keep the network safe, the development team implemented several strategies.
- To prevent collusive node attacks where 51% of nodes conspire to harm the network, Byzantine fault-tolerance technology is employed to build dependable protocols. The focus is on identifying honest nodes by setting an upper boundary for maximum tolerance.
- To prevent denial of service attacks (DDOS), all nodes are required to perform proof-of-capacity validation. Regular vetting identifies and blacklists problematic nodes.
- To keep details private and funds secure from third-party entities and attacks, advanced encryption is employed. Even when sending funds on the network, details are not easily revealed.
The nature of threats to cryptocurrency networks changes rapidly. The development team has adopted a system of progressive improvement that involves constant checks to identify and address even theoretical avenues of attack.
Technical: Anatomy of a Passphrase
Account ID and address are derived from a permanent and immutable cryptographic hash of an account’s passphrase.
Elliptic-curve cryptography (ECC) is used to generate a public key, a private key (for signing transactions), and a so-called agreement key (for message encryption) from an account’s passphrase. It is not necessary to understand these keys precisely as they are only used programmatically. It is an account’s passphrase that allows interaction with the blockchain for making transactions.
- A passphrase can be any string of characters. Signum uses 12 random selections from a collection of English words.
- A private key is a cryptographic hash of an account’s passphrase.
- A public key is a cryptographic hash with the private key as a seed. It decodes as two interchangeable public addresses; an almost unique number ( account id ) and the more commonly used Reed-Solomon formatted address.
- Although the public key, numeric account id, and RS address are all derived from the cryptographic hash of an account’s passphrase, the passphrase is not derivable from any of these.