Bitcoin Forum

...
The 250BTC Brainwallet passphrase was "how much wood could a woodchuck chuck if a woodchuck could chuck wood"
https://twitter.com/ryancdotorg/status/629862282831511552
...

people whove used brainwallet should sha256 their passphrase immediately and move the coins to something more secure.

The 250BTC Brainwallet passphrase was "how much wood could a woodchuck chuck if a woodchuck could chuck wood"

I have a LOT of bitcoins stored in brainwallets, and I feel perfectly safe about it.

I think brainwallets are very secure, provided that you REALLY understand what makes strong input for a brainwallet, and what doesn't.

For example, I use Sha256²(master key + passphrase) where "master key" is a long, complex, impossible to guess password that I also use for e.g. Keepass. And the passphrase (it's actually a phrase, not a word) is something I can remember easily, but is still kinda hard to guess. Together, I feel very confident that nobody on earth is ever going to guess or brute force it.

With Sha256² I mean something similar to Sha256d (double Sha256) which Bitcoin uses, but instead of Sha256(Sha256(x)), I use Sha256(x+Sha256(x)).

people whove used brainwallet should sha256 their passphrase immediately and move the coins to something more secure.

The 250BTC Brainwallet passphrase was "how much wood could a woodchuck chuck if a woodchuck could chuck wood"
https://twitter.com/ryancdotorg/status/629862282831511552

The 250BTC Brainwallet passphrase was "how much wood could a woodchuck chuck if a woodchuck could chuck wood"

It is surprising to me that people who are knowledgeable enough about Bitcoin/bitcoin to know what a brainwallet is,
don't choose more complex phrases, especially when their bitcoins are at higher risk of theft, compared to a standard privatekey.
The "how much wood could a woodchuck..." saying or whatever it is considered could be chosen by tens of people, in theory.
With millions of users in the future, that one would pop up hundredths of times.

Good luck with your presentation.

i don't mean to be harsh but honestly if the passphrase of the brain wallet was "how much wood..." the owner deserves to lose 250BTC and more.
the first thing that the brainwallet itself in the password field suggests is not to use popular phrases.
https://www.google.com/search?q=how+much+wood+could+a+woodchuck+chuck+if+a+woodchuck+could+chuck+wood

there is even a film with the same name for gods sake!
https://en.wikipedia.org/wiki/How_Much_Wood_Would_a_Woodchuck_Chuck_(film)

Come on man, people who know how to choose good passwords and store them correctly while using brainwallets are as safe as using other "normal" wallets. I have seen so many stupid missuses with the wallet.dat files so far that are as bad as bad brainwallet passwords.

This means nothing, if people are using brainwallets, they are not less safe automatically.

Next we'll hear about some moron using as a passphrase "peter piper picked a peck of picked peppers".

Yes, they absolutely are less safe automatically.  A person who wants to break your wallet.dat password must have your wallet.dat file.  Brainwallets have no file.

Brainwallet cracking tools can run extremely fast - the cracking can be run offline against an indexed version of the blockchain, and can be distributed among many bots.   A password of "m2wAHUnF91z" for instance (created from LastPass, and bearing approximately 51-57 bits of entropy, depending on how it's calculated) is absolutely reasonable for a wallet.dat password.  It is absolutely NOT fine as a brainwallet key.  Brainwallets should have no less than 128 bits of true entropy.

Creating a safe brainwallet is possible, but it is very difficult to do correctly.  You have to forget everything you've learned about how to pick a good password.  

That would be secure, since Peter piper picked a peck of pickled peppers, not picked peppers. 

Yes, they absolutely are less safe automatically.  A person who wants to break your wallet.dat password must have your wallet.dat file.  Brainwallets have no file.

Brainwallet cracking tools can run extremely fast - the cracking can be run offline against an indexed version of the blockchain, and can be distributed among many bots.   A password of "m2wAHUnF91z" for instance (created from LastPass, and bearing approximately 51-57 bits of entropy, depending on how it's calculated) is absolutely reasonable for a wallet.dat password.  It is absolutely NOT fine as a brainwallet key.  Brainwallets should have no less than 128 bits of true entropy.

Creating a safe brainwallet is possible, but it is very difficult to do correctly.  You have to forget everything you've learned about how to pick a good password.  

Wait, you take a dictionary, even an English one (even better if you are a foreigner so you use a foreign dictionary, but lets assume you use and English one) and you choose 12 random words of 6+ letters (even 5 letter words are OK but just to make sure) and you will have a random password with 128 bit+ entropy which is very safe. Of course, you write it down on a piece of paper.

The problem is that average people don't know that's done like this correctly and they use famous phrases and other crap instead.

As shown by this thread, people aren't very good with random-ness.
You should let the computer do this for you.

That is interesting. But i don't understand yet why there is such a big difference in safety for having that passkey as a password for the wallet.dat or having it as the seed for a private key. Where does the difference come from? I mean bruteforcing should work at the same speed for both isn't it? Or are there iterations of the pass for the wallet.dat so that the time to bruteforce gets extended?

As shown by this thread, people aren't very good with random-ness.
You should let the computer do this for you.

There are two functional differences:

1) For wallet.dat encryption, they need your wallet file, and can't attack your account without it.
2) Even if they have the wallet file, they have to expend their effort attacking your file.  In stark contrast, attacks against brainwallets attack ALL brainwallets simultaneously.  

People are terrible in choosing passwords for themselves, I know that. But I kind of got from this thread that all brainwallets are doomed since they can be cracked with this software which is just not true if you have a strong and random password.

Concept of brainwallets works for NXT pretty well, OK they did have some hacks in the beginning, just because the users used famous phrases which you can look for with these kind of softwares very quickly and successfully. Now, when the users know what the strong password is and when they have option for client to choose it for them, brainwallets work well.

I almost forgot that NXT is a brainwallet per se.

I did some research some time ago but couldn't find how NXT hashes the passphrase which locks/unlocks the account.

Does anyone here know about it?

Is it just sha256(passphrase)? It can't be that easy...

As it seems, the Github source code of the brainwallet.org has also been taken down. Does anyone know about a copy of that repository ?

I almost forgot that NXT is a brainwallet per se.

I did some research some time ago but couldn't find how NXT hashes the passphrase which locks/unlocks the account.

Does anyone here know about it?

Is it just sha256(passphrase)? It can't be that easy...

I am sure it's not that easy, otherwise all people's NXT would just be gone. I have forwarded this thread to my good friend who's deeper with NXT, I am sure somebody will reply and let us know.

Cheers!

2.4.2 Accounts
Nxt implements a brain wallet as part of its design: all accounts are stored on
the network, with private keys for each possible account address directly derived
from each account’s passphrase using a combination of SHA256 and Curve25519
operations.
Each account is represented by a 64-bit number, and this number is expressed
as an account address using a Reed-Solomon14 error-correcting notation that
allows for detection of up to four errors in an account address, or correction of
up to two errors. This format was implemented in response to concerns that
a mistyped account address could result in tokens, aliases, or assets being irreversibly
transferred to erroneous destination accounts. Account addresses are
always prefaced by “NXT-”, making Nxt account addresses easily recognizable
and distinguishable from address formats used by other cryptocurrencies.
The Reed-Solomon-encoded account address associated with a secret passphrase
is generated as follows:

1. The secret passphrase is hashed with SHA256 to derive the account’s
private key.
2. The private key is encrypted with Curve25519 to derive the account’s
public key.
3. The public key is hashed with SHA256 to derive the account ID.
4. The first 64 bits of the account ID are the visible account number.
5. Reed-Solomon encoding of the visible account number, prefixed with “NXT-
”, generates the account address.

When an account is accessed by a secret passphrase for the very first time, it
is not secured by a public key. When the first outgoing transaction from an
account is made, the 256-bit public key derived from the passphrase is stored
on the blockchain, and this secures the account. The address space for public
keys (2256) is larger than the address space for account numbers (264), so there
is no one-to-one mapping of passphrases to account numbers and collisions are
possible. These collisions are detected and prevented in the following way: once
a specific passphrase is used to access an account, and that account is secured
by a 256-bit public key, no other public-private key pair is permitted to access
that account number.

But my dog's name is still safe right?

Only if called 123abc

30 characters??!? Isn't that too much?

For most applications, yeah. But Nxt works differently.

In most other applications, an attacker can only try to break into one account at a time. A smart attacker will not try passwords randomly. They will run through a prepared list of passwords and resulting hashes (that list is called a rainbow table), hoping to find the one password that can access your account.

As technology improves and processing power increases, attackers can prepare larger and larger rainbow tables. The key to creating a safe password is to stay ahead of the processing curve, to avoid being simple enough to be included in rainbow tables and so escape easy discovery.

Most applications are such that an attacker can go after only one account at a time. Your bank, e-mail, and online shopping accounts are like this. For such applications, a password of 15 varied characters that don't form readable words or patterns is currently very safe, well beyond what attackers can feasibly include in their rainbow tables.

Nxt works differently. In order to have the convenience of accessing your account through just a single passphrase, without a login name or wallet file, it also allows an attacker to try ALL accounts at the same time and greatly increases their chances of success. With everyone's account balance in the prize pot, the rewards become much higher, so there's compelling reason for them to focus a lot more resources on extending rainbow tables.

it seems the best way to create a nxt brain wallet is by using a combination of data only you know. say phone numbers,  addresses, and chinese/japanese characters. Then mix it up with your own password. good luck trying to guess that and no way in hell would you forget it nor the need to write it down.

right now nxt has the ability to host bitcoin addresses via the multigateway, in effect giving nxt the ability to host your other coins with just one passphrase.

www.jnxt.org/nxt -- login with account to test it out: NXT-MRCC-2YLS-8M54-3CMAJ

Yeah indeed, it's also best to use some words that can't be found in dictionaries and add special characters in front of and in between words.
Plus you'd need to use a passphrase of at least 64 characters.

Passphrase length does not matter. Passphrase language does not matter. All that matters is predictability. There is no way to measure the predictability of human-generated passphrases, but we can measure the predictability of random passphrases. So use random passphrases.