Bitcoin Forum

Bitcoin => Project Development => Topic started by: unchi on August 23, 2015, 04:34:49 PM



Title: ---
Post by: unchi on August 23, 2015, 04:34:49 PM
---


Title: Re: brainwallet.io
Post by: RappelzReborn on August 23, 2015, 04:37:24 PM

https://brainwallet.io

Deterministic Bitcoin Address Generator


What's the difference between this website and the old brainwallet.org that shut down lately, and how is this safe from being cracked like the other one as well? Using real information may make it easier to crack and not harder if you ask me, because if someone knows you well then you are screwed.


Title: Re: brainwallet.io
Post by: coinableS on August 23, 2015, 04:57:20 PM
What's the difference between this website and the old brainwallet.org that shut down lately, and how is this safe from being cracked like the other one as well? Using real information may make it easier to crack and not harder if you ask me, because if someone knows you well then you are screwed.

Please see the "about" section for a detailed explanation.  Brainwallet.org only used one round of SHA256 to generate addresses, which made it extremely easy to brute force.  Brainwallet.io uses 262,144 iterations of the scrypt KDF.  As you can see, it takes a very long time to generate an address, and even with specialized hardware it would be too costly and impractical to conduct brute force attacks. 

The personal information that you enter is used as a salt for additional protection.  An attacker would have to target you personally, but they would still have to brute force your passphrase.  This would still be a very time consuming process, so you would not be screwed.  It would be significantly more secure than using brainwallet.org.

So then the user could only reclaim their brainwallet funds as long as your service is operational or unless they saved the site files locally. This can be a downside to many people if they want to hold their coins for a long time in a brainwallet.


Title: Re: brainwallet.io
Post by: tsoPANos on August 23, 2015, 05:02:43 PM
What's the difference between this website and the old brainwallet.org that shut down lately, and how is this safe from being cracked like the other one as well? Using real information may make it easier to crack and not harder if you ask me, because if someone knows you well then you are screwed.

Please see the "about" section for a detailed explanation.  Brainwallet.org only used one round of SHA256 to generate addresses, which made it extremely easy to brute force.  Brainwallet.io uses 262,144 iterations of the scrypt KDF.  As you can see, it takes a very long time to generate an address, and even with specialized hardware it would be too costly and impractical to conduct brute force attacks. 

The personal information that you enter is used as a salt for additional protection.  An attacker would have to target you personally, but they would still have to brute force your passphrase.  This would still be a very time consuming process, so you would not be screwed.  It would be significantly more secure than using brainwallet.org.
Wow I just tested it and I have to say it takes very much time.
I think that time is not necessary though.
A good passphrase hashed about 1000 times could withstand most if not all types of attacks...


Title: Re: brainwallet.io
Post by: hexafraction on August 23, 2015, 05:25:55 PM

https://brainwallet.io

Deterministic Bitcoin Address Generator


Is there any chance you could also include the other tools the old brainwallet had, such as secret exponent <-> WIF, converter, sign and verify? Having those in one place, even though I never used the brainwallet feature itself, was very useful to me.


Title: Re: brainwallet.io
Post by: hexafraction on August 23, 2015, 08:03:20 PM
What's the difference between this website and the old brainwallet.org that shut down lately, and how is this safe from being cracked like the other one as well? Using real information may make it easier to crack and not harder if you ask me, because if someone knows you well then you are screwed.

Please see the "about" section for a detailed explanation.  Brainwallet.org only used one round of SHA256 to generate addresses, which made it extremely easy to brute force.  Brainwallet.io uses 262,144 iterations of the scrypt KDF.  As you can see, it takes a very long time to generate an address, and even with specialized hardware it would be too costly and impractical to conduct brute force attacks. 

The personal information that you enter is used as a salt for additional protection.  An attacker would have to target you personally, but they would still have to brute force your passphrase.  This would still be a very time consuming process, so you would not be screwed.  It would be significantly more secure than using brainwallet.org.
Wow I just tested it and I have to say it takes very much time.
I think that time is not necessary though.
A good passphrase hashed about 1000 times could withstand most if not all types of attacks...

I would beg to differ.  For a few hundred bucks you can buy an ASIC that can run through 1,000,000,000,000 SHA256 hashes per second.

Such an ASIC can only hash 80 byte block headers by incrementing a nonce. However, I'd reasonably agree that 500k is necessary for security in the context of Bitcoin.


Title: Re: brainwallet.io
Post by: coinableS on August 23, 2015, 09:52:58 PM
If you'd like to see for yourself, use this online scrypt generator:

http://kclnn.github.io/js-scrypt-async/test_scrypt_browser.html

And type in a passphrase and salt (where the salt is your name, email, phone, and DoB combined with no spaces), with parameters N=262144, r=8, p=1, and # of bytes = 32.

Then copy and paste the output into the brainwallet generator at https://bitaddress.org.

You will arrive at the same private key.

Thanks for replying. Ahh, this is very cool.  Tested it out and it works. In fact I can just input the scrypt hash directly into "wallet details" section on bitaddress and it's done.


Title: Re: brainwallet.io
Post by: hdbuck on August 24, 2015, 02:00:56 PM
Bitcoin “Brainwallets” and why they are a bad idea

http://insecurety.net/?p=866

considering using a website app for making a brainwallet is as dumb as increasing blocksize.

people are just stupid. it's amazing.


Title: Re: brainwallet.io
Post by: hexafraction on August 24, 2015, 02:02:57 PM
Bitcoin “Brainwallets” and why they are a bad idea

http://insecurety.net/?p=866

considering using a website app for making a brainwallet is as dumb as increasing blocksize.

people are just stupid. it's amazing.

Yes, but you are missing a key aspect of this new site. The algorithm involves 524288 rounds of hashing, which is impractical to bruteforce. Instead of copy pasting that link, you should discuss what technical weaknesses are still applicable for this specific brainwallet site.


Title: Re: brainwallet.io
Post by: hdbuck on August 24, 2015, 02:14:43 PM
Bitcoin “Brainwallets” and why they are a bad idea

http://insecurety.net/?p=866

considering using a website app for making a brainwallet is as dumb as increasing blocksize.

people are just stupid. it's amazing.

Yes, but you are missing a key aspect of this new site. The algorithm involves 524288 rounds of hashing, which is impractical to bruteforce. Instead of copy pasting that link, you should discuss what technical weaknesses are still applicable for this specific brainwallet site.


yea alrite, just go for it then.


Title: Re: brainwallet.io
Post by: hexafraction on August 24, 2015, 09:12:45 PM
Bitcoin “Brainwallets” and why they are a bad idea

http://insecurety.net/?p=866

considering using a website app for making a brainwallet is as dumb as increasing blocksize.

people are just stupid. it's amazing.

Yes, but you are missing a key aspect of this new site. The algorithm involves 524288 rounds of hashing, which is impractical to bruteforce. Instead of copy pasting that link, you should discuss what technical weaknesses are still applicable for this specific brainwallet site.


yea alrite, just go for it then.

No, seriously. You're not addressing any of the points I'm giving (I personally don't use brainwallets as I don't have a reason to. Others might). You pasted a link to an article whose points don't all apply and when discourse begins you dismissively disregard it. Granted, it does apply to those who pick passwords like "Mittens is a cute cat" and "password123", but it doesn't undermine the security any more than someone that allows malware on their computer and has no wallet passphrase. Like any tool, it's useless or dangerous when given to an idiot.

Also, I'd be very interested if you come up with a way to bruteforce 2^18 rounds of Scrypt KDF over a space of passwords combined with names, emails, and other info accepted by the fields of the site. And more so, I'd be very interested if you came up with a program that managed to find a passphrase like "NiSiLLy71622--Green/Loss\\5114. Ugly goblins eat pound cake gladly 724287!" that someone actually used in a reasonable amount of time.


Title: Re: brainwallet.io
Post by: jdebunt on August 25, 2015, 04:16:22 PM
UPDATE

Brainwallet.io now gives you the choice between two different salt types.  If you don't feel comfortable entering your personal info, now you can enter a username, password, and 4-digit PIN instead. 

Having options is never a bad thing. Maybe this service can restore some of the faith in brain wallets, even though there will always be people opposing the idea [and perhaps rightfully so].


Title: Re: brainwallet.io
Post by: hdbuck on August 26, 2015, 02:44:17 PM
https://rya.nc/defcon-brainwallets.html


Title: Re: brainwallet.io
Post by: HostFat on August 26, 2015, 03:19:04 PM
https://rya.nc/defcon-brainwallets.html
Can you please go somewhere else posting offtopic?
It's clear that you don't understand the difference between this (and Warp Wallet) and the common brainwallet as it was brainwallet.org.


Title: Re: brainwallet.io
Post by: Financisto on August 26, 2015, 03:21:56 PM
https://rya.nc/defcon-brainwallets.html

No FUDs here please!

LOL

Please read this: http://blog.codinghorror.com/speed-hashing/


Title: Re: brainwallet.io
Post by: CIYAM on August 26, 2015, 03:25:30 PM
I think this is not a bad idea and for those who still seem to think it is impossible to create a good brainwallet please note that this one: https://blockchain.info/address/1Au4v6dZacFVsWXeKUMJd99AtyBZeqti2L still has its 1 BTC (that has been there for three years).

Of course if you are going to use a stupid pass phrase then you are going to lose your coins but with a decent enough pass phrase and especially with decent key hardening (500K rounds seems actually over the top but will provide "future proofing") you will be safe from brute forcing.


Title: Re: brainwallet.io
Post by: Jeremycoin on August 26, 2015, 04:31:29 PM
We are not responsible for any losses in bitcoin that you may incur for any reason.
I kinda feel cautious with this sentence, especially with the underlined words.


Title: Re: brainwallet.io
Post by: prodigy8 on August 26, 2015, 04:37:13 PM
Congratz unchi for this awesome project, I tried it with a passphrase and salt just one digit and it takes some time to generate. And we mostly care about security, good luck in next updates.


Title: Re: brainwallet.io
Post by: lorylore on August 26, 2015, 09:38:58 PM
UPDATE

A random 12-word passphrase generator has been added to brainwallet.io.  It selects words from a list of 1,626 memorable words in a cryptographically random manner.  This is a similar process to what Electrum uses for wallet seeds.

Humans are known to be poor entropy sources when it comes to generating random words.  This should be a useful functionality for people who have doubts in the security of their passphrase.

Remember to always write down your passphrase!



This is an update, thank you unchi, you are very kind. It's really hard to remember 12 different words of this kind.
What about to release an update for print :) a good design of the printed page?


Title: Re: brainwallet.io
Post by: ColderThanIce on August 26, 2015, 09:47:21 PM
UPDATE

A random 12-word passphrase generator has been added to brainwallet.io.  It selects words from a list of 1,626 memorable words in a cryptographically random manner.  This is a similar process to what Electrum uses for wallet seeds.

Humans are known to be poor entropy sources when it comes to generating random words.  This should be a useful functionality for people who have doubts in the security of their passphrase.

Remember to always write down your passphrase!


Is brainwallet.io using the same word list as Electrum, or do you have a public copy of the wordlist you're using if you're using a different list?


Title: Re: brainwallet.io
Post by: Financisto on August 27, 2015, 01:55:44 AM
@unchi

Suggestion: show the generated private key also in compressed format.

You can get the code from bitaddress.org


Title: Re: brainwallet.io
Post by: RGBKey on August 27, 2015, 01:59:19 AM
Brainwallets are just another form of storing your bitcoin. Humans are known to be notoriously bad randomness generators, but if you can find a good random phrase that you can remember, that hopefully you didn't come up with yourself, that's not out of a book or anything, it can be a novelty way to keep your coins without needing to save a file with your private keys.

They can confiscate your computer but they can't confiscate your thoughts.


Title: Re: brainwallet.io
Post by: lorylore on August 27, 2015, 06:52:21 PM
This is an update, thank you unchi, you are very kind. It's really hard to remember 12 different words of this kind.
What about to release an update for print :) a good design of the printed page?

That's a brilliant idea, and I will definitely implement it.  Thank you.

I like that you like my suggestion, fingers crossed for the next update. The activity of visitors will increase definitely.


Title: Re: brainwallet.io
Post by: prodigy8 on August 27, 2015, 08:12:50 PM
This is an update, thank you unchi, you are very kind. It's really hard to remember 12 different words of this kind.
What about to release an update for print :) a good design of the printed page?

That's a brilliant idea, and I will definitely implement it.  Thank you.

I like that you like my suggestion, fingers crossed for the next update. The activity of visitors will increase definitely.

UPDATE

Print button has been added!  It just prints out your keys and QR codes.  Plain and simple. 

The difference with bitaddress.org is that here it uses less printer ink. Keep it up


Title: Re: brainwallet.io
Post by: lorylore on August 27, 2015, 08:16:27 PM
This is an update, thank you unchi, you are very kind. It's really hard to remember 12 different words of this kind.
What about to release an update for print :) a good design of the printed page?

That's a brilliant idea, and I will definitely implement it.  Thank you.

I like that you like my suggestion, fingers crossed for the next update. The activity of visitors will increase definitely.

UPDATE

Print button has been added!  It just prints out your keys and QR codes.  Plain and simple.  

Awesome, one more suggestion i was thinking something like this:
https://i.imgur.com/kdKsny2.png


Title: Re: brainwallet.io
Post by: guitarplinker on August 27, 2015, 09:28:56 PM
Awesome, one more suggestion i was thinking something like this:
snip
He could probably add an option for a fancier image like that. I like how it is now, because like prodigy8 said, it uses very little ink when being printed compared to your suggested design.


Title: Re: brainwallet.io
Post by: lorylore on August 27, 2015, 09:38:49 PM
Awesome, one more suggestion i was thinking something like this:
snip
He could probably add an option for a fancier image like that. I like how it is now, because like prodigy8 said, it uses very little ink when being printed compared to your suggested design.

Ok then I think adding 2 buttons: 1st let be as it is now "Simple print" with a description that it uses little ink and the 2nd button with a design which use lots of ink inc. color. The design should be good even if the printer is black and white. This is just an idea so the OP can implement it.


Title: Re: brainwallet.io
Post by: prodigy8 on August 28, 2015, 08:17:58 PM
UPDATE

You should see some significant performance improvements now.  I am using a streamlined scrypt implementation that has a smaller memory footprint, resulting in faster wallet generation and better support for older hardware.

I can see the difference it is much faster than it was before. And try to keep the website simple and let us use less printer ink :)


Title: Re: brainwallet.io
Post by: ryanc on August 28, 2015, 09:07:40 PM
If you're going to print it, just use BIP38 paper wallets. If you're worried about it getting lost, make multiple copies.


Title: Re: brainwallet.io
Post by: lorylore on August 28, 2015, 09:23:51 PM
Awesome, one more suggestion i was thinking something like this:
snip
He could probably add an option for a fancier image like that. I like how it is now, because like prodigy8 said, it uses very little ink when being printed compared to your suggested design.

Ok then I think adding 2 buttons: 1st let be as it is now "Simple print" with a description that it uses little ink and the 2nd button with a design which use lots of ink inc. color. The design should be good even if the printer is black and white. This is just an idea so the OP can implement it.

Thanks for the suggestions. I will look into making the print page a little prettier, but I think I'd like to do it through CSS and avoid using images.

I think a great design something unique only for bitcoin addresses, yes avoiding images is good too, it can be sometimes not printed in the right way. I wish you good luck.


Title: Re: brainwallet.io
Post by: ryanc on August 28, 2015, 09:29:20 PM
The documentation on the website as to what algorithm brainwallet.io uses is inaccurate.

It says:

Quote
key = scrypt(passphrase, salt, N=2^18, r=8, p=1, dkLen=32)
keypair = generate_bitcoin_keypair(sha256(key))

It's actually:

Quote
key = hex(scrypt(passphrase, salt, N=2^18, r=8, p=1, dkLen=32))
keypair = generate_bitcoin_keypair(sha256(key))

Why are you using uncompressed keys?
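
Added example (not part of the post above and not brainwallet.io's own code): the documented derivation next to the corrected one from ryanc's post, carried through to a WIF private key so a wallet can be re-derived offline with only the Python standard library. The function names, the sample passphrase and salt, and the assumption that the hex string is lowercase are mine.

```python
import hashlib

# Parameters as stated in the thread: N = 2^18 = 262144, r = 8, p = 1, 32 bytes out.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 18, 8, 1, 32

# Order of the secp256k1 group; a valid private key lies in [1, order - 1].
SECP256K1_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def scrypt_key(passphrase: str, salt: str, n: int = SCRYPT_N) -> bytes:
    """Run scrypt with the thread's r, p and output length."""
    # scrypt needs roughly 128 * n * r bytes (256 MiB at n = 2^18). hashlib's
    # default maxmem is far lower, so it has to be raised or the call raises
    # ValueError.
    maxmem = 128 * SCRYPT_R * (n + SCRYPT_P + 2) + 2 ** 20
    return hashlib.scrypt(
        passphrase.encode("utf-8"),
        salt=salt.encode("utf-8"),
        n=n, r=SCRYPT_R, p=SCRYPT_P, maxmem=maxmem, dklen=DKLEN,
    )


def privkey_documented(passphrase: str, salt: str, n: int = SCRYPT_N) -> bytes:
    """sha256 over the raw 32 scrypt bytes, as the site documentation is quoted."""
    return hashlib.sha256(scrypt_key(passphrase, salt, n)).digest()


def privkey_actual(passphrase: str, salt: str, n: int = SCRYPT_N) -> bytes:
    """sha256 over the hex string of the scrypt output, as the post corrects it.

    Assumption: the hex string is lowercase ASCII. Uppercase hex would hash to
    a different key, so a recovery script has to match the site byte for byte.
    """
    hex_key = scrypt_key(passphrase, salt, n).hex()
    return hashlib.sha256(hex_key.encode("ascii")).digest()


def base58check(payload: bytes) -> str:
    """Base58Check: payload plus 4-byte double-SHA256 checksum, base58 encoded."""
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    num = int.from_bytes(data, "big")
    encoded = ""
    while num:
        num, rem = divmod(num, 58)
        encoded = B58_ALPHABET[rem] + encoded
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + encoded


def to_wif(privkey: bytes, compressed: bool = False) -> str:
    """Encode a 32-byte private key as mainnet WIF (uncompressed by default)."""
    if len(privkey) != 32 or not 0 < int.from_bytes(privkey, "big") < SECP256K1_ORDER:
        raise ValueError("not a valid secp256k1 private key")
    payload = b"\x80" + privkey + (b"\x01" if compressed else b"")
    return base58check(payload)


if __name__ == "__main__":
    # Constructed inputs, not a real wallet. The salt follows the thread's rule:
    # name, email, phone and DoB joined with no spaces.
    passphrase = "constructed example passphrase"
    salt = "AliceExamplealice@example.org555010001011990"
    actual = privkey_actual(passphrase, salt)
    print("documented derivation:", to_wif(privkey_documented(passphrase, salt)))
    print("actual derivation    :", to_wif(actual))
    print("actual, compressed   :", to_wif(actual, compressed=True))
```

The two derivations give unrelated keys, so a recovery script written from the documentation alone would not find the funds.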


Title: Re: brainwallet.io
Post by: Financisto on August 29, 2015, 03:18:55 PM
@unchi

Suggestion: show the generated private key also in compressed format.

You can get the code from bitaddress.org

This would be easy to implement, but I'm not sure if there would be enough demand for it.  I prefer to keep the website as simple as possible to avoid confusion.  What's the general consensus on this?



I guess it would be more like an add-on to your project.

Not an issue at all...

Some discussions about that: https://bitcointalk.org/index.php?topic=129652.0


Title: Re: brainwallet.io
Post by: ryanc on August 29, 2015, 08:48:46 PM
Why are you using uncompressed keys?

For compatibility.  

With what? It seems like pretty much all tools have been supporting compressed keys for quite some time.


Title: Re: brainwallet.io
Post by: Tstar on August 30, 2015, 07:40:35 AM
I seriously never paid attention to brainwallet and never knew what it is ..
but why would someone use the wallet, any significance ?


Title: Re: brainwallet.io
Post by: ryanc on August 30, 2015, 04:00:05 PM
For those of you complaining to people linking to my slides/blog posts about brainwallets - I'm currently testing support for brainwallet.io in brainflayer. My limited benchmarking gives an estimate of about 75k 750k passphrases guessed per dollar on Amazon EC2 spot instances.

Edit: I am bad at math.


Title: Re: brainwallet.io
Post by: lorylore on August 30, 2015, 04:07:37 PM
For those of you complaining to people linking to my slides/blog posts about brainwallets - I'm currently testing support for brainwallet.io in brainflayer. My limited benchmarking gives an estimate of about 75k passphrases guessed per dollar on Amazon EC2 spot instances.

I have read all of your slides and i was surprised,
We are thrilled to know the results at the end, i think it will be harder than brainwallet.org since brainwallet.io use salt???


Title: Re: brainwallet.io
Post by: ryanc on August 30, 2015, 05:40:53 PM
For those of you complaining to people linking to my slides/blog posts about brainwallets - I'm currently testing support for brainwallet.io in brainflayer. My limited benchmarking gives an estimate of about 75k passphrases guessed per dollar on Amazon EC2 spot instances.

Wow that's better than I thought it would be. Thanks for taking the time to do that. For comparison I'm curious to know the benchmark results for brainwallet.org. Could you provide that as well?  

Never mind, I saw in your presentation that the answer is 560 million passphrases per $1.

I would rephrase your benchmark statistic for brainwallet.io to say "75k passphrase-salt combinations per $1". You would spend a lot more than $1 trying to crack one passphrase because you would have to go through every possible salt.

"Better" as in you expected it to be more or less expensive? Cracking benchmarks are typically understood to imply the numbers are for a single salt, if salts are used.


Title: Re: brainwallet.io
Post by: Financisto on August 31, 2015, 01:46:23 AM
For those of you complaining to people linking to my slides/blog posts about brainwallets - I'm currently testing support for brainwallet.io in brainflayer. My limited benchmarking gives an estimate of about 75k passphrases guessed per dollar on Amazon EC2 spot instances.
Congratulations for also researching and testing this tool.

That's a positive effort and all community should benefit from it.


Title: Re: brainwallet.io
Post by: HostFat on August 31, 2015, 02:16:04 AM
For those of you complaining to people linking to my slides/blog posts about brainwallets - I'm currently testing support for brainwallet.io in brainflayer. My limited benchmarking gives an estimate of about 75k passphrases guessed per dollar on Amazon EC2 spot instances.
It would be interesting to change these settings to see which are enough to get near 1 passphrase per 1 dollar :) (or even lower)
N=2^18, r=8, p=1, dkLen=32


Title: Re: brainwallet.io
Post by: ryanc on August 31, 2015, 03:59:51 AM
For those of you complaining to people linking to my slides/blog posts about brainwallets - I'm currently testing support for brainwallet.io in brainflayer. My limited benchmarking gives an estimate of about 75k passphrases guessed per dollar on Amazon EC2 spot instances.
It would be interesting to change these settings to see which are enough to get near 1 passphrase per 1 dollar :) (or even lower)
N=2^18, r=8, p=1, dkLen=32

The issue is that a legitimate user has to spend the same amount of work as the cracker per passphrase, so there is a practical limit on how much work the KDF can do. With scrypt specifically, scrypt(N=2^18, r=8, p=1) uses 256MiB of memory - scrypt(N=2^20, r=8, p=1) would be 1GiB. If you wanted scrypt to take longer than that, I'd probably suggest something like PBKDF2(iter=64, prf=scrypt(N=2^20, r=8, p=1)) which would take several minutes to run and is probably close to the upper bound of what anyone is willing to put up with.

You could also force some extra randomness into this by generating say, four hex digits as part of the salt and telling the user to write it down. Lose the digits and you have to brute force them - time consuming but possible. The cracker, though, doesn't have them and has to try them all in addition to whatever other salt there is... 
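
Added example (not from the post above or from brainwallet.io): the suggestion of four random hex digits appended to the salt, with the owner-side recovery path for lost digits and a timing estimate for that search. The function names are hypothetical, and the stored fingerprint is an assumption standing in for comparing the derived address with the funded one.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

R, P, DKLEN = 8, 1, 32  # scrypt r, p and output length used in the thread


def derive(passphrase: str, salt: str, n: int) -> bytes:
    """scrypt, then sha256 over the lowercase hex string of the scrypt output."""
    maxmem = 128 * R * (n + P + 2) + 2 ** 20  # hashlib's default limit is too low
    key = hashlib.scrypt(passphrase.encode("utf-8"), salt=salt.encode("utf-8"),
                         n=n, r=R, p=P, maxmem=maxmem, dklen=DKLEN)
    return hashlib.sha256(key.hex().encode("ascii")).digest()


def fingerprint(privkey: bytes) -> str:
    """Check value for the demo (assumption); in practice compare addresses."""
    return hashlib.sha256(b"fingerprint:" + privkey).hexdigest()


def new_suffix(digits: int = 4) -> str:
    """Random hex digits from the OS CSPRNG, to be written down by the user."""
    return format(secrets.randbelow(16 ** digits), "0{}x".format(digits))


def recover_suffix(passphrase: str, salt: str, target: str,
                   n: int, digits: int = 4) -> Optional[str]:
    """Owner-side recovery: passphrase and salt are known, the digits are lost.

    Tries every suffix in order. Someone without the passphrase pays this
    16**digits factor again for every passphrase candidate they test.
    """
    for i in range(16 ** digits):
        suffix = format(i, "0{}x".format(digits))
        candidate = fingerprint(derive(passphrase, salt + suffix, n))
        if hmac.compare_digest(candidate, target):
            return suffix
    return None


def worst_case_hours(n: int, digits: int = 4) -> float:
    """Time one derivation on this machine and scale to the full suffix space."""
    start = time.perf_counter()
    derive("timing probe", "timing probe", n)
    per_try = time.perf_counter() - start
    return per_try * 16 ** digits / 3600.0


if __name__ == "__main__":
    # Constructed inputs. The demo search uses a small N and two digits so it
    # finishes quickly; the estimate uses the thread's N = 2^18 and four digits.
    passphrase, salt = "constructed example passphrase", "alice1234"
    suffix = new_suffix(digits=2)
    target = fingerprint(derive(passphrase, salt + suffix, n=2 ** 10))
    found = recover_suffix(passphrase, salt, target, n=2 ** 10, digits=2)
    print("generated suffix:", suffix, "recovered:", found)
    print("worst-case recovery at N=2^18, 4 digits: %.1f hours"
          % worst_case_hours(2 ** 18, digits=4))
```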


Title: Re: brainwallet.io
Post by: HostFat on August 31, 2015, 04:09:32 AM
It could be even more interesting to have an always updated website with the stats about the current costs of some/many configurations, so the user can choose which one he prefers.


Title: Re: brainwallet.io
Post by: ryanc on August 31, 2015, 04:44:16 AM
It could be even more interesting to have an always updated website with the stats about the current costs of some/many configurations, so the user can choose which one he prefers.

The user should still not be coming up with a password or passphrase themselves. If they use an actually random passphrase they can ensure it has enough actual entropy to not be cracked.

Tools like brainwallet.io and warpwallet are like giving clean needles to heroin addicts. Harm reduction. Heroin (brainwallet-like tools with user-generated passwords/passphrases) is bad, but we can at least make it slightly less bad...


Title: Re: brainwallet.io
Post by: Financisto on August 31, 2015, 05:39:29 AM

The same could be said about brainwallet.org.  It would be wise for anyone who is using a brainwallet to download a copy of the website that they can run on an offline computer, and to store the files in case the site goes down.  All of my source code can be found on GitHub, so even if brainwallet.io goes down, you can still access your funds.

Additionally, there is nothing I am doing that you couldn't do on your own.  Scrypt is a widely used key derivation function.  I am taking the output of the scrypt function and feeding it into the "classic" brainwallet algorithm. 

If you'd like to see for yourself, use this online scrypt generator:

http://kclnn.github.io/js-scrypt-async/test_scrypt_browser.html

And type in a passphrase and salt (where the salt is your name, email, phone, and DoB combined with no spaces), with parameters N=262144, r=8, p=1, and # of bytes = 32.

Then copy and paste the output into the brainwallet generator at https://bitaddress.org.

You will arrive at the same private key.
@unchi

Is that "test_scrypt_browser" (js_scrypt_async) your project?

That's an interesting (in-browser) implementation!


Title: Re: brainwallet.io
Post by: Financisto on August 31, 2015, 05:53:29 AM
Tools like brainwallet.io and warpwallet are like giving clean needles to heroin addicts. Harm reduction. Heroin (brainwallet-like tools with user-generated passwords/passphrases) is bad, but we can at least make it slightly less bad...

Heroin, eh?  That's pretty extreme.  I'd say it's more like riding a motorcycle.  Most people take caution and pay attention to their surroundings.  But there's always those idiots who speed through traffic without wearing a helmet.
Very extreme indeed.

I see brainwallets with weak passwords/passphrases like a newcomer pilot that only had piloted tiny Cessnas (https://en.wikipedia.org/wiki/Cessna_172) in his life and is gonna fly an Airbus 380 for the first time without prior specific training, i.e. he doesn't know anything about all the complexity surrounding that machine's operation.


Title: Re: brainwallet.io
Post by: ryanc on August 31, 2015, 07:19:40 AM
Heroin, eh?  That's pretty extreme.  I'd say it's more like riding a motorcycle.  Most people take caution and pay attention to their surroundings.  But there's always those idiots who speed through traffic without wearing a helmet.

I don't think most people - even people who think they're experts - really appreciate how good password cracking has gotten. I really didn't fully grasp what constitutes a good passphrase until I started attacking them. There is also a ton of bad advice in this space all over the internet, so we have lots of people who think they know what a good password/passphrase is, but don't really. I'm an expert and I don't even trust myself to come up with passwords or passphrases any more. I use a password manager to randomly generate individual passwords, and diceware passphrases - generated with casino dice - for full disk encryption, master passwords, gpg, etc. Real entropy is way better than imaginary entropy. It just takes a little effort to memorize.

As to motorcycles - I have several friends who have gotten pretty badly hurt. One lost part of his small intestine, another had his hip destroyed and the last ended up with brain damage and was in intensive care for weeks, then in recovery for a few more months. This is all despite good motorcycle armor (a helmet is nowhere near sufficient protection). Being in the wrong place at the wrong time can still destroy you.

Anyway, the reason for the heroin analogy (which seems to have come across as a little more extreme than I had intended) is because the advice on heroin should always be "Don't do it.". Needle exchanges exist because some people will do it anyway, and there is value in making it somewhat safer.

I'm glad brainwallet.org is dead. Tools like WarpWallet and brainwallet.io are a lot better. Using them with randomly generated passphrases is safe against all plausible attacks, so long as they are sufficiently long. Some organically chosen passphrases may be safe against most attacks, but it is far more difficult to predict the effectiveness of attacks against those, so it's best to assume they are dangerously weak.


Title: Re: brainwallet.io
Post by: lorylore on September 02, 2015, 03:18:25 PM
A 0.5 BTC bounty has been created for brainwallet.io.

The passphrase is "hello world".

https://www.reddit.com/r/Bitcoin/comments/3jd5qe/05_btc_bounty_at_brainwalletio_the_passphrase_is/

There are 3 kinds of salt right? Which one did you choose?
login info - personal info - generic
I tried some but it's just impossible for me, too much room to guess the salt


Title: Re: brainwallet.io
Post by: CIYAM on September 02, 2015, 03:20:35 PM
I tried some but it's just impossible for me, too much room to guess the salt

Duh - that is the entire point.

Your post reminds me of when I used the algo for CIYAM Safe to safely lock away 10 BTC with a small password (was only 5 or 6 characters from memory).

I had a bunch of young idiots asking "how to work out the salt" not understanding that the "salt" was the very point of the exercise (i.e. you ain't going to get the coins by guessing).

Funnily enough with all their hashing power they were unable to crack such a small password without my help (I basically had to give them all but one of the password characters before they could crack it and that was after around a week of them trying having been given the first three characters of the small password).

Also - strictly speaking it is not "salt" as that would be known to you in plain text (the more correct term is perhaps "pepper").


Title: Re: brainwallet.io **NEW 0.5 BTC BOUNTY***
Post by: lorylore on September 02, 2015, 04:00:31 PM
I tried some but it's just impossible for me, too much room to guess the salt

Duh - that is the entire point.

Your post reminds me of when I used the algo for CIYAM Safe to safely lock away 10 BTC with a small password (was only 5 or 6 characters from memory).

I had a bunch of young idiots asking "how to work out the salt" not understanding that the "salt" was the very point of the exercise (i.e. you ain't going to get the coins by guessing).

Funnily enough with all their hashing power they were unable to crack such a small password without my help (I basically had to give them all but one of the password characters before they could crack it and that was after around a week of them trying having been given the first three characters of the small password).

Also - strictly speaking it is not "salt" as that would be known to you in plain text (the more correct term is perhaps "pepper").


Yes, it's all about the idea what could the OP think what kind of words.
I tried some programming words as he was developing but none worked lol
unchi maybe should tell us more :P


Title: Re: brainwallet.io **NEW 0.5 BTC BOUNTY***
Post by: steveds on September 02, 2015, 05:02:57 PM
i have tried many brain wallet puzzles and have had no luck :(

good luck to the competitors this one should be interesting to watch it get decoded


Title: Re: brainwallet.io
Post by: ryanc on September 02, 2015, 06:12:36 PM
A 0.5 BTC bounty has been created for brainwallet.io.

The passphrase is "hello world".

https://www.reddit.com/r/Bitcoin/comments/3jd5qe/05_btc_bounty_at_brainwalletio_the_passphrase_is/

For the value of the prize, one should be able to make about eight to nine million guesses (~23 bits) using a bunch of spot instances (https://aws.amazon.com/ec2/purchasing-options/spot-instances/). If I want to use all the CPU on my computers at home for the rest of the month I can probably manage about a hundred million guesses (~27 bits) for about $50 worth of electricity (my marginal cost of electricity is about $0.35/kWh  :'().

I am not going to attempt this challenge - seems like a waste of electricity/money. If you want people to play, increase the bounty substantially and/or offer more information about the salt.


Title: Re: brainwallet.io **NEW 0.5 BTC BOUNTY***
Post by: lorylore on September 03, 2015, 10:21:41 AM
Unchi Which one did you choose? login info or personal info or generic salt?
If it is the last one at least tell us how many words are in total.
Still unbreakable, do you have any statistic in your server if anyone is bruteforcing it?


Title: Re: brainwallet.io **NEW 0.5 BTC BOUNTY***
Post by: lorylore on September 03, 2015, 02:52:07 PM
Unchi Which one did you choose? login info or personal info or generic salt?
If it is the last one at least tell us how many words are in total.
Still unbreakable, do you have any statistic in your server if anyone is bruteforcing it?

lorylore, there is no way for me to see who is attempting to brute force it. When you generate a brainwallet, whether you are using the website or running a script/program to brute force, no data is ever sent to my server.  The database that you are checking against is the blockchain.

I could tell you which salt I'm using, but the fact is that it still wouldn't matter.  The point of the bounty is to get people to think about the sheer magnitude of attempts that would be required to brute force it.  To give you an idea, if I had used just two words out of the dictionary, there would be 29,404,018,576 different combinations to go through.

Of course, it's still possible for it to be cracked, but you would have to be willing to spend an unreasonable amount of money, have a massive amount of CPU power available to you, or be incredibly lucky. 

To some people, it's obvious that this is impractical, and they think it's pointless.  To some people, they think it's a malicious way to trick people into wasting their time and money attempting to brute force it.  And to some people it's a learning experience, allowing them to understand the purpose and effect of having multiple salt options to choose from.  The latter is what I'm after.

I was thinking if the server cpu is loading to the maximum responding to the mass requests (if any)
Yes, i understand the point, maybe after a time you can help as i said before to find the salt
For me it is just impossible, good luck to others. Will keep time to time to check the address.


Title: Re: brainwallet.io **NEW 0.5 BTC BOUNTY***
Post by: ryanc on September 03, 2015, 03:22:41 PM
I could tell you which salt I'm using, but the fact is that it still wouldn't matter.  The point of the bounty is to get people to think about the sheer magnitude of attempts that would be required to brute force it.

Not really possible to estimate that until we see what the salt was.

To give you an idea, if I had used just two words out of the dictionary, there would be 29,404,018,576 different combinations to go through.

Very few people pick two random words out of the entire 171,476 word dictionary. An adult native English speaker with average vocabulary probably knows only 10% of those words. If they actually picked them at random (with dice or a computerized random number generator) as you suggest, out of 100 times (on average), in 81 instances they would not know either word, in 18 instances they would only know one word, and only in one instance would they know both. Tools for picking random words tend to have a list of only around 2,000 words, with the exception of diceware which has nearly 8,000 but is often criticized for having too many obscure words.

Crackers know this, and they will optimize by trying more likely (less complicated) things first.

Of course, it's still possible for it to be cracked, but you would have to be willing to spend an unreasonable amount of money, have a massive amount of CPU power available to you, or be incredibly lucky.  

Probably true, see my previous comment.

To some people, it's obvious that this is impractical, and they think it's pointless.  To some people, they think it's a malicious way to trick people into wasting their time and money attempting to brute force it.  And to some people it's a learning experience, allowing them to understand the purpose and effect of having multiple salt options to choose from.  The latter is what I'm after.

The thing is, if your tool became popular, it'd be unlikely for any particular person's wallet to be drained by thieves. What a thief will do is pre-build tables of salt and password/passphrase combinations and watch the network for transactions to the matching addresses. If they suspect someone in particular of having used brainwallet.io (which is different from classic brainwallets which are egregiously insecure - brainwallet.io is only kinda risky in comparison) they'll gather as much information as they can about that person and spend some time running a targeted attack based on what they know about them.

If you choose to use this tool, and do not generate a passphrase randomly, you are gambling against unknown odds. There will be an unknown number of attackers with an unknown amount of computing power at their disposal, and they'd love to take your money.
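
The search-space figures in the posts above, worked through as an added example that is not part of the thread. The word-list sizes, the 10% vocabulary figure and the rate of about 100 million guesses per $50 are the ones quoted by the posters; treating that rate as an attacker's cost per guess is an assumption made for illustration.

```python
import math

# Figures quoted in the thread; treating the home-electricity rate as the
# attacker's cost per guess is an assumption made for this example.
DICTIONARY_WORDS = 171_476               # full English dictionary
GUESSES_PER_DOLLAR = 100_000_000 / 50    # ~1e8 guesses for ~$50


def search_space(list_size, words):
    """Number of ordered picks (repeats allowed) of `words` from a list."""
    return list_size ** words


def bits(guesses):
    """Express a guess count as bits of work."""
    return math.log2(guesses)


def known_word_split(words, known_fraction):
    """P(the picker knows exactly k of the randomly drawn words), k = 0..words."""
    return [math.comb(words, k) * known_fraction ** k
            * (1 - known_fraction) ** (words - k) for k in range(words + 1)]


def average_cost_usd(list_size, words, guesses_per_dollar=GUESSES_PER_DOLLAR):
    """Cost to search half the space, the average case for a uniform pick."""
    return search_space(list_size, words) / 2 / guesses_per_dollar


def min_words(list_size, target_cost_usd, guesses_per_dollar=GUESSES_PER_DOLLAR):
    """Fewest random words whose average search cost reaches the target."""
    words = 1
    while average_cost_usd(list_size, words, guesses_per_dollar) < target_cost_usd:
        words += 1
    return words


if __name__ == "__main__":
    for size in (2_000, 8_000, DICTIONARY_WORDS):
        for n in (2, 4, 12):
            space = search_space(size, n)
            print(f"{n:2d} words from {size:>7,}: {bits(space):6.1f} bits, "
                  f"average cost ${average_cost_usd(size, n):,.0f}")
```

Under these assumptions, two words from a 2,000-word list sit at about 22 bits, below the ~23 bits of guessing the earlier post prices at the value of the bounty.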


Title: Re: brainwallet.io **NEW 0.5 BTC BOUNTY***
Post by: Financisto on September 03, 2015, 10:18:36 PM
Congratulations for this bounty challenge initiative!

It's an important tool for future security improvements and a good way to get more code auditing.

I'd suggest that you put half the prize in the brainwallet and expect contact from the winner. After that you can show and publish the cracker's brute-force technique and then the other half should be sent to him privately.

*edited

BTW here goes an interesting experiment: https://1209k.com/brainv2/ (https://1209k.com/brainv2/)


Title: Re: brainwallet.io **NEW 0.5 BTC BOUNTY***
Post by: ryanc on September 04, 2015, 04:15:32 AM
BTW here goes an interesting experiment: https://1209k.com/brainv2/ (https://1209k.com/brainv2/)

Wow, the construction that uses is convoluted. Also, a challenge is mentioned - it was spent after about 10 days.

Edit: Ah, I see why it got taken so fast. This algorithm is very GPU friendly - computing the meaty part of it can be done in parallel with up to 16384 GPU cores with 8MiB of memory each, and the first and last pass can go up to 64 cores with 2MiB memory each.


Title: Re: brainwallet.io
Post by: Financisto on September 10, 2015, 04:40:44 AM
@unchi

How many characters are allowed at passphrase field? Is there a specific length limit?

I couldn't find that info while reading your code.


Title: Re: brainwallet.io
Post by: lorylore on September 10, 2015, 11:14:39 AM
@unchi

How many characters are allowed at passphrase field? Is there a specific length limit?

I couldn't find that info while reading your code.

I tried with 1,755,952 characters and it worked fine.
I think it is just enough for a passphrase ~2million characters.
It just freeze my browser copying and pasting these characters lol :)


Title: Re: brainwallet.io
Post by: prodigy8 on September 10, 2015, 02:21:52 PM
One thing I haven't mentioned yet is that the passphrase text field supports multi-line text.  This provides a small amount of additional entropy to your passphrase.

So, this passphrase:
Code:
hello world

results in a different bitcoin address than this:
Code:
hello
world


This could also help make it easier to memorize a 12 word mnemonic, by splitting it into 4 lines, for example:

Code:
children park tight
especially blade odd
goal spider everything
slightly unless collapse

Let's search for a music lyrics (Eminem :P) in youtube and paste it in the salt :) Isn't that a good idea :P, well protected.


Title: Re: brainwallet.io
Post by: Financisto on October 02, 2015, 08:36:24 PM
That was a real challenge...

I guess you need to take it easy next time...


Title: Re: brainwallet.io
Post by: TheButterZone on October 05, 2015, 06:12:10 PM
brainwallet.io 50,000 bit giveaway:

https://www.reddit.com/r/Bitcoin/comments/3nlfib/brainwalletio_50000_bit_giveaway/

Already taken.


Title: Re: brainwallet.io
Post by: fuckthesystem on January 04, 2016, 06:22:57 PM
One thing I haven't mentioned yet is that the passphrase text field supports multi-line text.  This provides a small amount of additional entropy to your passphrase.

So, this passphrase:
Code:
hello world

results in a different bitcoin address than this:
Code:
hello
world


This could also help make it easier to memorize a 12 word mnemonic, by splitting it into 4 lines, for example:

Code:
children park tight
especially blade odd
goal spider everything
slightly unless collapse

Doesn't this introduce incompatibility problems due to the different Windows and UNIX/OSX end of line character(s) standards?
It looks like users are going to want an option to set the EOL standard used.
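
The end-of-line concern raised above, as an added example that is not part of the thread or of brainwallet.io's code. It uses a generic scrypt derivation rather than the site's exact construction: the cost parameter is reduced from the 262,144 stated earlier in the thread so it runs quickly, and `r`, `p`, the key length, the salt value and all function names are assumptions.

```python
import hashlib

DEMO_N = 2 ** 12   # reduced scrypt cost for a fast demo (assumption)
EOLS = {"LF": "\n", "CRLF": "\r\n", "CR": "\r"}


def derive_key(passphrase, salt, n=DEMO_N):
    """scrypt over the exact UTF-8 bytes; every byte, EOL included, counts."""
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt.encode("utf-8"),
                          n=n, r=8, p=1, maxmem=256 * n * 8, dklen=32)


def canonicalize(passphrase):
    """Map CRLF and lone CR to LF so every platform hashes the same bytes."""
    return passphrase.replace("\r\n", "\n").replace("\r", "\n")


def with_eol(passphrase, eol):
    """Rewrite a passphrase with one specific end-of-line convention."""
    return canonicalize(passphrase).replace("\n", eol)


def find_eol_variant(passphrase, salt, expected_key):
    """Recovery aid: which EOL convention reproduces a key made elsewhere?"""
    for name, eol in EOLS.items():
        if derive_key(with_eol(passphrase, eol), salt) == expected_key:
            return name
    return None


if __name__ == "__main__":
    salt = "constructed-salt"   # constructed sample value
    for label, text in [("space", "hello world"), ("LF", "hello\nworld"),
                        ("CRLF", "hello\r\nworld")]:
        print(f"{label:5s} {derive_key(text, salt).hex()[:16]}")
    made_on_windows = derive_key("hello\r\nworld", salt)
    print("matches:", find_eol_variant("hello\nworld", salt, made_on_windows))
```

An implementation that canonicalizes before the KDF removes the ambiguity; one that hashes raw bytes needs the recovery check when a multi-line passphrase moves between platforms.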


Title: Re: brainwallet.io
Post by: Dabs on May 16, 2016, 02:34:33 AM
I want a version that spits out compressed keys. The private keys that begin with the letter K or L instead of the number 5.


Title: Re: brainwallet.io
Post by: Financisto on May 16, 2016, 08:46:37 AM
^^ That's a good request. +1


Title: Re: brainwallet.io
Post by: Dabs on May 17, 2016, 01:52:41 AM
^^ That's a good request. +1
I made the same request from the WarpWallet guys in 2014 but they said they were too busy. Maybe someone else can follow them up. Compressed keys. (They don't have a thread here on bitcointalk.)


Title: Re: brainwallet.io
Post by: Financisto on May 17, 2016, 06:28:41 AM
Dabs, you're such a lucky guy!  ;D

When I last contacted those guys last year, they were supposed to be so busy that they didn't even bother replying to my msg...  :-\


Title: Re: brainwallet.io
Post by: Dabs on May 17, 2016, 03:43:42 PM
Oh, I emailed them twice. About a month apart. They replied to my second email. (I may have sent the first email to a wrong address or encrypted to wrong GPG.)


Title: Re: brainwallet.io
Post by: TheButterZone on May 23, 2016, 07:49:02 PM
I want a version that spits out compressed keys. The private keys that begin with the letter K or L instead of the number 5.

This would be easy to implement, and I understand why this is a desired function.  However, I prefer not to add more options that add to the complexity.  It may seem minimal to seasoned bitcoiners, but I worry that newcomers may be scared away by any additional options that they have to choose from.  The truth is, I should have used compressed keys to begin with, and now it's too late to change.

Now, if you just want to be able to do it for yourself, you can easily make it spit out compressed keys by modifying line 1246 of the html file:

var gen_compressed = false;

Just change "false" to "true".

Forked with that 1 change: https://github.com/TheButterZone/brainwallet.io


Title: Re: brainwallet.io
Post by: Dabs on August 26, 2016, 03:08:04 AM
Since someone bumped this thread, I just thought to mention, that if I can memorize 1 million characters, I might as well memorize the raw private key. Really, anything over a hundred characters is overkill. I'ma just randomly generate 40+ alpha numeric characters and memorize that. 60+ chars if case insensitive (or all one case).

Just don't use the first 60 digits of pi because everyone already has that memorized. I only memorize the first 17 digits because that's all any NASA scientist ever needs. (They use 15~16 for GPS calculations and everything within this solar system.)


Title: Re: brainwallet.io
Post by: Dabs on August 28, 2016, 03:49:33 AM
I would not recommend memorizing 40 alphanumeric characters.  Not only do I think it's overkill, but it's also dangerous because you could easily forget it.

You would be better off memorizing 12 random words, which is plenty secure and easier to remember.

Good idea.

Government Agent: "Please tell me your brain wallet password!!!"
Me: "I'm sorry, I forgot! It was 64 characters."

Actually, my use case for stuff like this is to have the characters printed out on paper. It's not a "brain" wallet anymore though.


Title: Re: ---
Post by: Financisto on November 03, 2016, 02:12:19 AM
What happened to the OP and thread's subject?


Title: Re: ---
Post by: Dabs on November 03, 2016, 05:09:13 AM
Seems he killed it around last month.... Actually, it seems he deleted all his posts, like he "banned" himself or something. And his email changed recently.


Title: Re: ---
Post by: Financisto on November 03, 2016, 05:11:54 AM
Seems he killed it around last month.... Actually, it seems he deleted all his posts, like he "banned" himself or something.
A very strange fact.

In fact his projects rock and they're still online.