|
Title: Researchers describe a way of hacking Brain Wallet Post by: honeysyd on February 14, 2016, 09:30:57 AM I am not an expert of encryption, so I do not fully understand the following article. However, it seems very interesting that some researchers demonstrated a way of hacking BTC private keys in a security conference in Las Vegas, US.
https://www.cryptocoinsnews.com/researchers-describe-easy-way-crack-bitcoin-wallet-passwords/ Any opinion on this? If it is true, the bitcoin price would plummet soon. Title: Researchers describes a way of hacking brain wallets with weak pass phrases Post by: Lauda on February 14, 2016, 09:43:49 AM Please change the thread title as this is FUD and misleading. Researcher have found a way to crack brain wallets with weak pass phrases. What an amazing revelation. ::) You can compare this to the people who are using "123456" as a password for their accounts. Bitcoin private keys are not hackable at this date. The article is misleading, such a shame.
Keep in mind that the main Bitcoin implementation, Bitcoin Core does not have these kinds of wallets. Title: Re: Is it true? Researchers describes a way of hacking BTC private key Post by: watashi-kokoto on February 14, 2016, 09:44:59 AM The subject of this article is so called Brain Wallet. The use of Brain Wallet has never been recommended by Bitcoin project.
The users of Brain Wallet do it at their own risk and the security of the scheme inherently suffers because it is difficult for people to remember long enough passwords to guarantee same level security as a long password written on a piece of paper or stored in a computer memory. The cryptography technologies that need to be broken in order to Bitcoin to be broken are the following: RIPEMD160 SHA256 ECDSA / KOBLITZ As of today they are all unbroken and there is no vulnerability in the Bitcoin Core software. Title: Re: Is it true? Researchers describes a way of hacking BTC private key Post by: franky1 on February 14, 2016, 09:52:32 AM quote from similar topic due to relevance
I don't see how it's possible to crack such a sophisticated password as what you say you used. You are talking about a 256 bit + password. This password cannot be cracked in any practical amount of time. a brain wallet is where you choose the words(password).. and most of the time brain wallet users choose between 1-6 common words that are part of a known phrase.. a seed wallet is where 12-20 RANDOM and UNCOMMON words are used. the article stated Quote checked a trillion passwords and recovered 18,000 brain wallets that is a 0.0000018% success rate.now although there are 171,000 words in the dictionary. its estimated that only 3500 words are used commonly. so imagine the password is 1 common word. thats a 1 in 3500 chance of a hit. so imagine the password is 2 common words. thats a 1 in 12,250,000 chance of a hit.(3500 x 3500) so imagine the password is 3 common words. thats a 1 in 42,875,000,000 chance of a hit.(12,250,000 x 3500) som brute forcers know that even in the 3500 common words, some are not used, so they could get the odds down. they also know that when using more than 3 words its more likely that a sentance structure was used (phrase or quote) so they know what words naturally follow grammatical structure and what words dont naturally follow each other in a sentance. so although the odds of having 12 common words can be upto: 1 in 3379220508056640000000000000000000000000000 chance. brute forcers can reduce that down to: 1 in 1000000000000000000000000000000000000 chance. just by employing some grammatical rules to cut down on the variations possible. which is still extreme for 12 word sentence.. but. its highly important to not use sentances/quotes that follow grammatical rules. it is also important to not use the 3500 common words. that way 12 random non common words can be: 1 in 3138428376721000000000000000000000000000000000000000000000000 chance. so in short a brain wallet of 3 common words is: 1 in 42875000000 chance so a seed of 12 random and uncommon words is: 1 in 3138428376721000000000000000000000000000000000000000000000000 chance. Title: Re: Is it true? Researchers describes a way of hacking BTC private key Post by: bitbaby on February 14, 2016, 09:54:07 AM Cracking brain wallets with weak pass phrases is same as cracking online accounts such as email/social-media/etc, which is why brain wallets are not recommended. Who ever tells you that bitcoin private keys can be cracked, tell them to go ahead and do it, instead of telling you.
Title: Re: Is it true? Researchers describes a way of hacking BTC private key Post by: mirana12345 on February 14, 2016, 09:55:13 AM This is a very poor journalism at the best. I would not bother myself with trusting how it will have any affect on the price, or anything else for that matter.
If bitcoin private keys would to be easily crackable - don't you think someone would take satoshi's coins already ? It's just created to spread FUD , ignore it. Title: Re: Is it true? Researchers describes a way of hacking BTC private key Post by: n691309 on February 14, 2016, 09:55:59 AM There are many ways to hack maybe the private keys but it will take tons of years until a result will come (bruteforcing)
Title: Re: Is it true? Researchers describes a way of hacking BTC private key Post by: franky1 on February 14, 2016, 10:04:22 AM This is a very poor journalism at the best. I would not bother myself with trusting how it will have any affect on the price, or anything else for that matter. If bitcoin private keys would to be easily crackable - don't you think someone would take satoshi's coins already ? It's just created to spread FUD , ignore it. the article was titled: Quote Researchers Describe an Easy Way to Crack Bitcoin Brain Wallet Passwords NOT: cracking ECDSA based private keys derived from random data. but geeks know the difference. yet laymen / common folk that are just bitcoin users not computer geeks dont know the difference and will think bitcoin is broken Title: Re: Is it true? Researchers describes a way of hacking BTC private key Post by: ATguy on February 14, 2016, 10:36:39 AM This is a very poor journalism at the best. I would not bother myself with trusting how it will have any affect on the price, or anything else for that matter. If bitcoin private keys would to be easily crackable - don't you think someone would take satoshi's coins already ? It's just created to spread FUD , ignore it. I think it is standard practice to use eye catching sentences in journalism so people get initial interest in reading further. So its not created to spread FUD, but to get as much reads as possible. Pretty standard. But it surprises me they were able to obtain 18 000 wallet access, seems brain wallets are popular even though everywhere not recommended to use with weak phrasses. Title: Re: Is it true? Researchers describes a way of hacking BTC private key Post by: Denker on February 14, 2016, 10:58:37 AM I am not an expert of encryption, so I do not fully understand the following article. However, it seems very interesting that some researchers demonstrated a way of hacking BTC private keys in a security conference in Las Vegas, US. https://www.cryptocoinsnews.com/researchers-describe-easy-way-crack-bitcoin-wallet-passwords/ Any opinion on this? If it is true, the bitcoin price would plummet soon. No no.Hacking a brain wallet with a weak password and trying to hack a private key are completely different things!! Bitcoin is very secure.It's up to you what kind of wallets you use and how strong the password is. Please don't mix these things up!! Title: Re: Is it true? Researchers describes a way of hacking BTC private key Post by: franky1 on February 14, 2016, 11:02:52 AM This is a very poor journalism at the best. I would not bother myself with trusting how it will have any affect on the price, or anything else for that matter. If bitcoin private keys would to be easily crackable - don't you think someone would take satoshi's coins already ? It's just created to spread FUD , ignore it. I think it is standard practice to use eye catching sentences in journalism so people get initial interest in reading further. So its not created to spread FUD, but to get as much reads as possible. Pretty standard. But it surprises me they were able to obtain 18 000 wallet access, seems brain wallets are popular even though everywhere not recommended to use with weak phrasses. its because once there are millions of people using bitcoin and not everyone is a computer expert, alot of people want something as easy to use or understand as things like paypal. wrong i know. but thats how the real world works. some of the novices believe that if there is such thing as a brain wallet it must has some basic security otherwise its useless and not worth offering. so they overly trust that its secure because its available and popular. its important to learn the fundementals using the most basic small word sentences of 6 words EG "using this and you will lose" 1 in 15625000000000000 using the most basic small word sentences of 12 words "if you are using these words you will be hacked i promise" 1 in 244140625000000000000000000000000 using the standard common longer word sentences of 12 words "suddenly increasing entropy should multiply security protection against bruteforce related hacking attempts" 1 in 1000000000000000000000000000000000000 using random and uncommon words with no sentence structure of 12 words "amphibology prosopagnosia umbriferous doryphore breatharian criticaster martlet paludal labarum illywhacker gasconade etui" 1 in 3138428376721000000000000000000000000000000000000000000000000 chance though the 18000 wallets were using far less than 12 words. and not as random and uncommon as they would think.. so 12-20 random/uncommon words is stronger. its important that its not small common words and important that its not a sentence structure/quote. Title: Re: Is it true? Researchers describes a way of hacking BTC private key Post by: odolvlobo on February 14, 2016, 11:27:25 AM One of the reasons it is so easy to crack brain wallets is that everyone uses SHA-256 to hash the phrase. SHA-256 is designed to be fast. You could make it a million times more difficult by using a more appropriate hash function such as bcrypt, which is designed for hashing passwords.
Title: Re: Is it true? Researchers describes a way of hacking BTC private key Post by: bob123 on February 14, 2016, 11:29:24 AM Private keys cant be "hacked" yet.
Weak passwords could always (and always be) easily hackable. Title: Re: Is it true? Researchers describes a way of hacking BTC private key Post by: Redrose on February 14, 2016, 11:32:14 AM This is a common practice to use misleading titles in articles if this is particularly "attractive", like this one in the press world.
Title: Re: Is it true? Researchers describes a way of hacking BTC private key Post by: gkv9 on February 14, 2016, 11:37:33 AM There was even a website that was called to be a directory where you can find a private key for any address and hack it...
Do you really think those addresses were real, or were ever put any coins in them??? Also, it would take a lot of computational power to even find a specific address if you go through a website analyzing process... Title: Re: Is it true? Researchers describes a way of hacking BTC private key Post by: Mickeyb on February 14, 2016, 11:42:08 AM There was even a website that was called to be a directory where you can find a private key for any address and hack it... The directory was real, along with the addresses the private keys were connected to, but did you view the number of those rows and pages? Now consider finding your address in one of those ::)Do you really think those addresses were real, or were ever put any coins in them??? Also, it would take a lot of computational power to even find a specific address if you go through a website analyzing process... OP is either a ignorant fool, or someone who thinks he just discovered a new thing, that passwords can be hacked and they are somehow what private keys are made of ;D Seriously, even the link shows its brain wallet passwords Title: Re: Is it true? Researchers describes a way of hacking BTC private key Post by: BitcSeo on February 14, 2016, 12:00:22 PM I also believe is impossible to crack or hack Private Key but, for the sake of curiosity how do most hacker's manage to break into most btc exchange site to steal coins?
Thanks Title: Re: Is it true? Researchers describes a way of hacking BTC private key Post by: AliceWonderMiscreations on February 14, 2016, 12:04:28 PM This is why I use qwerty123 instead of just qwerty - the latter is too easy to guess.
For my brain wallets of high value I just add a 4 or maybe also a 5. Title: Re: Is it true? Researchers describes a way of hacking BTC private key Post by: Lauda on February 14, 2016, 12:12:08 PM I also believe is impossible to crack or hack Private Key but, for the sake of curiosity how do most hacker's manage to break into most btc exchange site to steal coins? It is not possible to do so, stop posting nonsense. They break into the exchange itself via various methods (e.g. social engineering) and others are just operations from the inside. Thanks For my brain wallets of high value I just add a 4 or maybe also a 5. The best solution is to not use brain wallet at all if not necessary.OP is either a ignorant fool, or someone who thinks he just discovered a new thing, that passwords can be hacked and they are somehow what private keys are made of ;D Seriously, even the link shows its brain wallet passwords The article itself is misleading. I'm not even surprised though.This is a common practice to use misleading titles in articles if this is particularly "attractive", like this one in the press world. Title: Re: Is it true? Researchers describes a way of hacking BTC private key Post by: franky1 on February 14, 2016, 12:15:29 PM I also believe is impossible to crack or hack Private Key but, for the sake of curiosity how do most hacker's manage to break into most btc exchange site to steal coins? Thanks they dont.. ... often the admin of the website is usually the culprit who then shifts the blame to someone else to hide his own ill intentions. that said hackers do hack websites. but sometimes (especially in btc exchanges) its an inside job. once your inside by either owning the service or hacking. its as simple as 'send to' to move the funds.. its not like you have to brute force the login and then brute force encryption and then brute force private keys.. some sites just need to get passed the login and then the world is your oyster Title: Re: Is it true? Researchers describes a way of hacking BTC private key Post by: tobacco123 on February 14, 2016, 12:16:40 PM If private key can be hacked, then that will be the end of bitcoin.
Come, hack this address : 1FeexV6bAHb8ybZjqQMjJrcCrHGW9sb6uF Title: Re: Is it true? Researchers describes a way of hacking BTC private key Post by: lister storm on February 14, 2016, 12:16:50 PM it is impossible to hack a wallet with a good password, i dont think that they found out something new
Title: Re: Is it true? Researchers describes a way of hacking BTC private key Post by: Mickeyb on February 14, 2016, 12:22:46 PM it is impossible to hack a wallet with a good password, i dont think that they found out something new This guy from yobit knows everything, and we were all thinking addresses are made with random private keys, nope we use "good passwords"Title: Re: Is it true? Researchers describes a way of hacking BTC private key Post by: Anddos on February 14, 2016, 12:52:20 PM Such threads are pointless and only create panic and discomfort.
Title: Re: Is it true? Researchers describes a way of hacking BTC private key Post by: AliceWonderMiscreations on February 14, 2016, 12:57:07 PM Private keys can be hacked if you pRNG is flawed.
In fact I believed it happened with the Android bitcoin client where actual value was stolen as a result. Flawed pRNG is analogous to a brain wallet but you are not likely to know your pRNG is flawed until it is disclosed by a security researcher. Title: Re: Is it true? Researchers describes a way of hacking BTC private key Post by: AliceWonderMiscreations on February 14, 2016, 12:58:34 PM Such threads are pointless and only create panic and discomfort. The bliss of ignorance is much better. Title: Re: Is it true? Researchers describes a way of hacking BTC private key Post by: franky1 on February 14, 2016, 12:58:54 PM If private key can be hacked, then that will be the end of bitcoin. Come, hack this address : 1FeexV6bAHb8ybZjqQMjJrcCrHGW9sb6uF vanity addresses are easier to hack compared to totally random addresses.. imagine it. if it only took you half an hour for the owner to gen that address.. it wont take long for someone else to follow the same steps. some of the flaws of vanity address is that some coders base it from the same starting nonce(not random initially).. so others can follow the same steps. vanity addresses have more entropy than a brain wallet. but not as much as totally random Title: Re: Is it true? Researchers describes a way of hacking BTC private key Post by: NorrisK on February 14, 2016, 01:02:18 PM This type of news is just spreading fear to people who are not familiar with the technology. Although it may make them think twice about the type of seed they use (not made up yourself), it is still confusing for most.
It is an idditional reason I like the system of a trezor for instance. 20 random words you have no control over to pick and in addition you can add a password or as many passwords to it which act like a salt at the end of your seed for every private key derived from the seed. If you spread your coins around multiple added salts it is basically impossible to crack. (they'd have to guess the 20 words correctly and than a completely unrelated and random salt, good luck). Title: Re: Is it true? Researchers describes a way of hacking BTC private key Post by: xqus on February 14, 2016, 01:07:47 PM If private key can be hacked, then that will be the end of bitcoin. Come, hack this address : 1FeexV6bAHb8ybZjqQMjJrcCrHGW9sb6uF vanity addresses are easier to hack compared to totally random addresses.. imagine it. if it only took you half an hour for the owner to gen that address.. it wont take long for someone else to follow the same steps. some of the flaws of vanity address is that some coders base it from the same starting nonce(not random initially).. so others can follow the same steps. vanity addresses have more entropy than a brain wallet. but not as much as totally random That is true, but not that easy. It's not like since it took half an hour to generate an address with for example the first 4 characters predefined, it will take a looooooooooot longer to generate they key for one specific address. Title: Re: Is it true? Researchers describes a way of hacking BTC private key Post by: Pursuer on February 14, 2016, 01:13:14 PM for the love of god some mod change this topic's topic!
OP is spreading FUD (with or without purpose) with only removing a simple word of "Brainwallet" from the news. there is a lot of new users that are going to panic by reading this stuff and the article on cryptocoinsnews itself does not help either, they don't care as long as they receive traffic to their news site. Title: Re: Is it true? Researchers describes a way of hacking BTC private key Post by: franky1 on February 14, 2016, 01:24:14 PM If private key can be hacked, then that will be the end of bitcoin. Come, hack this address : 1FeexV6bAHb8ybZjqQMjJrcCrHGW9sb6uF vanity addresses are easier to hack compared to totally random addresses.. imagine it. if it only took you half an hour for the owner to gen that address.. it wont take long for someone else to follow the same steps. some of the flaws of vanity address is that some coders base it from the same starting nonce(not random initially).. so others can follow the same steps. vanity addresses have more entropy than a brain wallet. but not as much as totally random That is true, but not that easy. It's not like since it took half an hour to generate an address with for example the first 4 characters predefined, it will take a looooooooooot longer to generate they key for one specific address. if the original owner of 1FeexV6bAHb8ybZjqQMjJrcCrHGW9sb6uF used a dodgy vanitygen that had a nonce that started at 0 then for someone else, they too can use that same program and generate it in the same time. however if the original owner of 1FeexV6bAHb8ybZjqQMjJrcCrHGW9sb6uF used a good vanitygen that had a nonce that started at RANDOM+X then for someone else, just to find 1Feex would give for examlple 1FeexGFqW9sb6uQMjJrcV6bAHb8ybZjCrH 1FeexqW9sb6uQMbZjCrHG6bAHbFjJrcV8y 1FeexQMbZjCqW6urH9sbAH8ybFjJrcVG6b over an hour and a half period. and it would take YEARS (even grand children would be pensioners) by the time they happen upon 1FeexV6bAHb8ybZjqQMjJrcCrHGW9sb6uF depending ofcourse on how much entropy RANDOM was Title: Re: Researchers describe a way of hacking Brain Wallet Post by: AliceWonderMiscreations on February 14, 2016, 01:57:07 PM When I generated vanity addresses, I just read from /dev/urandom until private key resulting from hashing the data gave me the address I wanted.
Actually what I did is put every address into a database and then looked through the database containing millions of addresses until I found ones that looked neat. I doubt they can be cracked any easier than non vanity addresses. The 25 byte hex address has nothing about it that is vanity, and that's what has to be cracked. Well, the ripemd160 part of it. Title: Re: Is it true? Researchers describes a way of hacking BTC private key Post by: jonald_fyookball on February 14, 2016, 03:41:51 PM Cracking brain wallets with weak pass phrases is same as cracking online accounts such as email/social-media/etc, which is why brain wallets are not recommended. Who ever tells you that bitcoin private keys can be cracked, tell them to go ahead and do it, instead of telling you. actually its worse. With online accounts, you can slow down the number of attempts with captchas, IP blocking, etc. But with private keys, you are free to throw as much computing power at it as you want. That is one reason that extra care should be taken with Bitcoin. Title: Re: Is it true? Researchers describes a way of hacking BTC private key Post by: jonald_fyookball on February 14, 2016, 03:45:56 PM Private keys can be hacked if you pRNG is flawed. In fact I believed it happened with the Android bitcoin client where actual value was stolen as a result. Flawed pRNG is analogous to a brain wallet but you are not likely to know your pRNG is flawed until it is disclosed by a security researcher. Thats why the ultimate form of cold storage involves generating physical entropy to eliminate this attack vector. Title: Re: Is it true? Researchers describes a way of hacking BTC private key Post by: AliceWonderMiscreations on February 14, 2016, 04:08:35 PM Private keys can be hacked if you pRNG is flawed. In fact I believed it happened with the Android bitcoin client where actual value was stolen as a result. Flawed pRNG is analogous to a brain wallet but you are not likely to know your pRNG is flawed until it is disclosed by a security researcher. Thats why the ultimate form of cold storage involves generating physical entropy to eliminate this attack vector. Physical entropy is also sometimes not very random. I have no clue about windows, but /dev/random on Linux is a blocking entropy pool and the problems in Linux usually come from /dev/urandom being used fresh after install without enough of a seed because the install is fresh. The distributions often use /dev/urandom because they don't want users to have to be forced to wait - waiting can be a problem for example when generating the ssh keys on first boot. /dev/urandom is probably good enough for short term one use keys but long term like ssh keys, TLS keys for x509 certs, and bitcoin private keys really should be using /dev/random even if it means the user has to wait because there's not enough entropy. Bigger problem on servers where there isn't keyboard / mouse / sound card. Title: Re: Researchers describe a way of hacking Brain Wallet Post by: European Central Bank on February 14, 2016, 04:11:13 PM They're hacking human dumbness. That's way more predictable and less secure than anything genuinely randomly generated.
Title: Re: Researchers describe a way of hacking Brain Wallet Post by: AliceWonderMiscreations on February 14, 2016, 04:20:04 PM It wastes entropy but since I run haveged not really a problem - this is what I actually do when generating a private key outside my wallet
Code: def randomHexAlphabet(): I can generate any hex string a byte at a time and since there is activity between generation of each byte (the shuffling of the hex alphabet), the read from /dev/random is not sequential. EDIT The %256 isn't needed, it will always be the last byte of the two bytes read from the md5sum. Things you don't see until you read it outside of a text editor... Title: Re: Researchers describe a way of hacking Brain Wallet Post by: Kakmakr on February 15, 2016, 06:05:23 AM We all know this is BS, but the average Joe do not know this and we need to stop this kind of reporting. We should have a army of people spreading the truth about Bitcoin and creating articles to counter this FUD. We can complain in forums like this, but it will not reach the average Joe.
Our strategy should be to create more positive content than negative content to a ratio of 5 : 1 Title: Re: Is it true? Researchers describes a way of hacking BTC private key Post by: Amph on February 15, 2016, 08:23:14 AM Private keys can be hacked if you pRNG is flawed. In fact I believed it happened with the Android bitcoin client where actual value was stolen as a result. Flawed pRNG is analogous to a brain wallet but you are not likely to know your pRNG is flawed until it is disclosed by a security researcher. they should use a hardware random number generator instead, since it much more akin to a real casual generation than anything else Title: Re: Is it true? Researchers describes a way of hacking BTC private key Post by: AliceWonderMiscreations on February 15, 2016, 08:41:40 PM Private keys can be hacked if you pRNG is flawed. In fact I believed it happened with the Android bitcoin client where actual value was stolen as a result. Flawed pRNG is analogous to a brain wallet but you are not likely to know your pRNG is flawed until it is disclosed by a security researcher. they should use a hardware random number generator instead, since it much more akin to a real casual generation than anything else The android problem I believe was caused by using non blocking entropy source instead of blocking entropy source. Long term keys should always use /dev/random and /dev/urandom should be used for short term session keys. Android does some java wrapper to access the kernel entropy pool and if I remember it wasn't obvious how to make it use the blocking instead of non-blocking. With Linux anyway, you can have a hardware entropy source feed /dev/random so that's what programmers should read entropy from, it is up to the hardware admin whether or not an external entropy source helps to feed it. Smart phones obviously don't have that. PCs I believe there are some that use USB that easily connect but I've never used them. And with Linux it saves unused entropy as a seed so using /dev/urandom is usually safe if the system install is not fresh but I believe the java layer thing in Android did not do that. I don't do mobile apps but I believe what happened with Android is the java layer always uses /dev/urandom but Android doesn't save the seed from unused entropy so you had to specifically seed it before using it and the android bitcoin client (and browsers for tls connections) didn't. Title: Re: Researchers describe a way of hacking Brain Wallet Post by: honeysyd on February 17, 2016, 11:05:19 AM What I understand from threads, a brain wallet is not safe and can be hacked. What about a seed wallet (e.g., Trezor)? Is it safe?
Title: Re: Researchers describe a way of hacking Brain Wallet Post by: AliceWonderMiscreations on February 17, 2016, 12:58:52 PM What I understand from threads, a brain wallet is not safe and can be hacked. What about a seed wallet (e.g., Trezor)? Is it safe? brain wallet can only be hacked because many people choose pass phrases that are easy to brute force. If it is easy for you to remember then it likely can be brute forced, and brain wallets are about being easy to remember. With respect to "seed wallet" if the seed is secure then the addresses generated from the seed are secure. I believe the way Trezor generates the seed is probably secure if it has enough entropy. I suspect it does, but it is a low power device and sometimes low power devices don't. I believe though the Trezor has a way to add external entropy to it. Trezor really should only be used for long term storage, it really is a pain in the ass to use for day to day spending. |