Bitcoin Forum

I decided to mess around and make a brain wallet.  I used the website www.brainwallet.org.  Supposively, this javascript is client side only.  Anyway, I made a brain wallet and decided to test it.  I moved my spare change (I keep most of my BTC in cold storage) about 0.178 BTC to the new brain wallet I made "15WjmFwpZ1mp3fG55JGoGv3p5y9jtehEB2".  Literally within seconds, it was moved to a new bitcoin address not owned by me "1Lp3S4PajwhuFCyrAXSFdVGxLuqTsXtVQC" https://blockchain.info/address/15WjmFwpZ1mp3fG55JGoGv3p5y9jtehEB2

I am very security conscience and am certain my wallet file was not compromised.  My only thought is the brainwallet website has been compromised instead and some bot is stealing the private keys generated there and then instantly transfering any funds deposited to these compromised wallets to their own bitcoin addresses.  DO NOT USE www.brainwallet.org and if you have used it, then immediately move your funds to a new location ASAP.

I am not complaining though, I only lost 0.178BTC - it could have been much worse.

I don't think you can download the script from the site.  Regardless, whether it is the website author or a hacker, the site is compromised.  I don't think it had anything to do with my wallet.dat password being compromised - it is a very long, secure password and I do not believe there are any trojans on my system.

Is your passphrase just too simple?

You can save the website for offline usage or better yet get it from github.

I use from a computer with no internet access - and it works fine for generating the key pairs this way.

/sub

I used Brainwallet for a friend half a year ago on an offline pc with the code from github. The money is still there. I wouldn't trust the version that happens to be on any website but for now I do trust github to not mess with repos. I wish there was some signing involved though. If reputable dev would confirm to have seen nothing fishy about version [hash], I would pick up the changelog (if any) from there and decide if I use the signed version or the updated version. I picked the most recent version as it was old already, so I assumed it was reviewed by quite some people but I guess git's feature to mess with the history would allow to forge an old-looking head easily.

Any passphrase you can memorize is almost too simple by definition.

What passphrase did you use?

ireallylikecookies -> not ok
poweroutletsmmaybeeshockyuoifyuotuochit -> a lot better.

How could be compromised a brainwallet ?
Breaking known algorithms should we exclude because that would affect all kind of wallets.

You have a javascript brainwallet like brainwallet.org or bitaddress.org or namecoinia.org.
1. It has a connection to the internet and transmitting your private keys.
You can avoid this if you save the page on your computer and switch off the internet connection when you are generating the keypairs.
Alternatively you can do it in a virtualbox container which has no internet connection.
2. You are generating a random keypair however it isn't random in the reality, but follows a deterministic or stored pattern known to the brainwallet creator.
The source is known (javascript) but it is obfuscated and difficult to check it. In this case it doesn't matter if you are offline or online.

Best if you generate deterministic wallet with a passphrase which is random and long enough but you choose it and your computer is offline.
In this case I cannot imagine how could the brainwallet creator know the private keys.

Of  course they are other attack possibilities also but they are not brainwallet specific.
If you downloaded from a pishing site, you have some trojans on your computer or you have written the passphrase on a paper and let on the table on your bureau.

The owner of that site needs to shut it down. This kind of thing was inevitable and we warned about it from the start. Someone has calculated a rainbow table and the passphrase you chose is in it.

Which wallet software did you import the key into? Do we need to put a warning about this site into wallet apps? We need to find some way to kill this stupid and dangerous site asap.

Brainwallet just uses this python code ...

privkey_hex = hashlib.sha256(keyphrase).hexdigest()

(Not that actual code since its from one of my scripts, but something similar). Its trivial to do your own version and avoid the web site entirely (then import the private key into the wallet of your choice). The slightly more tricky part is obtaining the WIF key and addresses, I posted a simple script here https://bitcointalk.org/index.php?topic=247178.msg2642261#msg2642261 but there are probably more professional versions elsewhere on this forum.

But as has been said earlier, if you don't understand what a script is doing, then don't use it.

Since the coins are already gone, please post what password you used for your brain wallet.    We can then confirm to you that it was a bad and easily hackable password.

Don't try to be funny and drop the wrong password, everyone will know immediately.

Sounds like a weak passphrase to me.  We already know that people have created huge 'rainbow tables' of bitcoin addresses generated from SHA256 of weak passphrases, and they just sit watching the blockchain for any of them to come up and then siphon off the funds.  This is yet another reason why a 'brain wallet' is such a terribly bad idea for anyone to do.

Will

+1, and its not like he can use the address again...

A brain wallet when done right is perfectly fine. A deterministic wallet like electrum is like a brain wallet. 12 words that are the seed to all your bitcoin keys. Of course the entropy is greater than your typical brain wallet. 128 bits for electrum.

Electrum users are advised not to type their seed in brainwallet.org (or any other website).

I did a small investigation some time ago to see how widespread the problem was, and these were the results:

 - Sent 0.001 BTC to an address generated with a password you will find in any top 10 common password list. Taken immediately.
 - Sent 0.001 BTC to an address generated with a six digit password. Taken immediately.
 - Sent 0.001 BTC to an address generated with the same six digit password as above, but with Point Conversion set to "Compressed". Untouched.
 - Sent 0.001 BTC to an address generated with an upper/lower/digit six character randomly generated password, normal Point Conversion. Untouched.

Someone is definitely out there grabbing things from weak-passworded wallets, but even a six-character random password thwarts them.


Edit:
Mechs, tell us which password you used. It's already compromised, so there should be no harm in revealing it.
If you can't reveal it because you use that password in multiple places then guess what - that's how they got your password in the first place - by stealing it from some other place you used it.

indeed, it would make sense for an attacker to find as many compromised password lists as possible (hint: there was one for mtgox a while back) and use those as seeds as well.


Anything, done well, is perfectly fine!  The problem is that there are so many bad ways to do a brain wallet, for example:

 - picking a weak passphrase
 - forgetting your passphrase
 - not understanding Change addresses, and losing bitcoins

and it's so trivially easy to compromise a brain wallet with a bad passphrase, that it's probably better, for most users, to use an alternative form of key generation and storage.   I would never recommend a brain wallet to a new user, but I would recommend blockchain.info with OTP and a strong passphrase to a new user.

Will

Tell us what pass phrase you used already!! :)

The owner of that site should at least warn that "correct horse battery staple" is a particularly bad password. The fact that barely any bitcoins flow through this one tells me that there is no significant amount of noobs using the site. With mass adoption I bet at least 1% of all users would be thankful for this "random" suggestion and go with it. Brainwallet instead should give the user feedback on how secure his key is, although this might make them feel safe where they shouldn't, it can tell them when they are not safe where they feel safe.
Else it should suggest to actually use it to use the github version and verify that the signature of these 4 persons confirms the version to not be tampered with.


If the minimized/obfuscated code reduces the entropy by doing something like changing this
privkey_hex = sha256(keyphrase).hexdigest() to this:
privkey_hex = sha256("evilhackersalt" + sha256(keyphrase)[:3]).hexdigest()
you would get "totally random" keys with every change to your input, but the attacker would actually be the only one to know your private key in a trivial list of a million keys.

You would only notice this once you try to use your password on a non-poisoned brainwallet. Good luck finding your money if you didn't also backup your priv key, just in case this attacker needs time to swipe your money.

No. You just used a weak passphrase. They have *huge* lists of keys already calculated in advance from all kinds of weak passphrases, they knew your passphrase (and with it the key) already long before you even had the idea to use a brain wallet. They are sitting somewhere with a huge list of such weak keys, permanently scanning the network for new transactions and waiting for your coins to arrive at one of their addresses.

Next time you should use a long computer generated random passphrase. Use a tool like pwgen that creates pronounceable random nonsense (not in any dictionary) words, so its easy to remember but still completely random.

hey guys,
   Sorry I just logged back on.  As I said, I was just fooling around so I did use a very short passphrase "stfu!" just to see how it works and I imported in into Bitcoin-qt using the importprivkey command.  I actually made two keys from this - one with Point Compression and one without Point Compression - only the uncompressed address was compromised.
    Anyway, newbie mistake - glad I learned it on  .178BTC as opposed to much more.  Though this experience has taught me a brain wallet not for me - any phrase I could remember would not be secure and if I added enough misspellings and character substitutions I would likely forget it eventually.  Will just stick to my paper wallets I generated offline using Ninja's script at bitcoinaddress.org
    I feel better actually, since even though all my trojan scans came back negative, I was still worried maybe somehow my computer was compromised.  The only compromise was my noobness! Hope others learn from me error.
mechs

I think we shouldn't make such of assertions without any evidence.
If someone calculated a rainbow table (and almost sure that have done more people) then it has nothing to do with the site owner.
It was the negligence of the user to use a simple password and the opportunism of a dishonest hacker which caused.
Is the Bank guilty if somebody take over your online account because you used 123456 as password ?
You shouldn't use something what you don't understand.

stfu! looks correct ...


I feel for your loss, but its a useful wakeup call for the rest of us. I think I'll stick with bitcoin_qt for now.

As I said, it was a small loss - the equivalent of $12.  Could have been worse and hopefully others will learn from my errors.  Still, a warning on the website about the need to use a strong passphrase would be a good idea.  Ninja's bitaddress generator will not even create codes for such short passphrases I see to protect newbs from themselves.

Btw, can someone expalin to me the difference between the compressed and uncompressed keys?  Seems both are accepted by Bitcoin-QT (though uncompressed priv key cannot be used to access compress public or vice-versa).  Is one type more secure than the other?  In my example, the stfu! compressed version was not compromised, only the uncompressed version was (I channeled the BTC through both bitcoin addresses).  The speed (seconds) with which the funds were redirected make it clear it was a bot.

I don't think you understand what a rainbow table is.

Somebody generated the exact same brainwallet you did, long before you ever thought of using that passphrase.

They've actually generated millions of brainwallets, and they're just waiting for someone naive enough to use the same weak passprases and deposit money into one of their addresses.

Anything less than 16 random words (https://bitcointalk.org/index.php?topic=139390.35) is too short as a passphrase. Not a 16 word phrase from your favourite work of literature, not some TV character's 16 word catchphrase with a few simple letter substitutions and random punctuation characters thrown in.

16 words that have never before been grouped together into the same context by any human that has ever lived.

If you can't generate and remember a random passphrase this long you shouldn't use brainwallets.

Since I'm here, I'll take a punt, but I'm no expert (and I expect a cross post will happen by the time I finish).

The public key is a 64 byte (512 bit) number derived by ECC algorithm from the private key. It consists of the X and Y coordinates of a point on the curve. However one of these coordinates is redundant, so the compressed key just uses the X coordinate which shortens the public key length by half. In practice both versions are hashed to 160bit hash value in the block chain. If you take a look at the script I linked above, you can see the procedure for generating both the uncompressed and compressed keys/addresses.

I assume they are equally secure (others may correct me). The reason that only the uncompressed stfu! was compromised is (I guess) that most people just use this one and the hacker did not bother to build the rainbow table for the compressed one (lazy hacker as the ECC is the expensive part, so the only cost of having both is storage space).

Hope this helps. (Yup, crosspost, but not on this topic so I'll post anyway)

Somebody told me that he generated a keypair with the passphrase 'dog' one year ago when the bitcoin had a value of 10$ and deposited 0.01 BTC.
The amount was taken in a half an hour.
No human would make such an effort for 10 cents.
So it seems to be sure that some bots are scanning the network for  brainwallets.
But that doesn't mean that brainwallets are not secure if used correctly.

Thanks, it seems to me then compressed is more secure simply since less people use it so hackers less likely to include it in a rainbow table.  Clearly, though, that is not a replacement for a strong passphrase.

OP: mind changing the topic? I find it quite offensive to the guy who runs brainwallet.org despite the above mentioned reservations.
You only make a fool of yourself if you use a weak password like you did and then blame the service of stealing your money.

I still think this thread is very useful - I know you feel people who are new and not tech savvy deserve to lose their bitcoins, but that is not an attitude that will lead to widespread adoption.  I would be okay changing it to:  "If you use Brainwallet.org - MUST READ! - Security Risk!" if you think that is more accurate.  My post was not meant to be libel in anyway, it seemed like a security breach to me at the time and it is a vulnerability with brain wallets more people need to be made aware.

If you have no problem lying to people, implicitly calling others that set up services like brainwallet fraudsters, leave it as is. If honesty counts in your value system, maybe change it to the truth. This is not about saying that you didn't deserve better.

+1
Keep your private keys private

Which is great if you know what you are doing, but people in life are not prepared to lose money if their hard drive crashes or such. It doesn't matter how loud you yell at users for them to back up their private keys - they usually don't.

Clearly a new solution for the security issues it required for mass adoption for laypeople - the hardware wallets, if they can be made very affordable, will certainly be a move in that direction.

Compressed or uncompressed only applies to public keys, not private keys.  All private keys are the same, there is no compressed form.  For every private key there is only one public key but the public key can be expressed in two different forms.  Each form maps to a different public key address.  So, every private key maps to two different public key addresses.

Not a bot, it was just that the address you generated was already set up to sweep to another address long before you generated it - as explained in other posts.

Almost.  For completeness:
Since every X coordinate in the finite prime field corresponds to exactly two Y coordinates in the finite prime field, one positive and one negative, it is possible to define the exact X,Y coordinate of the public key by using the X coordinate and a sign indicator to tell you which of the two possible Y coordinates to use.

Both forms of the public key are equally secure in that a) they both describe exactly the same information and b) given the X,Y coordinates of a point in either form it is equally difficult to calculate the private key used to generate the public key point.

Yes the ECC is the "hard part" of the calculation but going from uncompressed to compressed public key form is trivial and then the extra hashes to calculate the two different public key addresses is also trivial.  I expect "lazy hacker" if the compressed form was not compromised.

Whether you use the compressed or uncompressed public key to generate the public key address does not matter at all since the issue here is the passphrase used to create the private key.

Given a very large numer of private keys generated from a very large number of common/simple pass phrases they will simply set up sweeps of both versions of the public key address generated from each private key.


Yes, I think that you should (please) change the title to "If you use any brain wallet - MUST READ! - Security Risk!"  as this issue of losing your BTC when using a common/simple pass phrase applies to any brain wallet, not just those from brainwallet.org.

The issue here was that the passphrase for a brain wallet was too simple.  Not that the private key was not kept private.

He's just saying SHA256 brain private keys are a bad idea, and sites like Brainwallet.org should be taken down so that is not easy for misinformed people to create weak private keys.  How hard we should try to protect people from themselves, I guess that's a philosophical/ideological debate that is OT.

As for the evidence of a rainbow table, how about this:


The only thing slightly surprising to me is that mechs's password "stfu!" has punctuation, but I just checked and that verbatim string is in the Rockyou password dump, and anyway it's not much more creative than just "stfu" alone.


Agreed.  More accurate, less alarming, more applicable.

What kind of idiot would write a bot like that?
You wait until it has at least half a coin in it before transfering it out.

Well I guess for really common words it has to be fast or someone else gets it.

-=-

I have two problems with brain wallets -

A) If I die, my survivors have no way to access it.

B) No matter how clever I think I am, if the pass phrase is something I can remember, it has a higher liklihood of being brute forced than a key that is high entropy random generated.

Paper wallets for me.

Another thing you can do is repeat hash hundreds and hundred of times. And use a salt - with the original phrase and added to each hash. You can even have a simple formula that changes the salt each hash.

57899@##$% as me salt.
"I like big butts" as my passphrase.

Each hash I change the salt according to the number performed and add it to the previous hash, changing the salt so it grows each time, resulting in a huge salt by last hash.

Reapeat, say, 722 times.

All I have to remember is the salt (write it down), the pass phrase, and the algorythm I used to alter the salt each iteration.

Try cracking that from a rainbow table.

But I still don't like brain wallets. Paper for me. Stored in a secure place.

KISS

Why is it then that under the details tab on bitaddress.org is there an option of "Private Key WIF (compressed, 52 characters base58, starts with a 'K' or 'L')?"

Burt,
  I am not sure this is correct - when you go to http://brainwallet.org/ and toggle between compressed and uncompressed both the public and private key changes.  You cannot use the compressed private key to access the uncompressed public key or vice-verse without changing between the two. 

Its just so the wallet that you are importing it into knows whether to use the compressed or uncompressed public key. It you convert the WIF key back to hex, the compressed private key is identical to the uncompressed one, with the addition of a '01' flag character at the end. I guess its done this way to make it foolproof (the user does not need to specify to the wallet whether to use the compressed or uncompressed public key to generate the address as it is already flagged in the WIF private key string).

Take a look at my script at https://bitcointalk.org/index.php?topic=247178.msg2642261#msg2642261 as it shows the procedure to generate both of the WIF keys from the hex private key quite clearly (just search for WIF). Its simply an 80 prefix. followed by the key value, followed by an 01 suffix (for the compressed key only). To this is appended a double sha256 checksum (just the leading 4 bytes, ie 8 characters in hex), then the whole hex string is base 58 encoded.

The private key (Wallet Import Format) changes because it is encoded with the flag character to indicate compressed/uncompressed form (see my post above). That 01 suffix changes the base58 value completely.

If you look ate the public key, the uncompressed version starts 04 followed by 128 characters (64 bytes) which are the X and Y coordinates.
Look at the compressed public key and its starts 02 or 03 (which is a flag to indicate the sign of the Y coordainate) followed by the same X coordinate value as the uncompressed public key.

There is a terrifying amount of misunderstanding of cryptography on this thread.

Brainwallet.org needs to be shut down, yesterday. The title of the thread is correct because the very fact that the site exists is a security breach.

Justus is telling the truth here. You cannot invent or memorise a private key, it isn't possible unless you are the kind of person who competes in international memorisation competitions for fun. And maybe not even then. This isn't about stupid users or smart users, there is absolutely nothing stopping someone from just generating a larger and larger rainbow table every day and that is quite obviously what is happening.

Please tell us which wallet app you imported the key into do we can ask the developers to put a warning in the ui about it. The community clearly needs to sound the alarm about this stupid concept much louder than we have done.

Users are almost always the weak point. This is the case here.

It is possible to generate a "secure enough" brainwallet.

I imported the private key into Bitcoin-QT using the importprivkey command in the console.

Indeed - I have a brainwallet and although it doesn't have much BTC (it was an experiment) it is still intact after nearly 1 year (and I have memorised the pass phrase).


As was pointed out - the poor choice of password meant your private key was easily hacked.

If you are going to use a "password" (rather than a pass phrase) then the advice "if you can remember your password then it is not good enough" should be heeded.

Yeah, that would be great.
You don't even need it to be a full featured wallet: as long as it's a "hardware containing private keys", that are used by a software, that would be a great first step.

+1

Simply put the pass phrase and instructions on a piece of paper in your safe, just like you would your paper wallets.  This is not an issue.

Having said that I agree that the entire concept:

SHA256(<pass phrase>) -> private key

is very dangerous and should not be attempted by just about everyone (including myself here), hence the name of this thread should be changed to warn everyone about all brain wallets, not just those produced by brainwallet.org, this is not a brainwallet.org issue, it is a brain wallet issue.

brainwallet.org and bitaddress.org and any other sites that allow/help users to produce these things should at the very least warn their customers to only do it if they know what they are doing and outline the risks.

I totally agree that more noobs like the OP will lose their money which would be evitable if brainwallets were known only as a concept on well documented blogs and not easily accessible to noobs through sites like brainwallet.org. Still I can't see why it shouldn't be possible to memorize secure passwords. What is your estimate how long it would take for a sentence long, yet memorizable like this one to end up in a rainbowtable? With a mutation like every second word later? Without ever mentioning the sentence on the internet?

I ever only made one Brainwallet for a friend with one Bitcoin. She is of the non-smartphone-and-better-non-computer type, so I promised her to give her the bitcoin to "this piece of paper". I made her think up five long words that are mutually unrelated. She wrote them down and I consider this a safe password until I hear of more serious brain wallets being breached than stfu! (five closely related symbols)

Whatyourhowittakealong,memorizablethistoupaisestimatelongwouldforsentenceyetlikeoneendinrainbowtable <- memorizable password as of above

Wait until a competing bot decides to take the money? It would be an idiotic bot if it did not secure any available balance immediately.

But if it is going to be written down I might as well generate a completely random private key and be safer.

If it is taking small amounts it is missing out on the larger amounts that will be deposited when the user thinks it is secure.

I guess for me the risk of being arrested for wire fraud and computer crimes for a small fraction of a bitcoin just seems moronic.

This won't happen because if you don't take it immediately then someone else's bot will certainly do it. You have to be faster than all other bots or you won't get anything.

<mode type="advocatus_diaboli">"Fraud? What fraud? Its my own brain wallet, I can do with it whatever I want."</mode>

Looks like one of my comments made to this thread was deleted.

looks like a valuable contribution to the topic.

Actually a valid point. You never asked anyone to deposit into your account nor did you steal a private key.

Connection Not Encrypted
The website brainwallet.org does not support encryption for the page you are viewing.
Information sent over the internet without encryption can be seen by other people while it is in transit.

srsly?

None of the information is transmitted out of your browser.  In fact once the javascript is downloaded you can disconnect your computer from the Internet while you make your keys, etc.  So SSL is not as big of a deal as far as your keys are concerned.  The main concern is the javascript itself.

Also, the security or lack there of in regards to the javascript delivery is not the topic of this thread.  We know how the coins were stolen and it had nothing to do with the lack of SSL delivery and everything to do with the strength of the passphrase used.

That's crap for a start.....
"Mary had a little 公羊 it's prick was red as blood and every time that Mary bled the Ram surly understood"

Very colorful, here is the private key: 5KTJj2XjQiFCXMwNEhoJCpz9exodNBC9PMeQF5hhnABa4SVj2HL
I think the point is that it still does not have as much entropy as a randomly generated key since it uses real words which are finite.

That's very hard to say because we don't know the kind of resources that might be invested into calculating rainbow tables. It depends a lot on things we can't know,  like the cost of hardware and the future price of Bitcoins (that could be stolen). Also, over what time period? If someone extends their rainbow table every day and after 3 years is able to compromise your brainwallet, you're still going to be upset, even though it was secure for 3 years.

Also, to be super clear here when I say "brainwallet" I'm talking about the form where you turn a password like "stfu!" into a private key. It probably is possible to memorize a randomly generated private key, but it would certainly require some training in memory techniques that most people have never used, and assistance from software (e.g. to turn your private key into a series of words that you then convert into an imaginative story that you repeat to yourself every day).

So, the way Electrum does it can at least theoretically work, though I don't know if anyone has studied how memorizable the generated word lists really are, even with training. The way brainwallet.org does it cannot work because you just aren't going to randomly select words from your entire vocabulary, at best you'll come up with a long password that's just a grammatical sentence, and that significantly reduces the entropy because it'll be much more biased towards words like "the" and small sentence fragments that can reduce the search space.


If they were really random words then that's probably fine, the average adult has a vocab size of around 20,000 words so that's 20,000^5 combinations which is certainly not as good as a real private key but is likely good enough for now (it's about 71 bits of security instead of 128). But people are very bad at thinking up truly random things, so I'd question whether they were really unrelated or not.

Regardless if you're going to write something down, then it's not really a brainwallet is it? It's then a paper wallet and you may as well let the computer choose the random words for you, it will do a much better job.

One simple thing you can do that will avoid rainbow tables -

pass phrase + drivers license / ID number

Your drivers license number will act as a fairly effective salt.

What's happening with this address during the las couple of days?

https://blockchain.info/address/1JwSSubhmg6iPtRjtyqhUYYH7bZg3Lfy1T?offset=0&filter=0

People have been spamming up the network with it. (I remember adding it to my wallet, and a few days later my whole wallet was filled with transations :))

think i'll stick to my offline wallets rather than any of the online versions. cant trust anything these days ;)

Brain wallets are offline wallets.  That is not the issue.  The issues is passphrase entropy or lack of entropy.

This +9000, I don't think the site is compromised.

Some people probably have tables up and running monitoring all possible addresses created from basic to medium complex pass phrases. Tbh I would not be surprised if the creator of the site is one of them.

/me runs off to create a new vps for his new rainbow tables ....

We already have this though. Cheap smartphones (either low-quality, or old-and-used.) Restrict it to wifi instead of getting a mobile plan, and only have 2 or so apps on it (a bitcoin wallet and a QR-code reader.) That seems like a good enough first step to me, at least.

Memorizing a passphrase of sufficient entropy is possible, but it should be thought of as a feat of mental effort equivalent in terms of difficulty and time investment required to doing this:

http://www.hundredpushups.com/ (http://www.hundredpushups.com/)

It's something that will require training, and effort, and continual practise in order to maintain.

Good (and interesting) point.

a.k.a. "will likely be lost sooner or later". Bad idea.

Is this the same problem we are going to have with hardware wallets?

What are the hardware wallets seeded with, a security phrase of some sort? Who creates the security phrase, the manufacturer or the end user?

It has to be the end user. If it is the manufacturer, they will keep the seed data justifying that it is for customer service. Then their database will get stolen and a bunch of people will lose their coins.

Don't buy a hardware wallet that does not allow you, the consumer, to create private keys that the manufacturer has absolutely no way of ever having seen.

I wouldn't be surprised if some federal agents are creating distrust and hate in brainwallet.
If you use correctly it is the most secure form of wallet.
You can never loose it and nobody can confiscate from you.
However this is not a foolproof wallet.
You need to put a private part and a secret part in the passphrase. Then you need to import the generated private keys in a usual wallet to use it more comfortable.
I created for testing the security an easy memorable brainwallet with a passphrase containing my mother name and the 4 digit pin of my debit card and nobody has stolen it until now. If the secret part of the passphrase is even 3 characters longer and contains random characters then you are safe for the next 20 years.

?? I don't understand you.
I think if you have an algorithm for brainwallet, that takes for example 5 minutes to mung your password into a key pair, your mothers name and a 4 digit number might be enough as creating the rainbow table would take millennia for even this small password space. Or maybe your mother has a very complicated name and there is no public record of it that somebody might ever take as input for a rainbow table? In any other case I would expect your bitcoins to disappear rather soon.

Sad thing is that brainwallet mining is more profitable for some than securing-the-network-mining but it's certainly only beginning. At some point huge amount of computing power will get directed to collect the coins that are said to be lost here in the forum. When we migrate to safer keys, not all coins will migrate and people will hunt for those nobody migrated.

tried it yesterday, took me 5min to crack 2 promising addresses. never ever use brainwallet. NEVER, if you're new to passwords.

Remove it from your qt client, in case the address gets reused.

You can loose it easily, and of course they can confiscate it "you stay in prison until you reveal the key" usually works.

Crack vanity addresses?  ??? ::)

Actually you're just underestimating the amount of computing power and time available to an attacker and overestimating the amount of entropy the average untrained person can generate.

Brainwallet.org is great!

You just need to:

1. Download it from github
2. Use a secure password

As several folks have alluded to already, the relevant aspect of the system's security (i.e., excluding any other potential problems) comes down to the properties of the passphrase relative to the capabilities of available cracking tools.

Unfortunately, our intuition is not always a good guide about the level of entropy in a given string, nor does it necessarily help much when trying to factor in the risk from dictionary attacks. If you'd like a quantitative evaluation of entropy for a given string, together with an approximation of crack time and the relevance of particular dictionaries, I'd encourage you to have a peek at zxcvbn (http://dl.dropboxusercontent.com/u/209/zxcvbn/test/index.html).

Note that while this does offer a quantitative look, as is so often the case when Shannon-style entropy is involved, it is not by any means the only way of looking at the problem. See the original article (zxcvbn: realistic password strength estimation (https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-strength-estimation/)) for a comparison with a handful of other guessers of password strength.

Neat - is there a simple sample that can be used offline for testing?

(if not - perhaps let us know how does it handle hashes being used as passwords - e.g. what would the strength of the password 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 be?)

OK
Lets make a try.
I used a passphrase composed from a known short male name and a 4 digit pin (which could be from your mobile or debit card) and I generated a keypair with it.
The passphrase was so short that my brainwallet generator don't even accept it. But brainwallet.org takes it. (however I also don't agree with this and I don't have any relation with this site)
To the corresponding address I deposited exactly 2 hours ago 100 mBTC.
Here it is:
https://blockchain.info/en/address/1uSDNberTDLZhA1zWB48qSpWQyYq6DFZd

In 1-2 months if the brainwallet is still not broken then I will publish the passphrase. I am also not sure if the passphrase was not to simple.
But if you can break it than the 100mBTCs are yours. You will wonder how easy is the passphrase.

Sure -- the source code is on github (https://github.com/lowe/zxcvbn), linked from the top of the page I mentioned.


The zxcvbn tool shows 185 bits of entropy and a crack time of centuries. It's very easy to type these in yourself and see.  :)

Sorry - didn't notice the link - will look into that - thanks!


Maybe some future improvement could be made to the algo then (that hash is the hash of the word "password"). ;D

What if the input to a brain wallet looked something like this:

Enter Passphrase: ___________
Enter Salt: ______________
Enter Number of hashing rounds:  ____________

This would be better than what is being done today, which is no salt and one round of hashing.

You would have to remember all three in order to reconstruct the private key.  The table becomes much more difficult to produce.

But as has been pointed out several times in this thread if you are going to have to write it down and keep it safe anyway why not just write down (print out) and keep safe a truely random private key anyway (paper wallet).

The idea is good and I am also thinking to implement it with small differences:
Instead of salt and passphrase should be used more suggestive expressions:
- personalization (your name or email):
- secret passphrase(nobody should know this):
The number of hashing rounds should be something standard, like 1.000 or 10.000 otherwise you have to remember it.

I think the problem is that if you are smart enough to think like this then you would have made sure that your password was already constructed in such a manner in the first place.

If you are not then you are probably likely to say "huh? I need to eat some salt first?". ;D

Sure to make it user friendly:

Secret phrase:                              (passphrase)
Email, phone number, SSN, etc:        (used for salt)
Four digit PIN number:                    (used for # of rounds)

You should let the user select the number of rounds as if you use a standard number of rounds the attack table can just use the same number of rounds once it is known.

And maybe also use a hash algorithm for which no optimized ASIC hardware exists to make producing these tables even harder.

Strictly speaking, it is not the hash, but just one of many possible hashes. It's always possible to come up with a hashing function to make a specific trivial password look complex from the standpoint of Shannon -- and, in the absence of information about what that hashing function actually was, there's a good argument for saying that it is complex. After all, the suggested string is also a hash of the word 'easy', and it is a hash of the word 'trivial', and it is a hash of the word 'oops'. However, if I don't tell you what the hash function actually is, it is unlikely that you would actually discover it.

The problem comes not from choosing a word like 'password' to run through a hashing function; it comes from choosing a well-known function with which to do it.

In principle, I suppose someone could translate all the common cracking dictionaries using all the common hashing functions in an attempt to provide a tool that could tell you not to use a word like 'password' run through one of those common hashing functions. But given the one-way nature of hashing functions, I suspect the exercise wouldn't tell you anything you didn't already know: if you're dropping a dictionary word into a hashing function and using the output, you already know what you have done, and a coming up with a tool to confirm that for you seems fairly pointless.

Yes - agreed - but because SHA256( SHA256( random ) ) is *intrinsic* to Bitcoin (i.e. a "meme" that is likely to be used) does sort of imply that some basic hashing checks might be useful (to stop people thinking that just because they use a hash algo somehow magically makes a simple password impossible to guess).

Not trying to "take the piss" - btw - just trying to suggest some possible improvements to the basic algo (as I'm sure you'd agree it won't take someone 150 years to crack hash( 'password' ) with any well known hash algo).

The main point being that "fools can be ingenious" (so of course you'll never help them all but perhaps we can stop the most idiotic - and if we are not trying to stop fools then why bother rating their passwords at all?).

The problem is with the key stretching that if you make it very particular then as user you are dependent from a specific website or provider and you also have to trust him.
So it is most better if you use something standard and widely used where you don't have to remember to much on the particularity of the key stretching and you have alternative key generation possibilities othervise may be it will be not stollen but you forget it or will be not available the generation method in 2 years.
PBKDF2 is the most widely used and they are some alternative sites where you can stretch the keys if your brainwallet generator is not available but it is ASIC friendly.
bcrypt is less used and less ASIC friendly, some web implementations
scrypt  is the most modern ASIC unfriendly key stretching but there is no web implementation and they are a lot of parameters to be configured

Yep, I see what you mean. I think the person who wrote the zxcvbn checker works for Dropbox, and he just intended it to illustrate some of the pitfalls of common ways of measuring password strength, ways which could inadvertently give users bad advice. As you've just demonstrated, this seems like a case where it could do exactly that -- give bad advice.

As I understand it, this is the strength guesstimator which they are now using on the Dropbox registration page. (See his original article for more details.)

See also:  https://www.grc.com/haystack.htm

Yup, the very first password I ever created when I first got my own internet connection, little did I know it happened to be identical to a part number of a popular ham radio component. I never played with ham radios.

When I was playing around with cracking tools (I think it was jtr) and it was quickly cracked, I was shocked to see it was in the dictionary and when I investigated, the dictionary had been made from an electronic parts catalog.

Granted by today's standards it is way too short even without being in a dictionary (7 alphanumeric characters) but still.

Mechs, the coins in question have been returned directly to the address in your sig:

https://blockchain.info/tx/8a91cca81bcb8ce4b9483e7d933b84b9363cd1dc0c40d37521f796403047e606 (https://blockchain.info/tx/8a91cca81bcb8ce4b9483e7d933b84b9363cd1dc0c40d37521f796403047e606)

The brainwallet.org author is not the culprit, my bot is.  Since you don't come off as one of the people running a competing bot (and trust me there are lots), I'm fairly confident these coins are indeed yours and am happy to return them.

PSA: Picking a bad brainwallet password is like throwing your money on the sidewalk ... except instead of just the people around you scrambling to pick it up, the entire internet can and most of the internet has no interest in giving your money back.  Worse yet, it's actually impossible for someone wanting to give them back to do so with 100% confidence they are giving them to their rightful owner. 

I agree with the sentiment expressed in the thread that if it's memorable, it's eventually gonna find its way into someone's rainbow table and I leave all you brain wallet users with this to ponder: https://www.youtube.com/watch?v=a6iW-8xPw3k (https://www.youtube.com/watch?v=a6iW-8xPw3k)

Oh, I'm impressed by this turn of events :)

So you defend the stupid so they can continue using weak passwords on brainwallets? Why not take a 50% recovery fee? The money moved again? Is the account in his sig the the brainwallet(WTF!) ?

Wow Jesse, that is very kind of you to return the funds! It is amazing you even by chance happen to read this threat.  I am definitely not running a competing bot, as you can tell by the weak brainwallet I created.  I was not even that upset about losing the change, it could have been much more than that.
Thank you again!
mechs

wow, that turn of events!

+1

OP - I think the "security breach" part of your topic title should be changed (a poor password that was cracked is hardly a security breach IMO) although it has been a good reminder for people that brainwallets are a dangerous thing (and should not be recommended to people without some specific education about how to go about creating a secure enough password).

I'm puzzled as well.
dafuq happened (https://blockchain.info/tree/80474551)?

Perhaps Brainwallet.org should use their own rainbow table. You can still keep everything client-side for generating the address. However once the address is generated, it can be submitted to the site for checking. Users may be surprised to learn the the chorus from their favorite song (with common mishearings and spellings) is actually in the dictionary.

As has been mentioned earlier in this thread, if you can easily memorize it, it is probably not a secure passphrase. The rule of thumb I use is that If it has ever been published anywhere (http://aws.amazon.com/datasets/41740), it is probably not a secure password. Do you really think the sum total of human knowledge has over 64 bits of entropy? (that data-set is only about 46 bits of entropy).

Another case of cracked brainwallet where the funds were returned: http://www.reddit.com/r/Bitcoin/comments/1j9p2d/blockchaininfo_unauthorized_transactionhow_could/ .  The cracker said he's the same guy from this thread, only this time it was around 3 BTC.

This time the passphrase was quite a bit longer, but was a song title, so the rainbow table is pretty big.  Be smart and careful, people!

Does anyone know who runs that site or how to contact them? The site itself has no contact info on it, the source code is owned by a user just called "brainwallet", the only thing resembling a contact address is a twitter account also called "brainwallet", etc.

Whoever runs this site needs to shut it down now. It's negligent to do anything less.

Personally I think that if people are silly enough to "secure" their bitcoins with nothing more than a poorly chosen password or pass phrase then they probably are best to be relieved of them.

The brainwallet itself is actually a useful "offline" tool (and anyone silly enough to use it "online" well...).

^


Joric (http://bitcoin-otc.com/viewgpg.php?nick=Joric), I found him in #bitcoin-dev once, and IIRC he ragequit because of the core team bitching about bw.org

https://www.bitaddress.org has a brainwallet tab
Not to mention the "SHA256 hash calculators/generators" all over the net - hello, Private Key Hexadecimal Format.

Can't get security through obscurity...

The problem of this thread has nothing to do with online or offline.

Its a useful tool because it creates key/address from a passphrase. This is useful.

Not to mention all the other tools it has in it.

The problem is people *think* they know what they are doing, or think things like S00p3r53kri7 are secure.

Talking about that topic,

I got a doubt and maybe someone else have already done it, though I've never tried this out before:

At the "Transaction" function of brainwallet.org, is it possible to send BTC to same address: "Source Address" = "Destination Address"?

e.g: I was wondering if I could send from a total of 10BTC at address "x", 9BTC to address "y" and 1BTC remaining change back to same address "x".

Does that work through brainwallet.org?

P.s: fees disconsidered in order to simplify the example.

Yes - that's how it creates the tx by default (if you want change to go to another address you'd have to edit it).

BTW - I would not use the tx tab of brainwallet as it only works *online* and it requires you to provide your private key (so a malicious version could simply broadcast your private key).

I'd never suggest that too.

For everyone new to that script, I only suggest that you test it offline, then copy and paste the tx to blockchain.

Thanks for the help.

Cheers!

For someone who lives in a direct democracy that has a lot of personal freedom, and hence, a lot of required personal responsibility, you sure as hell like to impose your moral standards on other people.

Bitcoin source code was authored by some unknowable pseudonym, SHUT IT DOWN, PADRE-MIKEHEARN SAYS NO ANONYMYMOUS CODINGZ!!!

Is it manageable watching the balances of thousands/millions of generated wallets like that everyday (with today's tech resources)?


Is that simple to do by command line (Linux Terminal)?

Very easy.

It's run by "Joric". As was the similar wallettools.appspot stuff which predated it in the role of helping fools and their Bitcoin split ways.

I have some pretty fun IRC logs surrounding the creation of Brainwallet.org... e.g. Joric searching for guessable sha256 keys and redeeming them.

He was really resistant to using a strong KDF. Not because he's malicious, as far as I can tell, but simply because anything worthwhile is going to be slow in javascript.

Why write custom scripts and remember various variables when you can just make your brainwallet a bit longer. 
Add your name and ID/passport number before your complex passphrase, easier to remember, increase entropy  by a lot.

That's unfortunate! Thanks for letting us know OP.

an appropiate thread title might be:

"If you used Brainwallet.org - MUST READ! - weak passphrases!"

na not really. you just combine a long low entropy password with a short high entropy password plus something in the public record. you can remember the former because it uses real words and sentences and the latter because it isn't too long and the public record element adds security for almost no cost (in terms of effort to memorize remember it since all you have to remember is its location). combined you get the best of both worlds. they arnt going to crack it with a dictionary attack or a brute force and some sort of hybrid technique would not be very effective.

I agree with what others have posted already, add a "rounds" parameter to the site. Asking the site owner to do this is much more productive than trying to burn him at the stake...

People can use their birth year as the rounds number and they will easily remember it. The rainbow table computers will have to do much more work, if they compute all rounds from 1900 to 2000 they will have to do 196,950 hashes per password instead of 1! (http://www.wolframalpha.com/input/?i=1900%2B...%2B2000)

Does anyone know how difficult it is to find your passphrase if they know your private key?

It depends on the passphrase :D

Why would anyone care about your passphrase if they have already got your bitcoins?

LOL  :D Let's say it is a supa dupa hard one  ;)

This ^^^

But assuming they have the private key to your standard brain wallet and have already taken all of the BTC in that wallet they might think to themselves "Self, if we can get this bozo's passphrase we may be able to clear out his MtGox, Bitstamp and other accounts if he used the same passphrase."

So there is some reason to do this.  Now in a standard brain wallet the private key is the SHA256 of the passphrase and it is basically impossible to go from the hash back to the passphrase.

So, although all of the BTC in your brain wallet have been lost, your other accounts using the same passphrase are probably safe in this hypothetical scenario.

I think the same. Never use a third party for security.

Thank you :)

Dude, you are quoting the third post in this thread and your response is totally out of context.  Are you a posting bot?

EDIT:  reported as possible posting bot.

Also usefull to know if you are planning to make 10 brainwallets with strong passphrases by themselves, but with very similar passphrases that can link them together.

I know I'm late to the party, but you know what's really annoying...when people post about how this or that service is compromised, but then don't post the password they used.  That's all I have to say.

They used "stfu!", see here:

https://bitcointalk.org/index.php?topic=251037.msg2668158#msg2668158

Good lord

Diceware: http://world.std.com/~reinhold/diceware.html

This. And there are a couple of nice tools on this forum that easily convert dice rolls into passphrases and bitcoin addresses.

Diceware SHOULD NOT be used with anything other than dice: the entropy is not the same otherwise.

Read my post again. The tools I saw WORK WITH DICE. So, full entropy. 

you could always use a sha256 generator first
my - 038468518ad8122e13112743f890c7ba96ac5665b71de548eceb23e9ef237805
m0m5 - f4b4dff4af48415ce1883a01d5589022fb11b1adb2c9b53aa9439cabd9273d5c
c00k135 - c092a98000322afadf557a9754f1fac6d97d21e8c0432e518edd1b5dc7e3c67f
4r3 - 9a55b85547d8d71b45fbd1000d7053fbb254571d11fe3c230592e41531bf6413
n1ce - 781d42e75cbf8d87d48dcbb54a20fdb1d9e70f02d6759124d1a3c7e68d5c9f92

combine the results to become 038468518ad8122e13112743f890c7ba96ac5665b71de548eceb23e9ef237805 f4b4dff4af48415ce1883a01d5589022fb11b1adb2c9b53aa9439cabd9273d5c c092a98000322afadf557a9754f1fac6d97d21e8c0432e518edd1b5dc7e3c67f 9a55b85547d8d71b45fbd1000d7053fbb254571d11fe3c230592e41531bf6413 781d42e75cbf8d87d48dcbb54a20fdb1d9e70f02d6759124d1a3c7e68d5c9f92

then put that into the brain wallet to add further randomness to the words.

or ofcourse run it through a sha256 again (without spaces) to give you f9640de45673cc0baacef1b9d4c407f06c453d72d06c99cf8870d19114d42d51. make your own checksum code to make it a private key more direct without using third party services.

over-react much? of course someone has made rainbow tables, so what? the lesson to be learned here is not that we should crucify brainwallet.org, it is that we should make strong passphrases.

This site just seem too much of a risk since you are either using a weak word or a difficult one which isn't easy to remember,it would be much simpler to just make a wallet (and add a password//encrypt keys) or just make paper ones.

it has been asked many times for the simple snip-it of code that makes a private key. the answer is always view source of brainwallet. pfft i dont need all 1383 lines of code that do all the different functions. we just need the basic convert random characters + checksum and then convert to public. which should be under 100 lines of code

this will then allow people to make their own programs that hash words into giberish in any form they like. EG a mix of md5, sha256 followed by another passthrough of sha, before then converting.

then they atleast can make their own scripts to

take the first page of moby dick and MD5 it.
take the 6th page of the bible and MD5 it
take the 207th page of 50 shades of gray and MD5 it

put all 3 codes into a sha256
add a MD5 of Moses 10 commandments
sha256 again

and then put this through the 'brainwallet converter code'.

then next time they just put in those pages

Oops, now we know your brainwallet ;)

I like to set up and fund brainwallet accounts for people I know who are new to bitcoin.  Then, all I have to do is give them the passphrase.

How else can I achieve this, without either 1) waiting for action from the recipient before I get an address to fund, or 2) having to associate an online account with an email address - which is either mine (the wrong one) or theirs (and they are tipped off about the gift)?

Paper wallet?  using a random (aka 256 bit of entropy) private key rather than some almost guaranteed to be bruted forced brainwallet scheme?

What a great way to introduce someone to Bitcoin, give them a brainwallet, later when it is worth a small  fortune they go to check on it and find out someone robbed it years ago.

Wow. If you think a brain wallet with a "memorable" password is secure you shouldn't be managing people's money at all. Why don't you just print out paper wallets?

You would think the Bitcoin "brain trust" would communicate with each other better:

Also
https://github.com/brainwallet/brainwallet.github.com

People are too worried about this. Everything that should be done is add a disclaimer not to use the Brainwallet site if you don't know what you're doing/can't come up with a proper passphrase. I like my brainwallet and I'll keep using it, it's a very nice idea. No surprise it's not suitable for the masses, just look at any list of leaked plaintext passwords. Or a list of leaked md5 passwords and see how many per cent you can crack.

Definitely, brain wallets are not for newbies!

Paper wallets are easier to manage at early learning stages.

Brain wallets are for pros!  8)

For noobs: Brain wallets are rat poison and will get people to loose their money.

For pros: I like brainwallets as it allows me to give bitcoins totally offline with only pen and paper. I told a friend to make up some 5 long completely unrelated, maybe slang words and write them down. I wrote them down, too and she paid me for one bitcoin back then when it was around $10. I sent a bitcoin there when I got home. Worst thing that can happen is that she loses a paper with meaningless words on it :)

Your worst nightmares has come to reality!!! Please read following post if you haven't seen it before.

https://bitcointalk.org/index.php?topic=421842.60

Dear obvious sock puppet princes12:

That thread is total bullshit.  See my response to that thread here:

https://bitcointalk.org/index.php?topic=437220.msg4813821#msg4813821

and if you do not get the humor of that post, then try the more direct response here:

https://bitcointalk.org/index.php?topic=421842.msg4814386#msg4814386

I love you Carlton. Truly and with all my heart.