Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: DooMAD on March 10, 2014, 09:12:17 PM



Title: Password strength
Post by: DooMAD on March 10, 2014, 09:12:17 PM
So the Bitcoin website itself states:

Quote
Use a strong password

Any password that contains only letters or recognizable words can be considered very weak and easy to break. A strong password must contain letters, numbers, punctuation marks and must be at least 16 characters long. The most secure passwords are those generated by programs designed specifically for that purpose. Strong passwords are usually harder to remember, so you should take care in memorizing it.

But as explained fantastically well by XKCD (http://xkcd.com/936/), it's actually not entirely true.  Random characters only make it harder to remember, not to crack.  As pioneers of this revolutionary cryptographic technology, shouldn't we of all people have a better grasp of this concept?  The responsibility is on us to make sure new users understand it correctly, but that won't happen until we get it right ourselves.  This part of the site should ideally be edited to be more accurate. 


Title: Re: Password strength
Post by: NLNico on March 10, 2014, 09:31:52 PM
I assume you are talking about https://bitcoin.org/en/secure-your-wallet

Bitcoin.org is not an official website. (it actually says that literally on their about page: https://bitcoin.org/en/about-us )

But since this is a website where many new members come, I can agree with you that it should be adjusted. I would suggest coming up with a better explanation and just e-mailing it to them. Perhaps they will change it. Most importantly it should say to keep different passwords for all websites.

I personally advise programs like KeePass and LastPass with 30(+) characters.


Title: Re: Password strength
Post by: R2D221 on March 10, 2014, 09:40:08 PM
Quote
I personally advise programs like KeePass and LastPass with 30(+) characters.
I use KeePass with the default (20 characters). Should I increase it?


Title: Re: Password strength
Post by: floatertheplayer on March 10, 2014, 09:40:28 PM
Just a friendly warning that comic is bullshit. ;) You would need at least 8 random words to have about the same security as 12+ random characters. The entropy may be higher, but every serious hacker uses rainbow tables, dictionaries or even phrases from common digitalized books...



Title: Re: Password strength
Post by: Timo Y on March 10, 2014, 09:41:40 PM
Here is a quote from the website of none other than TrueCrypt (http://www.truecrypt.org/docs/choosing-passwords-and-keyfiles)

Quote
It is very important that you choose a good password. You must avoid choosing one that contains only a single word that can be found in a dictionary (or a combination of such words). It must not contain any names, dates of birth, account numbers, or any other items that could be easy to guess. A good password is a random combination of upper and lower case letters, numbers, and special characters, such as @ ^ = $ * + etc. We strongly recommend choosing a password consisting of more than 20 characters (the longer, the better). Short passwords are easy to crack using brute-force techniques.

Shouldn't the TrueCrypt designers, of all people, have a better grasp of this concept?  :D

Actually, that XKCD comic is dangerous advice for Joe Average.  It is true only IF those words are chosen completely at random.

But that is not how Joe Average would go about choosing the words. He would go something like "Horse...uhm...Cart...uuhhhm...Galloping...Away!"

Or he would click on "random article" on Wikipedia 4 times.

None of these methods are random enough to create secure pass phrases.

Also, to resist brute force attacks by supercomputers (a realistic threat for high balance bitcoin wallets) you need something like 10-12 words and not 4.

Which is not that much easier to remember than 16 characters.


Title: Re: Password strength
Post by: DeathAndTaxes on March 10, 2014, 09:42:42 PM
Quote
Just a friendly warning that comic is bullshit. ;) You would need at least 8 random words to have about the same security as 12+ random characters. The entropy may be higher

The comic didn't say 12 random characters.  Most people don't use 12 random characters for their password.  So was the problem the example in the comic or your understanding of the example in the comic?

Quote
but every serious hacker uses rainbow tables, dictionaries or even phrases from common digitalized books...
which is useful against a set of random words how?


Title: Re: Password strength
Post by: DeathAndTaxes on March 10, 2014, 09:44:17 PM
Quote
Actually, that XKCD comic is dangerous advice for Joe Average.  It is true only IF those words are chosen completely at random.

But that is not how Joe Average would go about choosing the words. He would go something like "Horse...uhm...Cart...uuhhhm...Galloping...Away!"

Someone that foolish is also likely to use "p@sswordZ1234" as their password instead.  See, the @ and the "Z" give it strength.  Even "Horse Cart Galloping Away" is stronger than most passwords (based on the results of password table breaches).


Quote
Also, to resist brute force attacks by supercomputers (a realistic threat for high balance bitcoin wallets) you need something like 10-12 words and not 4.

Which is not that much easier to remember than 16 characters.

Please show me the math where it takes 10 to 12 random words from a list of say the diceware (http://en.wikipedia.org/wiki/Diceware) list to equal the entropy of 16 random characters.  If you are right and have the math to show it I will give you 100 mBTC.

Don't get excited; how about we estimate it like this.  There are 80? 96 characters (upper, lower, number, and symbol) on a standard keyboard.

A guesstimation game.  Do you think 96^16 >= 7776^10?  If not, what x do you think solves this equation: 7776^x >= 96^16?

For those playing along at home, don't grab a calculator right away.  Just take a guess based on the base and the exponents.





Title: Re: Password strength
Post by: NLNico on March 10, 2014, 09:46:15 PM
Quote
I personally advise programs like KeePass and LastPass with 30(+) characters.
I use KeePass with the default (20 characters). Should I increase it?
Well it doesn't hurt to have more :D probably in most cases 20 is enough tho. Better yet... some websites have a limit on like 24 characters :(


Title: Re: Password strength
Post by: R2D221 on March 10, 2014, 09:47:56 PM
Quote
I personally advise programs like KeePass and LastPass with 30(+) characters.
I use KeePass with the default (20 characters). Should I increase it?
Well it doesn't hurt to have more :D probably in most cases 20 is enough tho. Better yet... some websites have a limit on like 24 characters :(
Microsoft has 16, and it has been like that for years :(


Title: Re: Password strength
Post by: DannyHamilton on March 10, 2014, 10:30:50 PM
Quote
A guesstimation game.  Do you think 96^16 >= 7776^10?  If not, what x do you think solves this equation: 7776^x >= 96^16?

For those playing along at home, don't grab a calculator right away.  Just take a guess based on the base and the exponents.
My answer hidden to avoid spoiling the fun for others.  Click "quote" on this post to see my answer.



Well,

I started by noticing that 7776 is pretty close to 96^2. That would mean that every time x increases by 1 the exponent on the other side of the equal sign would have to increase by approximately 2.  Since the exponent is 16 on the other side of the equal sign, x must be somewhere around 8 (give or take 1).

How'd I do?
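As an added example (my own Python, not code from anyone in the thread), here is the guesstimation game worked exactly, plus the same comparison generalised to any alphabet size, word list and attack rate. The 96 keyboard characters and the 7776-word Diceware list are the thread's figures; the attack rate of one billion guesses per second is an assumption.

```python
import math

# Added example, not from the thread: the guesstimation game above done
# exactly, plus the same comparison generalised to any alphabet, word list
# and attack rate. 96 keyboard characters and the 7776-word Diceware list
# are the thread's figures; the attack rate below is an assumption.

KEYBOARD_CHARS = 96        # printable characters on a standard keyboard
DICEWARE_WORDS = 7776      # 6^5 entries, one per roll of five dice


def entropy_bits(pool_size: int, length: int) -> float:
    """Bits of entropy in `length` symbols, each drawn uniformly at random
    from `pool_size` possibilities (log2 of the size of the search space)."""
    return length * math.log2(pool_size)


def words_needed(wordlist_size: int, target_bits: float) -> int:
    """Fewest uniformly random words from a list of `wordlist_size` entries
    whose combined entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def smallest_x(word_pool: int, char_pool: int, char_len: int) -> int:
    """Smallest integer x with word_pool**x >= char_pool**char_len, done with
    exact integers so floating-point rounding cannot flip a borderline case."""
    target = char_pool ** char_len
    x = 1
    while word_pool ** x < target:
        x += 1
    return x


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to find a uniformly random secret of `bits` bits: an
    attacker searches half the space on average before hitting it."""
    return (2 ** bits / 2) / guesses_per_second


if __name__ == "__main__":
    bits16 = entropy_bits(KEYBOARD_CHARS, 16)
    print(f"16 random keyboard characters: {bits16:.1f} bits")
    print(f"Diceware words to match them : "
          f"{smallest_x(DICEWARE_WORDS, KEYBOARD_CHARS, 16)}")

    # tkbx's figures from later in the thread: 14 symbols from a 70-symbol
    # alphabet, against words drawn uniformly from a million-word list
    bits14 = entropy_bits(70, 14)
    print(f"14 chars from 70 symbols     : {bits14:.1f} bits, beaten by "
          f"{words_needed(1_000_000, bits14)} words from a million-word list")

    # Assumed offline attack rate: one billion guesses per second
    RATE = 1e9
    for words in (4, 6, 8):
        bits = entropy_bits(DICEWARE_WORDS, words)
        days = expected_crack_seconds(bits, RATE) / 86400
        print(f"{words} Diceware words ({bits:.1f} bits): "
              f"{days:,.1f} days expected at {RATE:.0e} guesses/s")
```

The exact-integer loop confirms the estimate above: 8 words fall short of 96^16 and 9 words exceed it.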




Title: Re: Password strength
Post by: pening on March 10, 2014, 11:13:45 PM
Quote
...
But that is not how Joe Average would go about choosing the words. He would go something like "Horse...uhm...Cart...uuhhhm...Galloping...Away!"

Or he would click on "random article" on Wikipedia 4 times.

None of these methods are random enough to create secure pass phrases.

Random is overrated.  It's not pure randomness that's important, but that the combination is unique, and that it hasn't been used and found in an unsecured system.  What XKCD is trying to highlight is that length is better than complexity.  Given two passwords of 10 chars, "(wRD9=K-]3" or "Complacent" have the same entropy for a brute force attack.

However if there is a dictionary attack, then the latter is weak.  But if you'd used the first in a system that has poor password security, it would be just as weak as it would be included in dictionary attacks.  That's what they are, long lists of all the compromised passwords found before.  Random just gives us a better starting point for being (far) less likely to have been used and included in a dictionary.

Assuming we don't reuse passwords and they aren't exposed through a poor site, a longer memorable password is always preferable.  Memorable passwords help avoid reuse, so help avoid that weakness.  If I use a "random", previously unused sequence of words, that's good enough for 99% of use cases.  Knowing that it's unused is difficult of course (unless checking against dictionaries) so needs a bit of thought.

If you want to protect against supercomputers, you need to reduce the opportunity to access the secured system, not worry about password length.  If one can access your system for your high value wallet, you are already exposed to physical attack methods (keylogging, forensic data capture, good ol' fashioned lead pipe threat).


Title: Re: Password strength
Post by: cr1776 on March 10, 2014, 11:24:01 PM
Quote
I personally advise programs like KeePass and LastPass with 30(+) characters.
I use KeePass with the default (20 characters). Should I increase it?
Well it doesn't hurt to have more :D probably in most cases 20 is enough tho. Better yet... some websites have a limit on like 24 characters :(

Or worse, Schwab.com has a limit of 8, yes, eight, characters.


Title: Re: Password strength
Post by: drrussellshane on March 10, 2014, 11:36:13 PM
Quote
I personally advise programs like KeePass and LastPass with 30(+) characters.
I use KeePass with the default (20 characters). Should I increase it?
Well it doesn't hurt to have more :D probably in most cases 20 is enough tho. Better yet... some websites have a limit on like 24 characters :(

Or worse, Schwab.com has a limit of 8, yes, eight, characters.

Many banks are like this as well.



Title: Re: Password strength
Post by: ning on March 11, 2014, 03:47:18 AM
I don't understand why some websites set a limit on the length of passwords, since the passwords are supposed to be stored as salted hashes (of the same finite size).


Title: Re: Password strength
Post by: floatertheplayer on March 11, 2014, 08:47:54 AM
Quote
I don't understand why some websites set a limit on the length of passwords, since the passwords are supposed to be stored as salted hashes (of the same finite size).

That is a good point. It must be a sign that they don't store it as salted hashes! :D On the other hand, a password for a web service need not be as complex as a file encryption passphrase, since they can stop brute force pretty easily.


Title: Re: Password strength
Post by: DooMAD on March 11, 2014, 10:38:23 AM
Seems I've caused some controversy, heh.  Can we at least agree that in order from weakest to strongest password strength, it would be:

  • elephant
  • 3l3ph4nT
  • flying elephants with bow ties
  • fLy1ng-3l3ph4nT5_wiTh*b0w.t13$

But it would be almost impossible to commit the last one to memory.


Title: Re: Password strength
Post by: tkbx on March 11, 2014, 10:46:00 AM
There are about a million words in English. Assuming my math is right, here's the number of passwords for x words:
1: 1000000 possibilities
2: 1000000000000
3: 1000000000000000000
4: 1000000000000000000000000
5: 1000000000000000000000000000000
vs. a 14-character password of letters, numbers, and common symbols: 67822307284900000000000000
so as long as you've got a good list of words to randomly pick from, you need 5 words to beat the security of a typical password. With real word lists, however, I imagine it being closer to 7 or 8 words.


Title: Re: Password strength
Post by: flatfly on March 11, 2014, 10:55:11 AM
Quote
Seems I've caused some controversy, heh.  Can we at least agree that in order from weakest to strongest password strength, it would be:

  • elephant
  • 3l3ph4nT
  • flying elephants with bow ties
  • fLy1ng-3l3ph4nT5_wiTh*b0w.t13$

But it would be almost impossible to commit the last one to memory.

None of the above are very secure against a determined and well-funded attacker - not even the last one.
7 to 8 diceware words, on the other hand, is all you need to be very safe for years.

You might be interested in my NoBrainr script, which is a simple example of diceware applied to bitcoin address generation:
 https://bitcointalk.org/index.php?topic=308972.0


Title: Re: Password strength
Post by: V4Vendettas on March 11, 2014, 11:09:16 AM
My wallets password is : F4tF0cKM4rkT0oKMyCoIns 

Is that strong enuf to keep me safe ?


Title: Re: Password strength
Post by: porcupine87 on March 11, 2014, 11:21:34 AM
Quote
Actually, that XKCD comic is dangerous advice for Joe Average.  It is true only IF those words are chosen completely at random.

But that is not how Joe Average would go about choosing the words. He would go something like "Horse...uhm...Cart...uuhhhm...Galloping...Away!"

Or he would click on "random article" on Wikipedia 4 times.


Random words just make it more likely that you forget the password. For me it just makes a difference what I use the password for. What are the costs when an account is hacked? How high are the costs to remember and type in the password? How easy is it to run a brute force attack? (It is more difficult if you only have a few attempts.)

Take a Facebook account:
What are the costs when an account is hacked?
-> It would be stupid but I don't lose money.
How high are the costs to remember and type in the password?
-> I use it often, so a long password is inconvenient.
How easy is it to run a brute force attack? (It is more difficult if you only have a few attempts.)
I guess Facebook has some built-in mechanism to prevent thousands of attempts.
What can the hacker get?
Not really much.

-> So my password is short and convenient. I have 8 letters. (But maybe I should make it 12 or so.)


I use a brain wallet for my cold storage.
What are the costs when an account is hacked?
-> I lose money, depending on the amount of money.
How high are the costs to remember and type in the password?
-> I just need to remember it and don't use it a lot; I use it only one time. I have a paper backup, too.
How easy is it to run a brute force attack? (It is more difficult if you only have a few attempts.)
No limits for hackers.
What can the hacker get?
$$$$

So what password do I use?
I have 4 words separated by different symbols. I have 40 characters and I am pretty sure 3 of those 4 words are not in any of those large dictionaries (not that 7500-word list, I mean a list with 2 million words).

What words do I use? I do not really want to say, but I take names. A city or village (small), a street name, a mountain, the bakery you use, your favorite football player and so on. It depends on how popular that name is. A name like "coca cola" is not strong, and neither is a city called "berlin". But things change if you take a city called "Dietmannsried" or "Bad Tölz", the city where your mother grew up.

Because this is important: an address is not linked to a person. So the attacker doesn't know about your mom.
-> just be creative!


Title: Re: Password strength
Post by: porcupine87 on March 11, 2014, 11:30:17 AM
Quote
Seems I've caused some controversy, heh.  Can we at least agree that in order from weakest to strongest password strength, it would be:

  • elephant
  • 3l3ph4nT
  • flying elephants with bow ties
  • fLy1ng-3l3ph4nT5_wiTh*b0w.t13$

But it would be almost impossible to commit the last one to memory.

None of the above are very secure against a determined and well-funded attacker - not even the last one.
7 to 8 diceware words, on the other hand, is all you need to be very safe for years.

You might be interested in my NoBrainr script, which is a simple example of diceware applied to bitcoin address generation:
 https://bitcointalk.org/index.php?topic=308972.0


ah c'mon. The last one is nearly like 80^31 (80 = number of characters). This is 10^59. But ok, it's not completely random. So let's make it 10^40.
If you take your 8 dice words out of a 10 000 dictionary, what do you get? 10^32


Title: Re: Password strength
Post by: runam0k on March 11, 2014, 11:37:02 AM
You can derive a strong password from a phrase or sentence that you're unlikely to forget.

Take, say, "Dead or alive, you're coming with me." Yes, from Robocop.

This becomes "Doa,ycwm."

Throw in a number and a cap and you get "D0a,Ycwm.", which is easily remembered and pretty strong for a 9-char password.  Modify it for each website you use e.g. by adding "@alk" (for bitcointalk) or "@gle" (for Google).

Ideally the phrase or sentence should be something unique to you and something you can recall instantly.


Title: Re: Password strength
Post by: HorseCoin on March 11, 2014, 11:41:50 AM
why would a horse need a battery staple?  what is this the matrix where people are run on batteries??  ???


Title: Re: Password strength
Post by: cointech on March 11, 2014, 11:46:33 AM
I always thought password complexity went up with character count more than anything. Throwing in some special characters might have helped 10 years ago but people cracking passwords are clued up to that and will include those in their brute forcing techniques. So ultimately if we are dealing with brute forcing the best defense is long passwords.

So can someone tell me why this password wouldn't be secure?

"OnMondayMorningsILikeToWakeUpWithANiceGlassOfOrangeJuiceBeforeEatingMyTooast"



Title: Re: Password strength
Post by: porcupine87 on March 11, 2014, 11:54:53 AM
Quote
I always thought password complexity went up with character count more than anything. Throwing in some special characters might have helped 10 years ago but people cracking passwords are clued up to that and will include those in their brute forcing techniques. So ultimately if we are dealing with brute forcing the best defense is long passwords.

So can someone tell me why this password wouldn't be secure?

"OnMondayMorningsILikeToWakeUpWithANiceGlassOfOrangeJuiceBeforeEatingMyTooast"

This is secure. You are correct. You have 76 characters. It's not completely random, but you have 76 characters or 19 words.


Title: Re: Password strength
Post by: spooderman on March 11, 2014, 01:42:49 PM
Yes, isn't the password aaaaaaaaaaaaaaaa
just as strong as          arjb%@&5859snJk

?


Title: Re: Password strength
Post by: spazzdla on March 11, 2014, 02:04:31 PM
Can I use æ commands in my bitcoin password?


Title: Re: Password strength
Post by: gmaxwell on March 11, 2014, 02:28:30 PM
Quote
But as explained fantastically well by XKCD (http://xkcd.com/936/), it's actually not entirely true.  Random characters only make it harder to remember, not to crack.
Sadly, XKCD's explanation is simple to the point of being deceptive— it's caused a lot of terrible misunderstanding.

True randomness is absolutely essential to password security. If there is enough, your key is secure— if there isn't it may not be.  It doesn't matter from a security perspective if that randomness is used to pick letters or whole words, so long as enough goes into it. If you'd find words easier to deal with— then great do that.

But there must be enough and, sadly, the example that XKCD gives is targeted around things like website passwords where very high speed attacks are infeasible, and where a multi-target speedup (e.g. from an unsalted password) is unavailable.  For an offline attack scenario where an attacker can have an effective attack speed of a billion attempts per second— or more— the strength discussed on XKCD would fail in a day or two.

A lot of people read the comic and completely miss the point of randomness being essential and just the form of its expression being irrelevant, and so they think any random human generated string is acceptable "'duck spatula stapler outlet', that's totally random!" when in fact it is in grave danger of being compromised by attackers with powerful statistical models for human generated passwords.


Title: Re: Password strength
Post by: DeathAndTaxes on March 11, 2014, 02:36:48 PM
Quote
So can someone tell me why this password wouldn't be secure?

"OnMondayMorningsILikeToWakeUpWithANiceGlassOfOrangeJuiceBeforeEatingMyTooast"
The only issue would be if this phrase is from a book or movie (potentially even one you are unaware of).  That is why systems like diceware exist to create a truly random sequence of words.

Although brute force capabilities have come a long way, passwords consisting of 10 digits (all keyboard symbols) are beyond the brute force (see below before you complain) capabilities of most entities and 12 digits would be beyond the capabilities of nation states in most situations (i.e. no nation is going to expend a year of super computing time at a cost of $500B in order to break your facebook password :) ).   If you're a significant threat to a nation state and they would be willing to expend billions of dollars to attack you, well, you should probably push that out to 15 digits.  For those who prefer dicewords that would be 5, 6, and 8 dicewords respectively.

However that assumes the attacker is just doing a pure brute force attack of all possible passwords.  The reality is that beyond 9 digits it starts taking an increasingly incredible amount of time for each additional digit.  So password crackers are going to try a variety of methods which are often much faster (even on much longer passwords).

1) Check the hash against databases of known compromised passwords (you can find on various sites lists of 15M+ previously leaked and broken passwords).  If your passphrase is on that list you're toast.  Even some hobbyist with a single CPU can break it in a matter of minutes.

2) Check the hash against phrases from movies, books, memes, pop culture (no doubt Satoshi's genesis block quote is insecure).

3) Check the hash against a dictionary (possibly foreign languages as well).

4) A modified version of #3 is to take the same dictionary and perform derivations (which is why Troub@dor1 is a lot weaker than it may initially seem).

So having a long passphrase is good but it isn't a guarantee that the password is strong (unless it is random).  To ensure it is strong it needs to not be breakable by the four methods above as well.  I noticed in your example you wrote "Tooast" not "Toast".  If that was intentional then congratulations, it ensured it probably isn't going to match any phrase search.


Title: Re: Password strength
Post by: cointech on March 11, 2014, 03:00:23 PM
Thanks for the excellent explanation, it's appreciated.

Tooast was indeed intentional. I base all my passwords on long phrases where possible and I always repeat a specific vowel just to mess up the dictionary attacks and I always use slang.... Benefits of growing up in East London is that I have quite a large vocabulary of it.

I just wish more websites would stop limiting password length. Seriously 8 chars?


Title: Re: Password strength
Post by: bountygiver on March 11, 2014, 04:01:00 PM
From what I read from someone's advice, one of the greatest ways is to remember your password first then SHA256 it.
You may use any sort of encryption depending on your preference, as long as the encryption method is easy to acquire.
And use the encrypted hotword as raw password.


Title: Re: Password strength
Post by: R2D221 on March 13, 2014, 12:34:28 AM
Quote
You can derive a strong password from a phrase or sentence that you're unlikely to forget.

Take, say, "Dead or alive, you're coming with me." Yes, from Robocop.

This becomes "Doa,ycwm."

Throw in a number and a cap and you get "D0a,Ycwm.", which is easily remembered and pretty strong for a 9-char password.  Modify it for each website you use e.g. by adding "@alk" (for bitcointalk) or "@gle" (for Google).

Ideally the phrase or sentence should be something unique to you and something you can recall instantly.
I'm sorry, but I would find it very hard to remember it using this method. (which is the letter that will be a number now?)


Title: Re: Password strength
Post by: porcupine87 on March 13, 2014, 12:44:06 AM
Quote
You can derive a strong password from a phrase or sentence that you're unlikely to forget.

Take, say, "Dead or alive, you're coming with me." Yes, from Robocop.

This becomes "Doa,ycwm."

Throw in a number and a cap and you get "D0a,Ycwm.", which is easily remembered and pretty strong for a 9-char password.  Modify it for each website you use e.g. by adding "@alk" (for bitcointalk) or "@gle" (for Google).

Ideally the phrase or sentence should be something unique to you and something you can recall instantly.
I'm sorry, but I would find it very hard to remember it using this method. (which is the letter that will be a number now?)

I use a similar approach. I write words intentionally wrong. For a long time I used passwords like "ausdralia" or "intonesia". One different character should be enough. Just something like "d-t" or "b-p" or "g-k". And two numbers which are convenient to type.
-> short and no chance for a dictionary attack.

But way too short for a brain wallet. There you have to use more words. Take the places of your first trip in Thailand + your first car + one word written wrong -> done.


Title: Re: Password strength
Post by: OROBTC on March 13, 2014, 01:02:48 AM
...

Here is a technique that will work for some who are not tekkies.

1)  Take an obscure word or more from a foreign language (preferably one you speak and/or is obscure)

2)  Misspell the word a little

3)  Add a prefix and/or a suffix like some numbers and/or obscure abbreviations from something you know about

Example:

You have a Polish grandma, and you are a long distance runner who likes astronomy:

21milespolsckujestnajlepszaproxbantauri

Crack that!  No caps, no symbols, but if you choose well, I doubt your password would get cracked for quite a while...


Title: Re: Password strength
Post by: BADecker on March 13, 2014, 01:17:22 AM
Here is a practical idea that would work for some people. It involves using a large random character list. Use your imagination to make it stronger than it is explained in the link: https://bitcointalk.org/index.php?topic=435050.msg4779209#msg4779209.

:)


Title: Re: Password strength
Post by: Newar on March 13, 2014, 02:36:20 AM
Quote
I personally advise programs like KeePass and LastPass with 30(+) characters.
I use KeePass with the default (20 characters). Should I increase it?

If you're using Keepass you might as well make it longer. Mine is 100+ (generated within Keepass, with all the random options turned on).

Of course there's the additional discussion about Keepass only being as safe as your master password + (hopefully) key file. Also, using Keepass the question you have to ask yourself is how do you handle your master password and key file?


Title: Re: Password strength
Post by: phillipsjk on March 13, 2014, 02:57:14 AM
The only thing that matters is how predictable each character is.

Truly random ASCII printable characters have about 6 bits of entropy each. You probably want between 64 and 128 bits of entropy (11-22 characters). That implies 100 character passwords are excessive.

I sometimes hash a file that changes over time, and use the resulting 32 hex digits (4 bits each) as a high-security password.

My favourite Online Password Generator (https://www.grc.com/passwords.htm)


Title: Re: Password strength
Post by: odolvlobo on March 13, 2014, 06:27:15 AM
Simple entropy is not necessarily a good indicator of password strength. For example, "1q2w3e4r5t" looks relatively strong because it has about 42 bits of entropy, but it is a terrible password because it is one of the 10,000 most common passwords and it is in every cracker's dictionary.


Read this about judging a password by its entropy: https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-strength-estimation/
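As an added example (my own Python, not from the thread and not zxcvbn itself), here is a miniature "realistic" estimate in the spirit of the linked article: it puts the naive charset figure next to the guesses a cracker working from lists, following the four methods DeathAndTaxes laid out earlier, would actually need. The leaked list, the dictionary, the dictionary size and the rule count are constructed stand-ins.

```python
import math
import re
import string

# Added example, not from the thread or from zxcvbn: a miniature "realistic"
# strength estimate. The naive figure treats every character as uniformly
# random; the realistic one is the cheaper of brute force and list attacks.
# LEAKED, WORDS, REAL_DICT_SIZE and MANGLE_RULES are constructed stand-ins.

LEAKED = ["123456", "password", "qwerty", "1q2w3e4r5t", "letmein"]  # by popularity
WORDS = {"elephant", "elephants", "flying", "with", "bow", "ties",
         "horse", "cart", "galloping", "away"}
REAL_DICT_SIZE = 100_000   # assumed size of a real cracking dictionary
MANGLE_RULES = 1_000       # assumed case/leet/suffix variants tried per word
UNLEET = str.maketrans("@431!0$57", "aaeiiosst")   # undo common leet swaps


def charset_size(pw: str) -> int:
    """Combined size of the standard character classes that appear in `pw`."""
    groups = [string.ascii_lowercase, string.ascii_uppercase, string.digits,
              string.punctuation, " "]
    return sum(len(g) for g in groups if any(c in g for c in pw))


def naive_bits(pw: str) -> float:
    """What a simple meter reports: every character treated as uniformly random."""
    return len(pw) * math.log2(charset_size(pw))


def list_guesses(pw: str):
    """Guesses a list-driven cracker needs, or None when no list applies."""
    if pw in LEAKED:                                   # method 1: leaked-password list
        return LEAKED.index(pw) + 1
    # methods 3 and 4: undo leet, split on anything that is not a letter,
    # and look every piece up in the dictionary
    unleeted = pw.translate(UNLEET)
    parts = [p.lower() for p in re.split(r"[^A-Za-z]+", unleeted) if p]
    if parts and all(p in WORDS for p in parts):
        mangled = unleeted != pw or pw != pw.lower()
        return REAL_DICT_SIZE ** len(parts) * (MANGLE_RULES if mangled else 1)
    return None


def realistic_bits(pw: str) -> float:
    """log2 of the guesses actually needed: the cheaper of brute force and lists."""
    listed = list_guesses(pw)
    if listed is None:
        return naive_bits(pw)
    return math.log2(min(2 ** naive_bits(pw), listed))


if __name__ == "__main__":
    for pw in ("1q2w3e4r5t", "elephant", "3l3ph4nT",
               "flying elephants with bow ties",
               "fLy1ng-3l3ph4nT5_wiTh*b0w.t13$", "arjb%@&5859snJk"):
        print(f"{pw:32} naive {naive_bits(pw):6.1f} bits   "
              f"realistic {realistic_bits(pw):6.1f} bits")
```

On DooMAD's four examples the leet-speak version gains only about ten bits over the plain phrase under a list attack, not the fifty-odd the naive figure suggests.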


Title: Re: Password strength
Post by: DeathAndTaxes on March 13, 2014, 02:39:59 PM
Quote
Simple entropy is not necessarily a good indicator of password strength. For example, "1q2w3e4r5t" looks relatively strong because it has about 42 bits of entropy, but it is a terrible password because it is one of the 10,000 most common passwords and it is in every cracker's dictionary.


Read this about judging a password by its entropy: https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-strength-estimation/


Well 42 bits of entropy is also awful.  Even if it wasn't on a password list, it could be brute forced by just about anyone and then once it is, it will be on a password list.  Really one should look at a minimum of 80 bits of entropy and for high security applications more is better (128 bits would be optimal).

Still I do like the fact that the linked password meter checks against known weak/broken passwords.