Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: cbeast on April 24, 2014, 05:17:34 PM



Title: BIP 038 Bug
Post by: cbeast on April 24, 2014, 05:17:34 PM
This encryption feature should be removed from all software until the bugs are worked out. I created a set of wallets with an easy to remember password in January 2014 and now it doesn't work. I tested the password to decrypt one of the wallets before loading them. Now I cannot recover them. I have a feeling this will be a problem for a lot of people that think their BIP 038 wallets are secure.

Edit:
Win7
Either Chrome, Mozilla, or Explorer (can't recall which I used) but probably Chrome
It was Bitaddress.org saved to my drive either v2.8.1 or 2.5.1 but probably the newer
I didn't write down the exact PW, but wrote down a hint to it.

I hope this isn't a bug and is merely human error. It will be much easier to fix that way.


Title: Re: BIP 038 Bug
Post by: Abdussamad on April 24, 2014, 05:24:48 PM
This encryption feature should be removed from all software until the bugs are worked out. I created a set of wallets with an easy to remember password in January 2014 and now it doesn't work. I tested the password to decrypt one of the wallets before loading them. Now I cannot recover them. I have a feeling this will be a problem for a lot of people that think their BIP 038 wallets are secure.

How much did you lose?


Title: Re: BIP 038 Bug
Post by: cbeast on April 24, 2014, 05:29:36 PM
How much did you lose?
I'm really not counting them as totally lost yet. That would be unthinkable. It is enough to shake my faith in cryptocurrency development that such a serious bug can occur. I will not completely rule out user error, but it's highly unlikely.


Title: Re: BIP 038 Bug
Post by: cypherdoc on April 24, 2014, 05:35:45 PM
How much did you lose?
I'm really not counting them as totally lost yet. That would be unthinkable. It is enough to shake my faith in cryptocurrency development that such a serious bug can occur. I will not completely rule out user error, but it's highly unlikely.

whose code did you use?


Title: Re: BIP 038 Bug
Post by: Abdussamad on April 24, 2014, 05:37:48 PM
How much did you lose?
I'm really not counting them as totally lost yet. That would be unthinkable. It is enough to shake my faith in cryptocurrency development that such a serious bug can occur. I will not completely rule out user error, but it's highly unlikely.

Assuming you used bitaddress.org, have you tried using older versions of that site? They have a github repo where you can download old versions:

https://github.com/pointbiz/bitaddress.org/releases


Title: Re: BIP 038 Bug
Post by: cbeast on April 24, 2014, 05:40:00 PM
I updated the OP with details. I am trying all combinations of versions and browsers.


Title: Re: BIP 038 Bug
Post by: Abdussamad on April 24, 2014, 05:44:57 PM
Well it looks like bitaddress doesn't tag all its releases so you will have to use the commit log to see which version was latest around Jan:

https://github.com/pointbiz/bitaddress.org/commits/master




Title: Re: BIP 038 Bug
Post by: cbeast on April 24, 2014, 05:50:43 PM
Well it looks like bitaddress doesn't tag all its releases so you will have to use the commit log to see which version was latest around Jan:

https://github.com/pointbiz/bitaddress.org/commits/master



I always use bitaddress offline. I only have two versions saved to the drive. It looks like the newer one I updated April 5, 2014. I will look for the version from January on Github.


Title: Re: BIP 038 Bug
Post by: cypherdoc on April 24, 2014, 05:50:54 PM
I didn't write down the exact PW, but wrote down a hint to it.



could this be the problem?


Title: Re: BIP 038 Bug
Post by: cbeast on April 24, 2014, 05:59:59 PM
I didn't write down the exact PW, but wrote down a hint to it.



could this be the problem?
It was my most commonly used pw for sites I don't care about with one added salt. I have a few variations, but not many. It was such an easy pw that it was the only one I didn't bother to write down precisely. I did test it as well before loading the bitcoins.


Title: Re: BIP 038 Bug
Post by: cbeast on April 24, 2014, 06:10:11 PM
Well anyway. If I don't recover the PW, perhaps I'll hire someone to brute force crack it.


Title: Re: BIP 038 Bug
Post by: cbeast on April 24, 2014, 07:22:17 PM
I noticed bitcoinaddress v2.5.1 wallet details tab occasionally pops up a new address. It might have fooled me into thinking I verified the pw. No worries.


Title: Re: BIP 038 Bug
Post by: justusranvier on April 24, 2014, 08:04:54 PM
It was my most commonly used pw for sites I don't care about with one added salt. I have a few variations, but not many. It was such an easy pw that it was the only one I didn't bother to write down precisely. I did test it as well before loading the bitcoins.
Is it one of your bible codes?


Title: Re: BIP 038 Bug
Post by: cbeast on April 24, 2014, 08:15:13 PM
It was my most commonly used pw for sites I don't care about with one added salt. I have a few variations, but not many. It was such an easy pw that it was the only one I didn't bother to write down precisely. I did test it as well before loading the bitcoins.
Is it one of your bible codes?
No, my brain wallets are much more complex. This was the kind of pw most websites would reject as too simple except for adding the salt. With BIP 38 you need the private encrypted key, so there wasn't the need for a tough pw. I am perplexed and befuddled. I still think it may have been a possible bug in which case I will need help someday.


Title: Re: BIP 038 Bug
Post by: crazy_rabbit on April 24, 2014, 08:57:15 PM
Honestly I think this sounds like user error. Which should be somewhat comforting as you seem like you know a good starting point from which to brute force the password. This is exactly the sort of situation my device I hope will help solve.

https://bitcointalk.org/index.php?topic=566626.80


Title: Re: BIP 038 Bug
Post by: Abdussamad on April 25, 2014, 02:40:21 PM
No, my brain wallets are much more complex. This was the kind of pw most websites would reject as too simple except for adding the salt. With BIP 38 you need the private encrypted key, so there wasn't the need for a tough pw. I am perplexed and befuddled. I still think it may have been a possible bug in which case I will need help someday.

BIP38 uses scrypt to hash the password. Scrypt ASICs have been out for a few months now and faster devices are released all the time. Soon scrypt hashing will be very fast and someone will be able to brute force your keys for you. In the meantime you would do well to get a notebook and write down everything you remember about your password. The more info you have the better the chances of cracking it.

Oh and if you want to try and get it bruteforced today you can consider this guy's services:

https://bitcointalk.org/index.php?topic=240779.0




Title: Re: BIP 038 Bug
Post by: cypherdoc on April 25, 2014, 03:24:03 PM
Soon scrypt hashing will be very fast and someone will be able to brute force your keys for you.


Really?  any sources for that?

if true, there's going to be a lot of surprised ppl who assumed this would stand the test of time.


Title: Re: BIP 038 Bug
Post by: Rannasha on April 25, 2014, 03:50:57 PM
No, my brain wallets are much more complex. This was the kind of pw most websites would reject as too simple except for adding the salt. With BIP 38 you need the private encrypted key, so there wasn't the need for a tough pw. I am perplexed and befuddled. I still think it may have been a possible bug in which case I will need help someday.

BIP38 uses scrypt to hash the password. Scrypt ASICs have been out for a few months now and faster devices are released all the time. Soon scrypt hashing will be very fast and someone will be able to brute force your keys for you. In the meantime you would do well to get a notebook and write down everything you remember about your password. The more info you have the better the chances of cracking it.

The existence of ASICs for scrypt-mining has little to no effect on the strength of scrypt as a password-hashing-function. Mining ASICs perform a very specific operation on a very specific input-format and they can't be reconfigured to go password cracking. SHA-256 is being used to hash passwords across the globe, but we haven't seen the Bitcoin miners switch their equipment to crack some passwords. For the simple reason that it is impossible. You'd need a different device for it.


Title: Re: BIP 038 Bug
Post by: softron on April 25, 2014, 04:02:18 PM
Try again like 10 times. Some ppl reported it works after trying a couple times


Title: Re: BIP 038 Bug
Post by: softron on April 25, 2014, 04:03:15 PM
U should also use the same os and browser version


Title: Re: BIP 038 Bug
Post by: Beliathon on April 25, 2014, 04:17:53 PM
I didn't write down the exact PW, but wrote down a hint to it.



could this be the problem?
https://www.youtube.com/watch?v=b3_lVSrPB6w


Title: Re: BIP 038 Bug
Post by: Abdussamad on April 25, 2014, 05:14:40 PM
No, my brain wallets are much more complex. This was the kind of pw most websites would reject as too simple except for adding the salt. With BIP 38 you need the private encrypted key, so there wasn't the need for a tough pw. I am perplexed and befuddled. I still think it may have been a possible bug in which case I will need help someday.

BIP38 uses scrypt to hash the password. Scrypt ASICs have been out for a few months now and faster devices are released all the time. Soon scrypt hashing will be very fast and someone will be able to brute force your keys for you. In the meantime you would do well to get a notebook and write down everything you remember about your password. The more info you have the better the chances of cracking it.

The existence of ASICs for scrypt-mining has little to no effect on the strength of scrypt as a password-hashing-function. Mining ASICs perform a very specific operation on a very specific input-format and they can't be reconfigured to go password cracking. SHA-256 is being used to hash passwords across the globe, but we haven't seen the Bitcoin miners switch their equipment to crack some passwords. For the simple reason that it is impossible. You'd need a different device for it.

I see. I didn't know that. My mistake.


Title: Re: BIP 038 Bug
Post by: cbeast on April 25, 2014, 05:49:13 PM
U should also use the same os and browser version
If that were the case, then a lot of people will be surprised one day when their wallets won't open.


Title: Re: BIP 038 Bug
Post by: cp1 on April 25, 2014, 05:52:13 PM
U should also use the same os and browser version
If that were the case, then a lot of people will be surprised one day when their wallets won't open.

There actually was a bug for a while where a version of Safari was giving different encryption than every other browser.


Title: Re: BIP 038 Bug
Post by: cbeast on May 01, 2014, 06:09:31 AM
Check out this commit: https://github.com/pointbiz/bitaddress.org/commit/4f11d4fb62eff5421f56b28dc9cbfd332a22a9c4

It implies that you used to be able to make a BIP038 wallet with an empty passphrase. Why don't you try removing the check for an empty passphrase and see if that works.
Thanks for the suggestion. I removed that bit of code, but still got the incorrect passphrase alert when I tried to decrypt. I've spent over 20 hours casually trying to manually brute force my simple pw. It was a keyboard peck type pw similar to qwerty only longer.


Title: Re: BIP 038 Bug
Post by: jubalix on May 01, 2014, 06:50:53 AM
This encryption feature should be removed from all software until the bugs are worked out. I created a set of wallets with an easy to remember password in January 2014 and now it doesn't work. I tested the password to decrypt one of the wallets before loading them. Now I cannot recover them. I have a feeling this will be a problem for a lot of people that think their BIP 038 wallets are secure.

Edit:
Win7
Either Chrome, Mozilla, or Explorer (can't recall which I used) but probably Chrome
It was Bitaddress.org saved to my drive either v2.8.1 or 2.5.1 but probably the newer
I didn't write down the exact PW, but wrote down a hint to it.

I hope this isn't a bug and is merely human error. It will be much easier to fix that way.

always make sure you have actual private keys and test them.


Title: Re: BIP 038 Bug
Post by: DeathAndTaxes on May 01, 2014, 08:16:32 AM
BIP38 uses scrypt to hash the password. Scrypt ASICs have been out for a few months now and faster devices are released all the time. Soon scrypt hashing will be very fast and someone will be able to brute force your keys for you.

That is completely wrong.

First Litecoin et al used a crippled version of scrypt making it many orders of magnitude less memory hard.   Before the history of Litecoin was revised it was designed to be anti-GPU because GPU farms were going to kill Bitcoin.   However it turns out the parameters chosen were "accidentally" too weak and it allowed GPU cache to be used very effectively.  BIP38 is designed to actually be memory hard.

Litecoin Scrypt parameters: n = 1024; p = 1; r = 1;
BIP38 Scrypt parameters: n = 16384; p = 8; r = 8;

Still even if BIP38 used the gimped parameters selected for Litecoin the ASICs would be next to useless.   Mining ASICs are heavily optimized to only be effective at mining.  They only hash block headers and they internally increment the nonce so that 4 billion hashes are computed for a given partial block header.   This makes them beyond useless for password cracking.

BIP38 is the real deal.  Brute forcing is essentially impossible although in the OP case the fact that he may have a partial password means that a permutation attack may be effective but even that really depends on how different the remembered password and actual password are.  If it is a significant deviation it may be infeasible, Scrypt is that tough to crack (except when gimped to create a "CPU only POW which turns out it is GPU capable but turns out that is ok because ASICs are the real threat and ASIC Scrypts will never be possible except they are so it served no purpose except maybe to people who figured out it wasn't as memory hard as claimed early on").





Title: Re: BIP 038 Bug
Post by: cbeast on May 01, 2014, 11:57:17 AM

always make sure you have actual private keys and test them.
I am certain I tested it. The pw wasn't complex. I only wrote a hint because that's all I needed after testing it. We'll see someday if anyone else had this happen. Like I said though I may have been tricked into thinking I verified the pw because the older versions of bitaddress.org will sometimes just randomly pop up a bitcoin key pair. I should have double tested it but who does that? They usually ask you to enter the pw twice when you create them.


Title: Re: BIP 038 Bug
Post by: QuantumQrack on May 01, 2014, 02:07:05 PM
http://www.walletrecoveryservices.com/

If the amount is significant to you, give this guy a try.


Title: Re: BIP 038 Bug
Post by: DeboraMeeks on May 01, 2014, 02:17:53 PM
Fuck this could be big, i have some btc encrypted that way too.


Title: Re: BIP 038 Bug
Post by: MegaHustlr on May 01, 2014, 04:12:57 PM
http://www.walletrecoveryservices.com/

If the amount is significant to you, give this guy a try.

But if it's a problem with the software then that guy can't help.


Title: Re: BIP 038 Bug
Post by: DeathAndTaxes on May 01, 2014, 05:33:08 PM
Fuck this could be big, i have some btc encrypted that way too.

Well while I respect cbeast I would say "Exceptional claims require exceptional proof".  So far this hasn't been replicated and thus the most likely explanation is user error.  That doesn't mean it is user error just that it is the most likely.  However it probably would be a good idea to verify your encrypted keys.  The more people that do that the more potential datapoints.

The potential issue however did make me think of a way web services like this could be improved.  Unit testing is a pretty common way to ensure code changes don't introduce bugs.  They usually are done prior to deployment but with browsers being open systems with potential incompatibilities and the fact that javascript is interpreted it might be a good idea for this (and other) projects to do some "inline unit testing" as a form of self check.  When the service loads (maybe just after collecting entropy) it could perform some keypair generation and encryption using known inputs and outputs.  If there is a browser javascript incompatibility that may catch it.  The code takes a known private key X and password P, generates PubKey Y, and encrypted key Z.  The computed Y & Z are compared against the known correct Y & Z.  Depending on execution time it may be possible to run multiple unit tests to provide a level of code coverage.

If nothing else a green "self check = OK" would provide a form of user feedback/assurance.  For the paranoid maybe provide an option for a more extensive self check that may take multiple minutes to complete.
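
Added example (not part of the thread and not bitaddress.org's code): a load-time known-answer self check of the kind proposed in the post above, written for Node.js and narrowed to the non-EC-multiplied BIP38 path (6PR/6PY strings), using the first test vector published in the BIP38 draft. The function names are hypothetical, and the final address-hash comparison a full decryptor performs is omitted because it needs secp256k1; the EC-multiplied 6Pf format discussed later in the thread is not covered.

```javascript
// Added example: known-answer self check for BIP38 (non-EC path only).
// Function names are hypothetical; only Node's built-in crypto is used.
const crypto = require('crypto');

const B58 = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
const sha256 = (b) => crypto.createHash('sha256').update(b).digest();

// Base58Check decode: returns the payload after verifying the 4-byte checksum.
function base58CheckDecode(str) {
  let n = 0n;
  for (const ch of str) {
    const d = B58.indexOf(ch);
    if (d < 0) throw new Error('invalid base58 character');
    n = n * 58n + BigInt(d);
  }
  let hex = n.toString(16);
  if (hex.length % 2) hex = '0' + hex;
  const zeros = str.match(/^1*/)[0].length; // each leading '1' is a 0x00 byte
  const raw = Buffer.concat([Buffer.alloc(zeros), Buffer.from(hex, 'hex')]);
  const payload = raw.subarray(0, raw.length - 4);
  const check = raw.subarray(raw.length - 4);
  if (!sha256(sha256(payload)).subarray(0, 4).equals(check)) {
    throw new Error('bad base58check checksum');
  }
  return payload;
}

// Decrypt a non-EC-multiplied BIP38 key (payload prefix 0x01 0x42).
// Returns the candidate private key as hex. A wrong passphrase still yields
// 32 bytes; a full implementation derives the address from them and compares
// its double-SHA256 prefix with the 4-byte salt (omitted: needs secp256k1).
function bip38DecryptNonEc(encrypted, passphrase) {
  const p = base58CheckDecode(encrypted);
  if (p.length !== 39 || p[0] !== 0x01 || p[1] !== 0x42) {
    throw new Error('not a non-EC-multiplied BIP38 key');
  }
  const salt = p.subarray(3, 7); // address hash doubles as the scrypt salt
  const derived = crypto.scryptSync(
    Buffer.from(passphrase.normalize('NFC'), 'utf8'), salt, 64,
    { N: 16384, r: 8, p: 8, maxmem: 64 * 1024 * 1024 });
  const aes = crypto.createDecipheriv('aes-256-ecb', derived.subarray(32), null);
  aes.setAutoPadding(false);
  const plain = Buffer.concat([aes.update(p.subarray(7, 39)), aes.final()]);
  for (let i = 0; i < 32; i++) plain[i] ^= derived[i]; // XOR with derivedhalf1
  return plain.toString('hex');
}

// Known-answer vector: "No compression, no EC multiply, Test 1" from BIP38.
const KAT = {
  passphrase: 'TestingOneTwoThree',
  encrypted: '6PRVWUbkzzsbcVac2qwfssoUJAN1Xhrg6bNk8J7Nzm5H7kxEbn2Nh2ZoGg',
  privateKeyHex: 'cbf4b9f70470856bb4f40f80b87edb90865997ffee6df315ab166d713af433a5',
};

// Run once at load, before any key is generated or shown to the user.
function selfCheck() {
  try {
    const got = bip38DecryptNonEc(KAT.encrypted, KAT.passphrase);
    return got === KAT.privateKeyHex
      ? { ok: true, detail: 'self check = OK' }
      : { ok: false, detail: 'scrypt/AES output differs from known answer' };
  } catch (e) {
    return { ok: false, detail: 'self check threw: ' + e.message };
  }
}

console.log(selfCheck().detail);
```

A page built this way would refuse to generate or decrypt keys whenever `selfCheck().ok` is false, which is how a browser-specific scrypt or AES incompatibility would surface before funds are sent to a key.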


Title: Re: BIP 038 Bug
Post by: telepatheic on May 01, 2014, 08:32:11 PM
Just as a sanity check, does your BIP38 address start with 6PR or does it start with 6PY?





Title: Re: BIP 038 Bug
Post by: cbeast on May 01, 2014, 08:41:40 PM
Just as a sanity check, does your BIP38 address start with 6PR or does it start with 6PY?




It starts with a 6Pf


Title: Re: BIP 038 Bug
Post by: telepatheic on May 01, 2014, 08:59:28 PM
6Pf is the correct format for bitaddress.org I was looking at something else.

6Pf means EC-multiplied keys without compression, I will look into the code and see if I can find anything unusual.


Title: Re: BIP 038 Bug
Post by: cbeast on May 01, 2014, 10:01:17 PM
6Pf is the correct format for bitaddress.org I was looking at something else.

6Pf means EC-multiplied keys without compression, I will look into the code and see if I can find anything unusual.
I appreciate that. It just seems impossible I could have erred in such a way while sober.


Title: Re: BIP 038 Bug
Post by: BittBurger on May 01, 2014, 10:10:17 PM
cbeast -

Probably totally irrelevant, but I ran into a similar situation with Bitcoin QT.  
Despite copying and pasting (versus manually typing) my private key passphrase every time, from a source document, I woke up one morning to a wallet that was rejecting that passphrase.
I had a lot.  And I mean a lot ... of Bitcoins in that wallet.  It was stored offline.
Different issue, but strange solution.
I went through every single character and tried its inverse.  Like this:
Known and quadruple verified passphrase which was copied and pasted:  

uPjKmN
Tried:
UPjKmN
then...
upjKmN
then...
uPjkmN
then...
uPjKmn

Switching the case of each character each time i re-tried.
and that worked.
It shouldn't have.

Immediately got rid of QT and put all my sh*t on paper wallets.


Title: Re: BIP 038 Bug
Post by: telepatheic on May 01, 2014, 10:25:54 PM
I've looked into the code: nothing has changed to it since October, and it seems to be doing the right thing, although I haven't looked at it in very close detail. It works now, so it should have worked when you generated it. The only thing I can really suggest right now is that you send me the BIP38 encoded address and I will see if I can work out if there is anything wrong with it (which is a small possibility).


Title: Re: BIP 038 Bug
Post by: drrussellshane on May 01, 2014, 10:35:15 PM
I've looked into the code: nothing has changed to it since October, and it seems to be doing the right thing, although I haven't looked at it in very close detail. It works now, so it should have worked when you generated it. The only thing I can really suggest right now is that you send me the BIP38 encoded address and I will see if I can work out if there is anything wrong with it (which is a small possibility).

Just tell him what it is, telepatheic!  ;)


Also, I hope that cbeast recovers his funds, and finds that BIP38 is ok after all. Otherwise, this is pretty bad news.



Title: Re: BIP 038 Bug
Post by: telepatheic on May 01, 2014, 10:48:05 PM
BIP38 is still technically a draft. There hasn't been a huge amount of technical discussion about it. Personally I think there are some weird design decisions and it could be made a lot simpler. Unfortunately, it is being used so much in the wild that a change in protocol seems unlikely.


Title: Re: BIP 038 Bug
Post by: cbeast on May 01, 2014, 10:49:29 PM
cbeast -

Probably totally irrelevant, but I ran into a similar situation with Bitcoin QT.  
Despite copying and pasting (versus manually typing) my private key passphrase every time, from a source document, I woke up one morning to a wallet that was rejecting that passphrase.
I had a lot.  And I mean a lot ... of Bitcoins in that wallet.  It was stored offline.
Different issue, but strange solution.
I went through every single character and tried its inverse.  Like this:
Known and quadruple verified passphrase which was copied and pasted:  

uPjKmN
Tried:
UPjKmN
then...
upjKmN
then...
uPjkmN
then...
uPjKmn

Switching the case of each character each time i re-tried.
and that worked.
It shouldn't have.

Immediately got rid of QT and put all my sh*t on paper wallets.
ummm... that's actually very similar to my passphrase. It was THAT simple, though much longer. And yes, it was over 100 BTC and they are not all mine.


Title: Re: BIP 038 Bug
Post by: cbeast on May 01, 2014, 10:55:55 PM
Is it possible passphrases are truncated at a certain length?


Title: Re: BIP 038 Bug
Post by: cypherdoc on May 01, 2014, 10:58:35 PM
Is it possible passphrases are truncated at a certain length?

NO


Title: Re: BIP 038 Bug
Post by: telepatheic on May 04, 2014, 10:49:10 PM
Is it possible passphrases are truncated at a certain length?

The code should deal with this fine, just out of interest was your passphrase longer than 32 characters/bytes?


Title: Re: BIP 038 Bug
Post by: cbeast on May 05, 2014, 12:55:38 AM
Is it possible passphrases are truncated at a certain length?

The code should deal with this fine, just out of interest was your passphrase longer than 32 characters/bytes?
It is possible.


Title: Re: BIP 038 Bug
Post by: googlemaster1 on May 05, 2014, 01:23:58 AM
When I made my ironkeys with bip wallets on them, I put the setup file for the version of the browser I used as well.  There were various reports as issues with that.


Title: Re: BIP 038 Bug
Post by: cbeast on May 05, 2014, 01:38:26 AM
I am working with a professional to try to recover them. If I don't, then I think I am done with it. I've lost over half my bitcoins to key management problems. If all bitcoin is good for is to make paper wallets and store them in safes, then it isn't a useful technology.


Title: Re: BIP 038 Bug
Post by: googlemaster1 on May 05, 2014, 01:48:57 AM
I am working with a professional to try to recover them. If I don't, then I think I am done with it. I've lost over half my bitcoins to key management problems. If all bitcoin is good for is to make paper wallets and store them in safes, then it isn't a useful technology.

Just run through the gamut of browser versions and types.  You'll be fine.  Keep calm and bitcoin on, sir :)


Title: Re: BIP 038 Bug
Post by: Velkro on May 05, 2014, 01:50:11 AM
not BIP38 problem probably