Bitcoin Forum
281  Bitcoin / Development & Technical Discussion / Re: Brain wallet, step-by-step guide (FIXED!)[Mod note: DO NOT USE BRAINWALLETS] on: January 03, 2017, 07:06:44 PM
I think it's amusing that the two people in this thread loudly trumpeting brainwallets are someone who says they have a fetish for cracking passwords and someone who has posted extensively about wallet cracking and tried to sell scam wallet cracking tools.

This fits right in with the fact that the person who popularized the idea and created brainwallet.org was cracking these kinds of keys and complaining about how few he was finding online before creating the site.

Food for thought.

Give me a break Smiley

By this logic nobody should trust your expertise on cryptography because you know too much about the topic and your advice might be luring unconscious people into using solutions that you claim are secured, but personally know how to break.

How are you going to answer that?

If you want to have an adult debate with me, question the technical aspects of what I'm saying, instead of trying to undermine my motives. It's just pathetic, man. How old are you?
282  Bitcoin / Development & Technical Discussion / Re: Brain wallet, step-by-step guide (FIXED!)[Mod note: DO NOT USE BRAINWALLETS] on: January 03, 2017, 12:24:33 PM
Why does the title say "Mod note: Do not use brain wallets"?
Because the mod is a type of person that prefers to run a forum for kids who he can impress and patronise all the time.
Rather than a forum for adults who can challenge his thinking, so he could sometimes learn something more here.
283  Bitcoin / Development & Technical Discussion / Re: Brain wallet, step-by-step guide (FIXED!)[Mod note: DO NOT USE BRAINWALLETS] on: January 03, 2017, 10:22:49 AM
The lyrics of a song, a quote, or, for that matter, any sentence that makes sense, are very insecure.

Yes - that is what one should assume making a password that will protect his life's savings.
That's what I assume...

But I'm still dying to see any research that would approach the problem of cracking brain wallet passwords that are "sentences that make sense".
Let me give you a few examples:

Code:
I met a girl, her name was Marlena Witchenberg, I asked her out and she said NO.

Code:
When I was a kid my dad used to take me out for fishing - to a place called Bloodrocks

Code:
One day I will be a milioner, because the only one bitcoin I own will be worth more than 1 million :)

These are all sentences - grammatically correct and quite easy to remember if they have sentimental value for you.
But according to my knowledge and understanding, as of today, they are (were, before I posted them) impossible to crack.
There is loads of research to be done, before anyone can even start cracking these kinds of wallets.
Obviously it cannot be done by a man thinking of sentences and typing them in - he would die behind the keyboard with zero hits.
But there is no software that can brute-force "sentences that make sense", preferably only those that have a sentimental value to a targeted person.
Even if there is some software like that, it is not very fast, because creating all kinds of "sentences that make sense" is a very complex problem to solve by a machine.
For a machine, it might actually be easier to reverse the EC multiplication function.
284  Bitcoin / Development & Technical Discussion / Re: Brain wallet, step-by-step guide (FIXED!)[Mod note: DO NOT USE BRAINWALLETS] on: January 02, 2017, 09:03:17 PM
For me cracking brain wallets is not quite about dictionary attack.

Obviously if anyone is using a single word from a dictionary as the seed for his brain wallet then he is an idiot. Idiots get hit by buses every day - we can't save them.
But... any modern wallet can bring its actual seed to a sequence of 12 or 24 words - and that's from a 'dictionary' of 2048 words.
Because that's what 256 bits of data come down to.
Plus Bitcoin addresses have only 160-bit security - so, it's even fewer words.

So what if I am to choose my seed to be a sentence made of 12 or 24 words? From an undefined dictionary...
Should it not be at least as secure as the other 12/24 words method???

And they say: NO - because we have 'researched' it and our 'studies' have proven [again!] that if you choose 12/24 words from the unlimited dictionary, then we can guess what these words were! Roll Eyes
There is absolutely no published science to back this up.
It's fucking bollocks - show how you do it, or you are a fraud! And I haven't seen a single paper, let alone a software, on how anyone would be choosing the words to mimic my thinking.
What I've seen so far was only a primitive software that either uses brute forcing on characters or requires the list of the passwords to be provided to it - that's it. That's all their 'research'.

Where is the research showing that a software can choose/guess/predict a set of words in a way to 'guess' what a human being was thinking?
There isn't any.
Because it's nowhere even close as simple as they suggest. People publishing these papers are too stupid to even understand the problem - they have absolutely zero chance to start approaching it from the right angle.

285  Bitcoin / Development & Technical Discussion / Re: Some magic? on: December 28, 2016, 05:33:32 PM
I found it interesting.
Thanks for starting this topic, @amaclin

It intrigued me how one can make a valid signature before having the message.
Thanks for explaining, @gmaxwell
286  Bitcoin / Development & Technical Discussion / Re: Brain wallet, step-by-step guide (FIXED!)[Mod note: DO NOT USE BRAINWALLETS] on: December 27, 2016, 09:52:54 PM
Excuse me posting the third time in a row, but I was rushing out in the morning and didn't have much time to write down all my thoughts.

Quote
Brainwallets were literally invented by someone who was out to rip people off; no joke!
Well, if it's not a joke, then let me explain how you are wrong.

Nobody invented brain wallets!

Perhaps there was a person who named it like that (nice naming, BTW), but he did not invent it!

Brain wallets are natural, just like using the fingers for picking your nose is natural.
You don't invent it - it's just there, ready to be used.

I use brain wallet not because someone showed it to me.
I use it because one day I found it to be a perfect method for creating a seed for a master private key of a bitcoin wallet.
And it didn't take a process - it was just a thought; a natural thought, like thinking of having a swim in a hot weather.

So please stop spreading such disinformation, because not only that it isn't helpful to anyone, but it's also not good for you.
Unless your goal is not to be perceived as a bitcoin scientist/technician, but rather as a bitcoin apostle/preacher.


EDIT:
In the other part of your argument, you mentioned that "rainbow tables" can be used to crack the brain wallets..
I mean, come on, man - are you kidding me?
There is no fucking way you don't know that rainbow tables are completely useless for cracking 256-bit hashes..
Why would you even bring such a term into the discussion?
What is the purpose of that if not trying to convince clueless people that your thesis is right, without providing any actual arguments?

EDIT2:
I have been fascinated with password cracking ever since I was 20.
They almost kicked me out of the university, because of that.
But it wasn't my fault - I was just a kid harmlessly experimenting with stuff.
Back then, in the 90s, cracking unix account passwords was as easy as looking for the match inside the /etc/passwd file.
John the Ripper - is the software I will always remember. It's old school, but still great software.
I know very well how much progress has been made in the field over the past 20 years.
And today I choose brain wallet. It's not preaching - it's experience.

I am not telling anyone what he should or should not do - I'm just telling him what I know.
Well, maybe I'm also preaching a bit: Believe in your brain and its limitless imagination - it's far more sophisticated than any PRNG invented by man. Smiley

EDIT3:
When I read about all these "research" papers and browse through slideshows from some DEFCON meetings - for me it's just some kids looking for attention, playing with 30-year-old technology, which they don't really understand. Had they understood it, they would have had much bigger respect for the very complex problem of cracking passwords. But all I see is infantile boasting and patronising with statements that have absolutely no technical backup.
You kids... Smiley
287  Bitcoin / Development & Technical Discussion / Re: block reward that can never be spent on: December 27, 2016, 02:29:44 PM
(I knew that only genesis block reward cannot be spent)

Not only.
I believe there are two cases in the block chain where coinbase TX had the same ID as another one before it.
It is not possible anymore, but it used to be possible.
The two rewards became unspendable when the nodes' implementation switched to LevelDB (that replaced BerkeleyDB for storing UTXO set).
They were spendable before, but now such is the "consensus".

But I don't know anything about "[reward from] the block immediately following every halving can never be spent"
That would be something new, would have to be some implementation bug.
But more likely it's just fake news Smiley
288  Bitcoin / Development & Technical Discussion / Re: Brain wallet, step-by-step guide (FIXED!)[Mod note: DO NOT USE BRAINWALLETS] on: December 27, 2016, 01:37:13 PM
But I still think that the brain wallets in the traditional sense of the word should be secure enough, if their owner only puts enough effort into their complexity and uniqueness.

Like the example I mentioned in the other thread: Make a poem and remember it.
Not a short poem, but it also doesn't need to be a very long one - a haiku might be long enough, although two haiku (one after another) would be much better.

Despite what some people might be claiming, there is no way to paint a second Mona Lisa just by coincidence.
Almost every human being (there might be some brain damaged ones) is able to create original artistic constructs inside his brain.
And the one thing computers can't do is artistic - the only way to crack an original poem is through brute forcing.
So, to make it even harder for dictionary-based, lexical-whatever-sf-enforced brute forcing, do not use the words as they are.
Modify the words inside your poem, using a system that only you know.
For example:
 - Use only the first and the last letter of each word
 - Skip words of certain lengths
 - Repeat some words or some characters
 - Use customised separation characters between the words (e.g. - | & * @)
 - Swap the letters (all or only two of them) inside each word
 - Add the salt (e.g. your name, phone number, your email's password) at the end, the beginning or (best) somewhere in the middle.
 - etc. etc. etc. - use your imagination - it's limitless!

Also: the last thing you should do is following the exact system I just described. Smiley
It was good, before I posted it, though.
Anyway, I hope you catch my point.


Mind that you can also combine one or more of the methods/techniques/systems, if you are still unsure about the security of a single one.
So for instance: the book, combined with the wife's photo, combined with the poem - even god himself armed with an MRI connected to your head won't crack that, if you don't screw it up.
289  Bitcoin / Development & Technical Discussion / Re: Brain wallet, step-by-step guide (FIXED!)[Mod note: DO NOT USE BRAINWALLETS] on: December 27, 2016, 12:34:49 PM
What we maybe should also mention here is a kind of wallet that actually requires a file, but the key to its existence is only in your brain.

A bit like a system with a book I mentioned before, but slightly different...

Think of a photo of your wife. A jpeg file would be good, as it has nice "entropy".
Now, think of two numbers - e.g. her birthday and age... or whatever big enough.
Then cut (from the file) the number of bytes expressed by the second number, from the file's offset expressed by the first number.
All you need for that is "dd" command. You can concat two or three such fragments, to increase security... Maybe even append some simple string (e.g. your last name) at the end of the extracted data...
Then get a 256-bit hash of it - that would be your master private key.


A photo of your wife you can have stored anywhere, even in the cloud - nobody is going to find it suspicious. Perhaps they will even let you have it in prison. Smiley
But the key to the wallet is only in your brain.
Now, if nobody knows that the wife's picture is actually the wallet, there is no way to crack it.

This is just one of unlimited methods for making a secure brain wallet.
Just use your brain and imagination and you can create a very secure brain wallet, that no person on earth can crack, find or seize - while you always have it with you.
This is a security and convenience that no random generator based wallet will ever give you.
290  Bitcoin / Development & Technical Discussion / Re: Brain wallet, step-by-step guide (FIXED!)[Mod note: DO NOT USE BRAINWALLETS] on: December 27, 2016, 12:21:25 PM
You seem to have ignored my point that a brainwallet is equivalent to storing an unsalted password hash in a public database. Do you consider that incompetent security?

Of course, a randomly generated and then password-encrypted wallet is by definition more secure than a brain wallet made by the same password.

But then you come back to the problem of choosing the secure password, don't you?
Which brings you back to the point that you need to learn about choosing secure passwords.
And after you learn to choose passwords that are secure enough, you might just as well use a brain-only solution.
291  Bitcoin / Development & Technical Discussion / Re: Brain wallet, step-by-step guide (FIXED!)[Mod note: DO NOT USE BRAINWALLETS] on: December 27, 2016, 12:13:50 PM
- They cannot be seized
Equally true of a password protected backup wallet. And both can be seized after finding evidence of you using them in the blockchain or on your computer and then liberally applying a hammer to your non-dominant hand.

Sorry, I didn't mean that they cannot be seized by any type of government.
Mine isn't running a torture camp in Guantanamo - applying a hammer to my head would be illegal where I live.
Plus then I'd most definitely forget it Smiley
292  Bitcoin / Development & Technical Discussion / Re: Brain wallet, step-by-step guide (FIXED!)[Mod note: DO NOT USE BRAINWALLETS] on: December 27, 2016, 12:01:50 PM
Also nobody is talking about the advantages of (strong) brain wallets, that are actually making them more secure than PRNG based wallets.

Besides the two I mentioned already:
- They don't rely on anyone's (publicly known) implementation of the "entropy"
- They don't require backups

There is more:
- They cannot be seized
- They don't need to be carried
- Their existence can be denied / can't be proven
- Even if someone can prove that a brain wallet had existed at some point in time, he's still unable to prove that you have not forgotten the password

These are mostly about legal security, but isn't Bitcoin's success itself exactly about it?
You see, in my opinion, the biggest enemy of the brain wallets should be the government.
293  Bitcoin / Development & Technical Discussion / Re: Brain wallet, step-by-step guide (FIXED!) on: December 27, 2016, 11:40:47 AM
piotr_n: Errors like you talk about are what happen sometimes when technical experts given all the time in the world work on secure entropy.  What do you think will happen when you ask less technical end users to take care of it for themselves?
By this logic: what do you think will happen if you ask an average John to secure his backup of the wallet file?

Is this a forum for Development & Technical Discussion - or not?
If it is, then why are you bringing politics into it?

If people _massively_ overestimate their ability to choose unguessable strings then shouldn't we be discussing and advertising methods of choosing unguessable strings?
Instead of not-discussing brain wallets at all, because you believe that people are too stupid to choose a password that cannot be "easily predicted and exploited by attackers".


I believe that a brain wallet is the most secure wallet for me - and I am putting my money behind it, because I use such wallets myself.
I am willing to share my knowledge of choosing complex enough passwords with anyone who wants to learn about the topic.
But I am not interested in arguing with your "research demonstrates again that brain wallets are not secure and no one should use them" propaganda, because I have no time for such bullshit.
294  Bitcoin / Development & Technical Discussion / Re: Brain wallet, step-by-step guide (FIXED!) on: December 21, 2016, 10:33:00 AM
Every now and then we hear about people's coins getting lost, because their wallet was using a fucked up random number generator.

Fucking Google distributed a "secure" random number source to millions of android devices and it was only discovered by lost bitcoins that it was being initiated with a 31-bit seed.
They claimed that it was a bug, but who the hell knows - might just as well have been a mistake by design.

How many more fuck ups have to come out in PRNG implementations, before you guys start considering a thesis that your brain combined with a simple sha256 hash might be actually far better source of (pseudo) entropy than all of these corporate solutions that nobody is able to fully audit?
295  Bitcoin / Development & Technical Discussion / Re: Brain wallet, step-by-step guide (FIXED!) on: December 21, 2016, 10:16:38 AM
Mind that entropy is just an abstract concept that basically quantifies the amount of chaos within a certain set of data.

Trust me: there is no chaos inside the data provided by the random number generators that you guys use and praise to be so much more secure than my brain.
Software based (pseudo) random number generators follow an algorithm, that is just a mathematical function which turns input data into the pseudo-random numbers.
The input data for this function are things like: current time, content of your system's memory, the keys you're pressing on your keyboard, or your mouse cursor movements - that's it.

There are some implementations of hardware-based random number generators, which are supposed to provide real random numbers, but they are so shady that smart people will rather stick to the software solutions - pseudo random number generators.
And why?
Because at least with the software PRNG they can audit the code and quantify the complexity of recovering the seed by an attacker.
Which is exactly where the security of the brain wallet is - in the complexity of recovering the seed by an attacker.

http://arstechnica.com/security/2013/12/we-cannot-trust-intel-and-vias-chip-based-crypto-freebsd-developers-say/
296  Bitcoin / Development & Technical Discussion / Re: Brain wallet, step-by-step guide (FIXED!) on: December 20, 2016, 08:42:31 PM
Now you've made me intrigued, how is it possible that nobody has painted a second Mona Lisa, just by coincidence Smiley

https://en.wikipedia.org/wiki/Mona_Lisa_replicas_and_reinterpretations Smiley

If you don't understand that the security of ECDSA is all about complexity of reversing the EC multiply function, then we have nothing to discuss any further.

Finally, we can agree on something.

Certainly Bitcoin would be broken if it was possible to quickly calculate a private key from a given ECDSA public key. However, without sufficient entropy in the selection of the private key, the security is lost before you ever even know the public key.

You're wasting my time and the time of people reading this topic.

One of us is.

You're embarrassing yourself.
297  Bitcoin / Development & Technical Discussion / Re: Brain wallet, step-by-step guide (FIXED!) on: December 20, 2016, 08:26:38 PM
It also is about the likelihood that someone else will choose something similar by coincidence.

Now you've made me intrigued, how is it possible that nobody has painted a second Mona Lisa, just by coincidence Smiley

Quote
The security of bitcoin is based entirely on the entropy of the private key.  

What???
Man, you don't know what you are talking about.

If you don't understand that the security of ECDSA is all about complexity of reversing the EC multiply function, then we have nothing to discuss any further.

You're wasting my time and the time of people reading this topic.
298  Bitcoin / Development & Technical Discussion / Re: Brain wallet, step-by-step guide (FIXED!) on: December 20, 2016, 07:24:48 PM
Quote
What he's saying is that really smart people understand the importance of entropy and the lack of entropy in their own minds. Therefore, they tend to acknowledge that they are not capable of thinking of a strong password. Those that are most likely to believe that their password is strong enough are the ones that are most likely to be wrong about that belief. Not everyone. Just most. Perhaps you actually have come up with enough entropy in your brainwallet, but that doesn't mean you should encourage the average person to try.

Stop talking this nonsense about entropy.
What's this obsession of you guys, with the entropy of brain wallets?
Entropy has nothing to do with it - the security of brain wallets is solely about complexity of breaking the password.

How much entropy does the EC multiply function give you?
Fucking zero!
Each time it calculates exactly the same public key, for the same private key.
And yet, all the bitcoin security is based on this zero-entropy calculation.
Why?
Because reversing this function is too complex for anyone to calculate the private key, from the public key.
Just like cracking a good brain wallet is too complex.
299  Bitcoin / Development & Technical Discussion / Re: Brain wallet, step-by-step guide (FIXED!) on: December 20, 2016, 10:29:09 AM
Now, please prove me wrong.

You're using math that assumes people generate their passphrases or passwords randomly. It is possible for people to do this. A small number of them do. The problem is that, as every database leak that's included hashed passwords has shown, the vast majority of people choose weak passwords. This is a problem, since brainwallets automatically leak what amounts to a hash immediately on use.

So yes, I believe that most people are not capable of choosing a password or passphrase that is sufficiently strong to use as a brainwallet, and there is a mountain of evidence to support me. This is not a matter of ego. I would not feel comfortable in my ability to come up with a password or passphrase that could not be cracked without a secure random number generator. Is it really so hard to believe that I, and others like me, genuinely want to help prevent people from losing money?

I am not saying "it's impossible to create a brainwallet that won't be cracked". My argument is that so many people are not able to evaluate whether their passwords or passphrases are strong enough that assisting them in creating a brainwallet is an act of gross negligence.

Of course I am using math - what else am I supposed to be using?
Math is the only objective language to describe the complexity of the problem. Or a lack of it, if you prefer...

Without the math we are only debating our beliefs.
What you are saying is that you believe people are not smart enough to think of a strong password.
However, you seem to believe that the same people are smart enough to secure their file system from the hackers, plus to secure all the possible storage places (for the backup) from accessing by unwanted parties. Not to mention a physical access to the actual storage.

Well this is where we disagree.

I believe it is much easier to come up with the password that no other person on earth can crack/think-of, than to find a file storage that no other person can access.

And is it really so hard to believe that I, and others like me, genuinely want to help prevent people from losing money?

And again: I wish we could discuss technical and numbers here (exactly the math), instead of playing politics on which demagogy is going to get a bigger applause.

So, coming back to "how much wood could a woodchuck chuck if a woodchuck could chuck wood" - obviously it is a very bad password.
It is not better than my 8-random-characters example.
Anything that can be searched in Google is a very bad password.
Even Tolkien's entire trilogy would be a bad idea to use as a brain wallet... unless you pick a set of words from the trilogy, by the system that only you know and remember - such could be a very strong password.
Now, if you don't know the system by which I chose the words from a book, how can you possibly write a software to crack it, even had you known the book?

Anyway, do you have any other "strong" passwords that you or anyone else have cracked?
Because so far I have not seen an example of a cracked password that I'd consider strong.

IMO, there is absolutely no backup to conclude that [any] "research demonstrates [again] that brain wallets are not secure and no one should use them".
This is a bunch of bollocks and people claiming such nonsense, calling it a research, are embarrassing themselves.
300  Bitcoin / Development & Technical Discussion / Re: Brain wallet, step-by-step guide (FIXED!) on: December 19, 2016, 11:54:53 PM
I just want to add that I think that this is a very interesting topic and I wish we could just discuss it in a cold professional manner, putting emotions and dick measuring aside.

I wish we were able to discuss the complexity of cracking brain wallets and the important aspects around their security.

So why don't I start.

I think it would be fair to assume that the throttle is set by the EC function that multiplies a number representing a potential private key by the G point of the curve.
To simplify, let's put the times of any hashings aside - let's say they are zero.

In the library I currently use, my i7 Intel CPU needs about 120 nanoseconds to perform such an operation.
But it is obviously not the most optimal implementation - so let's assume that the optimal implementation is more than one million times faster than it: it can calculate 1 million public keys within 100 nanoseconds, which comes to 10000000000000 (1e13) operations per second.

Now, let's take a simple password - only lowercase characters: 'a' to 'z'

For an 8-character-long password, at this speed of brute forcing, it would take 26^8/1e13 = 0.02 second (in the worst case) to find the password.
Meaning: you do not want to use an 8-character-long password - 8-character-long brain wallets are shit!
But it does not yet mean that all the brain wallets are not secure...

Because, what would the time be for a 16-character-long password?
Well, the number is 26^16/1e13/3600/365 = 3318 years.

How about a 32-character password?
According to my calculator, 26^32/1e13/3600/365 equals 144727736474009759620915358 [years] - I'm sure we don't have that much time.

This is a 32-character-long password, with only lowercase letters ('a' to 'z')!

And here we come to the point.
Some people out there are saying that they can program a software to predict what my brain had been thinking while generating the 32-character-long password.
They are going to use dictionaries and all kinds of techniques to only check the sequences that my brain would think of, skipping those that it would not...
And this software will be so efficient that it will simplify the problem by about 144727736474009759620915358 times, so they can find my password within a year.
Right!
I am really dying to learn about these breakthrough techniques and their ingenious algos.
Because what I have seen so far is only making me say: spare your efforts little boys, before you shit yourself trying. Smiley
And forgive me concluding with this humorous metaphor.

Now, please prove me wrong.
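
Added example, not part of the original post or of any wallet software: the worst-case exhaustive-search estimate from the post above, generalized to any alphabet or word list using exact integer arithmetic. It assumes every symbol is drawn uniformly and independently at random (the assumption that replies quoted elsewhere on this page dispute for human-chosen phrases), a 365-day year of 24-hour days, and the post's figure of 1e13 guesses per second; all function names are this example's own.

```python
import math
from fractions import Fraction

# Assumptions of this example (not taken from any wallet implementation):
SECONDS_PER_YEAR = 365 * 24 * 3600  # 365-day year, 24-hour days
POST_RATE = 10**13                  # guesses per second, the figure assumed in the post


def keyspace(symbols: int, length: int) -> int:
    """Number of distinct secrets made of exactly `length` symbols."""
    if symbols < 2 or length < 1:
        raise ValueError("need at least 2 symbols and length >= 1")
    return symbols ** length


def strength_bits(symbols: int, length: int) -> float:
    """log2 of the keyspace; equals entropy only for uniform random choice."""
    return length * math.log2(symbols)


def worst_case_years(symbols: int, length: int, rate: int = POST_RATE) -> float:
    """Years needed to try every candidate once at `rate` guesses per second."""
    seconds = Fraction(keyspace(symbols, length), rate)  # exact, no float overflow
    return float(seconds / SECONDS_PER_YEAR)


def min_length(symbols: int, target_bits: int) -> int:
    """Smallest length whose keyspace is at least 2**target_bits (integer math)."""
    target = 1 << target_bits
    length, space = 1, symbols
    while space < target:
        space *= symbols
        length += 1
    return length


# Schemes mentioned on this page: (label, symbols per position, length).
SCHEMES = [
    ("8 lowercase letters", 26, 8),
    ("16 lowercase letters", 26, 16),
    ("32 lowercase letters", 26, 32),
    ("12 words from a 2048 list", 2048, 12),
    ("24 words from a 2048 list", 2048, 24),
]


def report(rate: int = POST_RATE):
    """Return (label, bits, worst-case years) for each scheme above."""
    return [
        (label, round(strength_bits(s, n), 1), worst_case_years(s, n, rate))
        for label, s, n in SCHEMES
    ]


if __name__ == "__main__":
    for label, bits, years in report():
        print(f"{label:<28}{bits:>7.1f} bits  {years:.3g} years worst case")
    for target in (128, 160):
        print(f"{target}-bit target: {min_length(26, target)} random lowercase "
              f"letters or {min_length(2048, target)} random words")
```
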