Bitcoin Forum
Author Topic: Brain Wallet hacked, suspect bitcoin talk hackers.  (Read 5564 times)
LiteCoinGuy
May 29, 2015, 02:20:32 PM  #41

Hi everyone,

This serves as another lesson to make your brain wallets silly hard to hack.

My brain wallet, in the form of example123example123example123 (example123 was my bitcoin talk password), was hacked, resulting in the loss of 12 BTC I had freshly put in there. Before I noticed it was hacked I sent another 7 BTC there and luckily got it out before the hacker did.

This was my brain wallet: 17z2uppQS9fyag5KtbQ6KNiCBrNSL1z64r

This is the hacker's wallet, with the funds in it at the time of writing: 153h8BH61rQgfyujZjJqjQNSsRK2Hsaf3A


The community might take interest in this address as the hackers of bitcoin talk are prime suspects.

It's crazy; is this guy lucky or is it really that easy to hack brain wallets??

Take care!

You could buy a hardware wallet; that is safer than your password:

https://bitcointalk.org/index.php?topic=899253.0

Light
May 29, 2015, 02:41:33 PM  #42

That sounds bad, but I don't understand how it could get around root access in Linux? It is not a simple mission to do anything like that, surely??

I'm not an expert on Linux security - but IIRC Linux is incredibly well locked down in terms of user privileges - far more so than Windows. As long as you don't run around as a superuser account all day, generally even if malware gets in you should be OK. Not to mention that it is rather rare for malware to target Linux given that it is used by such a small percentage of people. I do think it more likely that the hacker managed to access your coins via working out your password, then brute-forcing brain wallets.
thejaytiesto
May 29, 2015, 02:49:29 PM  #43

That sounds bad, but I don't understand how it could get around root access in Linux? It is not a simple mission to do anything like that, surely??

I'm not an expert on Linux security - but IIRC Linux is incredibly well locked down in terms of user privileges - far more so than Windows. As long as you don't run around as a superuser account all day, generally even if malware gets in you should be OK. Not to mention that it is rather rare for malware to target Linux given that it is used by such a small percentage of people. I do think it more likely that the hacker managed to access your coins via working out your password, then brute-forcing brain wallets.

There's no way someone randomly typed out the password. You either find it out or brute-force it. Now, he said he was using the same password that he uses here, but x3 for his brainwallet... that's pretty much it IMO. You should never use the same password twice, especially passwords you use in public forums.
LFC_Bitcoin
May 29, 2015, 02:59:08 PM  #44

I'm sorry to hear that chessnut, it sucks tbh.
It makes me a bit angry & a little deflated to hear stuff like this.
No matter what we do & how well we've secured our coins, people always seem to find a way to steal some.
You've been really unlucky, it could have been any of us.
I don't know what to say apart from I'm sorry for your monetary loss mate. People, you can never be 100% secure, but please do everything you can to look after your coins; you can't leave any stone unturned.

NorrisK
May 29, 2015, 03:04:55 PM  #45

Maybe the entropy was just too low?

If, say, your password was 8 random characters and you repeat this 3 times, a hacker could just do all random possibilities containing up to 8 characters (still quite a bit) and paste it 2 more times behind it.

jonald_fyookball
May 29, 2015, 03:41:44 PM  #46

After this experience you should go to the highest level of security,
which is true cold storage. You generate your keys on a machine
that has never been online and never will be, and use physical
coins/dice to generate entropy.

Well, the Winklevoss brothers use a brain wallet, or at least that's what I've seen in the latest interview. I would never store all of my wallets on a brain wallet though, just "spending money" like you do with Mycelium etc. (I'm hoping no one stores their main stack on Mycelium..)

You can still use a brain wallet with cold storage.

The point is, you 1) generate and store your keys in an unhackable way and 2) make sure they have enough entropy.
OP failed to do at least one of those two things.

snarlpill
May 29, 2015, 03:44:48 PM  #47

I am very sorry to hear this happened to you, it is an unusually shitty circumstance.

I haven't read the whole thread, so this may have been mentioned, but I saw you said you weren't very computer savvy: You don't have to mess with Github at all, but if you want to use bitaddress.org, go to the options in, say, the Chrome browser and click "Download Webpage". Download it as a complete webpage, then disconnect your computer from the Internet, open the file in your web browser, and then generate your desired amount of addresses while disconnected from the Internet. It is the best way I can recommend to anybody who is not really computer savvy; it is pretty simple for, I think, anyone to do.

LiteCoinGuy
May 29, 2015, 03:57:40 PM  #48

Maybe you should ask your brother where your BTC are, or your friend? I guess you shared the password with them. Or you downloaded some shady stuff...


But Linux and bruteforce seems to be pretty unlikely.

spazzdla
May 29, 2015, 04:00:14 PM  #49

If your passphrase has EVER.. EVEN ONCE been typed into the web.

YOU SHOULD CONSIDER YOUR BITCOINS OUT OF YOUR CONTROL...

The same password as your bitcoin talk... you knew it got hacked and didn't act..?!?!?!?!?
S4VV4S
May 29, 2015, 04:26:54 PM  #50

I am very sorry to hear this happened to you, it is an unusually shitty circumstance.

I haven't read the whole thread, so this may have been mentioned, but I saw you said you weren't very computer savvy: You don't have to mess with Github at all, but if you want to use bitaddress.org, go to the options in, say, the Chrome browser and click "Download Webpage". Download it as a complete webpage, then disconnect your computer from the Internet, open the file in your web browser, and then generate your desired amount of addresses while disconnected from the Internet. It is the best way I can recommend to anybody who is not really computer savvy; it is pretty simple for, I think, anyone to do.

I wouldn't do that on a computer that has/had computer access - at any time.
Temporarily disconnecting from the internet will not work.

The address generation should be done on a PC that has never and will never connect to the internet.
In fact, once you have created your address, format and re-format a couple more times.
(And even then, data can still be recovered.)
Beliathon
May 29, 2015, 05:37:37 PM  #51

To use or not to use a brain wallet, I think, is a careful choice you need brainpower to make.
A safe rule: If you're unsure whether or not you're savvy enough to use it correctly, you're not savvy enough to use it correctly. You should have absolutely no doubt in your mind when you commit wealth to your chosen form of cold storage.

virtualx
May 29, 2015, 05:48:50 PM  #52

If your passphrase has EVER.. EVEN ONCE been typed into the web.

YOU SHOULD CONSIDER YOUR BITCOINS OUT OF YOUR CONTROL...

The same password as your bitcoin talk... you knew it got hacked and didn't act..?!?!?!?!?

This is a good practice. One should not share a password all across the web or use brainwallet passwords as forum/email passwords.

Klestin
May 29, 2015, 05:49:34 PM  #53

To use or not to use a brain wallet, I think, is a careful choice you need brainpower to make.
A safe rule: If you're unsure whether or not you're savvy enough to use it correctly, you're not savvy enough to use it correctly. You should have absolutely no doubt in your mind when you commit wealth to your chosen form of cold storage.

This.

If you "picked" the brain wallet passphrase, it is not good enough and will be cracked. Use (at a bare minimum) 12 random words. 15 would be better.

Not "words I picked at random", but really (truly) randomly selected. Words selected with dice from an appropriate list will work fine.

Be aware that the computer you use to generate the wallet must be secure, and the page you use must be offline.

If you're not sure of any of these factors, your funds are as good as gone. Use a Trezor.

odolvlobo
May 29, 2015, 06:26:07 PM  #54

Your bitcointalk password is very weak, so it could have been cracked in a short amount of time, but I don't see how anyone could have known that your bitcointalk password was the basis for a brainwallet passphrase. That seems extremely unlikely.

It is much more likely that the hash of "example123", plus variations (such as "example123example123example123"), have been precomputed by the hacker. You can probably store hashes of the 1 million most common passwords with 1000 variations each in less than 100 GB, and looking up a hash might only take a few seconds.

Cruxer
May 29, 2015, 06:45:52 PM  #55

This same password in the form of 'passwordpasswordpassword' was my brain wallet. It's a pretty random password, I don't believe it was brute-force hacked. I'm really baffled, I think it must have been the bitcoin talk hacker targeting me. There is also a chance it was bitaddress.org that was compromised but I've never had that trouble before.
I can't think of a reason a hacker would crack your password and then try to use it as a brain wallet while copying it two times (passpasspass).
How would one get the idea that someone could use a password as a brainwallet? ;o
Klestin
May 29, 2015, 06:48:13 PM  #56

It is much more likely that the hash of "example123", plus variations (such as "example123example123example123"), have been precomputed by the hacker. You can probably store hashes of the 1 million most common passwords with 1000 variations each in less than 100 GB, and looking up a hash might only take a few seconds.

That's the way rainbow tables work to crack a password table.  However, with hashing hardware running as fast as it does currently, it's far faster to compute the hashes as they go, rather than look up in a table.  They can try billions of hashes per second.
moriartybitcoin
May 29, 2015, 06:48:48 PM  #57

Brain wallets are not secure unless you can remember a 128-bit password... even then, I wouldn't trust them.

Klestin
May 29, 2015, 06:49:31 PM  #58

I can't think of a reason a hacker would crack your password and then try to use it as a brain wallet while copying it two times (passpasspass).
How would one get the idea that someone could use a password as a brainwallet? ;o

They don't have to.  Since they can try billions of hashes per second, per machine, they have the luxury to try just about anything.  If you don't have 100+ bits of entropy in your pass phrase, you are hosed.
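Added example (not from any poster in this thread) putting numbers on the entropy arguments in posts #45, #53 and #58: the functions estimate the entropy of a repeated password versus dice-selected words and the average search time at the "billions of hashes per second" rate mentioned in #56. The 16-word list, the 62-symbol alphabet and the 1e9 guesses/s rate are constructed assumptions for illustration.

```python
import math
import secrets

# Constructed 16-word list for illustration only; a real diceware list has
# 7776 (6**5) words so that five dice rolls select one word uniformly.
SAMPLE_WORDS = ["anchor", "basket", "candle", "dragon", "engine", "falcon",
                "garden", "hammer", "island", "jacket", "kettle", "lantern",
                "meadow", "needle", "orange", "pepper"]
DICEWARE_LIST_SIZE = 7776
MIN_BITS = 100  # the "100+ bits of entropy" bar from post #58


def password_entropy_bits(charset_size, length, repeats=1):
    """Upper bound for `length` symbols drawn uniformly from `charset_size`.

    `repeats` is deliberately ignored: writing the same string three times
    (example123 x3) gives the attacker nothing new to guess, so repetition
    adds zero bits. A human-chosen password sits well below this bound.
    """
    return length * math.log2(charset_size)


def passphrase_entropy_bits(list_size, n_words):
    """Entropy of n_words chosen uniformly (dice or CSPRNG) from a list."""
    return n_words * math.log2(list_size)


def expected_crack_seconds(bits, guesses_per_second):
    """Mean time to hit a uniformly random secret: on average half of the
    2**bits space is searched before the correct guess."""
    return 2.0 ** (bits - 1) / guesses_per_second


def strong_enough(bits, threshold=MIN_BITS):
    return bits >= threshold


def dice_passphrase(wordlist, n_words):
    """Uniform selection with a CSPRNG, the software equivalent of rolling
    dice over a word list; never 'words I picked at random'."""
    return " ".join(wordlist[secrets.randbelow(len(wordlist))]
                    for _ in range(n_words))


if __name__ == "__main__":
    rate = 1e9  # "billions of hashes per second" per machine, post #56
    # NorrisK's case: 8 uniformly random alphanumerics (62 symbols) x3.
    b8 = password_entropy_bits(62, 8, repeats=3)
    days = expected_crack_seconds(b8, rate) / 86400
    print(f"8 random chars x3: {b8:.1f} bits, ~{days:.1f} days at 1e9/s")
    # Klestin's recommendation: 12 truly random diceware words.
    b12 = passphrase_entropy_bits(DICEWARE_LIST_SIZE, 12)
    print(f"12 diceware words: {b12:.1f} bits, strong={strong_enough(b12)}")
    print("sample from the toy list:", dice_passphrase(SAMPLE_WORDS, 12))
```

The numbers are bounds for uniformly random choices; a password someone picked (like a forum login) has far less entropy than its length suggests, which is the whole point of the thread.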
chessnut (OP)
May 29, 2015, 11:27:28 PM  #59

Thanks for all the helpful comments guys,

What I find quite ironic though is that I've left a paper wallet in plain view as my Facebook profile picture. It has 0.1 BTC in it and has been there for months with no trouble! I guess that sort of thing might give one the wrong impression about wallet security.

Now the race is on to find my Facebook profile.

chessnut (OP)
May 29, 2015, 11:59:26 PM  #60

You could buy a hardware wallet; that is safer than your password:
https://bitcointalk.org/index.php?topic=899253.0

This is interesting, some nice looking units there. I would like one that I could store a brain wallet on (a proper one!). I have a phobia that my house will burn down (for example) and I will lose all my paper wallets and computer memory with my passwords to my backups etc... I think that is the beauty of a brain wallet: even if you lose everything you still have a chance to get your BTC back, and if you make it special to you, maybe your family could still get the bitcoin if you die.

That sounds bad, but I don't understand how it could get around root access in Linux? It is not a simple mission to do anything like that, surely??

I'm not an expert on Linux security - but IIRC Linux is incredibly well locked down in terms of user privileges - far more so than Windows. As long as you don't run around as a superuser account all day, generally even if malware gets in you should be OK. Not to mention that it is rather rare for malware to target Linux given that it is used by such a small percentage of people. I do think it more likely that the hacker managed to access your coins via working out your password, then brute-forcing brain wallets.


I have since generated a stronger brain wallet on my computer and baited it with some BTC..... no trouble at all. I've been using Linux for about 8 years now, my dad got me into it, and we haven't had a single problem with viruses or any kind of compromise as far as I know. I really don't think my computer is compromised.

I'm sorry to hear that chessnut, it sucks tbh.
It makes me a bit angry & a little deflated to hear stuff like this.
No matter what we do & how well we've secured our coins, people always seem to find a way to steal some.
You've been really unlucky, it could have been any of us.
I don't know what to say apart from I'm sorry for your monetary loss mate. People, you can never be 100% secure, but please do everything you can to look after your coins; you can't leave any stone unturned.

Yeah, learning the kind of power these guys have to crack passwords is nerve-wracking. I would have thought that it wouldn't be economical to even try when you get to password sizes like the one I was using, even when it is repeated. I don't understand the work it must take to go through billions of combinations, hash them all into private keys, and then rake all those billions of wallets all day long.

I wonder if bitcoin mining technology is making this possible where it wasn't before?



