Brain Wallet hacked, suspect bitcoin talk hackers.

[repentance]

This same password in the form of 'passwordpasswordpassword' was my brain wallet.

Why on earth would you do that?

[1714758910]

1714758910

[1714758910]

1714758910

[chessnut]

This same password in the form of 'passwordpasswordpassword' was my brain wallet.

Why on earth would you do that?

Clearly because its easy for me to remember, and I was under the impression that the btc talk hacker would have difficulty cracking my password hash and that three combinations of a fairly difficult password was enough on top of that.

Full Disclosure: Im not proud of what I did!

[Light]

Clearly because its easy for me to remember, and I was under the impression that the btc talk hacker would have difficulty cracking my password hash and that three combinations of a fairly difficult password was enough on top of that.

Full Disclosure: Im not proud of what I did!

IIRC, theymos stated because of the way the data was salted it would slow down any decryption giving you more time to change your passwords before they were fully compromised - but yeah, it wasn't going to guarantee your security. That being said, repeating your password over and over is something people would look for when bruteforcing.

[achow101]

Yeah, learning the kind of power these guys have to crack passwords is nerve wrecking. I would have thought that it wouldnt be economical to even try when you get to password sizes like the one I was using, even when it is repeated. I dont understand the work it must take to go through billions of combinations, hash them all into private keys, and then rake all those billions of wallets all day long.

It takes less time than you would think. The hackers just write a script of program that randomly generated passwords and then generates the keys and sweeps the funds. They run it and the program does all the work while they go and do other stuff.

I wonder if bitcoin mining technology is making this possible where it wasn't before?

It does not. Mining technology is designed to do one thing and one thing only: compute sha-256d hashes. They are not capable of doing anything else which means they cannot be used for password cracking unless the sha-256d hash were used.

[repentance]

Clearly because its easy for me to remember, and I was under the impression that the btc talk hacker would have difficulty cracking my password hash and that three combinations of a fairly difficult password was enough on top of that.

Full Disclosure: Im not proud of what I did!

Even if you think your password is difficult, it's still a really bad idea to reuse it.  The forum hacker is almost irrelevant because your password wasn't difficult AND you used the same one for something relatively unimportant (a forum account) and something important (your brain wallet).  It's not a human being who's trying to guess your password when your account is hacked, it's a machine which can make millions of attempts per second.

Convenient passwords are best left for trivial stuff.  If something's important enough that losing it would be disruptive to your life, then protect it properly.  Now go through all of your passwords for everything and think of the worst case scenario for one of them being obtained by someone else.  Ideally, someone getting hold of one of your passwords should lead them to a dead end, not give them the keys to the city.

[fbueller]

I have found sending to asdfasdfasdfasdf gets coin stolen too. I suspect, like correct horse battery staple, people are clearing out the address automatically

Example123 would likely already be in a password dump from somewhere.

[maheshmahi]

Brain wallet are not such easy to hack.
You should have changed your password

[repentance]

Brain wallet are not such easy to hack.

Practically everyone who knows about or cares about the BIP process loudly yells at people DO NOT USE BRAINWALLETS. We've seen pretty concrete evidence that users are resistant to good advice in this space, and they are shocked when their favorite quotation is cracked and they lose their coins (But it was 60 characters long! I even added a special character! how is this possible?!), the existing sites promoting this stuff won't use a KDF stronger than SHA256*1 because "users are stupid if they use weak passwords".

Brainwallets.

FOR GODS SAKE. DON'T DO IT. YOU MAY THINK YOU ARE SMART ENOUGH. SO DID EVERYONE ELSE WHO GOT ROBBED. HUMANS ARE NOT A GOOD SOURCE OF ENTROPY.

YOU HAVE A SCHEME? Pfft. THE SPACE OF ALL SCHEMES YOU'RE LIKELY TO HAVE PROBABLY ONLY HAS A FEW BITS OF ENTROPY. RANDOM PHRASE IN A BOOK? THERE ARE ONLY ABOUT 30 BITS OF SENTENCE SELECTION IN A LIBRARY.

OH NO. YOU ARE NOT LISTENING TO ME, ARE YOU?

OH CRAP. YOU THINK THAT "EIGHT CHARACTERS AND ONE FROM EACH CHARACTER CLASS" APPLIES HERE?? WEBSITE SECURITY MIGHT HAVE TO DEAL WITH 1000 ATTEMPTS PER SECOND, BUT SOME DUDE WITH A FPGA FARM IS PROBABLY PRECOMPUTING A BILLION BRAINWALLETS PER SECOND. JUST STOP.

NOOOOOOOOOOOO.

Well, now that you have no more Bitcoin I guess we don't have to worry about you using a brainwallet.

https://en.bitcoin.it/wiki/Brainwallet#Low_Entropy

[RoxxR]

@chessnut


So what was the password?  Since it is compromised now, please tell us, so other people can learn from this mistake as well.

Sorry for your loss.

[oda.krell]

When generating a brain wallet, you MUST use something like DICEWARE and have at least 96 bits of entropy. Only then will you be "safe".

Your password had very low entropy - it was just a matter of time. Repeating words in patterns does NOTHING against an attack.

Password123 and the same repeated 10x is worthless.

I know that Password123 is literally worthless, but are you saying that a stronger password such as YankeeDoodle123 is useless too? surely a password like YankeeDoodle123YankeeDoodle123YankeeDoodle123 would be very unlikely to be hacked?? and three times the password would mean at least 3x the difficulty to hack no? if hackers need to combine every password in multiples of three they must be doing 3x the work (which is already a lot in the case of YankeeDoodle123!?)

Hey. Sorry for the loss. Also, no moral lectures from me. But I'd like to chime in, if you allow, because the line above is quite a bit of a misconception.

Basically, "3 times the effort" is nothing in computing. You are aiming for exponential increase in difficulty when setting good passwords. Here are a few more details...

Thinks of it as follows: imagine the attacker has a dictionary of common words, and a method to combine words from that dictionary in a reasonable* way. Now, "Yankee" is one word. "Doodle" is another word. Even "123" could be considered a word, since it's such a common string of numbers, together with "111", "789", and a few others.

Say that dictionary of words (and sort-of-words, like "123") has 10k entries in total. Probably not the exact right number, but let's assume it for a moment. Leaving capitalization of words aside (which we can in your example, because you just capitalized the first letters of a word, which only effectively doubles the size of our hypothetical dictionary), a single 3 word combination out of that 10k word dictionary represents one out of 10k^3 possible combinations.

I didn't look up the latest developments in the last 2 or 3 years, but a 2012 result I found reports an offline brute force attack (using rainbow tables) running at a speed of 350 billion passwords per second. Therefore:

A 3 word combo out of a 10k dictionary would take about 3 seconds to find.

Let that sink in for a  moment.

Now here's how to solve the problem, and still use, in principle, a similar method to yours, one that is easier for humans to remember than random ASCII characters:

Don't repeat the same combo. Doing so is useless, and doesn't add any substantial security.

In your example, "YankeeDoodle123" can be seen as one phrase (that the attack described above could find in 3 seconds). To get from "YankeeDoodle123" to "YankeeDoodle123YankeeDoodle123YankeeDoodle123", i.e. the 3 times repetition will take only minimal additional time (constant, or almost constant), assuming the attacker knows a) he just needs to, verbatim, repeat the phrase, and b) he can stop the repetitions after testing about 5 or so repetitions per phrase, since most humans don't enter passwords of 100 or more characters.

Here's a much safer example password, still using a dictionary based method:

yankee colour doodle resulting table parsley under chair (without the spaces)

Only slightly harder to remember in my view, but a lot better. Even assuming you took the words from a smaller dictionary of only 5k words, using 8 different entries from that dictionary means the attack mentioned above would take 10^12 years to brute force it. In other words, impossible. **




Take home message: For reasonably safe passwords, use the xkcd method ***

(but don't even think of using the same words used in the comic)




* "reasonable" here means: by an algorithm that is trying to capture how we, human users, set non-random passwords.

** no guarantees on that. it assumes you picked the 8 words randomly from the dictionary, which humans are notoriously bad at. But in any case, much better than repeating  a phrase inside a password.

*** I know, xkcd didn't invent it, just described it nicely imo.

[syuhide]

Hi everyone,

This serves as another lesson to make your brain wallets silly hard to hack.

My Brain wallet, in the form of example123example123example123 (example123 was my bitcoin talk password,) was hacked resulting in the loss of 12btc I had freshly put in there. Before I noticed it was hacked I sent another 7btc there and luckily got it out before the hacker did.

This was my brain wallet 17z2uppQS9fyag5KtbQ6KNiCBrNSL1z64r

This is the Hackers wallet, with the funds in it at the time of writing 153h8BH61rQgfyujZjJqjQNSsRK2Hsaf3A


The community might take interest in this address as the hackers of bitcoin talk are prime suspects.

Its crazy, is this guy lucky or is it really that easy to hack brain wallets??

Take care!

feeling sad for your losses..
yhats why i changed my password and everything as soon as possible..

[RoxxR]

When generating a brain wallet, you MUST use something like DICEWARE and have at least 96 bits of entropy. Only then will you be "safe".

Where are you pulling that number from? Source would be nice.
BTW, does anyone know what is the strongest entropy password that has been successfully cracked to date?

[Soros Shorts]

BTW, does anyone know what is the strongest entropy password that has been successfully cracked to date?

That would be a moving target and it would depend a lot on how your brute-force program searches the space (since no brute-force tool is really 100% brute-stupid and would start attacking commonly used characters first). 15 years ago using a regular PC I was using L0pthcrack to scan our network for weak passwords and found many with 40+ bits of entropy.

[chessnut]

Brain wallet are not such easy to hack.

Practically everyone who knows about or cares about the BIP process loudly yells at people DO NOT USE BRAINWALLETS. We've seen pretty concrete evidence that users are resistant to good advice in this space, and they are shocked when their favorite quotation is cracked and they lose their coins (But it was 60 characters long! I even added a special character! how is this possible?!), the existing sites promoting this stuff won't use a KDF stronger than SHA256*1 because "users are stupid if they use weak passwords".

Brainwallets.

FOR GODS SAKE. DON'T DO IT. YOU MAY THINK YOU ARE SMART ENOUGH. SO DID EVERYONE ELSE WHO GOT ROBBED. HUMANS ARE NOT A GOOD SOURCE OF ENTROPY.

YOU HAVE A SCHEME? Pfft. THE SPACE OF ALL SCHEMES YOU'RE LIKELY TO HAVE PROBABLY ONLY HAS A FEW BITS OF ENTROPY. RANDOM PHRASE IN A BOOK? THERE ARE ONLY ABOUT 30 BITS OF SENTENCE SELECTION IN A LIBRARY.

OH NO. YOU ARE NOT LISTENING TO ME, ARE YOU?

OH CRAP. YOU THINK THAT "EIGHT CHARACTERS AND ONE FROM EACH CHARACTER CLASS" APPLIES HERE?? WEBSITE SECURITY MIGHT HAVE TO DEAL WITH 1000 ATTEMPTS PER SECOND, BUT SOME DUDE WITH A FPGA FARM IS PROBABLY PRECOMPUTING A BILLION BRAINWALLETS PER SECOND. JUST STOP.

NOOOOOOOOOOOO.

Well, now that you have no more Bitcoin I guess we don't have to worry about you using a brainwallet.

https://en.bitcoin.it/wiki/Brainwallet#Low_Entropy

Hehe fun to read, I might have thought twice reading this beforehand. Thankfully I still have most of my bitcoin to worry about.

Thanks for your input Oda.krell

The more I think about it the more I realise how ridiculously insecure it was, but surely the decision to combine passwords in sets of three goes hand in hand with many different ways of combining passwords, an on top of that, doesnt hashing and sweping a brain wallet take some compuation? wouldnt that be an ongoing recomputation every day to sweep wallets? is that billion hashes per second inclusive of that work?

@chessnut


So what was the password?  Since it is compromised now, please tell us, so other people can learn from this mistake as well.

Sorry for your loss.

I would rather not tell, for all I know I might still be using it at some old account I have forgotten about, besides being the key to my hacked brain wallet.

lets say it was about as strong as Clock123Clock123Clock123.....

[Soros Shorts]

doesnt hashing and sweping a brain wallet take some compuation? wouldnt that be an ongoing recomputation every day to sweep wallets? is that billion hashes per second inclusive of that work?

The computation for the rainbow table entry for your address could have been done months or or even years ago. The attacker could just have been comparing live transactions to see if he already has computed your private key in his rainbow table, and then use that to do the sweep.

[deleted partial garbage]

[oda.krell]

... doesnt hashing and sweping a brain wallet take some compuation? wouldnt that be an ongoing recomputation every day to sweep wallets? is that billion hashes per second inclusive of that work? ...

Yes, I did my back-of-the-napkin calculations based on the speed of an approach using rainbow tables, without knowing whether that attack would work on what they actually got from the btctalk hack.

That said, the point I wanted to make remains the same: passwords consisting of (systematically) repeating substrings have lower entropy than equal length password with no such (systematic) repetition.

[AtheistAKASaneBrain]

Brainwallet is just so convenient: say goodbye to constant backups and having to carry a trezor/usb/whatever, say hi to HD wallets and privacy and accessible wallet everywhere.

Of course, security is an issue, Andreas has addressed this before. So I would use brainwallet only for small amounts of BTC that you want to have accessible everywhere, never for your main amount.

[Lorenzo]

When generating a brain wallet, you MUST use something like DICEWARE and have at least 96 bits of entropy. Only then will you be "safe".

Where are you pulling that number from? Source would be nice.
BTW, does anyone know what is the strongest entropy password that has been successfully cracked to date?

An 8 word Diceware password contains 96 bits of entropy. This should be enough to thwart brute forcing attempts for several more decades but personally, I'd go for something a bit higher just to be on the safe side. It wasn't too long ago that 5 word passwords were supposed to be "good enough" but advancements in processing power now mean that this is no longer true:

Five Diceware words has long been thought to provide enough security for the average user...

...But five words is no longer enough, Diceware creator Arnold Reinhold wrote earlier this month. Since creating Diceware in 1995 Reinhold had recommended at least six random words for people "with more stringent requirements and where the passphrase was being used directly to form a cryptographic key," but for average users he had said that five would do...

...Further, he noted that "Criminal gangs have built botnets from thousands of computers infected with their malware. Marshaling large numbers of these computers they control might allow them to crack a five word passphrase in a reasonable amount of time."...

...In Reinhold's Diceware FAQ, he writes that "Six words may be breakable by an organization with a very large budget, such as a large country's security agency. Seven words and longer are unbreakable with any known technology, but may be within the range of large organizations by around 2030. Eight words should be completely secure through 2050."

Link: http://arstechnica.com/information-technology/2014/03/diceware-passwords-now-need-six-random-words-to-thwart-hackers/

Both Electrum seeds and Casascius coin addresses have 128 bits of entropy (equivalent to a 10 word Diceware password) and they've been holding out pretty well so far. An fresh address generated by Bitcoin Core contains 160 bits of entropy (about 4 billion times stronger than 128 bits). To get the same level of security for a brainwallet, you will need a 13 word Diceware password.

[oda.krell]

When generating a brain wallet, you MUST use something like DICEWARE and have at least 96 bits of entropy. Only then will you be "safe".

Where are you pulling that number from? Source would be nice.
BTW, does anyone know what is the strongest entropy password that has been successfully cracked to date?

An 8 word Diceware password contains 96 bits of entropy. This should be enough to thwart brute forcing attempts for several more decades but personally, I'd go for something a bit higher just to be on the safe side.

[...]

If you're reasonably fluent in more than one language (i.e. can remember words in it), you can push that up a bit, e.g. ~116 bit for 8 words instead of ~103 with one language list alone. Language selection needs to be randomized as well though.

[spazzdla]

I don't think we need to rip on the OP anymore.  He has shared with us a good tale of why going to extreme lenghts to protect your wealth is a wise idea.