---

[HostFat]

It could be even more interesting to have an always updated website with the stats about the current costs of some/many configurations, so the user can choose which one he prefers.

[1714998715]

1714998715

[1714998715]

1714998715

[1714998715]

1714998715

[ryanc]

It could be even more interesting to have an always updated website with the stats about the current costs of some/many configurations, so the user can choose which one he prefers.

The user should still not be coming up with a password or passphrase themselves. If they use an actually random passphrase they can ensure it has enough actual entropy to not be cracked.

Tools like brainwallet.io and warpwallet are like giving clean needles to heroin addicts. Harm reduction. Heroin (brainwallet-like tools with user-generated passwords/passphrases) is bad, but we can at least make it slightly less bad...

[Financisto]

The same could be said about brainwallet.org.  It would be wise for anyone who is using a brainwallet to download a copy of the website that they can run on an offline computer, and to store the files in case the site goes down.  All of my source code can be found on GitHub, so even if brainwallet.io goes down, you can still access your funds.

Additionally, there is nothing I am doing that you couldn't do on your own.  Scrypt is a widely used key derivation function.  I am taking the output of the scrypt function and feeding it into the "classic" brainwallet algorithm. 

If you'd like to see for yourself, use this online scrypt generator:

http://kclnn.github.io/js-scrypt-async/test_scrypt_browser.html

And type in a passphrase and salt (where the salt is your name, email, phone, and DoB combined with no spaces), with parameters N=262144, r=8, p=1, and # of bytes = 32.

Then copy and paste the output into the brainwallet generator at https://bitaddress.org.

You will arrive at the same private key.

@unchi

Is that "test_scrypt_browser" (js_scrypt_async) your project?

That's an interesting (in-browser) implementation!

[Financisto]

Tools like brainwallet.io and warpwallet are like giving clean needles to heroin addicts. Harm reduction. Heroin (brainwallet-like tools with user-generated passwords/passphrases) is bad, but we can at least make it slightly less bad...

Heorin, eh?  That's pretty extreme.  I'd say it's more like riding a motorcycle.  Most people take caution and pay attention to their surroundings.  But there's always those idiots who speed through traffic without wearing a helmet.

Very extreme indeed.

I see brainwallets with weak passwords/passphrases like a newcomer pilot that only had piloted tiny cessnas in his life and is gonna fly an airbus 380 for the first time without prior specific training. i.e. he doesn't know nothing about all the complexity surrounding that machine's operation.

[ryanc]

Heorin, eh?  That's pretty extreme.  I'd say it's more like riding a motorcycle.  Most people take caution and pay attention to their surroundings.  But there's always those idiots who speed through traffic without wearing a helmet.

I don't think most people - even people who think they're experts - really appreciate how good password cracking has gotten. I really didn't fully grasp what constitutes a good passphrase until I started attacking them. There is also a ton of bad advice in this space all over the internet, so we have lots of people who think they know what a good password/passphrase is, but don't really. I'm an expert and I don't even trust myself to come up with passwords or passphases any more. I use a password manager to randomly generate individual passwords, and diceware passphrases - generated with casino dice - for full disk encryption, master passwords, gpg, etc. Real entropy is way better than imaginary entropy. It just takes a little effort to memorize.

As to motorcycles - I have several friends who have gotten pretty badly hurt. One lost part of his small intestine, another had his hip destroyed and the last ended up with brain damage and was in intensive care for weeks, then in recovery for a few more months. This is all despite good motorcycle armor (a helmet is nowhere near sufficient protection). Being in the wrong place at the wrong time can still destroy you.

Anyway, the reason for the heroin analogy (which seems to have come across as a little more extreme than I had intended) is because the advice on heroin should always be "Don't do it.". Needle exchanges exist because some people will do it anyway, and there is value in making it somewhat safer.

I'm glad brainwallet.org is dead. Tools like WarpWallet and brainwallet.io are a lot better. Using them with randomly generated passphrases is safe against all plausible attacks, so long as they are sufficiently long. Some organically chosen passphrases may be safe against most attacks, but it is far more difficult to predict the effectiveness of attacks against those, so it's best to assume they are dangerously weak.

[lorylore]

A 0.5 BTC bounty has been created for brainwallet.io.

The passphrase is "hello world".

https://www.reddit.com/r/Bitcoin/comments/3jd5qe/05_btc_bounty_at_brainwalletio_the_passphrase_is/

There are 3 kinds of salt right? Which one did you choose?
login info - personal info - generic
I tried some but it's just impossible for me, too much room to guess the salt

[CIYAM]

I tried some but it's just impossible for me, too much room to guess the salt

Duh - that is the entire point.

Your post reminds me of when I used the algo for CIYAM Safe to safely lock away 10 BTC with a small password (was only 5 or 6 characters from memory).

I had a bunch of young idiots asking "how to work out the salt" not understanding that the "salt" was the very point of the exercise (i.e. you ain't going to get the coins by guessing).

Funnily enough with all their hashing power they were unable to crack such a small password without my help (I basically had to give them all but one of the password characters before they could crack it and that was after around a week of them trying having been given the first three characters of the small password).

Also - strictly speaking it is not "salt" as that would be known to you in plain text (the more correct term is perhaps "pepper").

[lorylore]

I tried some but it's just impossible for me, too much room to guess the salt

Duh - that is the entire point.

Your post reminds me of when I used the algo for CIYAM Safe to safely lock away 10 BTC with a small password (was only 5 or 6 characters from memory).

I had a bunch of young idiots asking "how to work out the salt" not understanding that the "salt" was the very point of the exercise (i.e. you ain't going to get the coins by guessing).

Funnily enough with all their hashing power they were unable to crack such a small password without my help (I basically had to give them all but one of the password characters before they could crack it and that was after around a week of them trying having been given the first three characters of the small password).

Also - strictly speaking it is not "salt" as that would be known to you in plain text (the more correct term is perhaps "pepper").

Yes, it's all about the idea what could the OP think what kind of words.
I tried some programming words as he was developing but none worked lol
unchi maybe should tell us more

[steveds]

i have tried many brain wallet puzzles and have had no luck

good luck to the competitors this one should be interesting to watch it get decoded

[ryanc]

A 0.5 BTC bounty has been created for brainwallet.io.

The passphrase is "hello world".

https://www.reddit.com/r/Bitcoin/comments/3jd5qe/05_btc_bounty_at_brainwalletio_the_passphrase_is/

For the value of the prize, one should be able to make about eight to nine million guesses (~23 bits) using a bunch of spot instances. If I want to use all the CPU on my computers at home for the rest of the month I can probably manage about a hundred million guesses (~27 bits) for about $50 worth of electricity (my marginal cost of electricity is about $0.35/kWh  ).

I am not going to attempt this challenge - seems like a waste of electricity/money. If you want people play, increase the bounty substantially and/or offer more information about the salt.

[lorylore]

Unchi Which one did you choose? login info or personal info or generic salt?
If it is the last one at least tell us how many words are in total.
Still unbreakable, do you have any statistic in your server if anyone is bruteforcing it?

[lorylore]

Unchi Which one did you choose? login info or personal info or generic salt?
If it is the last one at least tell us how many words are in total.
Still unbreakable, do you have any statistic in your server if anyone is bruteforcing it?

lorylore, there is no way for me to see who is attempting to brute force it. When you generate a brainwallet, whether you are using the website or running a script/program to brute force, no data is ever sent to my server.  The database that you are checking against is the blockchain.

I could tell you which salt I'm using, but the fact is that it still wouldn't matter.  The point of the bounty is to get people to think about the sheer magnitude of attempts that would be required to brute force it.  To give you an idea, if I had used just two words out of the dictionary, there would be 29,404,018,576 different combinations to go through.

Of course, it's still possible for it to be cracked, but you would have to be willing to spend an unreasonable amount of money, have a massive amount of CPU power available to you, or be incredibly lucky. 

To some people, it's obvious that this is impractical, and they think it's pointless.  To some people, they think it's a malicious way to trick people into wasting their time and money attempting to brute force it.  And to some people it's a learning experience, allowing them to understand the purpose and effect of having multiple salt options to chose from.  The latter is what I'm after.

I was thinking if the server cpu is loading to the maximum responding to the mass requests (if any)
Yes, i understand the point, maybe after a time you can help as i said before to find the salt
For me it is just impossible, good luck to others. Will keep time to time to check the address.

[ryanc]

I could tell you which salt I'm using, but the fact is that it still wouldn't matter.  The point of the bounty is to get people to think about the sheer magnitude of attempts that would be required to brute force it.

Not really possible to estimate that until we see what the salt was.

To give you an idea, if I had used just two words out of the dictionary, there would be 29,404,018,576 different combinations to go through.

Very few people pick two random words out of the entire 171,476 word dictionary. An adult native English speaker with average vocabulary probably knows only 10% of those words. If they actually picked them at random (with dice or a computerized random number generator) as you suggest, out of 100 times (on average), in 81 instance they would not know either word, in 18 instance they would only know one word, and only in one instance would they know both. Tools for picking random words tend to have a list of only around 2,000 words, with the exception of diceware which has nearly 8,000 but is often criticized for having too many obscure words.

Crackers know this, and they will optimize by trying more likely (less complicated) things first.

Of course, it's still possible for it to be cracked, but you would have to be willing to spend an unreasonable amount of money, have a massive amount of CPU power available to you, or be incredibly lucky.  

Probably true, see my previous comment.

To some people, it's obvious that this is impractical, and they think it's pointless.  To some people, they think it's a malicious way to trick people into wasting their time and money attempting to brute force it.  And to some people it's a learning experience, allowing them to understand the purpose and effect of having multiple salt options to chose from.  The latter is what I'm after.

The thing is, if your tool became popular, it'd be unlikely for any particular person's wallet to be drained by thieves. What a thief will do is pre-build tables of salt and password/passphrase combinations and watch the network for transactions to the matching addresses. If they suspect someone in particular of having used brainwallet.io (which is different from classic brainwallets which are egregiously insecure - brainwallet.io is only kinda risky in comparsion) they'll gather as much information as they can about that person and spend some time running a targeted attack based on what they know about them.

If you choose to use this tool, and do not generate a passphrase randomly, you are gambling against unknown odds. There will be an unknown number of attackers with an unknown amount of computing power at their disposal, and they'd love to take your money.

[Financisto]

Congratulations for this bounty challenge initiative!

It's an important tool for future security improvements and a good way to get more code auditing.

I'd suggest that you put half the prize in the brainwallet and expect contact from the winner. After that you can show and publish the cracker's brute-force technique and then the other half should be sent to him privately.

*edited

BTW here goes an interesting experiment: https://1209k.com/brainv2/

[ryanc]

BTW here goes an interesting experiment: https://1209k.com/brainv2/

Wow, the construction that uses is convoluted. Also, a challenge is mentioned - it was spent after about 10 days.

Edit: Ah, I see why it got taken so fast. This algorithm is very GPU friendly - computing the meaty part of it can be done in parallel with up to GPU 16384 cores with 8MiB of memory each, and the first and last pass can go up to 64 cores with 2MiB memory each.

[Financisto]

@unchi

How many characters are allowed at passphrase field? Is there a specific length limit?

I couldn't find that info while reading your code.

[lorylore]

@unchi

How many characters are allowed at passphrase field? Is there a specific length limit?

I couldn't find that info while reading your code.

I tried with 1,755,952 characters and it worked fine.
I think it is just enough for a passphrase ~2million characters.
It just freeze my browser copying and pasting these characters lol

[prodigy8]

One thing I haven't mentioned yet is that the passphrase text field supports multi-line text.  This provides a small amount of additional entropy to your passphrase.

So, this passphrase:

Code:

hello world

results in a different bitcoin address than this:

Code:

hello
world

This could also help make it easier to memorize a 12 word mnemonic, by splitting it into 4 lines, for example:

Code:

children park tight
especially blade odd
goal spider everything
slightly unless collapse

Let's search for a music lyrics (Eminem ) in youtube and paste it in the salt Isn't that a good idea , well protected.

[Financisto]

That was a real challenge...

I guess you need to take it easy next time...

[TheButterZone]

brainwallet.io 50,000 bit giveaway:

https://www.reddit.com/r/Bitcoin/comments/3nlfib/brainwalletio_50000_bit_giveaway/

Already taken.