10 BTC 4 U 2 STEAL - Protected by a weak 5-letter password - crack & it's yours!

[casascius]

No joke - see the BTC at http://blockchain.info/address/1BBBvd9G5YThYVVMSGSxJzQvQiQm3WxJC2

Not a gimmick

First person to brute-force this encrypted private key and take the funds gets them, no strings attached.

The password is five letters (no joke, no gimmick, not a riddle, example "AAAAA" and "zzzzz" are the lowest and highest candidates)

Given the obvious weakness of the password, these 10 BTC WILL get taken... it might as well be by you.

Private key is encrypted using methodology in BIP 38: https://en.bitcoin.it/wiki/BIP_0038

Working encryption/decryption code for Windows/.NET (as well as generator of these paper wallets) can be found at:

github: https://github.com/casascius/Bitcoin-Address-Utility
or download binary and source: https://casascius.com/btcaddress-alpha.zip



My interest in running this contest of sorts is to generate discussion and measure interest in password-protected paper wallets, and I am simply curious how long it might take somebody to crack one of these knowing the password is weak.  The password will be revealed to everyone once it is clear the money has been taken.

[casascius]

Did anyone read http://www.wired.com/gadgetlab/2012/11/ff-mat-honan-password-hacker/all/ and what did you think of it?

Yeah, in fact, I am surprised it's 2012 and there isn't a popular standardized hardware security module meant for people to carry and log into websites.

That's part of my purpose of bringing password protected paper wallets to the Bitcoin community.  That constitutes simple two-factor Bitcoin storage usable by anybody: something you have and something you know.

My expectation is that weak passwords, with their obvious shortcomings, will still provide a "bicycle lock" level of security: they're still crackable, but would give the average user enough time to move their coins elsewhere in the event of loss or theft assuming they prepared themselves to do so.

It would be blasphemous for someone to use such a password for their savings wallet, but for protection of a single bitcoin from the casual thief, they have the same level of utility as a four-digit iPhone lock: a measure of protection from 99% of the population likely to steal it.

[hazek]

Well we do have two hardware wallets being developed so I think this problem will soon be reasonably addressed.

[wachtwoord]

Damn nice timing, just as I am heading out ..

Pretty sure this will be gone tomorrow because this is pretty straightforward. Fun contest though

[Meni Rosenfeld]

Modified your software into a script that tries all combinations...

Then realized it will take 36 years to run.

So a much more efficient calculation method would be needed.

[casascius]

Modified your software into a script that tries all combinations...

Then realized it will take 36 years to run.

So a much more efficient calculation method would be needed.

It would take 36 years to run on the slow C# crappy implementation of scrypt that I have bundled with my app.  Simply feeding the same input to a more efficient implementation should chop this figure down by orders of magnitude.

[casascius]

By the way, this money is going to get taken one way or another, even if I have to start leaking bits of the password to speed up the process.

[Yuhfhrh]

By the way, this money is going to get taken one way or another, even if I have to start leaking bits of the password to speed up the process.

Tell me the first 4 bits and I'll get it in no time. 

[casascius]

By the way, this money is going to get taken one way or another, even if I have to start leaking bits of the password to speed up the process.

Tell me the first 4 bits and I'll get it in no time.  

That means if I don't tell you the first 4 bits, you'll get it in 16 * (no time).

But if you know some way where just 4 bits would give you more than a 16x advantage, please share!

[Yuhfhrh]

By the way, this money is going to get taken one way or another, even if I have to start leaking bits of the password to speed up the process.

Tell me the first 4 bits and I'll get it in no time.  

That means if I don't tell you the first 4 bits, you'll get it in 16 * (no time).

But if you know some way where just 4 bits would give you more than a 16x advantage, please share!

No time≠0, it would be the time it takes to manually guess the password.

[Elxiliath]

Maybe it's just me but I'm having trouble running the application to decrypt any phrase.  Maybe i'm not put the codes in the right fields?

[casascius]

Maybe it's just me but I'm having trouble running the application to decrypt any phrase.  Maybe i'm not put the codes in the right fields?

Here is an example to decrypt.

Run the program, choose Tools - Address Utility.

Here is a test encrypted private key, paste it into the "Private Key (WIF)" box.
6PRJpenX5x4NffBK4dGxXgh1bLqwpSQBwhMXwCdg5k85d7PnPGMCaVdgGk

To decrypt it, fill in the password (which for this test key is "AAAAA") and then click the "down arrow" next to the password box.  The resulting bitcoin address is 1MfxvPTcpnVNU4bi2xs7XcZnsHqFZVKKEn and the corresponding private key should show.

Now on the other hand, to create a batch of encrypted keys, instead of doing Tools - Address Utility, simply do Address - Generate Addresses.  Specify that you want encrypted keys, put in a passphrase, and it will generate a boatload of keys (or rather, the number you asked for).  If you want them printed on paper wallets like the one in the OP, then just choose Selection - Print Banknote Vouchers, pick a color and a printer, voila.  Notably, it's very fast to generate lots of keys with the same password, since the slow step of hashing the password is done once and then the resulting work can be reused for all of the keys.

[kokojie]

I don't think this test can provide any useful information, once your paper bitcoin become wide spread, someone will develop a more efficient cracker. Though right now, it is pretty difficult to crack this 5 letter password because of slow scrypt performance in c#.

[pc]

I decided to see if I could guess the password directly, but the first few words I thought to try haven't worked out…

I had been meaning for a while to see if Casascius's utilities would work under Mono on Mac, and so this contest gave me the incentive to actually try downloading Mono and see if it'd work. So, out of putting this 10 BTC he at least got another user of his program. It does seem to mostly work, though I see boxes where I'm assuming I'm supposed to see arrows, and the menus don't really work when I have it on my left monitor.

If I were to guess the password, is there a button to convert the private key to the standard unencrypted WIF "5" version so that I could import it into a wallet (or maybe generate a raw transaction, if I'm feeling lucky)?

And can you hint if I'm likely to get anywhere with a dictionary attack, or was it made up of 5 random letters? Or will you not say yet?

Thanks!

[casascius]

I had been meaning for a while to see if Casascius's utilities would work under Mono on Mac, and so this contest gave me the incentive to actually try downloading Mono and see if it'd work. So, out of putting this 10 BTC he at least got another user of his program. It does seem to mostly work, though I see boxes where I'm assuming I'm supposed to see arrows, and the menus don't really work when I have it on my left monitor.

Thanks for the helpful info.  I never knew Mono worked on Mac.  I am guessing the font it uses doesn't contain the Unicode arrow code points I'm using.

If I were to guess the password, is there a button to convert the private key to the standard unencrypted WIF "5" version so that I could import it into a wallet (or maybe generate a raw transaction, if I'm feeling lucky)?

The decryption would yield the hex private key.  Then you'd just blank out the password and push the "up arrow" (I guess you see boxes, but it's on the left) and it will convert back to WIF without encryption.

And can you hint if I'm likely to get anywhere with a dictionary attack, or was it made up of 5 random letters? Or will you not say yet?

I will wait a while, and then I will pick a time and the amount of password information I plan to reveal, and then reveal it at the specified time.  Assuming it's not cracked first.  For example I may reveal the casing of the letters, cutting the difficulty by a factor of 32 (assuming they're random - something I'm not revealing at this point).

[Elxiliath]

I have to say your documentation is very good in your application, also, it's quite difficult inserting a loop and array to generate the password properly.  I'll continue my work at trying. 

[Elwar]

password is BBBBB or BBBBTC

on an android tablet or I would try it myself

[runlinux]

I have a loop in place, but ungh... its slow! i'll step this up to a beefier machine...

[hardcore-fs]

K... I think there may be a weakness!!!!, if I understand the code correctly...

HC

[pc]

I did try BBBBB, BBBbb, BBBtc, and BBBTC, figuring that the address starting with 1BBB might not be a coincidence. No luck so far, though.