Bitcoin Forum
June 15, 2024, 11:33:20 AM *
Author Topic: Researchers describe a way of hacking Brain Wallet  (Read 2805 times)
honeysyd (OP)
February 14, 2016, 09:30:57 AM
 #1

I am not an expert of encryption, so I do not fully understand the following article. However, it seems very interesting that some researchers demonstrated a way of hacking BTC private keys in a security conference in Las Vegas, US.

https://www.cryptocoinsnews.com/researchers-describe-easy-way-crack-bitcoin-wallet-passwords/

Any opinion on this? If it is true, the bitcoin price would plummet soon.


Lauda
February 14, 2016, 09:43:49 AM
 #2

Please change the thread title as this is FUD and misleading. Researchers have found a way to crack brain wallets with weak pass phrases. What an amazing revelation. [Roll Eyes] You can compare this to the people who are using "123456" as a password for their accounts. Bitcoin private keys are not hackable at this date. The article is misleading, such a shame.


Keep in mind that the main Bitcoin implementation, Bitcoin Core, does not have these kinds of wallets.

"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks"
😼 Bitcoin Core (onion)
watashi-kokoto
February 14, 2016, 09:44:59 AM
 #3

The subject of this article is the so-called Brain Wallet. The use of Brain Wallet has never been recommended by the Bitcoin project.

The users of Brain Wallet do it at their own risk and the security of the scheme inherently suffers because it is difficult for people to remember long enough passwords to guarantee the same level of security as a long password written on a piece of paper or stored in a computer memory.

The cryptography technologies that need to be broken in order for Bitcoin to be broken are the following:

RIPEMD160
SHA256
ECDSA / KOBLITZ

As of today they are all unbroken and there is no vulnerability in the Bitcoin Core software.
franky1
February 14, 2016, 09:52:32 AM
 #4

quote from similar topic due to relevance


I don't see how it's possible to crack such a sophisticated password as what you say you used. You are talking about a 256 bit + password. This password cannot be cracked in any practical amount of time.


a brain wallet is where you choose the words(password).. and most of the time brain wallet users choose between 1-6 common words that are part of a known phrase..

a seed wallet is where 12-20 RANDOM and UNCOMMON words are used.

the article stated
Quote
checked a trillion passwords and recovered 18,000 brain wallets
that is a 0.0000018% success rate.

now although there are 171,000 words in the dictionary. it's estimated that only 3500 words are used commonly.

so imagine the password is 1 common word.
that's a 1 in 3500 chance of a hit.

so imagine the password is 2 common words.
that's a 1 in 12,250,000 chance of a hit.(3500 x 3500)

so imagine the password is 3 common words.
that's a 1 in 42,875,000,000 chance of a hit.(12,250,000 x 3500)

some brute forcers know that even in the 3500 common words, some are not used, so they could get the odds down. they also know that when using more than 3 words it's more likely that a sentence structure was used (phrase or quote) so they know what words naturally follow grammatical structure and what words don't naturally follow each other in a sentence.

so although the odds of having 12 common words can be up to:
1 in 3379220508056640000000000000000000000000000 chance.
brute forcers can reduce that down to:
1 in 1000000000000000000000000000000000000 chance.
just by employing some grammatical rules to cut down on the variations possible.

which is still extreme for 12 word sentence.. but. it's highly important to not use sentences/quotes that follow grammatical rules. it is also important to not use the 3500 common words. that way 12 random non common words can be:
1 in 3138428376721000000000000000000000000000000000000000000000000 chance.

so in short a brain wallet of 3 common words is:
1 in 42875000000 chance

so a seed of 12 random and uncommon words is:
1 in 3138428376721000000000000000000000000000000000000000000000000 chance.

I DO NOT TRADE OR ACT AS ESCROW ON THIS FORUM EVER.
Please do your own research & respect what is written here as both opinion & information gleaned from experience. many people replying with insults but no on-topic content substance, automatically are 'facepalmed' and yawned at
bitbaby
February 14, 2016, 09:54:07 AM
 #5

Cracking brain wallets with weak pass phrases is the same as cracking online accounts such as email/social-media/etc, which is why brain wallets are not recommended. Whoever tells you that bitcoin private keys can be cracked, tell them to go ahead and do it, instead of telling you.

mirana12345
February 14, 2016, 09:55:13 AM
 #6

This is very poor journalism at best. I would not bother myself with trusting how it will have any effect on the price, or anything else for that matter.
If bitcoin private keys were easily crackable - don't you think someone would have taken satoshi's coins already? It's just created to spread FUD, ignore it.
n691309
February 14, 2016, 09:55:59 AM
 #7

There are many ways to hack maybe the private keys but it will take tons of years until a result will come (bruteforcing)
franky1
February 14, 2016, 10:04:22 AM
 #8

Quote from: mirana12345
This is very poor journalism at best. I would not bother myself with trusting how it will have any effect on the price, or anything else for that matter.
If bitcoin private keys were easily crackable - don't you think someone would have taken satoshi's coins already? It's just created to spread FUD, ignore it.

the article was titled:
Quote
Researchers Describe an Easy Way to Crack Bitcoin Brain Wallet Passwords

NOT:
cracking ECDSA based private keys derived from random data.

but geeks know the difference. yet laymen / common folk that are just bitcoin users not computer geeks don't know the difference and will think bitcoin is broken

ATguy
February 14, 2016, 10:36:39 AM
 #9

Quote from: mirana12345
This is very poor journalism at best. I would not bother myself with trusting how it will have any effect on the price, or anything else for that matter.
If bitcoin private keys were easily crackable - don't you think someone would have taken satoshi's coins already? It's just created to spread FUD, ignore it.

I think it is standard practice to use eye-catching sentences in journalism so people get initial interest in reading further. So it's not created to spread FUD, but to get as many reads as possible. Pretty standard.

But it surprises me they were able to obtain 18 000 wallet access, seems brain wallets are popular even though everywhere not recommended to use with weak phrases.

Denker
February 14, 2016, 10:58:37 AM
 #10

Quote from: honeysyd
I am not an expert of encryption, so I do not fully understand the following article. However, it seems very interesting that some researchers demonstrated a way of hacking BTC private keys in a security conference in Las Vegas, US.

https://www.cryptocoinsnews.com/researchers-describe-easy-way-crack-bitcoin-wallet-passwords/

Any opinion on this? If it is true, the bitcoin price would plummet soon.




No no. Hacking a brain wallet with a weak password and trying to hack a private key are completely different things!!
Bitcoin is very secure. It's up to you what kind of wallets you use and how strong the password is.
Please don't mix these things up!!
franky1
February 14, 2016, 11:02:52 AM
Last edit: February 14, 2016, 11:19:30 AM by franky1
 #11

Quote from: mirana12345
This is very poor journalism at best. I would not bother myself with trusting how it will have any effect on the price, or anything else for that matter.
If bitcoin private keys were easily crackable - don't you think someone would have taken satoshi's coins already? It's just created to spread FUD, ignore it.

Quote from: ATguy
I think it is standard practice to use eye-catching sentences in journalism so people get initial interest in reading further. So it's not created to spread FUD, but to get as many reads as possible. Pretty standard.

But it surprises me they were able to obtain 18 000 wallet access, seems brain wallets are popular even though everywhere not recommended to use with weak phrases.

it's because once there are millions of people using bitcoin and not everyone is a computer expert, a lot of people want something as easy to use or understand as things like paypal.

wrong i know. but that's how the real world works.

some of the novices believe that if there is such thing as a brain wallet it must have some basic security otherwise it's useless and not worth offering. so they overly trust that it's secure because it's available and popular.

it's important to learn the fundamentals

using the most basic small word sentences of 6 words
EG "using this and you will lose"
1 in 15625000000000000

using the most basic small word sentences of 12 words
"if you are using these words you will be hacked i promise"
1 in 244140625000000000000000000000000

using the standard common longer word sentences of 12 words
"suddenly increasing entropy should multiply security protection against bruteforce related hacking attempts"
1 in 1000000000000000000000000000000000000

using random and uncommon words with no sentence structure of 12 words
"amphibology prosopagnosia umbriferous doryphore breatharian criticaster martlet paludal labarum illywhacker gasconade etui"
1 in 3138428376721000000000000000000000000000000000000000000000000 chance
 

though the 18000 wallets were using far less than 12 words. and not as random and uncommon as they would think..
so 12-20 random/uncommon words is stronger. it's important that it's not small common words and important that it's not a sentence structure/quote.

odolvlobo
February 14, 2016, 11:27:25 AM
 #12

One of the reasons it is so easy to crack brain wallets is that everyone uses SHA-256 to hash the phrase. SHA-256 is designed to be fast. You could make it a million times more difficult by using a more appropriate hash function such as bcrypt, which is designed for hashing passwords.

Join an anti-signature campaign: Click ignore on the members of signature campaigns.
PGP Fingerprint: 6B6BC26599EC24EF7E29A405EAF050539D0B2925 Signing address: 13GAVJo8YaAuenj6keiEykwxWUZ7jMoSLt
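
Added example, not part of any post in this thread: the sketch below puts numbers on the point made in post #12 and on the word-count arithmetic in post #4, by timing a single SHA-256 derivation against a stretched one and converting a keyspace into exhaust time. It uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt; the salt, iteration count and sample phrases are assumptions.

```python
import hashlib
import math
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def keyspace_bits(vocabulary: int, words: int) -> float:
    """Bits of entropy if every word is drawn uniformly at random from the vocabulary."""
    return words * math.log2(vocabulary)

def sha256_key(phrase: str) -> bytes:
    """Classic brain wallet: the 32-byte private key is one SHA-256 of the phrase."""
    return hashlib.sha256(phrase.encode("utf-8")).digest()

def stretched_key(phrase: str, salt: bytes, iterations: int) -> bytes:
    """Same 32-byte output, but each derivation costs `iterations` HMAC-SHA256 rounds."""
    return hashlib.pbkdf2_hmac("sha256", phrase.encode("utf-8"), salt, iterations)

def seconds_per_derivation(derive, runs: int) -> float:
    """Average wall-clock cost of one derivation on this machine."""
    start = time.perf_counter()
    for i in range(runs):
        derive(f"constructed sample phrase {i}")  # constructed input, not real data
    return (time.perf_counter() - start) / runs

def years_to_exhaust(bits: float, seconds_each: float) -> float:
    """Single-core time needed to derive a key for every phrase in the keyspace."""
    return (2.0 ** bits) * seconds_each / SECONDS_PER_YEAR

def compare(iterations: int = 100_000) -> dict:
    salt = b"constructed-per-user-salt"  # assumption: some per-user value
    fast = seconds_per_derivation(sha256_key, 20_000)
    slow = seconds_per_derivation(lambda p: stretched_key(p, salt, iterations), 3)
    rows = {}
    # Vocabulary of 3500 common words is the figure used in post #4.
    for label, vocab, words in [("3 common words", 3500, 3),
                                ("12 common words", 3500, 12)]:
        bits = keyspace_bits(vocab, words)
        rows[label] = (bits, years_to_exhaust(bits, fast), years_to_exhaust(bits, slow))
    return {"slowdown": slow / fast, "rows": rows}

if __name__ == "__main__":
    result = compare()
    print(f"stretching makes each derivation ~{result['slowdown']:,.0f}x more expensive")
    for label, (bits, y_fast, y_slow) in result["rows"].items():
        print(f"{label}: {bits:.1f} bits, {y_fast:.3g} y (SHA-256) vs {y_slow:.3g} y (stretched)")
```

Stretching multiplies the cost of every derivation but adds no entropy, so a three-word phrase stays weak either way; the figures are single-core and shrink in proportion to the hardware applied.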
bob123
February 14, 2016, 11:29:24 AM
 #13

Private keys can't be "hacked" yet.
Weak passwords could always be (and always will be) easily hackable.



Redrose
February 14, 2016, 11:32:14 AM
 #14

This is a common practice to use misleading titles in articles if this is particularly "attractive", like this one in the press world.
gkv9
February 14, 2016, 11:37:33 AM
 #15

There was even a website that was called to be a directory where you can find a private key for any address and hack it...
Do you really think those addresses were real, or were ever put any coins in them???
Also, it would take a lot of computational power to even find a specific address if you go through a website analyzing process...

Mickeyb
February 14, 2016, 11:42:08 AM
 #16

Quote from: gkv9
There was even a website that was called to be a directory where you can find a private key for any address and hack it...
Do you really think those addresses were real, or were ever put any coins in them???
Also, it would take a lot of computational power to even find a specific address if you go through a website analyzing process...

The directory was real, along with the addresses the private keys were connected to, but did you view the number of those rows and pages? Now consider finding your address in one of those [Roll Eyes]

OP is either an ignorant fool, or someone who thinks he just discovered a new thing, that passwords can be hacked and they are somehow what private keys are made of [Grin] Seriously, even the link shows it's brain wallet passwords
BitcSeo
February 14, 2016, 12:00:22 PM
 #17

I also believe it is impossible to crack or hack a Private Key, but for the sake of curiosity, how do most hackers manage to break into most btc exchange sites to steal coins?


Thanks

AliceWonderMiscreations
February 14, 2016, 12:04:28 PM
 #18

This is why I use qwerty123 instead of just qwerty - the latter is too easy to guess.

For my brain wallets of high value I just add a 4 or maybe also a 5.

I hereby reserve the right to sometimes be wrong
Lauda
February 14, 2016, 12:12:08 PM
 #19

Quote from: BitcSeo
I also believe it is impossible to crack or hack a Private Key, but for the sake of curiosity, how do most hackers manage to break into most btc exchange sites to steal coins?
Thanks

It is not possible to do so, stop posting nonsense. They break into the exchange itself via various methods (e.g. social engineering) and others are just operations from the inside.

Quote from: AliceWonderMiscreations
For my brain wallets of high value I just add a 4 or maybe also a 5.

The best solution is to not use a brain wallet at all if not necessary.

Quote from: Mickeyb
OP is either an ignorant fool, or someone who thinks he just discovered a new thing, that passwords can be hacked and they are somehow what private keys are made of [Grin] Seriously, even the link shows it's brain wallet passwords

The article itself is misleading. I'm not even surprised though.

Quote from: Redrose
This is a common practice to use misleading titles in articles if this is particularly "attractive", like this one in the press world.

"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks"
😼 Bitcoin Core (onion)
franky1
February 14, 2016, 12:15:29 PM
 #20

Quote from: BitcSeo
I also believe it is impossible to crack or hack a Private Key, but for the sake of curiosity, how do most hackers manage to break into most btc exchange sites to steal coins?


Thanks

they don't.. ... often
the admin of the website is usually the culprit who then shifts the blame to someone else to hide his own ill intentions.

that said hackers do hack websites. but sometimes (especially in btc exchanges) it's an inside job.

once you're inside by either owning the service or hacking. it's as simple as 'send to' to move the funds.. it's not like you have to brute force the login and then brute force encryption and then brute force private keys.. some sites just need to get past the login and then the world is your oyster
