Bitcoin Forum
Author Topic: Passphrase utility  (Read 1509 times)
theymos (Administrator)
March 03, 2013, 05:42:27 AM  #1

I've written a little Python utility for securely creating keys (private keys, encryption keys, deterministic wallet seeds, etc.) from passphrases. It asks you for some impossible-to-forget info about yourself for use as a seed to prevent hash precomputation attacks, and it hashes your passphrase over one million times to make brute-force attacks very slow.

I created this because several tools seem to be handling passphrases wrongly. brainwallet.org just does one unsalted sha256 hash of passphrases, which is terribly insecure. Electrum wants you to memorize 12 words, which is unnecessarily long. With this tool, a totally random and unique 6-word or 11-character passphrase should be secure.

I tried to make it so non-ASCII characters are hashed the same across all platforms, but I'm not sure whether I got it right. I'd be careful about using non-ASCII characters.
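A salted, iterated derivation of the kind the post above describes, added here as an illustration; it is not theymos's code, and his repository may use a different construction and different questions. PBKDF2-HMAC-SHA256 as the iterated hash, the question names, the length-prefixed salt encoding and the case-folding of answers are all assumptions of this example. The NFKC normalisation is one way of handling the non-ASCII concern the post raises, and the last two helpers put numbers on the "6-word or 11-character passphrase" claim.

```python
import hashlib
import math
import unicodedata

# Added example, not theymos's code: a salted, iterated passphrase-to-key
# derivation of the kind the post describes. The personal answers only salt
# the derivation (defeating precomputed tables); the passphrase itself must
# still carry the entropy.
ITERATIONS = 1_000_000   # the post's "over one million times"
KEY_LEN = 32             # 256-bit output: a private key or wallet seed


def canon(text: str, fold_case: bool = False) -> bytes:
    """Canonicalise text so the same characters hash identically everywhere.

    NFKC maps composed and decomposed forms (U+00E9 versus 'e' + U+0301) and
    compatibility variants to one representation before UTF-8 encoding, which
    is the cross-platform non-ASCII problem raised in the post. Case folding
    is applied only to the personal answers, never to the passphrase, so
    'New York' and 'new york' give the same salt.
    """
    text = text.strip()
    if fold_case:
        text = text.casefold()
    return unicodedata.normalize("NFKC", text).encode("utf-8")


def build_salt(answers: dict) -> bytes:
    """Serialise the personal answers into a salt.

    Question names are an assumption for illustration. Keys are sorted so the
    salt does not depend on the order the questions were asked, and each field
    is length-prefixed so that 'ab'+'c' cannot collide with 'a'+'bc'.
    """
    salt = b""
    for key in sorted(answers):
        field = canon(key, True) + b"=" + canon(answers[key], True)
        salt += len(field).to_bytes(2, "big") + field
    return salt


def derive_key(passphrase: str, answers: dict, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: the iterated hashing that makes each guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", canon(passphrase), build_salt(answers),
                               iterations, dklen=KEY_LEN)


def passphrase_bits(words: int, wordlist_size: int) -> float:
    """Entropy of `words` words drawn uniformly at random from a list of that size."""
    return words * math.log2(wordlist_size)


def brute_force_seconds(bits: float, iterations: int, hashes_per_second: float) -> float:
    """Expected time to search half the keyspace at a given attacker hash rate."""
    return 2 ** (bits - 1) * iterations / hashes_per_second


if __name__ == "__main__":
    # Constructed sample input.
    answers = {"first name": "Ann", "last name": "Smith",
               "birth year": "1980", "city": "New York"}
    key = derive_key("correct horse battery staple sudden pivot", answers)
    print(key.hex())
    print(f"6 random words from 7776: {passphrase_bits(6, 7776):.1f} bits")
    print(f"11 random printable ASCII chars: {passphrase_bits(11, 95):.1f} bits")
    # 1e9 hashes/s is a constructed attacker rate for illustration, not a measurement.
    years = brute_force_seconds(passphrase_bits(6, 7776), ITERATIONS, 1e9) / 3.15e7
    print(f"years at 1e9 SHA-256/s: {years:.2e}")
```

The iteration count multiplies the attacker's cost per guess, and the salt stops a single precomputed table from covering every user, but neither adds entropy: the time-to-break figure scales with `passphrase_bits`, which is why the "totally random" qualifier on the six words matters.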

btcusr (Sr. Member)
March 03, 2013, 01:56:08 PM  #2

Good one.

I had a similar idea of a passphrase utility which would generate a passphrase from constant webpage content, like this. I am just using a Wikipedia article at a point in time (date / version), but it can be anything, even an image / photo from National Geographic, Picasa, or Google Drive, or a YouTube video, etc.

Stephen Gornick (Legendary)
March 04, 2013, 02:49:58 AM  #3

Quote: I've written a little Python utility

Y U NO use GitHub (or gitorius or whatever ...)?

misterbigg (Hero Member)
March 04, 2013, 03:13:51 AM  #4

This would be great if it was in javascript...how am I supposed to run Python? I don't have that installed on my Windows 7 machine.

nimda (Hero Member)
March 04, 2013, 03:36:11 AM  #5

Why not use python 3?

theymos (Administrator)
March 04, 2013, 04:23:09 AM  #6

Quote: I don't have that installed on my Windows 7 machine.

Then install it...

Quote: Why not use python 3?

I was originally writing this as a patch to Electrum, but it seemed like it'd take too much time to integrate so I decided to make a standalone utility. This is also why I wrote it in Python at all (which I'm not a big fan of).

theymos (Administrator)
March 04, 2013, 04:38:16 AM  #7

Quote: Y U NO use GitHub (or gitorius or whatever ...)?

https://github.com/theymos/passphrase

ThomasV (Legendary)
March 19, 2013, 09:12:15 AM  #8

Quote: I was originally writing this as a patch to Electrum, but it seemed like it'd take too much time to integrate so I decided to make a standalone utility. This is also why I wrote it in Python at all (which I'm not a big fan of).

please read my answer here: https://bitcointalk.org/index.php?topic=153990.msg1641145#msg1641145
I do not know how much entropy you get from those 6 words, but that really is the only question you should ask yourself.

Technologov (Full Member)
July 14, 2014, 03:32:35 PM  #9

1. Where can I get your utility?
2. Which license is it? (needs to be open-source, preferably BSD-style, so it can be integrated into Android and FreeBSD later on)
TimS (Full Member)
July 14, 2014, 03:53:17 PM  #10

Quote: 1. Where can I get your utility?
2. Which license is it? (needs to be open-source, preferably BSD-style, so it can be integrated into Android and FreeBSD later on)
1. Two posts above yours is: https://github.com/theymos/passphrase
2. The source at the above link says "Public domain"

I would highly recommend that nobody use this to create a wallet. This is highly insecure. Practically anyone who knows you could get in based on what they already know, or with a tiny amount of work (e.g. researching you on Facebook). People who don't know you would first need to identify you, and then get in with a tiny amount of work. And "but the attackers wouldn't know I'm using that algorithm!" is not a good assumption or argument. "A cryptosystem should be secure even if everything about the system, except the key, is public knowledge." (Kerckhoffs's principle)
Someone could also brute-force randomly-generated names/birth dates/cities.
DeathAndTaxes (Donator, Legendary)
July 14, 2014, 04:22:54 PM  #11

Agreed with Tim. Please let this post die. It is a horribly insecure method.

Let's assume that it can only be brute forced (in reality many of your friends could steal your coins on the first attempt). If we consider all possible birthdates in the last century that is 16 bits of entropy. However we can shave 2 bits off by looking at only likely birthdates (say between the ages of 16 and 66). The US census provides name lists which cover 90% of the population and that consists of only ~887K last names and ~3K first names. In the US there are only 30,000 recognized cities, towns, and unincorporated areas. Put all together you could cover ~90% of all possible permutations of US Bitcoiners with 9.7 * 10^16 attempts. This might sound like a lot until you consider that the Bitcoin network to date has made 1.2*10^24 hashing attempts (12,433,044x as much).
theymos (Administrator)
July 14, 2014, 04:29:26 PM  #12

You seem to think that this generates keys based only on personal info, but that's just the salt used to prevent pre-computation attacks. You also need a strong passphrase.

I wouldn't use this code for large sums of money because it doesn't have much review, but I think that the basic principle is very solid if the user can make a decent passphrase (which is maybe not a good assumption in general).

DeathAndTaxes (Donator, Legendary)
July 14, 2014, 04:33:53 PM  #13

56 bits is pretty weak for a salt and worse they would be heavily biased. Due to non-random distribution an attacker could choose to start from the most probable values and expand on the precomputation tables as time permits. Taking a ballpark guess the majority (51%) of Americans would have less than 20 bits of salt. Granted if your name is Olef-Olef-Olefz WashingFrankenburg and you were born in Greater Bumfuck, Uganda in 1999 you probably are safe. On the other hand if you are John Smith born in 1980 in New York well you just have a false sense of security. I would advocate against using this type of system but if you absolutely felt the need to use such a system it should involve more questions and ones with a flatter distribution and that are less likely to be known through casual contact:
What is the name of the street where you first lived (enter just the base word excluding any prefixes or suffixes, "Main" vs "E Main St")?

What is your mother's maiden name?
What is your grandmother's middle name?
On what date did your grandparent who died the youngest die?
etc.

Quote: if the user can make a decent passphrase (which is maybe not a good assumption in general)

I agree this is better than just a single hash brain wallet but the implicit zero factor nature of brain wallets means that better is probably still going to result in lost funds. The difficulty is that humans are both BAD at entropy and BAD at recognizing low entropy values. Most users simply fail at picking a strong password. However in most applications there is a second factor. To steal a desktop wallet requires the passphrase (probably weak) AND the actual file. To break into a website (which hopefully disables logins after failed attempts) requires the weak passphrase AND the hashed password table. Brain wallets don't have that luxury.
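The entropy accounting in posts #11 and #13 above (log2 of the number of possible names and dates, then the observation that a skewed distribution gives an attacker far less to search), worked through in code. This is an added example, not anything from the thread: the Zipf-shaped distributions and their exponents are constructed assumptions, the support sizes merely echo the figures DeathAndTaxes quotes, and real census frequency tables would replace them. It computes, per field and for the combined salt, the naive log2(N) figure alongside Shannon entropy, min-entropy and the share of users whose salt falls under a given number of bits.

```python
import math
from collections import defaultdict

# Added example, not from the thread: how much of a biased salt an attacker
# actually has to search. Zipf shapes and exponents are constructed; the
# support sizes echo the figures quoted in the thread.
BIN = 0.25  # bits per histogram bin when summing surprisal across fields


def zipf(n: int, s: float = 1.0) -> list:
    """Zipf-shaped probabilities over n values, most common first (constructed)."""
    w = [1.0 / k ** s for k in range(1, n + 1)]
    total = sum(w)
    return [x / total for x in w]


def shannon_bits(p: list) -> float:
    """Average surprisal: what 'bits of entropy' usually means."""
    return -sum(x * math.log2(x) for x in p if x > 0)


def min_entropy_bits(p: list) -> float:
    """Surprisal of the single most likely value: the attacker's first guess."""
    return -math.log2(max(p))


def guesses_to_cover(p: list, fraction: float) -> int:
    """Guesses, most likely first, before `fraction` of users have been hit."""
    cum = 0.0
    for i, x in enumerate(sorted(p, reverse=True), 1):
        cum += x
        if cum >= fraction:
            return i
    return len(p)


def surprisal_histogram(p: list) -> dict:
    """Probability mass per binned surprisal (-log2 p, in units of BIN)."""
    h = defaultdict(float)
    for x in p:
        if x > 0:
            h[round(-math.log2(x) / BIN)] += x
    return h


def convolve(h1: dict, h2: dict) -> dict:
    """Distribution of the sum of two independent binned surprisals."""
    out = defaultdict(float)
    for a, pa in h1.items():
        for b, pb in h2.items():
            out[a + b] += pa * pb
    return out


def fraction_below(fields: list, bits: float) -> float:
    """Share of users whose combined salt (independent fields) has under `bits` of surprisal."""
    h = {0: 1.0}
    for p in fields:
        h = convolve(h, surprisal_histogram(p))
    return sum(m for k, m in h.items() if k * BIN < bits)


def salt_report(fields: dict) -> dict:
    """Naive log2(N) versus Shannon and min-entropy, summed over independent fields."""
    naive = sum(math.log2(len(p)) for p in fields.values())
    shannon = sum(shannon_bits(p) for p in fields.values())
    minent = sum(min_entropy_bits(p) for p in fields.values())
    return {
        "naive_bits": naive,
        "shannon_bits": shannon,
        "min_entropy_bits": minent,
        "fraction_below_20_bits": fraction_below(list(fields.values()), 20),
        "guesses_to_half": {k: guesses_to_cover(p, 0.5) for k, p in fields.items()},
    }


# Constructed model of the thread's salt: first name, surname, birth year, city.
SALT_FIELDS = {
    "first_name": zipf(3_000, 1.0),
    "surname": zipf(887_000, 0.9),
    "birth_year": [1 / 50] * 50,   # ages 16..66, treated as uniform
    "city": zipf(30_000, 1.0),
}

if __name__ == "__main__":
    for k, v in salt_report(SALT_FIELDS).items():
        print(f"{k}: {v}")
```

The three figures answer different questions: `naive_bits` is the size of the table an attacker would need to cover everyone, `shannon_bits` the average cost, and `min_entropy_bits` the cost of the John Smith case. `fraction_below` is the quantity behind the "51% of Americans would have less than 20 bits" style of estimate, and with real frequency tables it is the number to report.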
intron (Sr. Member)
July 15, 2014, 06:04:08 PM  #14


Thanks, very useful.
