Bitcoin Forum
August 18, 2018, 12:27:40 PM *
News: Latest stable version of Bitcoin Core: 0.16.2  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: [1] 2 »  All
  Print  
Author Topic: I'm running an interesting brain wallet security test  (Read 7198 times)
linjaaho
Newbie
*
Offline Offline

Activity: 2
Merit: 0


View Profile
March 06, 2013, 06:25:47 AM
 #1

Two weeks ago I started to run a little security test on brain wallets. I created five brain wallets, and deposited one bitcoin to each of them. The password for every wallet is ridiculously easy (a kind of password that security professionals would kill me if they knew  Cool).

Currently, only one of the five wallets has been ripped. I think the "problem" with my test is that no one assumes that someone is storing his/her coins behind a stupid password. Prove me I'm wrong  Cool.

And no, I'm not trolling. After one month has passed, I'll reveal the passwords here and everyone can check with Blockchain.info that I was not kidding. Meanwhile, you can follow me on Twitter.
1534595260
Hero Member
*
Offline Offline

Posts: 1534595260

View Profile Personal Message (Offline)

Ignore
1534595260
Reply with quote  #2

1534595260
Report to moderator
1534595260
Hero Member
*
Offline Offline

Posts: 1534595260

View Profile Personal Message (Offline)

Ignore
1534595260
Reply with quote  #2

1534595260
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1534595260
Hero Member
*
Offline Offline

Posts: 1534595260

View Profile Personal Message (Offline)

Ignore
1534595260
Reply with quote  #2

1534595260
Report to moderator
1534595260
Hero Member
*
Offline Offline

Posts: 1534595260

View Profile Personal Message (Offline)

Ignore
1534595260
Reply with quote  #2

1534595260
Report to moderator
1534595260
Hero Member
*
Offline Offline

Posts: 1534595260

View Profile Personal Message (Offline)

Ignore
1534595260
Reply with quote  #2

1534595260
Report to moderator
drb
Newbie
*
Offline Offline

Activity: 6
Merit: 0


View Profile
March 06, 2013, 12:05:39 PM
 #2

Slightly related: I just tried the wallet with passphrase: 'bitcoin is awesome'

Some dude had 500 BTC on that wallet. WTF!
mintymark
Sr. Member
****
Offline Offline

Activity: 279
Merit: 250


View Profile
March 06, 2013, 12:21:31 PM
 #3

True, but ony briefly, for 30 seconds in Nov 2012.

[[ All Tips gratefully received!!  ]]
15ta5d1N8mKkgC47SRWmnZABEFyP55RrqD
Herodes
Hero Member
*****
Offline Offline

Activity: 868
Merit: 1000


View Profile
March 06, 2013, 12:41:58 PM
 #4

Interessant historie. Smiley
Nicolai
Jr. Member
*
Offline Offline

Activity: 39
Merit: 0


hey


View Profile
March 06, 2013, 07:07:35 PM
 #5

haha nice :-)

I haven't found any of your addresses (yet Wink ), but here are some addresses I found, that previously have had bitcoins on them:
Quote
The Times 03/Jan/2009 Chancellor on brink of second bailout for banks
correct horse battery staple
Satoshi Nakamoto
investr
Full Member
***
Offline Offline

Activity: 222
Merit: 100


View Profile
March 06, 2013, 07:31:41 PM
 #6

Another failed one: Setec Astronomy

This is a ridiculously hard request considering the possibility of punctuation permutations. How about a hint letting us know if there is any punctuation or capitalization?

Successful transactions: http://pastebin.com/GM27Ju59
baumberg
Newbie
*
Offline Offline

Activity: 10
Merit: 0


View Profile
March 06, 2013, 08:32:35 PM
 #7

First I thought that I had found your address, but then I was thinking they: "Hey... who stores 1000 BTC with such an easy pwd?"  Wink
linjaaho
Newbie
*
Offline Offline

Activity: 2
Merit: 0


View Profile
March 07, 2013, 09:18:13 PM
 #8

Well the good news about brain wallets is that they are still hard to guess even if they are "easy" pass-phrases.

I think you are right - here are some hints to make the competition easier:
http://linja-aho.blogspot.fi/2013/03/small-contest-hack-my-bitcoins-and-keep.html
stdset
Hero Member
*****
Offline Offline

Activity: 573
Merit: 500



View Profile
March 08, 2013, 01:23:58 AM
 #9

May be your passwords are not so stupid.

Let's estimate how difficult it is to rip your addresses.
Min length is 15 chars. Bruteforsing such passphrase char by char is hopeless, since we have about 3*10^21 combinations for the shortest password.
So let's try to use a dictionary. Let's say it contains 20000 words (it should contain more, but we want to make conservative estimation). Passphrase contains at least 3 of such words, what gives us 8*10^12 combinations. And this is the easyest case. Also it was assumed, that we know algorithm used to generate all those keys from passphrases. But one could md5 them first, or do whatever else. For somebody who isn't a hacker it is obvously pointless to try. Even if you are a hacker, it is most likely still pointless, since reward is too small and task probably isn't that easy.
And, btw, how many combinations could decent bruteforsing application try a second?

SIGNW
Jr. Member
*
Offline Offline

Activity: 41
Merit: 0


View Profile
March 08, 2013, 01:34:03 AM
 #10

Well the good news about brain wallets is that they are still hard to guess even if they are "easy" pass-phrases.

I think you are right - here are some hints to make the competition easier:
http://linja-aho.blogspot.fi/2013/03/small-contest-hack-my-bitcoins-and-keep.html

Thanks! I've been trolling lurking here for a while, but came from the Redditsphere asking for some passphrase formatting hints. Time to get guessing!
mokahless
Sr. Member
****
Offline Offline

Activity: 470
Merit: 250



View Profile
March 08, 2013, 04:11:42 AM
 #11

This is an interesting challenge. Let's spread it around and see how long it takes.
I spent about 10-20 minutes randomly guessing phrases and found only one address from a phrase I had come up with myself: "may the force be with you". It once contained a single satoshi probably a long time ago.
I think your level of easy may boil down to if someone knows what kind of personality and person you are. If they don't know this, a dictionary attack might work faster since we know they are all lowercase English letters with spaces.


aside: @SIGNW - I don't think trolling means what you think it does.

TheButterZone
Legendary
*
Offline Offline

Activity: 2226
Merit: 1008


Pay with SegWit!


View Profile WWW
March 08, 2013, 05:46:02 AM
 #12

I spent about 10-20 minutes randomly guessing phrases and found only one address from a phrase I had come up with myself: "may the force be with you". It once contained a single satoshi probably a long time ago.
... in a Galaxy Far Far Away?

NBA Store coupons here!
Saying that you don't trust someone because of their behavior is completely valid.
gapthemind
Jr. Member
*
Offline Offline

Activity: 35
Merit: 0


View Profile
March 08, 2013, 11:03:27 AM
 #13

Dude where is my car Smiley

I will give him an offer he cant refuse


But tbh I think it would be hard to guess a password like that, its not like guessing a password from people using
12345678987654321 or qwertyuioplkjhgfdsa, that can be the case.
SIGNW
Jr. Member
*
Offline Offline

Activity: 41
Merit: 0


View Profile
March 08, 2013, 04:04:59 PM
 #14

aside: @SIGNW - I don't think trolling means what you think it does.

haha whoops. I was tired from guessing brainwallets. I *knew* it didn't sound right, but entered it anyways.

*tired
hathmill
Full Member
***
Offline Offline

Activity: 186
Merit: 100



View Profile
March 20, 2013, 08:16:45 PM
 #15

1. http://lmgtfy.com/?q=most+used+passwords&l=1
2. http://brainwallet.org/
3. http://blockchain.info/address/16ga2uqnF1NqpAuQeeg7sTCAdtDUwDyJav
4. http://coderedd.net/r/Bitcoin/comments/xgpw1/could_somebody_steal_bitcoin_by_guessing/
hashcode
Newbie
*
Offline Offline

Activity: 13
Merit: 0


View Profile
March 20, 2013, 09:05:45 PM
 #16

I had fun following this over on r/bitcoin/ , but I don't think you have much to worry about people guessing these brain wallets. Everyone on there, myself included, needed a LOT of hints before the last 4 passes were cracked Smiley

If you're running another experiment anytime soon, let me know  Wink
TheButterZone
Legendary
*
Offline Offline

Activity: 2226
Merit: 1008


Pay with SegWit!


View Profile WWW
March 20, 2013, 09:20:55 PM
 #17

But because I'm impatient, here is a hint for passphrases:
...
only allowed characters are small letters (a-z) and spaces

in the four unhacked passwords, there are no spaces, just words after words


NBA Store coupons here!
Saying that you don't trust someone because of their behavior is completely valid.
infested999
Hero Member
*****
Offline Offline

Activity: 770
Merit: 500



View Profile
July 02, 2014, 07:09:52 PM
 #18

Two weeks ago I started to run a little security test on brain wallets. I created five brain wallets, and deposited one bitcoin to each of them. The password for every wallet is ridiculously easy (a kind of password that security professionals would kill me if they knew  Cool).

Currently, only one of the five wallets has been ripped. I think the "problem" with my test is that no one assumes that someone is storing his/her coins behind a stupid password. Prove me I'm wrong  Cool.

And no, I'm not trolling. After one month has passed, I'll reveal the passwords here and everyone can check with Blockchain.info that I was not kidding. Meanwhile, you can follow me on Twitter.


Looking back at this, the Bitcoin price when OP started this experiment was $30 on February 20, 2013 (2 weeks before March 6, 2013).

Apparently four wallets are still open, that leaves $4,000 in this thread.

EDIT: I found the follow-up Tweet here: https://twitter.com/linjaaho/statuses/311041344330153985

The password was "fuckfuckfuckfuck"

              ▄███▄   ▄███▄
              █████   █████
      ▄███▄    ▀▀▀     ▀▀▀    ▄███▄
      █████     ▄██▄ ▄██▄     █████
       ▀▀▀ ▄██▄ ▀██▀ ▀██▀ ▄██▄ ▀▀▀
 ▄███▄     ▀██▀           ▀██▀     ▄███▄
 █████ ▄██▄                   ▄██▄ █████
  ▀▀▀  ▀██▀                   ▀██▀  ▀▀▀
                       ▄█
▄███▄ ▄██▄            ███ ███  ▄██▄ ▄███▄
█████ ▀██▀  ████      █████    ▀██▀ █████
 ▀▀▀         ▀███▄    ████           ▀▀▀
       ▄██▄    ████   ███     ▄██▄
 ▄███▄ ▀██▀     ▀███  ███     ▀██▀ ▄███▄
 █████            ███▄██           █████
  ▀▀▀              ▀████            ▀▀▀
                     ███
                     ███
                     ██
                   ███

████    ██
  ████    ██
    ████    ██
      ████    ██
        ████    ██
          ████    ██
          ████    ██
        ████    ██
      ████    ██
    ████    ██
  ████    ██
████    ██










White Paper
Yellow Paper
Pitch Deck
Telegram
LinkedIn
Twitter
nabeton
Full Member
***
Offline Offline

Activity: 137
Merit: 100


View Profile
July 02, 2014, 09:10:59 PM
 #19

hey, now I am bit confused  Huh  how come you can reach bitcoins in that wallet without knowing its private key.
are you saying that anybody can just spent time creating new wallets with random passphrase and if he hits one already used it generates same address again?

Then why I need paper wallet with "root key", if knowing passphrase is enough.

I thought passphrase in armory is just to encrypt dat file, or you are talking about different passphrase.

sorry for stupid query, but I'm starting to worry about my BTC.

edit: first google link and I don't worry anymore. armory is not brain wallet.



boumalo
Legendary
*
Offline Offline

Activity: 1274
Merit: 1000


View Profile
July 02, 2014, 09:29:08 PM
 #20

hey, now I am bit confused  Huh  how come you can reach bitcoins in that wallet without knowing its private key.
are you saying that anybody can just spent time creating new wallets with random passphrase and if he hits one already used it generates same address again?

Then why I need paper wallet with "root key", if knowing passphrase is enough.

I thought passphrase in armory is just to encrypt dat file, or you are talking about different passphrase.

sorry for stupid query, but I'm starting to worry about my BTC.

edit: fist google link and I don't worry anymore. armory is not brain wallet.





You can get the private key from the passphrase because the private key was generated from the passphrase

https://brainwallet.github.io/
https://en.bitcoin.it/wiki/Brainwallet

The passphrase must have a good entropy, if you use a paper wallet you don't need a passphrase but you can encrypt your wallet for additional safety

Pages: [1] 2 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!