Bitcoin Forum
Author Topic: Is BIP38 encryption of private keys bruteforcable?  (Read 561 times)
lukaexpl (OP)
Full Member
August 28, 2017, 07:30:22 AM
Merited by ABCbits (1)
 #1

I watched the following video on YouTube and it is scary how weak any passphrase is as a seed for brainwallet:

https://www.youtube.com/watch?v=foil0hzl4Pg

That makes me wonder if by the creation of paper wallets and encryption of private keys with a "weak" passphrase (I have no idea what would constitute a strong passphrase) we run the risk of accidentally found paper wallets with encrypted private keys being brute forced by the knowledgeable finder of such a paper wallet?
ranochigo
Legendary
August 28, 2017, 08:32:30 AM
Merited by ABCbits (2)
 #2

Quote from: lukaexpl
> I watched the following video on YouTube and it is scary how weak any passphrase is as a seed for brainwallet:
>
> https://www.youtube.com/watch?v=foil0hzl4Pg

Brainwallet.org uses SHA256 to derive the keys and it is very easy to bruteforce at a decent speed.

Quote from: lukaexpl
> That makes me wonder if by the creation of paper wallets and encryption of private keys with a "weak" passphrase (I have no idea what would constitute a strong passphrase) we run the risk of accidentally found paper wallets with encrypted private keys being brute forced by the knowledgeable finder of such a paper wallet?

BIP38 uses AES to encrypt the BIP38 key. The key derivation is scrypt. Scrypt is very resource intensive and it takes a long time for someone to be able to decrypt the key even once. For a normal desktop computer, it may be possible for a key to be bruteforced at a rate of 1 key per second. As long as you use a decent password that is not common or is not guessable by others, it is very safe.

Ultimately, the strength of your password is what matters. Your password is not secure if you think it can be bruteforced.

lukaexpl (OP)
Full Member
August 28, 2017, 09:03:24 AM
 #3

Thanks for the answer.

So if I use something like Diceware and generate a random list of say 7 words, such a passphrase should be easy to memorise but impossible to bruteforce at a rate of 1 key/second.
ranochigo
Legendary
August 28, 2017, 11:40:40 AM
 #4

Quote from: lukaexpl
> Thanks for the answer.
>
> So if I use something like Diceware and generate a random list of say 7 words, such a passphrase should be easy to memorise but impossible to bruteforce at a rate of 1 key/second.

I'm not sure about diceware and I've never used it.
Is the password predictable? Is the password common? Is the password in a dictionary? Does the password only contain letters and/or numbers?

If you answer yes to anything above, it can be rather insecure. The point here is that the ability of guessing a password at a slow rate does not matter if your password is weak. They can still employ botnets or a large array of computers to bruteforce your password if it's sufficiently weak. It is just so that it is not feasible for them to bruteforce it if your password is relatively strong.

mocacinno
Legendary
August 28, 2017, 11:44:36 AM
Merited by ABCbits (1)
 #5

Quote from: lukaexpl
> I watched the following video on YouTube and it is scary how weak any passphrase is as a seed for brainwallet:
>
> https://www.youtube.com/watch?v=foil0hzl4Pg
>
> That makes me wonder if by the creation of paper wallets and encryption of private keys with a "weak" passphrase (I have no idea what would constitute a strong passphrase) we run the risk of accidentally found paper wallets with encrypted private keys being brute forced by the knowledgeable finder of such a paper wallet?

This thread should satisfy your curiosity: https://bitcointalk.org/index.php?topic=1014202

If you found it TL;DR, here's the bottom line:
A member put 1 BTC onto an address whose private key was bip38 encrypted, he posted the encrypted private key + the fact that the password was only 6 letters. Later on he even gave a couple of clues about the password.
Two years later, he closed the contest and disclosed the password to be "zLwMiR", the prize remained unclaimed (nobody successfully bruteforced the password in 2 years, even with the prior knowledge the password was only 6 letters long).

So, if you pick a reasonably strong, completely random password, you should be relatively secure... Of course, if you're going to load your paper wallet with 1000's of BTC, you're giving a brute forcer a very big incentive to crack your passphrase...


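Added example, not part of any post in this thread: it times the scrypt step that every BIP38 passphrase guess must pay and turns a guess rate into the time needed to exhaust a passphrase scheme, for 7 Diceware words and for 6 random letters. Assumptions not stated in the thread: the scrypt parameters (N=16384, r=8, p=8, 64-byte output) come from the BIP38 specification, the Diceware list has 7776 words, the letters are drawn from a-z and A-Z, the salt is a constructed value, and the 10,000-machine figure is illustrative; the 1 guess per second rate is the estimate given in reply #2.

```python
import hashlib
import math
import time

# scrypt parameters fixed by the BIP38 specification (non-EC-multiply mode).
BIP38_N, BIP38_R, BIP38_P, BIP38_DKLEN = 16384, 8, 8, 64
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def bip38_derive(passphrase: str, salt4: bytes) -> bytes:
    """Run the scrypt step a BIP38 decryption must perform for every guess."""
    return hashlib.scrypt(
        passphrase.encode("utf-8"), salt=salt4,
        n=BIP38_N, r=BIP38_R, p=BIP38_P,
        dklen=BIP38_DKLEN, maxmem=64 * 1024 * 1024,
    )


def measure_seconds_per_guess(trials: int = 3) -> float:
    """Average wall-clock cost of one derivation on this machine."""
    salt = bytes.fromhex("00112233")  # constructed 4-byte salt, not a real address hash
    start = time.perf_counter()
    for i in range(trials):
        bip38_derive(f"constructed-guess-{i}", salt)
    return (time.perf_counter() - start) / trials


def entropy_bits(symbols: int, length: int) -> float:
    """Entropy of a passphrase drawn uniformly at random: length * log2(symbols)."""
    return length * math.log2(symbols)


def years_to_exhaust(symbols: int, length: int,
                     seconds_per_guess: float = 1.0, machines: int = 1) -> float:
    """Years to try every candidate; the expected time to a hit is half of this."""
    total_seconds = (symbols ** length) * seconds_per_guess / machines
    return total_seconds / SECONDS_PER_YEAR


if __name__ == "__main__":
    cost = measure_seconds_per_guess()
    print(f"measured scrypt cost here: {cost:.3f} s per guess")
    # Assumed alphabets: 52 mixed-case letters, 7776-word Diceware list.
    schemes = {"6 random letters (a-z, A-Z)": (52, 6),
               "7 Diceware words": (7776, 7)}
    for name, (symbols, length) in schemes.items():
        for machines in (1, 10_000):  # 10,000 is an illustrative fleet size
            years = years_to_exhaust(symbols, length, 1.0, machines)
            print(f"{name}: {entropy_bits(symbols, length):.1f} bits, "
                  f"{years:.3g} years on {machines} machine(s) at 1 guess/s")
```
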
lukaexpl (OP)
Full Member
August 28, 2017, 12:21:17 PM
 #6

Thanks a ton mocacinno. Just the answer I was looking for.

Mod please feel free to delete the other thread started by me that asks exactly the question that was answered here.