How secure is BIP38?

[Nathan047]

I have a bunch of paper wallets and naturally I would like to have a bunch of copies of them distributed as backups. They all have BIP38 encryption but I was wondering: how secure is a BIP38 password protected wallet? So, say somebody gets a copy of a paper wallet protected by BIP38; how plausible is it for them to crack the BIP38 (assuming a long password that isn’t in the dictionary) and get the private key? I’m asking because if it is secure I may end up having some copies put in places that other people may be able to get.

Edit: Grammar

[TryNinja]

You would need to crack the password with brute force, which will always take a lot of time if you choose a strong password. And it's safe enought, so if you are going to store multiple paper wallets in several places, you should definitely encrypt it with a password as an extra security measure.

[DannyHamilton]

how secure is a BIP38 password?

That depends on how good you are at choosing passwords.

So, say somebody gets a copy of a paper wallet protected by BIP38; how plausible is it for them to crack the BIP38 (assuming a long password that isn’t in the dictionary) and get the private key? I’m asking because if it is secure I may end up having some copies put in places that other people may be able to get.

BIP38 uses AES256 encryption.

It is always possible that there may new weaknesses discovered in AES256 encryption in the future. As such, if you leave copies where others can get them, you may want to keep aware of any new developments in cryptography especially regarding AES256.

Given what is currently publicly known about AES256, your private keys will be secure as long as you choose a sufficiently secure password.

[TechPriest]

I have a bunch of paper wallets and naturally I would like to have a bunch of copies of them distributed as backups. They all have BIP38 encryption but I was wondering: how secure is a BIP38 password? So, say somebody gets a copy of a paper wallet protected by BIP38; how plausible is it for them to crack the BIP38 (assuming a long password that isn’t in the dictionary) and get the private key? I’m asking because if it is secure I may end up having some copies put in places that other people may be able to get.

It's so bad that you asked on English 
In short: as you can understand, it depends on how "strong" is your passphrase.
BUT! It's easy to notice that every passphrase generated by human can't be enough strong (sorry, very hard to explain in english. I've read only russian cryptography books  ). You must use good PRNG for your passphrase.

Algorythm without elliptic curve point.

Code:

Encryption steps:

1. Compute the Bitcoin address (ASCII), and take the first four bytes of SHA256(SHA256()) of it. Let's call this "addresshash".
2. Derive a key from the passphrase using scrypt
- Parameters: passphrase is the passphrase itself encoded in UTF-8 and normalized using Unicode Normalization Form C (NFC). salt is addresshash from the earlier step, n=16384, r=8, p=8, length=64 (n, r, p are provisional and subject to consensus)
- Let's split the resulting 64 bytes in half, and call them derivedhalf1 and derivedhalf2.
3. Do AES256Encrypt(block = bitcoinprivkey[0...15] xor derivedhalf1[0...15], key = derivedhalf2), call the 16-byte result encryptedhalf1
4. Do AES256Encrypt(block = bitcoinprivkey[16...31] xor derivedhalf1[16...31], key = derivedhalf2), call the 16-byte result encryptedhalf2

[Nathan047]

how secure is a BIP38 password?

That depends on how good you are at choosing passwords.

First of all, I meant to say “...how strong is a bip38 password protected wallet,” that quote makes me look like I know nothing about encryption.

Second, how about 24 character passwords containing upper case letters, lower case letters, special characters, numbers, and not a single word? And yes, I can remember them.

BIP38 uses AES256 encryption.

It is always possible that there may new weaknesses discovered in AES256 encryption in the future. As such, if you leave copies where others can get them, you may want to keep aware of any new developments in cryptography especially regarding AES256.

Given what is currently publicly known about AES256, your private keys will be secure as long as you choose a sufficiently secure password.

Okay, good to know. My concern was that the encryption was too weak to protect against brute force techniques.

[DannyHamilton]

Second, how about 24 character passwords containing upper case letters, lower case letters, special characters, numbers, and not a single word? And yes, I can remember them.

Again, that depends on how good you are at picking passwords.

If your 24 character password is something like:
Cm1.$ya--nmhlp--hl0nm1mp

Then it is not secure AT ALL (even though it contains "upper case letters, lower case letters, special characters, numbers, and not a single word").

You don't need to tell me your process. I really don't care. Just be aware that the biggest vulnerabilities you are going to encounter with BIP38 for the near future will be your ability to choose, and secure your password.

[Nathan047]

If your 24 character password is something like:
Cm1.$ya--nmhlp--hl0nm1mp
Then it is not secure AT ALL (even though it contains "upper case letters, lower case letters, special characters, numbers, and not a single word").

Wait, what makes that vulnerable? If it is something easy to guess that I just haven't caught on to (like “pAssw()rd”) then I would understand, but to me that just looks like random text making it very hard to brute force/guess.

[jackg]

If your 24 character password is something like:
Cm1.$ya--nmhlp--hl0nm1mp
Then it is not secure AT ALL (even though it contains "upper case letters, lower case letters, special characters, numbers, and not a single word").

Wait, what makes that vulnerable? If it is something easy to guess that I just haven't caught on to (like “pAssw()rd”) then I would understand, but to me that just looks like random text making it very hard to brute force/guess.

To me, that weirdly doesn't look like a random set of characters (it might just be me though). It's still difficult to brute force but not exactly impossible also, try not to repeat characters in the password. Also, I'd suggest you make the password as random as possible (I can make a script either Python or Windows executable that will produce it for you but you might find a tool for that online anyway).

[DannyHamilton]

to me that just looks like random text making it very hard to brute force/guess.

And that's the point I was trying to make.

Humans aren't good at being "random", and things that humans look at and think "that's very random" often aren't.

You might think you've come up with the perfect way to create a memorable, random, 24 character password.  If you are correct, you'll be fine.  If you are incorrect, then you will be taking a risk without realizing it.

As to why my example password isn't very good.

It uses VERY common substitutions:

• Substitute every 's' or 'S' with '$'
• Substitute every 'i' or 'I' with '1'
• Substitute every 'o' or 'O' with '0'

Then, it is built by keeping any original punctuation and using the first character of each word from the first paragraph of a widely published work until it is 24 characters long:

Call me Ishmael. Some years ago—never mind how long precisely—having little or no money in my purse, and nothing particular to interest me on shore, I thought I would sail about a little and see the watery part of the world.

If you recognize the source, then it should be clear that this "system" for choosing a memorable, but random looking password is a bad idea.  If you don't recognize the source, then it is even more evidence that something that you think is obscure, might not be as obscure as you think.

I'm not suggesting that your method of choosing and memorizing a password is as bad as this, I'm just suggesting that your method of choosing and memorizing a password might not be as safe as you might think it is.

In the end:
The biggest vulnerabilities you are going to encounter with BIP38 for the near future will be your ability to choose, and secure your password.  If you have actually perfected a method of doing those two things, then you'll be fine.  If you somehow lose or forget your password, or create a situation where someone else can gain access to your password, or choose a password that someone else has a chance of figuring out, or a chance of finding by stumbling on to the correct algorithm, then you could potentially lose access to your bitcoins.

[Cereberus]

A strong password is one which only you remember and is some random characters which are not in dictionaries but to you it is a sentence with a few words backwards which you can remember easily, add some capital letters to the first letter of the words you love most and add a few special characters in the end of the password which you can remember easily. 65 characters password and boom you are pretty far ahead of the game even against major threats.

If you put such password to it even if the most skillful hacker founds your paper wallets he cannot brute force such password for a good trillion years.

Danny can help you better with a mathematical example if you want to see why I am correct. I am not that good at math

[Frosten]

From my understanding, the length of the password is crucial, when talking crack/brute force time.

Example :

"The dog took me for a walk two times today. But I couldn't see the bird behind the tree"

[jackg]

From my understanding, the length of the password is crucial, when talking crack/brute force time.

Example :

"The dog took me for a walk two times today. But I couldn't see the bird behind the tree"

That is a fairly strong password. However you might want to look at using random characters for generating the password if you want to make it more secure (but that might be too excessive for what is needed).

-Danny explains this much better above.

[Frosten]

jackg, thanks. Yes but from what I could understand, it's more important to have a long password than special characters. It's better to remember a long sentence (a uncommon sentence, just jibberish).

The difficulty will be incremental by every added character, it's easier to remember a long sentence, the password example I gave is a 88 char password. It will take a couple of quadragintillion years to crack.

[achow101]

jackg, thanks. Yes but from what I could understand, it's more important to have a long password than special characters. It's better to remember a long sentence (a uncommon sentence, just jibberish).

The difficulty will be incremental by every added character, it's easier to remember a long sentence, the password example I gave is a 88 char password. It will take a couple of quadragintillion years to crack.

No, that is incorrect. Long does not necessarily mean secure. Password crackers are not stupid, they aren't going to just brute force your password one character at a time; they are going to use dictionaries, lists of previous passwords, sentences and phrases from common books, etc. Humans are predictable and password crackers use that predictability in order to better crack passwords. While your password is probably secure, it can be cracked much much sooner than the majority of password cracking calculation sites tell you.

[jackg]

jackg, thanks. Yes but from what I could understand, it's more important to have a long password than special characters. It's better to remember a long sentence (a uncommon sentence, just jibberish).

The difficulty will be incremental by every added character, it's easier to remember a long sentence, the password example I gave is a 88 char password. It will take a couple of quadragintillion years to crack.

No, that is incorrect. Long does not necessarily mean secure. Password crackers are not stupid, they aren't going to just brute force your password one character at a time; they are going to use dictionaries, lists of previous passwords, sentences and phrases from common books, etc. Humans are predictable and password crackers use that predictability in order to better crack passwords. While your password is probably secure, it can be cracked much much sooner than the majority of password cracking calculation sites tell you.

Exactly.
Your password has 19 words in it.
If we say there are 19*3=57 different combinations of 19 words that can be used (capitals and full stops included).
And testing up to 20 words sets gives 184756 number of possibliliies (approx).
According to this there are about 750000 words in the English dictionary.

So that's 57*200000*750000=8.55x10¹² possililities that they need to test.

Running an algorithm like vanitygen on my old computer does about 300 operations per second (on 1GHz). If you get a higher power computer, it'd be not too difficult to get in if there's enough at stake. (To clarify, seed cracking with 13 words wouldn't work this way as it'd require internet connection/rpc responses of scans of the entie blockchain which has a convenient limit to the rate even on fast computers). If someone has access to a petahertz super computer, it'd take 8550 seconds to crack your password - under 3 hours.

It'd be even easier to crack as those two sentences are actual setences and not like SEEDS with random characters.

I'm not sure how AES encryption works but other encryption types would allow you get parts of the password out i you now certain information about it as there are similarities between different private keys.

[LoyceV]

First of all, I meant to say “...how strong is a bip38 password protected wallet,” that quote makes me look like I know nothing about encryption.

Unless a vulnerability is found, BIP38 is a very strong protection. Check this thread: I'm BIP38 curious, please help me out! , in which minimalB offered several rewards for brute-forcing some BIP38 wallets. The last one, with a 1 Bitcoin reward, used password "zLwMiR" and didn't get cracked before the experiment ended.

The shorter password got cracked quickly:

It took ~20 hours on three n1-highcpu-16 machines on Google Compute. Each one did ~50 passwords per second, 150 total.
It cost around $38 overall.

So yes, cracking 5-char passwords is definitely feasible for relatively cheap. Would be way cheaper if I had used my own hardware.

6 random characters was/is just too expensive to brute-force.

Second, how about 24 character passwords containing upper case letters, lower case letters, special characters, numbers, and not a single word? And yes, I can remember them.

How sure are you to still remember them after 20 years? The biggest problem I have with basically all Bitcoin wallets is that I have to remember something, or write it down somewhere. It's either a passphrase or a list of seed words, and long-term both my memory and any written storage risk either forgetting it or someone finding it.

[Nathan047]

Second, how about 24 character passwords containing upper case letters, lower case letters, special characters, numbers, and not a single word? And yes, I can remember them.

How sure are you to still remember them after 20 years? The biggest problem I have with basically all Bitcoin wallets is that I have to remember something, or write it down somewhere. It's either a passphrase or a list of seed words, and long-term both my memory and any written storage risk either forgetting it or someone finding it.

I do write them down, so if I do forget I can just read them off the paper (I store the paper in a different location from the wallets as to make it harder to get the password and the wallet). I also do a good job at remembering them, so I don't expect to forget.