Bitcoin Forum
May 03, 2024, 12:14:01 AM *
Author Topic: If you used Brainwallet.org - MUST READ! - Security Breach!  (Read 52763 times)
mechs (OP)
Full Member
***
Offline Offline

Activity: 210
Merit: 100



View Profile
July 06, 2013, 03:21:20 PM
 #21

hey guys,
   Sorry I just logged back on.  As I said, I was just fooling around so I did use a very short passphrase "stfu!" just to see how it works and I imported it into Bitcoin-qt using the importprivkey command.  I actually made two keys from this - one with Point Compression and one without Point Compression - only the uncompressed address was compromised.
    Anyway, newbie mistake - glad I learned it on  .178BTC as opposed to much more.  Though this experience has taught me a brain wallet is not for me - any phrase I could remember would not be secure, and if I added enough misspellings and character substitutions I would likely forget it eventually.  Will just stick to my paper wallets I generated offline using Ninja's script at bitcoinaddress.org
    I feel better actually, since even though all my trojan scans came back negative, I was still worried maybe somehow my computer was compromised.  The only compromise was my noobness! Hope others learn from my error.
mechs
virtualmaster
Hero Member
*****
Offline Offline

Activity: 504
Merit: 500



View Profile
July 06, 2013, 03:34:29 PM
Last edit: July 06, 2013, 04:51:12 PM by virtualmaster
 #22

The owner of that site needs to shut it down. This kind of thing was inevitable and we warned about it from the start. Someone has calculated a rainbow table and the passphrase you chose is in it.

Which wallet software did you import the key into? Do we need to put a warning about this site into wallet apps? We need to find some way to kill this stupid and dangerous site asap.
I think we shouldn't make such assertions without any evidence.
If someone calculated a rainbow table (and I'm almost sure more people have done so) then it has nothing to do with the site owner.
It was the negligence of the user in using a simple password and the opportunism of a dishonest hacker which caused it.
Is the bank guilty if somebody takes over your online account because you used 123456 as the password?
You shouldn't use something that you don't understand.

Calendars for free to print: 2014 Calendar in JPG | 2014 Calendar in PDF Protect the Environment with Namecoin: 2014 Calendar in JPG | 2014 Calendar in PDF
Namecoinia.org  -  take the planet in your hands
BTC: 15KXVQv7UGtUoTe5VNWXT1bMz46MXuePba   |  NMC: NABFA31b3x7CvhKMxcipUqA3TnKsNfCC7S
J35st3r
Full Member
***
Offline Offline

Activity: 196
Merit: 100



View Profile
July 06, 2013, 03:43:28 PM
 #23

stfu! looks correct ...

Code:
pi@tvpi ~ $ python bitaddr_brain.py 
Enter keyphrase: stfu!
stfu!
keyphrase=[stfu!]
f8ec8429e5922a17fa3b8f2810949381bc921adef69e42dab30f579ddd5731e9  priv key HEX
5Khv1RwWj3jkJnewDYxdDXFwyJiBppER3t5c291G5pL4RuuxhMr  private key WIF
L5Zaxu5cCb5g9WWSJQ4WrGYydXAnn3UD9iTKa2L9aFu88xBCwgdV  private key WIF (comp)
041b35508e152d9470a5e94160a13647da0de4dc017fad205b0ee99ef8526c6f878509cf4908aceb8428f22e4b3bde67342ec4349b187f67c974b07f441a5711df  public key
318043492132656822b2cec2b5d2465c067889b5  uncompressed hash (pubkey)
15WjmFwpZ1mp3fG55JGoGv3p5y9jtehEB2  address
031b35508e152d9470a5e94160a13647da0de4dc017fad205b0ee99ef8526c6f87  comp pubkey
091a107374ffc6854910a469b96fe970674a8fa6  hash (compressed pubkey)
1q8JhnKe7LjBZjCrwfDYT5LkkGo9GuEEx  compressed address

I feel for your loss, but it's a useful wakeup call for the rest of us. I think I'll stick with bitcoin_qt for now.

1Jest66T6Jw1gSVpvYpYLXR6qgnch6QYU1 NumberOfTheBeast ... go on, give it a try Grin
mechs (OP)
Full Member
***
Offline Offline

Activity: 210
Merit: 100



View Profile
July 06, 2013, 03:47:34 PM
 #24

As I said, it was a small loss - the equivalent of $12.  Could have been worse and hopefully others will learn from my errors.  Still, a warning on the website about the need to use a strong passphrase would be a good idea.  Ninja's bitaddress generator will not even create codes for such short passphrases I see to protect newbs from themselves.
mechs (OP)
Full Member
***
Offline Offline

Activity: 210
Merit: 100



View Profile
July 06, 2013, 03:51:14 PM
 #25

Btw, can someone explain to me the difference between the compressed and uncompressed keys?  Seems both are accepted by Bitcoin-QT (though an uncompressed priv key cannot be used to access the compressed public key or vice-versa).  Is one type more secure than the other?  In my example, the stfu! compressed version was not compromised, only the uncompressed version was (I channeled the BTC through both bitcoin addresses).  The speed (seconds) with which the funds were redirected makes it clear it was a bot.
justusranvier
Legendary
*
Offline Offline

Activity: 1400
Merit: 1009



View Profile
July 06, 2013, 04:04:10 PM
 #26

The speed (seconds) with which the funds were redirected make it clear it was a bot.
I don't think you understand what a rainbow table is.

Somebody generated the exact same brainwallet you did, long before you ever thought of using that passphrase.

They've actually generated millions of brainwallets, and they're just waiting for someone naive enough to use the same weak passphrases and deposit money into one of their addresses.

Anything less than 16 random words is too short as a passphrase. Not a 16 word phrase from your favourite work of literature, not some TV character's 16 word catchphrase with a few simple letter substitutions and random punctuation characters thrown in.

16 words that have never before been grouped together into the same context by any human that has ever lived.

If you can't generate and remember a random passphrase this long you shouldn't use brainwallets.
J35st3r
Full Member
***
Offline Offline

Activity: 196
Merit: 100



View Profile
July 06, 2013, 04:05:46 PM
 #27

Btw, can someone explain to me the difference between the compressed and uncompressed keys?

Since I'm here, I'll take a punt, but I'm no expert (and I expect a cross post will happen by the time I finish).

The public key is a 64 byte (512 bit) number derived by an ECC algorithm from the private key. It consists of the X and Y coordinates of a point on the curve. However, one of these coordinates is redundant, so the compressed key just uses the X coordinate, which shortens the public key length by half. In practice both versions are hashed to a 160-bit hash value in the block chain. If you take a look at the script I linked above, you can see the procedure for generating both the uncompressed and compressed keys/addresses.

I assume they are equally secure (others may correct me). The reason that only the uncompressed stfu! was compromised is (I guess) that most people just use this one and the hacker did not bother to build the rainbow table for the compressed one (lazy hacker as the ECC is the expensive part, so the only cost of having both is storage space).

Hope this helps. (Yup, crosspost, but not on this topic so I'll post anyway)

1Jest66T6Jw1gSVpvYpYLXR6qgnch6QYU1 NumberOfTheBeast ... go on, give it a try Grin
virtualmaster
Hero Member
*****
Offline Offline

Activity: 504
Merit: 500



View Profile
July 06, 2013, 05:17:29 PM
 #28

Somebody told me that he generated a keypair with the passphrase 'dog' one year ago when the bitcoin had a value of 10$ and deposited 0.01 BTC.
The amount was taken in a half an hour.
No human would make such an effort for 10 cents.
So it seems to be sure that some bots are scanning the network for brainwallets.
But that doesn't mean that brainwallets are not secure if used correctly.

Calendars for free to print: 2014 Calendar in JPG | 2014 Calendar in PDF Protect the Environment with Namecoin: 2014 Calendar in JPG | 2014 Calendar in PDF
Namecoinia.org  -  take the planet in your hands
BTC: 15KXVQv7UGtUoTe5VNWXT1bMz46MXuePba   |  NMC: NABFA31b3x7CvhKMxcipUqA3TnKsNfCC7S
mechs (OP)
Full Member
***
Offline Offline

Activity: 210
Merit: 100



View Profile
July 06, 2013, 05:20:57 PM
 #29

Thanks, it seems to me then that compressed is more secure simply since fewer people use it, so hackers are less likely to include it in a rainbow table.  Clearly, though, that is not a replacement for a strong passphrase.
giszmo
Legendary
*
Offline Offline

Activity: 1862
Merit: 1105


WalletScrutiny.com


View Profile WWW
July 06, 2013, 05:33:11 PM
 #30

OP: mind changing the topic? I find it quite offensive to the guy who runs brainwallet.org despite the above mentioned reservations.
You only make a fool of yourself if you use a weak password like you did and then blame the service for stealing your money.

WalletScrutiny.com - Is your wallet secure? (Methodology)
WalletScrutiny checks if wallet builds are reproducible, a precondition for code audits to be of value.
mechs (OP)
Full Member
***
Offline Offline

Activity: 210
Merit: 100



View Profile
July 06, 2013, 05:37:26 PM
 #31

I still think this thread is very useful - I know you feel people who are new and not tech savvy deserve to lose their bitcoins, but that is not an attitude that will lead to widespread adoption.  I would be okay changing it to:  "If you use Brainwallet.org - MUST READ! - Security Risk!" if you think that is more accurate.  My post was not meant to be libel in any way; it seemed like a security breach to me at the time, and it is a vulnerability with brain wallets that more people need to be made aware of.
giszmo
Legendary
*
Offline Offline

Activity: 1862
Merit: 1105


WalletScrutiny.com


View Profile WWW
July 06, 2013, 06:22:39 PM
 #32

I still think this thread is very useful - I know you feel people who are new and not tech savvy deserve to lose their bitcoins, but that is not an attitude that will lead to widespread adoption.  I would be okay changing it to:  "If you use Brainwallet.org - MUST READ! - Security Risk!" if you think that is more accurate.  My post was not meant to be libel in any way; it seemed like a security breach to me at the time, and it is a vulnerability with brain wallets that more people need to be made aware of.

If you have no problem lying to people, implicitly calling others that set up services like brainwallet fraudsters, leave it as is. If honesty counts in your value system, maybe change it to the truth. This is not about saying that you didn't deserve better.

WalletScrutiny.com - Is your wallet secure? (Methodology)
WalletScrutiny checks if wallet builds are reproducible, a precondition for code audits to be of value.
Jan
Legendary
*
Offline Offline

Activity: 1043
Merit: 1002



View Profile
July 06, 2013, 08:11:14 PM
 #33

The block chain is a public vault. Anyone can use it. Access to specific funds is determined by the key used. The security of your money depends on your ability to protect your key. Creating a unique key from the start is an important step in protecting your key.

When you use a key that someone else already has...



...they can access any funds attached to that key.

The most important thing new users should learn before using Bitcoin is how to protect their key.

+1
Keep your private keys private

Mycelium lets you hold your private keys private.
🏰 TradeFortress 🏰
Bitcoin Veteran
VIP
Legendary
*
Offline Offline

Activity: 1316
Merit: 1043

👻


View Profile
July 07, 2013, 02:24:48 AM
 #34

Which is great if you know what you are doing, but people in life are not prepared to lose money if their hard drive crashes or such. It doesn't matter how loud you yell at users for them to back up their private keys - they usually don't.
mechs (OP)
Full Member
***
Offline Offline

Activity: 210
Merit: 100



View Profile
July 07, 2013, 02:26:28 AM
 #35

Clearly a new solution for the security issues is required for mass adoption by laypeople - the hardware wallets, if they can be made very affordable, will certainly be a move in that direction.
BurtW
Legendary
*
Offline Offline

Activity: 2646
Merit: 1131

All paid signature campaigns should be banned.


View Profile WWW
July 07, 2013, 03:17:26 AM
 #36

Btw, can someone explain to me the difference between the compressed and uncompressed keys?  Seems both are accepted by Bitcoin-QT (though an uncompressed priv key cannot be used to access the compressed public key or vice-versa).  Is one type more secure than the other?  In my example, the stfu! compressed version was not compromised, only the uncompressed version was (I channeled the BTC through both bitcoin addresses).  The speed (seconds) with which the funds were redirected makes it clear it was a bot.
Compressed or uncompressed only applies to public keys, not private keys.  All private keys are the same, there is no compressed form.  For every private key there is only one public key but the public key can be expressed in two different forms.  Each form maps to a different public key address.  So, every private key maps to two different public key addresses.

Not a bot, it was just that the address you generated was already set up to sweep to another address long before you generated it - as explained in other posts.

Btw, can someone explain to me the difference between the compressed and uncompressed keys?
The public key is a 64 byte (512 bit) number derived by an ECC algorithm from the private key. It consists of the X and Y coordinates of a point on the curve. However, one of these coordinates is redundant, so the compressed key just uses the X coordinate, which shortens the public key length by half. In practice both versions are hashed to a 160-bit hash value in the block chain. If you take a look at the script I linked above, you can see the procedure for generating both the uncompressed and compressed keys/addresses.

I assume they are equally secure (others may correct me). The reason that only the uncompressed stfu! was compromised is (I guess) that most people just use this one and the hacker did not bother to build the rainbow table for the compressed one (lazy hacker as the ECC is the expensive part, so the only cost of having both is storage space).

Hope this helps. (Yup, crosspost, but not on this topic so I'll post anyway)
Almost.  For completeness:
Since every X coordinate in the finite prime field corresponds to exactly two Y coordinates in the finite prime field, one positive and one negative, it is possible to define the exact X,Y coordinate of the public key by using the X coordinate and a sign indicator to tell you which of the two possible Y coordinates to use.

Both forms of the public key are equally secure in that a) they both describe exactly the same information and b) given the X,Y coordinates of a point in either form it is equally difficult to calculate the private key used to generate the public key point.

Yes the ECC is the "hard part" of the calculation but going from uncompressed to compressed public key form is trivial and then the extra hashes to calculate the two different public key addresses is also trivial.  I expect "lazy hacker" if the compressed form was not compromised.

Thanks, it seems to me then compressed is more secure simply since less people use it so hackers less likely to include it in a rainbow table.  Clearly, though, that is not a replacement for a strong passphrase.
Whether you use the compressed or uncompressed public key to generate the public key address does not matter at all since the issue here is the passphrase used to create the private key.

Given a very large number of private keys generated from a very large number of common/simple pass phrases they will simply set up sweeps of both versions of the public key address generated from each private key.

I still think this thread is very useful - I know you feel people who are new and not tech savvy deserve to lose their bitcoins, but that is not an attitude that will lead to widespread adoption.  I would be okay changing it to:  "If you use Brainwallet.org - MUST READ! - Security Risk!" if you think that is more accurate.  My post was not meant to be libel in any way; it seemed like a security breach to me at the time, and it is a vulnerability with brain wallets that more people need to be made aware of.

Yes, I think that you should (please) change the title to "If you use any brain wallet - MUST READ! - Security Risk!"  as this issue of losing your BTC when using a common/simple pass phrase applies to any brain wallet, not just those from brainwallet.org.

The most important thing new users should learn before using Bitcoin is how to protect their key.
+1
Keep your private keys private
The issue here was that the passphrase for a brain wallet was too simple.  Not that the private key was not kept private.




Our family was terrorized by Homeland Security.  Read all about it here:  http://www.jmwagner.com/ and http://www.burtw.com/  Any donations to help us recover from the $300,000 in legal fees and forced donations to the Federal Asset Forfeiture slush fund are greatly appreciated!
scintill
Sr. Member
****
Offline Offline

Activity: 448
Merit: 254


View Profile WWW
July 07, 2013, 03:34:18 AM
 #37

I think we shouldn't make such assertions without any evidence.
If someone calculated a rainbow table (and I'm almost sure more people have done so) then it has nothing to do with the site owner.

He's just saying SHA256 brain private keys are a bad idea, and sites like Brainwallet.org should be taken down so that it is not easy for misinformed people to create weak private keys.  How hard we should try to protect people from themselves, I guess that's a philosophical/ideological debate that is OT.

As for the evidence of a rainbow table, how about this:

I did a small investigation some time ago to see how widespread the problem was, and these were the results:

 - Sent 0.001 BTC to an address generated with a password you will find in any top 10 common password list. Taken immediately.
 - Sent 0.001 BTC to an address generated with a six digit password. Taken immediately.
 - Sent 0.001 BTC to an address generated with the same six digit password as above, but with Point Conversion set to "Compressed". Untouched.
 - Sent 0.001 BTC to an address generated with an upper/lower/digit six character randomly generated password, normal Point Conversion. Untouched.

Someone is definitely out there grabbing things from weak-passworded wallets, but even a six-character random password thwarts them.

The only thing slightly surprising to me is that mechs's password "stfu!" has punctuation, but I just checked and that verbatim string is in the Rockyou password dump, and anyway it's not much more creative than just "stfu" alone.

Yes, I think that you should (please) change the title to "If you use any brain wallet - MUST READ! - Security Risk!"  as this issue of losing your BTC when using a common/simple pass phrase applies to any brain wallet, not just those from brainwallet.org.

Agreed.  More accurate, less alarming, more applicable.

1SCiN5kqkAbxxwesKMsH9GvyWnWP5YK2W | donations
AliceWonder
Full Member
***
Offline Offline

Activity: 168
Merit: 100



View Profile
July 07, 2013, 03:41:23 AM
 #38

and I meant maybe your brainwallet password was short not your wallet.dat password. It is probably a bot that instantly created all private keys of a word list and then when a balance hits it transfers it out.

What kind of idiot would write a bot like that?
You wait until it has at least half a coin in it before transferring it out.

Well I guess for really common words it has to be fast or someone else gets it.

-=-

I have two problems with brain wallets -

A) If I die, my survivors have no way to access it.

B) No matter how clever I think I am, if the pass phrase is something I can remember, it has a higher likelihood of being brute forced than a key that is high entropy random generated.

Paper wallets for me.

QuarkCoin - what I believe bitcoin was intended to be. On reddit: http://www.reddit.com/r/QuarkCoin/
AliceWonder
Full Member
***
Offline Offline

Activity: 168
Merit: 100



View Profile
July 07, 2013, 03:51:35 AM
 #39

The speed (seconds) with which the funds were redirected makes it clear it was a bot.
I don't think you understand what a rainbow table is.

Somebody generated the exact same brainwallet you did, long before you ever thought of using that passphrase.

They've actually generated millions of brainwallets, and they're just waiting for someone naive enough to use the same weak passphrases and deposit money into one of their addresses.

Anything less than 16 random words is too short as a passphrase. Not a 16 word phrase from your favourite work of literature, not some TV character's 16 word catchphrase with a few simple letter substitutions and random punctuation characters thrown in.

16 words that have never before been grouped together into the same context by any human that has ever lived.

If you can't generate and remember a random passphrase this long you shouldn't use brainwallets.

Another thing you can do is repeat the hash hundreds and hundreds of times. And use a salt - with the original phrase and added to each hash. You can even have a simple formula that changes the salt each hash.

57899@##$% as my salt.
"I like big butts" as my passphrase.

Each hash I change the salt according to the number performed and add it to the previous hash, changing the salt so it grows each time, resulting in a huge salt by the last hash.

Repeat, say, 722 times.

All I have to remember is the salt (write it down), the pass phrase, and the algorithm I used to alter the salt each iteration.

Try cracking that from a rainbow table.

But I still don't like brain wallets. Paper for me. Stored in a secure place.

KISS

QuarkCoin - what I believe bitcoin was intended to be. On reddit: http://www.reddit.com/r/QuarkCoin/
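The iterated, salted hashing sketched in the post above, set beside the plain single-SHA-256 brainwallet this thread is about. This is an added example, not the poster's code and not brainwallet.org's: the stretching function is one reading of the described scheme (the salt is mixed into every round and extended with the round counter, so it grows from round to round), the salt and sample passphrase are taken from the post as constructed inputs, and PBKDF2-HMAC-SHA256 is included as the standardised form of the same idea. What the block shows is the cost trade-off: stretching makes every guess slower by roughly the round count, but it does not reduce how many guesses a dictionary of common phrases requires.

```python
import hashlib
import time

# Constructed inputs taken from the post above; "stfu!" is the passphrase
# whose SHA-256 was shown in post #23 and is reused only as a test vector.
SALT = b"57899@##$%"
SAMPLE_PASSPHRASE = "I like big butts"


def plain_brainwallet_key(passphrase: str) -> bytes:
    """Single unsalted SHA-256: the derivation this thread is about."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


def stretched_brainwallet_key(passphrase: str, salt: bytes, rounds: int) -> bytes:
    """Iterated, salted hashing in the spirit of the post above (assumed
    reading of the scheme): every round hashes the previous state together
    with a salt that is extended by the round counter and the passphrase."""
    if rounds < 1 or not salt:
        raise ValueError("need a non-empty salt and at least one round")
    secret = passphrase.encode("utf-8")
    state = hashlib.sha256(salt + secret).digest()
    for i in range(1, rounds + 1):
        round_salt = salt + i.to_bytes(4, "big")   # the salt "grows" each round
        state = hashlib.sha256(state + round_salt + secret).digest()
    return state


def pbkdf2_brainwallet_key(passphrase: str, salt: bytes, rounds: int) -> bytes:
    """The standard form of the same idea, with a fixed 32-byte output."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               rounds, dklen=32)


def derivations_per_second(derive, samples: int = 200) -> float:
    """How many times per second this machine can run one derivation,
    i.e. how many candidate phrases a single core can check with it."""
    start = time.perf_counter()
    for _ in range(samples):
        derive()
    return samples / (time.perf_counter() - start)


def slowdown_factor(passphrase: str, salt: bytes, rounds: int) -> float:
    """Per-guess cost of the stretched scheme relative to plain SHA-256.
    This factor is the whole benefit of stretching: a short or leaked
    passphrase is still a finite dictionary, only each entry costs more."""
    plain = derivations_per_second(lambda: plain_brainwallet_key(passphrase))
    stretched = derivations_per_second(
        lambda: stretched_brainwallet_key(passphrase, salt, rounds))
    return plain / stretched


if __name__ == "__main__":
    print("plain     :", plain_brainwallet_key(SAMPLE_PASSPHRASE).hex())
    print("stretched :", stretched_brainwallet_key(SAMPLE_PASSPHRASE, SALT, 722).hex())
    print("pbkdf2    :", pbkdf2_brainwallet_key(SAMPLE_PASSPHRASE, SALT, 722).hex())
    print("per-guess slowdown at 722 rounds: %.0fx" % slowdown_factor(SAMPLE_PASSPHRASE, SALT, 722))
```

Running the script prints the three derived keys and the measured slowdown; a few hundred rounds buys a few-hundredfold increase in per-guess cost, whereas each additional random word in the passphrase multiplies the number of guesses by the size of the wordlist, which is why the earlier advice in the thread about passphrase length matters more than any salting scheme.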
CurbsideProphet
Hero Member
*****
Offline Offline

Activity: 672
Merit: 500


View Profile
July 07, 2013, 05:28:26 AM
 #40

Compressed or uncompressed only applies to public keys, not private keys.  All private keys are the same, there is no compressed form.

Why is it then that under the details tab on bitaddress.org is there an option of "Private Key WIF (compressed, 52 characters base58, starts with a 'K' or 'L')?"

1ProphetnvP8ju2SxxRvVvyzCtTXDgLPJV
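The compressed/uncompressed distinction explained in posts #27 and #36, and the "compressed WIF" question raised in post #40, worked through in code. This is an added example, not code from the thread and not bitaddr_brain.py: it implements secp256k1 point arithmetic in plain Python, derives the single public key point that belongs to the private key shown in post #23, encodes that point in both forms, recovers the full point from the compressed form the way BurtW describes (the X coordinate plus a parity indicator choosing between the two possible Y values), and builds both WIF strings. The thread's own hex values are reused only as test vectors. The hash160/address step is left out because it needs RIPEMD-160, which not every Python build ships.

```python
import hashlib

# secp256k1 domain parameters (public constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

# Values copied from the bitaddr_brain.py output in post #23, used here
# purely as test vectors.
THREAD_PRIV = bytes.fromhex(
    "f8ec8429e5922a17fa3b8f2810949381bc921adef69e42dab30f579ddd5731e9")
THREAD_PUB_UNCOMPRESSED = bytes.fromhex(
    "041b35508e152d9470a5e94160a13647da0de4dc017fad205b0ee99ef8526c6f87"
    "8509cf4908aceb8428f22e4b3bde67342ec4349b187f67c974b07f441a5711df")
THREAD_PUB_COMPRESSED = bytes.fromhex(
    "031b35508e152d9470a5e94160a13647da0de4dc017fad205b0ee99ef8526c6f87")


def _inv(a: int) -> int:
    """Modular inverse mod P via Fermat (P is prime)."""
    return pow(a % P, P - 2, P)


def _add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over GF(P); None is infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                            # p1 == -p2
        lam = 3 * x1 * x1 * _inv(2 * y1) % P       # doubling
    else:
        lam = (y2 - y1) * _inv(x2 - x1) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k: int, point):
    """Double-and-add scalar multiplication."""
    result, addend = None, point
    while k:
        if k & 1:
            result = _add(result, addend)
        addend = _add(addend, addend)
        k >>= 1
    return result


def pubkey_point(priv: bytes):
    """The one public key point that belongs to a 32-byte private key."""
    d = int.from_bytes(priv, "big")
    if not 0 < d < N:
        raise ValueError("private key out of range")
    return _mul(d, G)


def encode_uncompressed(point) -> bytes:
    """0x04 || X || Y: both coordinates, 65 bytes."""
    x, y = point
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


def encode_compressed(point) -> bytes:
    """0x02 (even Y) or 0x03 (odd Y) || X: the parity byte is the sign indicator."""
    x, y = point
    return (b"\x03" if y & 1 else b"\x02") + x.to_bytes(32, "big")


def decompress(sec: bytes):
    """Recover (X, Y) from the 33-byte form: solve y^2 = x^3 + 7 and let the
    prefix pick one of the two roots (they are y and P - y)."""
    if len(sec) != 33 or sec[0] not in (2, 3):
        raise ValueError("not a compressed SEC public key")
    x = int.from_bytes(sec[1:], "big")
    y_sq = (pow(x, 3, P) + 7) % P
    y = pow(y_sq, (P + 1) // 4, P)                # square root, valid as P % 4 == 3
    if y * y % P != y_sq:
        raise ValueError("x is not on the curve")
    if (y & 1) != (sec[0] & 1):
        y = P - y                                  # take the other root
    return (x, y)


B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check(payload: bytes) -> str:
    """Base58 with a 4-byte double-SHA-256 checksum, leading zero bytes as '1'."""
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out


def wif(priv: bytes, compressed_pubkey: bool) -> str:
    """Same 32-byte secret either way; the 'compressed' WIF only appends a
    0x01 flag telling the importing wallet which public key form to derive."""
    return base58check(b"\x80" + priv + (b"\x01" if compressed_pubkey else b""))
```

Calling `wif(THREAD_PRIV, False)` and `wif(THREAD_PRIV, True)` reproduces the two WIF strings from post #23, and `encode_compressed(pubkey_point(THREAD_PRIV))` the 03-prefixed key. So what bitaddress.org labels a "compressed" private key is the same secret scalar with one trailing flag byte; the flag decides which of the two address encodings a wallet will watch, which is why the thread's compressed and uncompressed addresses behaved as two separate accounts despite sharing a private key.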