Bitcoin Forum
Author Topic: If you used Brainwallet.org - MUST READ! - Security Breach!  (Read 52764 times)
justusranvier
July 09, 2013, 09:52:35 AM
 #81

> I wouldn't be surprised if some federal agents are creating distrust and hate in brainwallet.

Actually you're just underestimating the amount of computing power and time available to an attacker and overestimating the amount of entropy the average untrained person can generate.
Keldel
July 09, 2013, 10:03:20 AM
 #82

Brainwallet.org is great!

You just need to:

1. Download it from github
2. Use a secure password

DrGregMulhauser
July 09, 2013, 10:20:25 AM
 #83

As several folks have alluded to already, the relevant aspect of the system's security (i.e., excluding any other potential problems) comes down to the properties of the passphrase relative to the capabilities of available cracking tools.

Unfortunately, our intuition is not always a good guide about the level of entropy in a given string, nor does it necessarily help much when trying to factor in the risk from dictionary attacks. If you'd like a quantitative evaluation of entropy for a given string, together with an approximation of crack time and the relevance of particular dictionaries, I'd encourage you to have a peek at zxcvbn.

Note that while this does offer a quantitative look, as is so often the case when Shannon-style entropy is involved, it is not by any means the only way of looking at the problem. See the original article (zxcvbn: realistic password strength estimation) for a comparison with a handful of other guessers of password strength.

CIYAM
July 09, 2013, 10:30:32 AM
 #84

> See the original article (zxcvbn: realistic password strength estimation) for a comparison with a handful of other guessers of password strength.

Neat - is there a simple sample that can be used offline for testing?

(if not - perhaps let us know how does it handle hashes being used as passwords - e.g. what would the strength of the password 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 be?)

virtualmaster
July 09, 2013, 10:33:32 AM
 #85

OK, let's make a try.
I used a passphrase composed of a known short male name and a 4-digit PIN (which could be from your mobile or debit card), and I generated a keypair with it.
The passphrase was so short that my brainwallet generator doesn't even accept it. But brainwallet.org takes it. (However, I also don't agree with this and I don't have any relation with this site.)
To the corresponding address I deposited exactly 2 hours ago 100 mBTC.
Here it is:
https://blockchain.info/en/address/1uSDNberTDLZhA1zWB48qSpWQyYq6DFZd

In 1-2 months, if the brainwallet is still not broken, then I will publish the passphrase. I am also not sure whether the passphrase was not too simple.
But if you can break it, then the 100 mBTC are yours. You will wonder how easy the passphrase is.

DrGregMulhauser
July 09, 2013, 11:04:04 AM
 #86

> Neat - is there a simple sample that can be used offline for testing?

Sure -- the source code is on github, linked from the top of the page I mentioned.

> (if not - perhaps let us know how does it handle hashes being used as passwords - e.g. what would the strength of the password 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 be?)

The zxcvbn tool shows 185 bits of entropy and a crack time of centuries. It's very easy to type these in yourself and see.

CIYAM
July 09, 2013, 11:07:22 AM
 #87

> Sure -- the source code is on github, linked from the top of the page I mentioned.

Sorry - didn't notice the link - will look into that - thanks!

> > (if not - perhaps let us know how does it handle hashes being used as passwords - e.g. what would the strength of the password 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 be?)
>
> The zxcvbn tool shows 185 bits of entropy and a crack time of centuries. It's very easy to type these in yourself and see.

Maybe some future improvement could be made to the algo then (that hash is the hash of the word "password").

BurtW
July 09, 2013, 11:50:10 AM
 #88

What if the input to a brain wallet looked something like this:

Enter Passphrase: ___________
Enter Salt: ______________
Enter Number of hashing rounds:  ____________

This would be better than what is being done today, which is no salt and one round of hashing.

You would have to remember all three in order to reconstruct the private key.  The table becomes much more difficult to produce.

But as has been pointed out several times in this thread, if you are going to have to write it down and keep it safe anyway, why not just write down (print out) and keep safe a truly random private key anyway (paper wallet).


virtualmaster
July 09, 2013, 12:01:47 PM
 #89

> What if the input to a brain wallet looked something like this:
>
> Enter Passphrase: ___________
> Enter Salt: ______________
> Enter Number of hashing rounds:  ____________
>
> This would be better than what is being done today, which is no salt and one round of hashing.
>
> You would have to remember all three in order to reconstruct the private key.  The table becomes much more difficult to produce.
>
> But as has been pointed out several times in this thread, if you are going to have to write it down and keep it safe anyway, why not just write down (print out) and keep safe a truly random private key anyway (paper wallet).

The idea is good and I am also thinking of implementing it with small differences:
Instead of "salt" and "passphrase", more suggestive expressions should be used:
- personalization (your name or email):
- secret passphrase (nobody should know this):
The number of hashing rounds should be something standard, like 1,000 or 10,000; otherwise you have to remember it.

CIYAM
July 09, 2013, 12:05:18 PM
 #90

> What if the input to a brain wallet looked something like this:

I think the problem is that if you are smart enough to think like this then you would have made sure that your password was already constructed in such a manner in the first place.

If you are not then you are probably likely to say "huh? I need to eat some salt first?".

BurtW
July 09, 2013, 12:10:54 PM
 #91

Sure, to make it user-friendly:

Secret phrase:                              (passphrase)
Email, phone number, SSN, etc:        (used for salt)
Four digit PIN number:                    (used for # of rounds)

You should let the user select the number of rounds as if you use a standard number of rounds the attack table can just use the same number of rounds once it is known.

prof7bit
July 09, 2013, 12:24:23 PM
 #92

> You should let the user select the number of rounds as if you use a standard number of rounds the attack table can just use the same number of rounds once it is known.

And maybe also use a hash algorithm for which no optimized ASIC hardware exists to make producing these tables even harder.

DrGregMulhauser
July 09, 2013, 01:15:08 PM
 #93

> Maybe some future improvement could be made to the algo then (that hash is the hash of the word "password").

Strictly speaking, it is not the hash, but just one of many possible hashes. It's always possible to come up with a hashing function to make a specific trivial password look complex from the standpoint of Shannon -- and, in the absence of information about what that hashing function actually was, there's a good argument for saying that it is complex. After all, the suggested string is also a hash of the word 'easy', and it is a hash of the word 'trivial', and it is a hash of the word 'oops'. However, if I don't tell you what the hash function actually is, it is unlikely that you would actually discover it.

The problem comes not from choosing a word like 'password' to run through a hashing function; it comes from choosing a well-known function with which to do it.

In principle, I suppose someone could translate all the common cracking dictionaries using all the common hashing functions in an attempt to provide a tool that could tell you not to use a word like 'password' run through one of those common hashing functions. But given the one-way nature of hashing functions, I suspect the exercise wouldn't tell you anything you didn't already know: if you're dropping a dictionary word into a hashing function and using the output, you already know what you have done, and coming up with a tool to confirm that for you seems fairly pointless.

CIYAM
July 09, 2013, 01:26:18 PM
 #94

> The problem comes not from choosing a word like 'password' to run through a hashing function; it comes from choosing a well-known function with which to do it.

Yes - agreed - but because SHA256( SHA256( random ) ) is *intrinsic* to Bitcoin (i.e. a "meme" that is likely to be used) does sort of imply that some basic hashing checks might be useful (to stop people thinking that just because they use a hash algo somehow magically makes a simple password impossible to guess).

Not trying to "take the piss" - btw - just trying to suggest some possible improvements to the basic algo (as I'm sure you'd agree it won't take someone 150 years to crack hash( 'password' ) with any well known hash algo).

The main point being that "fools can be ingenious" (so of course you'll never help them all but perhaps we can stop the most idiotic - and if we are not trying to stop fools then why bother rating their passwords at all?).

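A checker of the kind the two posts above argue about, added here as an example and not code from zxcvbn, brainwallet.org or anyone in the thread: it flags a candidate passphrase that is merely a well-known hash of a dictionary word (including Bitcoin's SHA256(SHA256(x))), which a Shannon-style estimator would rate as high entropy. The word list is a constructed stand-in for a real cracking dictionary.

```python
import hashlib
from typing import Optional, Tuple

# Constructed stand-in for a cracking dictionary; a real checker would load a
# full word list instead of these few entries.
COMMON_WORDS = ["password", "easy", "trivial", "oops", "bitcoin", "letmein"]


def double_sha256(data: bytes) -> bytes:
    """SHA256(SHA256(x)), the construction CIYAM calls 'intrinsic to Bitcoin'."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


# Name -> function returning the raw digest. All are well known, so a table of
# digest(word) for every dictionary word is cheap to build and to check against.
HASHERS = {
    "md5": lambda b: hashlib.md5(b).digest(),
    "sha1": lambda b: hashlib.sha1(b).digest(),
    "sha256": lambda b: hashlib.sha256(b).digest(),
    "sha256x2": double_sha256,
    "sha512": lambda b: hashlib.sha512(b).digest(),
}


def _build_table(words):
    """Map hex digest -> (hash name, word) for every word under every hasher."""
    table = {}
    for word in words:
        data = word.encode("utf-8")
        for name, fn in HASHERS.items():
            table[fn(data).hex()] = (name, word)
    return table


_TABLE = _build_table(COMMON_WORDS)


def hashed_common_word(candidate: str) -> Optional[Tuple[str, str]]:
    """Return (hash_name, word) if `candidate` is the hex digest of a dictionary
    word under one of HASHERS, else None. Case and surrounding whitespace are
    ignored, since users paste digests in either case."""
    hex_digest = candidate.strip().lower()
    # Quick exit: every digest here is a hex string of 32, 40, 64 or 128 characters.
    if len(hex_digest) not in (32, 40, 64, 128):
        return None
    if any(c not in "0123456789abcdef" for c in hex_digest):
        return None
    return _TABLE.get(hex_digest)


def strength_note(candidate: str) -> str:
    """The note a checker could show instead of '185 bits': a hashed dictionary
    word is only as hard to guess as the word times the handful of hash
    functions an attacker would try, not 2 to the power of the hex length."""
    hit = hashed_common_word(candidate)
    if hit is None:
        return "not a recognised hash of a common word"
    name, word = hit
    bits = len(candidate.strip()) * 4
    return f"{name}({word!r}): guess space is len(dictionary) x {len(HASHERS)}, not 2**{bits}"
```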
virtualmaster
July 09, 2013, 01:35:11 PM
 #95

> You should let the user select the number of rounds as if you use a standard number of rounds the attack table can just use the same number of rounds once it is known.
>
> And maybe also use a hash algorithm for which no optimized ASIC hardware exists to make producing these tables even harder.

The problem with key stretching is that if you make it very particular, then as a user you are dependent on a specific website or provider, and you also have to trust them.
So it is much better if you use something standard and widely used, where you don't have to remember too much about the particulars of the key stretching and you have alternative key generation possibilities; otherwise maybe it will not be stolen, but you forget it, or the generation method will not be available in 2 years.
PBKDF2 is the most widely used, and there are some alternative sites where you can stretch the keys if your brainwallet generator is not available, but it is ASIC friendly.
bcrypt is less used and less ASIC friendly; some web implementations exist.
scrypt is the most modern, ASIC-unfriendly key stretching, but there is no web implementation and there are a lot of parameters to be configured.


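An added example (not code from brainwallet.org or from anyone in the thread) that puts BurtW's passphrase + salt + rounds layout and virtualmaster's choice of standard stretching functions side by side with the unsalted single-SHA-256 brainwallet; the passphrase, personalization string and round count are constructed sample values.

```python
import hashlib
import time

# Constructed sample inputs (not values from the thread).
PASSPHRASE = "correct horse battery staple"
PERSONALIZATION = "alice@example.invalid"   # virtualmaster's "personalization" field, used as salt
ROUNDS = 100_000                            # BurtW's "number of hashing rounds"


def legacy_brainwallet_key(passphrase: str) -> bytes:
    """The scheme the thread criticises: one unsalted SHA-256 of the passphrase.
    Everyone who picks the same phrase gets the same 32-byte private key, so a
    single precomputed phrase -> key table serves an attacker against every user."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


def salted_stretched_key(passphrase: str, personalization: str, rounds: int) -> bytes:
    """BurtW's passphrase + salt + rounds, realised with PBKDF2-HMAC-SHA256, the
    'standard and widely used' stretch virtualmaster prefers. The salt ties the
    key to one user, so a table would have to be rebuilt per salt; the round
    count multiplies the work of every guess."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               personalization.encode("utf-8"), rounds, dklen=32)


def scrypt_key(passphrase: str, personalization: str,
               n: int = 2 ** 14, r: int = 8, p: int = 1) -> bytes:
    """The scrypt option: memory-hard, so SHA-256 ASICs gain much less. n, r and p
    are the extra parameters virtualmaster notes must be standardised or remembered."""
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=personalization.encode("utf-8"),
                          n=n, r=r, p=p, dklen=32)


def stretch_slowdown(passphrase: str, personalization: str, rounds: int) -> float:
    """Measured wall-clock ratio of one PBKDF2 derivation to one plain SHA-256:
    roughly the factor by which each guess in a dictionary attack gets slower."""
    t0 = time.perf_counter()
    for _ in range(1000):
        legacy_brainwallet_key(passphrase)
    plain = (time.perf_counter() - t0) / 1000
    t0 = time.perf_counter()
    salted_stretched_key(passphrase, personalization, rounds)
    return (time.perf_counter() - t0) / plain


if __name__ == "__main__":
    print("legacy SHA-256 :", legacy_brainwallet_key(PASSPHRASE).hex())
    print("PBKDF2 + salt  :", salted_stretched_key(PASSPHRASE, PERSONALIZATION, ROUNDS).hex())
    print("scrypt + salt  :", scrypt_key(PASSPHRASE, PERSONALIZATION).hex())
    # Same phrase, different personalization: the salted keys differ, the legacy key would not.
    print("salted keys differ for the same phrase:",
          salted_stretched_key(PASSPHRASE, PERSONALIZATION, ROUNDS)
          != salted_stretched_key(PASSPHRASE, "bob@example.invalid", ROUNDS))
    print("per-guess slowdown from stretching: ~%.0fx"
          % stretch_slowdown(PASSPHRASE, PERSONALIZATION, ROUNDS))
```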
DrGregMulhauser
July 09, 2013, 03:11:34 PM
 #96

> Yes - agreed - but because SHA256( SHA256( random ) ) is *intrinsic* to Bitcoin (i.e. a "meme" that is likely to be used) does sort of imply that some basic hashing checks might be useful (to stop people thinking that just because they use a hash algo somehow magically makes a simple password impossible to guess).
>
> Not trying to "take the piss" - btw - just trying to suggest some possible improvements to the basic algo (as I'm sure you'd agree it won't take someone 150 years to crack hash( 'password' ) with any well known hash algo).
>
> The main point being that "fools can be ingenious" (so of course you'll never help them all but perhaps we can stop the most idiotic - and if we are not trying to stop fools then why bother rating their passwords at all?).

Yep, I see what you mean. I think the person who wrote the zxcvbn checker works for Dropbox, and he just intended it to illustrate some of the pitfalls of common ways of measuring password strength, ways which could inadvertently give users bad advice. As you've just demonstrated, this seems like a case where it could do exactly that -- give bad advice.

As I understand it, this is the strength guesstimator which they are now using on the Dropbox registration page. (See his original article for more details.)

ErebusBat
July 09, 2013, 09:23:20 PM
 #97

See also:  https://www.grc.com/haystack.htm

AliceWonder
July 10, 2013, 07:27:44 AM
 #98

> Unfortunately, our intuition is not always a good guide about the level of entropy in a given string, nor does it necessarily help much when trying to factor in the risk from dictionary attacks.

Yup. The very first password I ever created, when I first got my own internet connection, happened (little did I know) to be identical to a part number of a popular ham radio component. I never played with ham radios.

When I was playing around with cracking tools (I think it was jtr) and it was quickly cracked, I was shocked to see it was in the dictionary; when I investigated, the dictionary had been made from an electronic parts catalog.

Granted by today's standards it is way too short even without being in a dictionary (7 alphanumeric characters) but still.

Jesse James
July 11, 2013, 02:23:13 AM
 #99

> I decided to mess around and make a brain wallet.  I used the website www.brainwallet.org.  Supposedly, this javascript is client side only.  Anyway, I made a brain wallet and decided to test it.  I moved my spare change (I keep most of my BTC in cold storage) about 0.178 BTC to the new brain wallet I made "15WjmFwpZ1mp3fG55JGoGv3p5y9jtehEB2".  Literally within seconds, it was moved to a new bitcoin address not owned by me "1Lp3S4PajwhuFCyrAXSFdVGxLuqTsXtVQC" https://blockchain.info/address/15WjmFwpZ1mp3fG55JGoGv3p5y9jtehEB2


Mechs, the coins in question have been returned directly to the address in your sig:

https://blockchain.info/tx/8a91cca81bcb8ce4b9483e7d933b84b9363cd1dc0c40d37521f796403047e606

The brainwallet.org author is not the culprit, my bot is.  Since you don't come off as one of the people running a competing bot (and trust me there are lots), I'm fairly confident these coins are indeed yours and am happy to return them.

PSA: Picking a bad brainwallet password is like throwing your money on the sidewalk ... except instead of just the people around you scrambling to pick it up, the entire internet can and most of the internet has no interest in giving your money back.  Worse yet, it's actually impossible for someone wanting to give them back to do so with 100% confidence they are giving them to their rightful owner. 

I agree with the sentiment expressed in the thread that if it's memorable, it's eventually gonna find its way into someone's rainbow table and I leave all you brain wallet users with this to ponder: https://www.youtube.com/watch?v=a6iW-8xPw3k
giszmo
July 11, 2013, 03:12:40 AM
 #100

> > I decided to mess around and make a brain wallet.  I used the website www.brainwallet.org.  Supposedly, this javascript is client side only.  Anyway, I made a brain wallet and decided to test it.  I moved my spare change (I keep most of my BTC in cold storage) about 0.178 BTC to the new brain wallet I made "15WjmFwpZ1mp3fG55JGoGv3p5y9jtehEB2".  Literally within seconds, it was moved to a new bitcoin address not owned by me "1Lp3S4PajwhuFCyrAXSFdVGxLuqTsXtVQC" https://blockchain.info/address/15WjmFwpZ1mp3fG55JGoGv3p5y9jtehEB2
>
> Mechs, the coins in question have been returned directly to the address in your sig:
>
> https://blockchain.info/tx/8a91cca81bcb8ce4b9483e7d933b84b9363cd1dc0c40d37521f796403047e606
>
> The brainwallet.org author is not the culprit, my bot is.  Since you don't come off as one of the people running a competing bot (and trust me there are lots), I'm fairly confident these coins are indeed yours and am happy to return them.
>
> PSA: Picking a bad brainwallet password is like throwing your money on the sidewalk ... except instead of just the people around you scrambling to pick it up, the entire internet can and most of the internet has no interest in giving your money back.  Worse yet, it's actually impossible for someone wanting to give them back to do so with 100% confidence they are giving them to their rightful owner.
>
> I agree with the sentiment expressed in the thread that if it's memorable, it's eventually gonna find its way into someone's rainbow table and I leave all you brain wallet users with this to ponder: https://www.youtube.com/watch?v=a6iW-8xPw3k

Oh, I'm impressed by this turn of events.

So you defend the stupid so they can continue using weak passwords on brainwallets? Why not take a 50% recovery fee? The money moved again? Is the account in his sig the brainwallet (WTF!)?
