Financisto
|
|
November 09, 2013, 03:29:33 AM |
|
an appropriate thread title might be:
"If you used Brainwallet.org - MUST READ! - weak passphrases!"
|
|
|
|
Anon136
Legendary
Offline
Activity: 1722
Merit: 1217
|
|
November 09, 2013, 03:37:28 AM |
|
Is your passphrase just too simple?
Any passphrase you can memorize is almost too simple by definition.
na not really. you just combine a long low entropy password with a short high entropy password plus something in the public record. you can remember the former because it uses real words and sentences and the latter because it isn't too long and the public record element adds security for almost no cost (in terms of effort to remember it since all you have to remember is its location). combined you get the best of both worlds. they aren't going to crack it with a dictionary attack or a brute force and some sort of hybrid technique would not be very effective.
|
Rep Thread: https://bitcointalk.org/index.php?topic=381041
If one can not confer upon another a right which he does not himself first possess, by what means does the state derive the right to engage in behaviors from which the public is prohibited?
|
|
|
foo
|
|
November 09, 2013, 05:39:22 AM |
|
I agree with what others have posted already, add a "rounds" parameter to the site. Asking the site owner to do this is much more productive than trying to burn him at the stake... People can use their birth year as the rounds number and they will easily remember it. The rainbow table computers will have to do much more work, if they compute all rounds from 1900 to 2000 they will have to do 196,950 hashes per password instead of 1! ( http://www.wolframalpha.com/input/?i=1900%2B...%2B2000)
|
I know this because Tyler knows this.
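The cost of the "rounds" idea in the post above, worked through as an added example (not code from the thread or from the site). It assumes "rounds" means hashing the previous raw digest again with SHA-256, which the thread does not specify; all function names and the sample passphrase are constructed for illustration.

```python
import hashlib
import math


def stretch(passphrase: str, rounds: int) -> bytes:
    """Apply SHA-256 `rounds` times; rounds=1 is the plain brainwallet hash."""
    digest = passphrase.encode("utf-8")
    for _ in range(rounds):
        digest = hashlib.sha256(digest).digest()
    return digest


def independent_cost(lo: int, hi: int) -> int:
    """Hash calls if every rounds value in [lo, hi] is computed from scratch."""
    return sum(range(lo, hi + 1))


def single_pass(passphrase: str, lo: int, hi: int):
    """Derive the key for every rounds value in [lo, hi] in one chain.

    Round r+1 is just one more hash on top of round r, so the chain to `hi`
    passes through every smaller rounds value on the way.
    """
    keys, calls = {}, 0
    digest = passphrase.encode("utf-8")
    for r in range(1, hi + 1):
        digest = hashlib.sha256(digest).digest()
        calls += 1
        if r >= lo:
            keys[r] = digest
    return keys, calls


def secret_rounds_bits(lo: int, hi: int) -> float:
    """Entropy contributed by keeping the rounds value secret."""
    return math.log2(hi - lo + 1)


if __name__ == "__main__":
    phrase = "constructed sample passphrase"  # constructed, not from the thread
    keys, calls = single_pass(phrase, 1900, 2000)
    assert keys[1985] == stretch(phrase, 1985)
    print("from scratch:", independent_cost(1900, 2000), "hashes per candidate")
    print("one chain:   ", calls, "hashes per candidate")
    print("secret year adds %.1f bits" % secret_rounds_bits(1900, 2000))
```

Under this assumption the work per candidate passphrase is bounded by the largest rounds value (2,000 hashes), because the intermediate digests are reused, and the secret year itself contributes under 7 bits.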
|
|
|
MayDee
Member
Offline
Activity: 84
Merit: 10
|
|
November 12, 2013, 04:26:39 PM |
|
Does anyone know how difficult it is to find your passphrase if they know your private key?
|
|
|
|
Rampion
Legendary
Offline
Activity: 1148
Merit: 1018
|
|
November 12, 2013, 04:31:26 PM |
|
Does anyone know how difficult it is to find your passphrase if they know your private key?
It depends on the passphrase
|
|
|
|
CIYAM
Legendary
Offline
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
|
|
November 12, 2013, 04:35:07 PM |
|
Does anyone know how difficult it is to find your passphrase if they know your private key?
Why would anyone care about your passphrase if they have already got your bitcoins?
|
|
|
|
MayDee
Member
Offline
Activity: 84
Merit: 10
|
|
November 12, 2013, 04:36:12 PM |
|
Does anyone know how difficult it is to find your passphrase if they know your private key?
It depends on the passphrase
LOL Let's say it is a supa dupa hard one
|
|
|
|
BurtW
Legendary
Offline
Activity: 2646
Merit: 1137
All paid signature campaigns should be banned.
|
|
November 12, 2013, 04:40:06 PM |
|
Does anyone know how difficult it is to find your passphrase if they know your private key?
Why would anyone care about your passphrase if they have already got your bitcoins?
This ^^^
But assuming they have the private key to your standard brain wallet and have already taken all of the BTC in that wallet they might think to themselves "Self, if we can get this bozo's passphrase we may be able to clear out his MtGox, Bitstamp and other accounts if he used the same passphrase."
So there is some reason to do this. Now in a standard brain wallet the private key is the SHA256 of the passphrase and it is basically impossible to go from the hash back to the passphrase.
So, although all of the BTC in your brain wallet have been lost, your other accounts using the same passphrase are probably safe in this hypothetical scenario.
|
Our family was terrorized by Homeland Security. Read all about it here: http://www.jmwagner.com/ and http://www.burtw.com/ Any donations to help us recover from the $300,000 in legal fees and forced donations to the Federal Asset Forfeiture slush fund are greatly appreciated!
|
|
|
LiteCoinGuy
Legendary
Offline
Activity: 1148
Merit: 1014
In Satoshi I Trust
|
|
November 12, 2013, 04:42:55 PM |
|
I don't think you can download the script from the site. Regardless, whether it is the website author or a hacker, the site is compromised. I don't think it had anything to do with my wallet.dat password being compromised - it is a very long, secure password and I do not believe there are any trojans on my system.
I think the same. Never use a third party for security.
|
|
|
|
MayDee
Member
Offline
Activity: 84
Merit: 10
|
|
November 12, 2013, 04:43:41 PM |
|
But assuming they have the private key to your standard brain wallet and have already taken all of the BTC in that wallet they might think to themselves "Self, if we can get this bozo's passphrase we may be able to clear out his MtGox, Bitstamp and other accounts if he used the same passphrase."
So there is some reason to do this. Now in a standard brain wallet the private key is the SHA256 of the passphrase and it is basically impossible to go from the hash back to the passphrase.
So, although all of the BTC in your brain wallet have been lost your other accounts using the same passphrase are probably safe in this hypothetical scenario.
Thank you
|
|
|
|
BurtW
Legendary
Offline
Activity: 2646
Merit: 1137
All paid signature campaigns should be banned.
|
|
November 12, 2013, 04:45:07 PM |
|
I don't think you can download the script from the site. Regardless, whether it is the website author or a hacker, the site is compromised. I don't think it had anything to do with my wallet.dat password being compromised - it is a very long, secure password and I do not believe there are any trojans on my system.
I think the same. Never use a third party for security.
Dude, you are quoting the third post in this thread and your response is totally out of context. Are you a posting bot? EDIT: reported as possible posting bot.
|
|
|
|
MayDee
Member
Offline
Activity: 84
Merit: 10
|
|
November 12, 2013, 04:55:56 PM |
|
Why would anyone care about your passphrase if they have already got your bitcoins?
Also useful to know if you are planning to make 10 brainwallets with strong passphrases by themselves, but with very similar passphrases that can link them together.
|
|
|
|
proudhon
Legendary
Offline
Activity: 2198
Merit: 1311
|
|
November 12, 2013, 08:04:58 PM |
|
I know I'm late to the party, but you know what's really annoying...when people post about how this or that service is compromised, but then don't post the password they used. That's all I have to say.
|
Bitcoin Fact: the price of bitcoin will not be greater than $70k for more than 25 consecutive days at any point in the rest of recorded human history.
|
|
|
BurtW
Legendary
Offline
Activity: 2646
Merit: 1137
All paid signature campaigns should be banned.
|
|
November 12, 2013, 08:08:11 PM |
|
I know I'm late to the party, but you know what's really annoying...when people post about how this or that service is compromised, but then don't post the password they used. That's all I have to say.
They used "stfu!", see here: https://bitcointalk.org/index.php?topic=251037.msg2668158#msg2668158
|
|
|
|
proudhon
Legendary
Offline
Activity: 2198
Merit: 1311
|
|
November 12, 2013, 08:23:42 PM |
|
|
|
|
|
btcdrak
Legendary
Offline
Activity: 1064
Merit: 1000
|
|
November 25, 2013, 09:43:21 AM |
|
The speed (seconds) with which the funds were redirected make it clear it was a bot. I don't think you understand what a rainbow table is. Somebody generated the exact same brainwallet you did, long before you ever thought of using that passphrase. They've actually generated millions of brainwallets, and they're just waiting for someone naive enough to use the same weak passphrases and deposit money into one of their addresses. Anything less than 16 random words is too short as a passphrase. Not a 16 word phrase from your favourite work of literature, not some TV character's 16 word catchphrase with a few simple letter substitutions and random punctuation characters thrown in. 16 words that have never before been grouped together into the same context by any human that has ever lived. If you can't generate and remember a random passphrase this long you shouldn't use brainwallets. Diceware: http://world.std.com/~reinhold/diceware.html
|
|
|
|
RoxxR
|
|
November 25, 2013, 10:07:02 AM |
|
The speed (seconds) with which the funds were redirected make it clear it was a bot. I don't think you understand what a rainbow table is. Somebody generated the exact same brainwallet you did, long before you ever thought of using that passphrase. They've actually generated millions of brainwallets, and they're just waiting for someone naive enough to use the same weak passphrases and deposit money into one of their addresses. Anything less than 16 random words is too short as a passphrase. Not a 16 word phrase from your favourite work of literature, not some TV character's 16 word catchphrase with a few simple letter substitutions and random punctuation characters thrown in. 16 words that have never before been grouped together into the same context by any human that has ever lived. If you can't generate and remember a random passphrase this long you shouldn't use brainwallets. Diceware: http://world.std.com/~reinhold/diceware.html
This. And there are a couple of nice tools on this forum that easily convert dice rolls into passphrases and bitcoin addresses.
|
|
|
|
btcdrak
Legendary
Offline
Activity: 1064
Merit: 1000
|
|
November 25, 2013, 10:08:37 AM |
|
The speed (seconds) with which the funds were redirected make it clear it was a bot. I don't think you understand what a rainbow table is. Somebody generated the exact same brainwallet you did, long before you ever thought of using that passphrase. They've actually generated millions of brainwallets, and they're just waiting for someone naive enough to use the same weak passphrases and deposit money into one of their addresses. Anything less than 16 random words is too short as a passphrase. Not a 16 word phrase from your favourite work of literature, not some TV character's 16 word catchphrase with a few simple letter substitutions and random punctuation characters thrown in. 16 words that have never before been grouped together into the same context by any human that has ever lived. If you can't generate and remember a random passphrase this long you shouldn't use brainwallets. Diceware: http://world.std.com/~reinhold/diceware.html
This. And there are a couple of nice tools on this forum that easily convert dice rolls into passphrases and bitcoin addresses.
Diceware SHOULD NOT be used with anything other than dice: the entropy is not the same otherwise.
|
|
|
|
RoxxR
|
|
November 25, 2013, 10:20:12 AM |
|
The speed (seconds) with which the funds were redirected make it clear it was a bot. I don't think you understand what a rainbow table is. Somebody generated the exact same brainwallet you did, long before you ever thought of using that passphrase. They've actually generated millions of brainwallets, and they're just waiting for someone naive enough to use the same weak passphrases and deposit money into one of their addresses. Anything less than 16 random words is too short as a passphrase. Not a 16 word phrase from your favourite work of literature, not some TV character's 16 word catchphrase with a few simple letter substitutions and random punctuation characters thrown in. 16 words that have never before been grouped together into the same context by any human that has ever lived. If you can't generate and remember a random passphrase this long you shouldn't use brainwallets. Diceware: http://world.std.com/~reinhold/diceware.html
This. And there are a couple of nice tools on this forum that easily convert dice rolls into passphrases and bitcoin addresses.
Diceware SHOULD NOT be used with anything other than dice: the entropy is not the same otherwise.
Read my post again. The tools I saw WORK WITH DICE. So, full entropy.
|
|
|
|
franky1
Legendary
Offline
Activity: 4382
Merit: 4752
|
|
November 25, 2013, 10:59:42 AM |
|
you could always use a sha256 generator first
my - 038468518ad8122e13112743f890c7ba96ac5665b71de548eceb23e9ef237805
m0m5 - f4b4dff4af48415ce1883a01d5589022fb11b1adb2c9b53aa9439cabd9273d5c
c00k135 - c092a98000322afadf557a9754f1fac6d97d21e8c0432e518edd1b5dc7e3c67f
4r3 - 9a55b85547d8d71b45fbd1000d7053fbb254571d11fe3c230592e41531bf6413
n1ce - 781d42e75cbf8d87d48dcbb54a20fdb1d9e70f02d6759124d1a3c7e68d5c9f92
combine the results to become 038468518ad8122e13112743f890c7ba96ac5665b71de548eceb23e9ef237805 f4b4dff4af48415ce1883a01d5589022fb11b1adb2c9b53aa9439cabd9273d5c c092a98000322afadf557a9754f1fac6d97d21e8c0432e518edd1b5dc7e3c67f 9a55b85547d8d71b45fbd1000d7053fbb254571d11fe3c230592e41531bf6413 781d42e75cbf8d87d48dcbb54a20fdb1d9e70f02d6759124d1a3c7e68d5c9f92
then put that into the brain wallet to add further randomness to the words.
or of course run it through a sha256 again (without spaces) to give you f9640de45673cc0baacef1b9d4c407f06c453d72d06c99cf8870d19114d42d51. make your own checksum code to make it a private key more direct without using third party services.
|
I DO NOT TRADE OR ACT AS ESCROW ON THIS FORUM EVER. Please do your own research & respect what is written here as both opinion & information gleaned from experience. many people replying with insults but no on-topic content substance, automatically are 'facepalmed' and yawned at
|
|
|
|