Bitcoin Forum
December 12, 2017, 11:27:45 AM *
Author Topic: (Successful) Dictionary Attack Against Private Keys  (Read 9062 times)
Sothh
Full Member
September 04, 2013, 08:01:15 PM
 #1

Hey all,

Just wanted to post some interesting findings I am getting while running a sort of brute force against the blockchain.

Here is what I am doing:

Take a fairly long dictionary, get the sha256 of an entry, then calculate the bitcoin address using that hash as the private key.

So far I have found addresses for the following hashes:

love
test
fuckyou
password
1234
12345
123456

(I have not tried many.)

For example, the sha256 of "12345" is the address 18YXnSUCPDVNEpPGDFRVrdVye63RpH2MA4, which received a total of 0.11014424 BTC over its lifetime.

These addresses don't have any money in them currently, but have at some point.  In other words, if I had done the same thing when the address was in use I could have stolen the bitcoins from the address.

I am unsure why these addresses exist, and why anyone would use them.  Some have been used fairly recently.
gmaxwell
Staff
Legendary
September 04, 2013, 08:14:16 PM
 #2

They exist because of brainwallet.org. Amusingly, the site's creator started down his path much as you have, but then decided that "password derived" keys were useful so he set up a website.

Humans are unconditionally a terrible source of entropy. Many people using keys they sincerely believed were secure have been robbed. Often complicated "schemes", and even common password advice produce worse passwords instead of better ones.  This badness is multiplied by the fact that using JS tools makes the performance of reasonable KDFs unacceptable and because the application prevents the use of effective salting, so the attacker gets an enormous simultaneous attack multiplier.

But there is really nothing that can be done except to keep telling people: Do Not Use Human Derived "entropy" for private keys.

It may be worth pointing out to you that a prudent person doesn't try doing this:  What happens if you find a key with 1000 BTC and can't determine the owner?  Your choice will be to rob them yourself or to leave it be and hope they move the coin before someone else robs them. If you don't want to potentially be in that situation you shouldn't be attempting to crack other people's ignorantly produced keys.

Bitcoin will not be compromised
mindtomatter
Sr. Member
September 04, 2013, 08:39:01 PM
 #3

Quote
It may be worth pointing out to you that a prudent person doesn't try doing this:  What happens if you find a key with 1000 BTC and can't determine the owner?  Your choice will be to rob them yourself or to leave it be and hope they move the coin before someone else robs them. If you don't want to potentially be in that situation you shouldn't be attempting to crack other people's ignorantly produced keys.

Isn't it better to have a few large public failures based on this obvious weakness to inform and teach the community why this is a bad thing to do?   Pretending it's not a problem means more users will make the same dumb mistake because they haven't seen any negative repercussions derive from it.   I'd rather have good guys trying to break our money for the betterment of that money than rely on malicious actors who have all the incentives to maximize the value they extract and do it as covertly as possible to prevent exactly those lessons from being learned.   If security is an arms race, it always makes sense to have a red team of good guys.

Let's Talk Bitcoin! Interviews, News & Analysis released Tuesdays and Saturdays
http://www.LetsTalkBitcoin.com - Listener Mail -> adam@letstalkbitcoin.com
01BTC10
VIP
Hero Member
September 04, 2013, 08:42:51 PM
 #4

It's already been done. Some people have a huge number of private keys already imported and a script that checks if there is a balance. If there is a deposit then it's automatically transferred to another address. Try a small deposit of 0.01BTC to one of those addresses and see what happens Wink There is a thread about this somewhere.
gmaxwell
Staff
Legendary
September 04, 2013, 08:46:27 PM
 #5

Quote
Isn't it better to have a few large public failures based on this obvious weakness to inform and teach the community why this is a bad thing to do?   Pretending it's not a problem means more users will make the same dumb mistake because they haven't seen any negative repercussions derive from it.   I'd rather have good guys trying to break our money for the betterment of that money than rely on malicious actors who have all the incentives to maximize the value they extract and do it as covertly as possible to prevent exactly those lessons from being learned.   If security is an arms race, it always makes sense to have a red team of good guys.

People have been very loudly told not to do this and many people don't— sadly, many other people smugly think they are smart enough to do it safely (I would even bet that most posters in this thread are among them). People have been stolen from, those who needed that to learn already learned— many others just blame the victims "Oh, I wouldn't use a key that stupid", ... yes, yes you would.

In any case, you misunderstand my advice there.  I wasn't making that suggestion for the benefit of the victims— they're already doomed through their ignorance and actions.  I was making that suggestion for the benefit of Sothh. There is no good team here.  Once you embark down this path you potentially find keys and have to choose between becoming a thief yourself or sitting passively while some other thief takes the coin. If you don't want to find yourself in that situation, for the sake of your own personal ethics, then you shouldn't be trying— you should instead work on educating people to behave more safely... and compromising bad coins appears to be ineffective, due to the aforementioned victim blaming.

Sothh
Full Member
September 04, 2013, 09:03:06 PM
 #6

I was just doing this out of curiosity.  If I do come across 1000 BTC I will try to find who it belongs to, and if I can't, I will take a small amount (like .5BTC or so) send it to an address I have posted on this forum, and then let it be.  The user will see money has been taken so his key is bad, and then he will google where it went to, and see it went to me.  I will give it back if he contacts me, or keep it if he does not, as a small tip for keeping his money safe.  Grin

EDIT:

Found these two with positive balances:

Prehash: chocolate
Balance: 5.46E-5 BTC
Address: 1DTqPEUuuTeCJAYDadDnoPDKGvqDVFLRJN
Total Received: 5460

Prehash: basketball
Balance: 5.46E-5 BTC
Address: 1PYckPfNVrMWepDBN6Mzb1QqaEWWB4t1bx
Total Received: 5460
Nigeria Prince
Newbie
September 04, 2013, 09:59:26 PM
 #7

Ok. I sent chocolate and Basketball. Give some more.

CHINAVASION - CHINA PRICES, BEST QUALITY TO THE MAX!! MAXIMIZE YOUR COOLNESS!! (http://www.chinavasion.com/)
gmaxwell
Staff
Legendary
September 04, 2013, 10:14:24 PM
 #8

Quote
Ok. I sent chocolate and Basketball. Give some more.

Please don't crap up the utxo set keeping around more of these junk outputs.

When you redeem these things, send them to an OP_RETURN txout with a value of 0.  This will convert the output into fees and prevent a new output from being created in the txout set.

marcus_of_augustus
Legendary
September 04, 2013, 11:03:58 PM
 #9

Quote
It may be worth pointing out to you that a prudent person doesn't try doing this:  What happens if you find a key with 1000 BTC and can't determine the owner?  Your choice will be to rob them yourself or to leave it be and hope they move the coin before someone else robs them. If you don't want to potentially be in that situation you shouldn't be attempting to crack other people's ignorantly produced keys.

You probably have a duty to move the bitcoins somewhere safer for them before someone nefarious does and to serve as a warning to others  Smiley

It is kind of like finding a stash of cash poorly hidden under a rock in a public park ... and then you could maybe donate them to a charity of your choice? Or if you can't find the owner you could use a finders keepers ethical reasoning to disburse them as you see fit ....

gmaxwell
Staff
Legendary
September 05, 2013, 12:07:33 AM
 #10

Quote
You probably have a duty to move the bitcoins somewhere safer for them before someone nefarious does and to serve as a warning to others  Smiley

It is kind of like finding a stash of cash poorly hidden under a rock in a public park ... and then you could maybe donate them to a charity of your choice? Or if you can't find the owner you could use a finders keepers ethical reasoning to disburse them as you see fit ....

Maybe. I mean, if the key was "password" then okay sure.  But if you threw three cpu months at it and the key was found as the product of some increasingly powerful analysis that you performed, some product of you and the victim being on a similar mental wavelength... it may reasonably be the case that the only people in the world who know the key are you and the victim.  But you don't know that.

Rather than stressing about it then, I suggest anyone considering doing this think ahead.

Besides, do you go around jiggling the neighbors' doors and trying their windows? Why not? How is this different— beyond the possibility of getting caught being substantially reduced?

TippingPoint
Legendary
September 05, 2013, 12:51:23 AM
 #11

Quote
Besides, do you go around jiggling the neighbors' doors and trying their windows? Why not? How is this different— beyond the possibility of getting caught being substantially reduced?


Good point ^

Sothh
Full Member
September 05, 2013, 12:54:11 AM
 #12

I am no longer running the attack.  It was only to prove a point, for security awareness.  I have not taken a single uBtc from any account I found.
saddambitcoin
Legendary
September 05, 2013, 03:37:11 AM
 #13

i just found more goodies at "chocolates"

why would someone send such a small amount of BTC there?  i don't get it...

gmaxwell
Staff
Legendary
September 05, 2013, 05:32:23 AM
 #14

Quote
Ok. I sent chocolate and Basketball. Give some more.

No you didn't. Tongue

J35st3r
Full Member
September 05, 2013, 07:02:31 AM
 #15

There are also some transactions sent to addresses derived from raw hexadecimal private keys (this was the subject of my very first post, and yes I do now understand why it wraps), for instance ...

DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF

5KWMcKxLvqmxBP5u6GcycvpJUdcA8sxZjK8Nm5uKUZsHch6i5K3

https://blockchain.info/address/12XwKrWbrSppJXQuqLyyZ8vVCk2FgaH7DW

And no, I didn't create this myself  Wink

1Jest66T6Jw1gSVpvYpYLXR6qgnch6QYU1 NumberOfTheBeast ... go on, give it a try Grin
jackjack
Legendary
September 05, 2013, 08:27:49 AM
 #16

Look at private key 0000000000000000000000000000000000000000000000000000000000000001

Own address: 19QkqAza7BHFTuoz9N8UQkryP4E9jHo4N3 - Pywallet support: 1AQDfx22pKGgXnUZFL1e4UKos3QqvRzNh5 - Bitcointalk++ script support: 1Pxeccscj1ygseTdSV1qUqQCanp2B2NMM2
Pywallet: instructions. Encrypted wallet support, export/import keys/addresses, backup wallets, export/import CSV data from/into wallet, merge wallets, delete/import addresses and transactions, recover altcoins sent to bitcoin addresses, sign/verify messages and files with Bitcoin addresses, recover deleted wallets, etc.
fpgaminer
Hero Member
September 05, 2013, 08:41:38 AM
 #17

On a related note, I thought about a partial solution to this problem of weak password based private keys.  My specific use case was deriving the seed for a deterministic wallet from a password on a hardware wallet.  Though, it could certainly be applied elsewhere.  (NOTE: I don't plan to implement this without further thought and experimentation.)

Ask the user for their full name, DOB, and/or any other personal information.  Concat with their password.  Chuck into an unusually expensive KDF, one that could take minutes or more to run.  Save the seed in protected flash on the hardware wallet (inaccessible to the outside world).  Feel free to encrypt that seed with a wallet pin/password (use the usual second long KDF here), if the user desires (for extra protection, and to prevent physical theft of the wallet).

Benefits:  This adds extra entropy that the user already has and can easily remember.  Some information may be difficult for an attacker to acquire (Social Security number, driver's license number, etc).  It mimics existing security restrictions present in the banking system and elsewhere.  By storing the derived seed (securely), the user only needs to enter this information once.  Since this process occurs infrequently we can use a very expensive KDF to make brute forcing painful.  The personal information also helps to make the derived seed unique to each user, even if two users choose the same (stupid) password.

It should be great at mitigating the kind of drive-by thefts demonstrated in this thread.  But, if an attacker has access to some or all of the personal information, then we're back to depending on the user's password choice and the strength of the KDF.  In extreme cases, one could set up the KDF to take a day.  Again, this happens infrequently for the user (certainly 24 hours is significantly better than the turn-around on a stolen credit card, for example).  But, it would make attackers squirm.  The top 10,000 passwords would take 10,000 CPU-days of effort (now imagine the attacker doesn't know the name of your first dog...).
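
The unsalted derivation criticised in reply #2 next to the salted, expensive derivation sketched in reply #17, as an added example that is not code from any poster in this thread. Assumptions: scrypt stands in for the "unusually expensive KDF", the personal data is fed in as the scrypt salt rather than literally concatenated with the password, and the sample users are constructed.

```python
import hashlib
import unicodedata

def weak_key(passphrase: str) -> bytes:
    """Derivation criticised in the thread: one unsalted SHA-256 of the phrase."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()

def _norm(text: str) -> bytes:
    # Canonicalise so the user can re-enter the same data years later:
    # Unicode NFKC, case-folded, runs of whitespace collapsed.
    folded = unicodedata.normalize("NFKC", text).casefold()
    return " ".join(folded.split()).encode("utf-8")

def personal_salt(fields) -> bytes:
    # Length-prefix every field so ("ab", "c") and ("a", "bc") differ.
    return b"".join(len(f).to_bytes(2, "big") + f for f in map(_norm, fields))

def hardened_seed(passphrase: str, fields, n: int = 2**14) -> bytes:
    """scrypt over the passphrase, salted with the user's personal data.

    n=2**14 keeps this demo fast; the post argues for a cost of minutes
    or more, which means a much larger work factor in practice.
    """
    pw = unicodedata.normalize("NFKC", passphrase).encode("utf-8")
    return hashlib.scrypt(pw, salt=personal_salt(fields), n=n, r=8, p=1,
                          maxmem=64 * 1024 * 1024, dklen=32)

# Constructed sample users who all picked the same poor passphrase.
USERS = [
    ("Alice Example", "1980-01-02"),
    ("Bob Example", "1975-11-30"),
    ("Carol Example", "1991-06-15"),
]

def distinct_outputs(derive) -> int:
    """How many different keys the sample users end up with."""
    return len({derive("password", fields) for fields in USERS})

if __name__ == "__main__":
    # Unsalted: one key for everyone, so one guess tests every user at once.
    print("weak:", distinct_outputs(lambda pw, f: weak_key(pw)))
    # Salted: each guess must be recomputed per user at full KDF cost.
    print("hardened:", distinct_outputs(hardened_seed))
```

The salt only removes the shared-guess advantage; as the post itself notes, once the personal data is known the result is only as strong as the password and the KDF cost.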

Nigeria Prince
Newbie
September 05, 2013, 08:57:41 AM
 #18

I have wallet.dat generated with 123000 most common keywords from wordlists.
USE FOR SCIENTIFIC RESEARCH ONLY!!

Buy here: http://satoshibox.com/5228477e4c347bc5590041a7

jackjack
Legendary
September 05, 2013, 09:14:03 AM
 #19

Quote
I have wallet.dat generated with 123000 most common keywords from wordlists.
USE FOR SCIENTIFIC RESEARCH ONLY!!

Buy here: http://satoshibox.com/5228477e4c347bc5590041a7

Go to service subforum ffs

Carlton Banks
Legendary
September 05, 2013, 09:52:33 AM
 #20

Quote
Besides, do you go around jiggling the neighbors' doors and trying their windows? Why not? How is this different— beyond the possibility of getting caught being substantially reduced?


Good point ^



I disagree, it is not a very representative analogy.

Here's why: there is a very high probability that locked houses have valuables inside, and it is possible to make a well judged assessment as to how valuable the contents are to improve your luck even further. There is no way of knowing whether a brain wallet seed leads to funded addresses or how much is in those addresses, you are relying on the partially predictable behaviour of human actors.

Vires in numeris