Bitcoin Forum
December 15, 2024, 12:24:21 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: Fighting brainwallets... with brainwallets!  (Read 1230 times)
flatfly (OP)
Legendary
*
Offline Offline

Activity: 1120
Merit: 1016

090930


View Profile
December 05, 2013, 07:32:11 PM
Last edit: December 07, 2013, 12:23:32 AM by flatfly
 #1

I keep seeing brainwallets getting hacked every other week. I would like to start the following little campaign to discourage the use of weak passphrases in brainwallets:

If you currently own a brainwallet that matches the below criteria, you can qualify for a nice 0.1 BTC bounty (exact amount to be confirmed) simply by transferring your funds to a strong/randomly generated brainwallet (or any other robust form of storage), and then disclosing the old (weaker) passphrase in this thread.

- passphrase length 20 characters or less.
- consisting mostly (at least 75%) of English words. 
- only 25+ BTC brainwallets will be considered.

Example: "bitcoin is awesome"   
 
Also, the funds must have stayed in the weaker brainwallet for at least 10 days to qualify.

People willing to contribute to the bounty can do so by donating to:
 1337sfeChyyzZLzdHLewXzcaAaJSNTM893

I am planning to run this campaign for the long run.

Note: Since this is quite a new idea, I reserve the right to change some of the rules during the first few weeks.

So let's give this a try!

davout
Legendary
*
Offline Offline

Activity: 1372
Merit: 1008


1davout


View Profile WWW
December 05, 2013, 07:39:56 PM
 #2

So you want to make some money off of that big rainbow table you just generated ? :-)

takagari
Legendary
*
Offline Offline

Activity: 1050
Merit: 1000


View Profile
December 05, 2013, 07:45:38 PM
 #3

Great idea,

Kinda drives me nuts seeing this over and over, because some encypt's 20 grand of usd with the pass word (Myname1985) lol
flatfly (OP)
Legendary
*
Offline Offline

Activity: 1120
Merit: 1016

090930


View Profile
December 05, 2013, 08:04:19 PM
 #4

So you want to make some money off of that big rainbow table you just generated ? :-)

Smiley

This would be the slowest way to build a rainbow table ever!
davout
Legendary
*
Offline Offline

Activity: 1372
Merit: 1008


1davout


View Profile WWW
December 05, 2013, 08:08:08 PM
 #5

I just had a superficial look at your passphrase utility, it sounds pretty neat!

My passphrase was generated with diceware + raspberrypi + bitcoin-ruby + copying everything with pen and paper.

I think it's really nice to make this level of security accessible to noobs too

flatfly (OP)
Legendary
*
Offline Offline

Activity: 1120
Merit: 1016

090930


View Profile
December 06, 2013, 05:48:17 PM
 #6

I just had a superficial look at your passphrase utility, it sounds pretty neat!

My passphrase was generated with diceware + raspberrypi + bitcoin-ruby + copying everything with pen and paper.

I think it's really nice to make this level of security accessible to noobs too

Thanks for checking it out! IMO, raising awareness of the risks associated with brainwallets is really important.
12648430
Full Member
***
Offline Offline

Activity: 144
Merit: 100


View Profile
December 06, 2013, 07:17:05 PM
 #7

20 random characters typable on a regular keyboard have a little over 126 bits of entropy (electrum seeds have 128), so if you're going to do this you'll need to be strict about non-randomness of qualifying passwords.
davout
Legendary
*
Offline Offline

Activity: 1372
Merit: 1008


1davout


View Profile WWW
December 06, 2013, 07:46:08 PM
 #8

20 random characters typable on a regular keyboard have a little over 126 bits of entropy (electrum seeds have 128), so if you're going to do this you'll need to be strict about non-randomness of qualifying passwords.

Passwords suck, passphrases rock, they have a much better rememberability/entropy ratio.
With a 10 words passphrase you get approximately the same entropy as your 20 characters passwords and it's much easier for a human brain to remember, we're simply wired that way.
Like you said the quality of the generation process is of utmost importance.

malevolent
can into space
Legendary
*
Offline Offline

Activity: 3472
Merit: 1725



View Profile
December 06, 2013, 08:58:58 PM
 #9

I can see this being very easily gamed, someone can generate a secure albeit not-truly-random passphrase (without using a computer or dice, per your rules); how will you determine whether or not someone wasn't actually using a computer or dice? It is very easy to generate a passphrase that will "look" random but that won't actually be random according to your definition of randomness. You should ask people to submit a lot more data to be sufficiently sure, e.g. at least several hundred passphrases (most people being poor sources of randomness, patterns would emerge).


Signature space available for rent.
flatfly (OP)
Legendary
*
Offline Offline

Activity: 1120
Merit: 1016

090930


View Profile
December 06, 2013, 11:44:03 PM
 #10

I can see this being very easily gamed, someone can generate a secure albeit not-truly-random passphrase (without using a computer or dice, per your rules); how will you determine whether or not someone wasn't actually using a computer or dice? It is very easy to generate a passphrase that will "look" random but that won't actually be random according to your definition of randomness. You should ask people to submit a lot more data to be sufficiently sure, e.g. at least several hundred passphrases (most people being poor sources of randomness, patterns would emerge).



Thanks for your remarks. I was thinking of making the criteria a little bit stricter and better defined, while keeping this as simple as possible.

I will update the first post with some additional constraints.
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!