flatfly (OP)
Legendary
 Offline
Activity: 1078
Merit: 1011
760930
|
 |
December 05, 2013, 07:32:11 PM
Last edit: December 07, 2013, 12:23:32 AM by flatfly |
|
I keep seeing brainwallets getting hacked every other week. I would like to start the following little campaign to discourage the use of weak passphrases in brainwallets:
If you currently own a brainwallet that matches the below criteria, you can qualify for a nice 0.1 BTC bounty (exact amount to be confirmed) simply by transferring your funds to a strong/randomly generated brainwallet (or any other robust form of storage), and then disclosing the old (weaker) passphrase in this thread.
- passphrase length 20 characters or less.
- consisting mostly (at least 75%) of English words.
- only 25+ BTC brainwallets will be considered.
Example: "bitcoin is awesome"
Also, the funds must have stayed in the weaker brainwallet for at least 10 days to qualify.
People willing to contribute to the bounty can do so by donating to:
1337sfeChyyzZLzdHLewXzcaAaJSNTM893
I am planning to run this campaign for the long run.
Note: Since this is quite a new idea, I reserve the right to change some of the rules during the first few weeks.
So let's give this a try!
|
|
|
|
|
|
|
|
|
|
|
|
There are several different types of Bitcoin clients. The most secure are full nodes like Bitcoin Core, but full nodes are more resource-heavy, and they must do a lengthy initial syncing process. As a result, lightweight clients with somewhat less security are commonly used.
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
davout
Legendary
Offline
Activity: 1372
Merit: 1007
1davout
|
|
December 05, 2013, 07:39:56 PM |
|
So you want to make some money off of that big rainbow table you just generated ? :-)
|
|
|
|
takagari
Legendary
Offline
Activity: 1050
Merit: 1000
|
|
December 05, 2013, 07:45:38 PM |
|
Great idea,
Kinda drives me nuts seeing this over and over, because some encypt's 20 grand of usd with the pass word (Myname1985) lol
|
|
|
|
|
flatfly (OP)
Legendary
Offline
Activity: 1078
Merit: 1011
760930
|
|
December 05, 2013, 08:04:19 PM |
|
So you want to make some money off of that big rainbow table you just generated ? :-)
 This would be the slowest way to build a rainbow table ever! |
|
|
|
|
davout
Legendary
Offline
Activity: 1372
Merit: 1007
1davout
|
|
December 05, 2013, 08:08:08 PM |
|
I just had a superficial look at your passphrase utility, it sounds pretty neat!
My passphrase was generated with diceware + raspberrypi + bitcoin-ruby + copying everything with pen and paper.
I think it's really nice to make this level of security accessible to noobs too
|
|
|
|
flatfly (OP)
Legendary
Offline
Activity: 1078
Merit: 1011
760930
|
|
December 06, 2013, 05:48:17 PM |
|
I just had a superficial look at your passphrase utility, it sounds pretty neat!
My passphrase was generated with diceware + raspberrypi + bitcoin-ruby + copying everything with pen and paper.
I think it's really nice to make this level of security accessible to noobs too
Thanks for checking it out! IMO, raising awareness of the risks associated with brainwallets is really important. |
|
|
|
|
|
12648430
|
|
December 06, 2013, 07:17:05 PM |
|
20 random characters typable on a regular keyboard have a little over 126 bits of entropy (electrum seeds have 128), so if you're going to do this you'll need to be strict about non-randomness of qualifying passwords.
|
|
|
|
|
davout
Legendary
Offline
Activity: 1372
Merit: 1007
1davout
|
|
December 06, 2013, 07:46:08 PM |
|
20 random characters typable on a regular keyboard have a little over 126 bits of entropy (electrum seeds have 128), so if you're going to do this you'll need to be strict about non-randomness of qualifying passwords.
Passwords suck, passphrases rock, they have a much better rememberability/entropy ratio. With a 10 words passphrase you get approximately the same entropy as your 20 characters passwords and it's much easier for a human brain to remember, we're simply wired that way. Like you said the quality of the generation process is of utmost importance. |
|
|
|
malevolent
can into space
Legendary
Offline
Activity: 3472
Merit: 1721
|
|
December 06, 2013, 08:58:58 PM |
|
I can see this being very easily gamed, someone can generate a secure albeit not-truly-random passphrase (without using a computer or dice, per your rules); how will you determine whether or not someone wasn't actually using a computer or dice? It is very easy to generate a passphrase that will "look" random but that won't actually be random according to your definition of randomness. You should ask people to submit a lot more data to be sufficiently sure, e.g. at least several hundred passphrases (most people being poor sources of randomness, patterns would emerge).
|
Signature space available for rent.
|
|
|
flatfly (OP)
Legendary
Offline
Activity: 1078
Merit: 1011
760930
|
|
December 06, 2013, 11:44:03 PM |
|
I can see this being very easily gamed, someone can generate a secure albeit not-truly-random passphrase (without using a computer or dice, per your rules); how will you determine whether or not someone wasn't actually using a computer or dice? It is very easy to generate a passphrase that will "look" random but that won't actually be random according to your definition of randomness. You should ask people to submit a lot more data to be sufficiently sure, e.g. at least several hundred passphrases (most people being poor sources of randomness, patterns would emerge).
Thanks for your remarks. I was thinking of making the criteria a little bit stricter and better defined, while keeping this as simple as possible. I will update the first post with some additional constraints. |
|
|
|
|
|
