Author Topic: Collection of 18.509 found and used Brainwallets  (Read 30891 times)
TheArchaeologist (OP)
July 29, 2018, 08:32:57 AM
Merited by ABCbits (11), LoyceV (6), malevolent (5), Welsh (5), pooya87 (4), friends1980 (3), El duderino_ (2), anthonytcm (2), OgNasty (1), vapourminer (1), LFC_Bitcoin (1), bitbollo (1), HeRetiK (1), o_e_l_e_o (1), Husna QA (1), dragonvslinux (1), jacktheking (1), DaCryptoRaccoon (1), Financisto (1), TechPriest (1), spirali (1)
 #1

Hi,

As has been discussed many times before, using a Brainwallet is a bad idea. I ran some tests myself and found 18.509 BTC-addresses based on a brainwallet which have also been used in the blockchain before.

I tried to compare my results with the results of other researchers but could not find any lists online at all. I found some examples but not a comprehensive list. So I published my own results over here: https://eli5.eu/brainwallet

Please note: all published addresses have a balance of 0 so this is not a list for robbers :). There are also a lot of extra datasets I haven't used thus far, so I expect the numbers to go up once I use them as well (I'm in the middle of perfecting my own tooling and blockchain parser so this will take some more time first).

I'd love to get some feedback, and if you have results to share which I missed in this round I'm more than happy to hear from you and include them.

TA

Sooner or later you're going to realize, just as I did, that there's a difference between knowing the path and walking the path
"Governments are good at cutting off the heads of a centrally controlled networks like Napster, but pure P2P networks like Gnutella and Tor seem to be holding their own." -- Satoshi
keychainX
July 29, 2018, 09:22:20 AM
 #2

Which dictionary did you use?

One word or multi word attack?

TheArchaeologist (OP)
July 29, 2018, 10:12:18 AM
 #3

I mainly used single words from dictionaries and used passwords from published password dumps.

keychainX
July 29, 2018, 10:20:21 AM
 #4

Did you use block parser to create the list?

TheArchaeologist (OP)
July 29, 2018, 10:32:09 AM
 #5

No, I used my own parser, but since it wasn't/isn't finished yet I got the transactions and balance from using the Blockchain API.

The steps involved for creating such a list:
  • Perform a SHA-256 on the input (word/phrase)
  • Check the generated private key (compressed/uncompressed) against my own databases with successes
  • If Private key is not in database create BTC-address from the key(s)
  • Check if BTC address exists on blockchain based on my own database with all BTC-addresses
  • If address is found store the private key and passphrase in the database and get info on number of transactions and balance from Blockchain API

That's about it.

HeRetiK
July 29, 2018, 10:40:12 AM
 #6

Oh wow... more than 18k BTC addresses having used single word passphrases is pretty bad. At least most of them don't seem to have been used since 2013.

Did you look into Brainflayer [1] or did you feel more comfortable using a custom made solution?

[1] https://github.com/ryancdotorg/brainflayer

TheArchaeologist (OP)
July 29, 2018, 11:18:05 AM
 #7

I did look into Brainflayer and also used it in the process. But you got to keep in mind Brainflayer is not a standalone solution. It depends on creating a Bloom filter based upon all addresses used in the BTC blockchain. So you first need to come up with such a list: this is where I used my own parser to create the list. In 2015 when Brainflayer was released there were about 80 Million unique addresses on the blockchain, which led to a lot fewer false positives than when used on the 400 Million plus unique addresses currently in use. And finally, Brainflayer just reports if a match was found; it doesn't do any looking into transactions or balances used.

So what I did was make use of Brainflayer to do a very fast scan using a Bloom filter, and I processed the results from there within my own tooling to filter out false positives and duplicates and to add extra information on transactions and balances.

Sooner or later you're going to realize, just as I did, that there's a difference between knowing the path and walking the path
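
The effect described in the post above, as an added example (not part of the original thread and not Brainflayer's code): a fixed-size Bloom filter's false-positive rate climbs steeply when the address set grows from 80 million to 400 million entries, so Bloom hits need a second, exact lookup. The filter size (2^32 bits), the 20 probes per item, the SHA-512-derived probe positions and all sample data are assumptions chosen for illustration; the filter is scaled down by 2^14, which keeps the fill ratio and therefore the false-positive rate the same.

```python
import hashlib
import math

M_FULL, K = 1 << 32, 20   # assumed full-size filter: 2^32 bits, 20 probes per item
SCALE = 1 << 14           # shrink m and n together; n/m (and the FP rate) is unchanged
M = M_FULL // SCALE       # 2^18 bits in the scaled-down filter

def probes(item: bytes):
    """K independent bit positions, 3 digest bytes each (assumed scheme)."""
    d = hashlib.sha512(item).digest()
    return [int.from_bytes(d[3 * i:3 * i + 3], "big") % M for i in range(K)]

def build(items):
    bits = bytearray(M // 8)
    for it in items:
        for p in probes(it):
            bits[p >> 3] |= 1 << (p & 7)
    return bits

def maybe_present(bits, item):
    """True means 'possibly in the set'; False means 'definitely not'."""
    return all(bits[p >> 3] & (1 << (p & 7)) for p in probes(item))

def expected_fp(n, m=M_FULL, k=K):
    """Classic Bloom filter estimate: (1 - e^(-kn/m))^k."""
    return (1 - math.exp(-k * n / m)) ** k

def two_stage(n_full, n_misses=20000, planted=25):
    """Bloom prefilter, then exact-set confirmation, on constructed data."""
    n = n_full // SCALE
    members = {b"addr-%d" % i for i in range(n)}            # constructed "used addresses"
    bits = build(members)
    candidates = [b"addr-%d" % i for i in range(planted)]   # real members
    candidates += [b"miss-%d" % i for i in range(n_misses)] # never inserted
    bloom_hits = [c for c in candidates if maybe_present(bits, c)]
    confirmed = [c for c in bloom_hits if c in members]     # stage 2 drops false positives
    return len(bloom_hits), len(confirmed)

if __name__ == "__main__":
    for n_full in (80_000_000, 400_000_000):
        hits, confirmed = two_stage(n_full)
        print(f"n={n_full:>11,}  expected FP={expected_fp(n_full):.2e}  "
              f"bloom hits={hits}  confirmed={confirmed}")
```

With these assumed parameters the estimate goes from roughly 7e-11 at 80 million entries to about 3.4% at 400 million, and only the exact lookup separates the 25 planted members from the false hits.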
philipma1957
July 29, 2018, 11:39:37 AM
 #8

Most of the ones you found have a 0.00005460 deposit and withdrawal, i.e. 2 transactions. So I would adjust the 18,509 down to under 2,000, as it is obvious those addresses were designed and used to receive then send 0.00005460.

0.0000546 seems to start at 899 and end at 18036. That is more than 17,000 where security was basically an "I don't care, do you?" plan. But it does interest me that the first 899 on the list were not like that and used often.

TheArchaeologist (OP)
July 29, 2018, 01:20:03 PM
 #9

I personally believe most of the ones with a 0.00005460 deposit and withdrawal are in there because of some experiment in the past where simple dictionary words were used to see how long it would take for an attacker to grab the funds. I do agree with you that the ones with the most transactions are the most interesting; that's why I sorted the list by number of transactions. I still think the other ones are interesting as well when trying to compose a list of brainwallets which have been used in the past.

keychainX
July 29, 2018, 01:47:33 PM
 #10

What is the biggest transaction on those? Anyone above 10BTC?

TheArchaeologist (OP)
July 29, 2018, 03:36:29 PM
Merited by ABCbits (1), El duderino_ (1)
 #11

Biggest is over 500 BTC. As stated on the site (https://eli5.eu/brainwallet/detail/14NWDXkQwcGN1Pd9fboL8npVynD5SfyJAE.html):

General Information
The passphrase below was used as a Brainwallet to generate the given address.

BTC Address: 14NWDXkQwcGN1Pd9fboL8npVynD5SfyJAE
Used passphrase: bitcoin is awesome
Total transactions: 19
Amount received: 501.06500863 BTC
Amount spent: 501.06500863 BTC

Proof
You can check the private key is indeed known by verifying the following signed message when running your own node:

Code:
bitcoin-cli verifymessage "14NWDXkQwcGN1Pd9fboL8npVynD5SfyJAE" "HBi3IJsPku4lbbxJo3KAbghdPUKkpcCkg0E6VqHBDLGoEXvzdcUqI3MLA1bvoe4IcTcB5V4IL+l5XB7YLIchg7E=" "By using a weak brainwallet the private key for address 14NWDXkQwcGN1Pd9fboL8npVynD5SfyJAE has been compromised."

keychainX
July 29, 2018, 04:25:09 PM
 #12

Cool, thanks! ;)

o_e_l_e_o
July 29, 2018, 07:38:57 PM
 #13

Very interesting data, and proof that we are inherently awful at privacy. I think my personal favorite is number 72, "how much wood could a woodchuck chuck if a woodchuck could chuck wood", which has held over 500 BTC.

You've missed a decimal point at entry 266 - it currently says it has held over 2 billion BTC. :D
TheArchaeologist (OP)
July 29, 2018, 08:47:46 PM
 #14

Thanks for pointing out the 2 Billion mistake! I will look into it tomorrow.

f3tus
July 30, 2018, 07:17:33 AM
 #15

This thread might be of interest to you: https://bitcointalk.org/index.php?topic=2488493.0

And I did something similar with Ethereum (only used some ~10,000 most common passwords): https://bitcointalk.org/index.php?topic=2488493.msg42291616#msg42291616
TheArchaeologist (OP)
July 30, 2018, 10:14:55 AM
 #16

Thanks for pointing out those posts. I was aware of the first one (from Pastebin) but haven't yet made my own dataset with the kind of data described in there, like BTC-addresses, transaction IDs, merkle roots, etc.

I will read up on your post about Ethereum brainwallets. I'm focussing on BTC for now but it's always nice to read about other experiences!

TheArchaeologist (OP)
July 30, 2018, 10:41:47 AM
 #17

Quote from: o_e_l_e_o on July 29, 2018, 07:38:57 PM
> Very interesting data, and proof that we are inherently awful at privacy. I think my personal favorite is number 72, "how much wood could a woodchuck chuck if a woodchuck could chuck wood", which has held over 500 BTC.
>
> You've missed a decimal point at entry 266 - it currently says it has held over 2 billion BTC. :D

Fixed some nasty bugs which caused some addresses to stay blank on the overview-pages and fixed some wrong amounts_in and amounts_out which were not properly converted in some cases.

I also added another 60 new entries to the list based on a small sweep I just completed so the list currently contains 18.569 entries.

Finally: I'm always interested in new datasets to try and/or results from other people who conducted this kind of Research. I aim to let this list grow to the best source for compromised brainwallets.

Evil-Knievel
July 30, 2018, 10:50:08 AM
 #18

Quote from: TheArchaeologist on July 29, 2018, 08:32:57 AM
> As has been discussed many times before, using a Brainwallet is a bad idea.

I disagree, I have never lost anything from a brain wallet but I have lost quite a few coins from failing hardware wallets and dying hard drives.
amaclin1
July 30, 2018, 10:54:30 AM
 #19

Is there a list of addresses in plain text?
I want to compare your list with mine :)

Bitcoin SV GUI client for Windows and Linux
https://github.com/AlisterMaclin/bitcoin-sv/releases
TheArchaeologist (OP)
July 30, 2018, 10:59:35 AM
 #20

Quote from: Evil-Knievel on July 30, 2018, 10:50:08 AM
> Quote from: TheArchaeologist on July 29, 2018, 08:32:57 AM
> > As has been discussed many times before, using a Brainwallet is a bad idea.
>
> I disagree, I have never lost anything from a brain wallet but I have lost quite a few coins from failing hardware wallets and dying hard drives.

I get your stand on this, and maybe the introduction was a bit too short on the subject. As always there are exceptions to the rule, and if you manage to remember a brainwallet with high entropy and also using some personal knowledge (like a salt) it becomes a lot more secure. Let's just hope you won't suffer from a dying brain instead of a dying hard drive! :)
