almightyruler
July 22, 2019, 06:52:47 AM
> Multiple seeds can be used, for example:
> 1. Seed #0, which is an internal seed that is not disclosed or stored. This must be brute forced when re-generating the private key, so it is quite weak. It is intended as some extra protection against an attack.
> 2. Seed #1 (stored in one location) which takes ~1 day to brute force if lost.
> 3. Seed #2 (stored in another location) which takes ~1 day to brute force if lost.
> If the user has the passphrase, seed #1, and seed #2, all it takes is (say) 60 seconds to brute force the internal seed, and generate the correct privkey.
> If the user loses either of the seeds, it takes 60 seconds + 1 day.
> If the user loses both seeds, it takes 60 seconds + 1 day + 1 day.

Was thinking about this again today, and I've found a flaw in the above. I believe the total effort required to cover the search space is actually the product of the effort per seed, rather than the sum. This is because there's no way to know if you've correctly found a match for a single seed. The complete passphrase+seed+seed+seed combination is either matched, or not matched; there's no way to match a part of it. In other words, if you lose both seeds, it will take 60 x 86400 x 86400 seconds (5,184,000 days) to brute force all possibilities, not 60 + 86400 + 86400 (2 days and 60 seconds). To be able to independently crack a lost seed would require additional external validation, such as a hash of each seed stored in the blockchain. Just wanted to update the above idea to point out that multiple seeds won't work as expected. A single seed would still work, since there's only one unknown part to force if it is lost.
igordata
July 23, 2019, 10:04:07 AM
> If the user has the passphrase, seed #1, and seed #2, all it takes is (say) 60 seconds to brute force the internal seed, and generate the correct privkey.

why do we need #0 if it's so easy to brute force it then?

> If the user loses either of the seeds, it takes 60 seconds + 1 day.

no, if you lose both seeds you die

Edit: yep, if I lose one of the #1 or #2 seeds it's gonna take a month to brute force it, or a couple of weeks with 50% probability if I'm a lucky guy. If I lose both seeds I'm in deep trouble even if I'm extremely lucky.
almightyruler
July 23, 2019, 11:36:25 AM
> > If the user has the passphrase, seed #1, and seed #2, all it takes is (say) 60 seconds to brute force the internal seed, and generate the correct privkey.
> why do we need #0 if it's so easy to brute force it then?

Shrug. I guess as some extra protection if the two main seeds (which would need to be printed out or stored somewhere) are recovered by an attacker. Without seed #0 the attacker would only need to bruteforce the passphrase, but by requiring the additional (unknown) seed the work is increased by a factor of at least a few million. Disclaimer: I'm not a cryptographer, so I freely admit these ideas are probably a little crazy.
igordata
July 24, 2019, 04:46:49 PM
OK, you're right. We have a passphrase and without #0 it is just a millisecond to try. With #0 each passphrase will take a minute to try.
odolvlobo
July 24, 2019, 09:59:37 PM
> Multiple seeds can be used, for example:
> 1. Seed #0, which is an internal seed that is not disclosed or stored. This must be brute forced when re-generating the private key, so it is quite weak. It is intended as some extra protection against an attack.
> 2. Seed #1 (stored in one location) which takes ~1 day to brute force if lost.
> 3. Seed #2 (stored in another location) which takes ~1 day to brute force if lost.
> If the user has the passphrase, seed #1, and seed #2, all it takes is (say) 60 seconds to brute force the internal seed, and generate the correct privkey.
> If the user loses either of the seeds, it takes 60 seconds + 1 day.
> If the user loses both seeds, it takes 60 seconds + 1 day + 1 day.

I would like to point out that your times are correct only if the user has a way to know that an individual seed has been cracked. Otherwise, you must multiply the number of attempts rather than add them.

Edit: Oh, I see that you have already arrived at that conclusion.
almightyruler
July 25, 2019, 01:56:30 AM
> > [...] If the user loses both seeds, it takes 60 seconds + 1 day + 1 day.
> I would like to point out that your times are correct only if the user has a way to know that an individual seed has been cracked. Otherwise, you must multiply the number of attempts rather than add them. Edit: Oh, I see that you have already arrived at that conclusion.

You're the second person to point this out after I corrected myself. You could store hash(passphrase+seedX) in the blockchain so that the brainwallet client can figure out when it has cracked the seed, but that means an attacker also has that clue. Not such a good idea: now an attacker can hunt for hash(passphrase+seedX) matches to discover seeds with weak passphrases, and once they find two different seeds with the same passphrase, they're less than 60 seconds away from finding a private key.
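The arithmetic of the last few posts (almightyruler's correction that attempts multiply, odolvlobo's remark that they only add if an individual seed can be verified, and the per-seed hash clue) carried through as an added example; this is not code from the thread. Assumptions: the toy wallet key is one SHA-256 over passphrase and seeds, each seed is one of 1000 constructed values, seed #0 is left out, and the passphrase, seeds and attacker wordlist are constructed for the demo.

```python
import hashlib
import itertools

SEED_SPACE = [f"{i:03d}" for i in range(1000)]   # constructed: each seed is one of 1000 values


def combined_key(passphrase: str, seeds) -> bytes:
    """Toy brainwallet: a single SHA-256 over passphrase + all seeds.
    Nothing in the output says whether any one seed was right."""
    return hashlib.sha256(passphrase.encode() + "".join(seeds).encode()).digest()


def recover_no_clue(target: bytes, passphrase: str, known):
    """known[i] is the remembered seed, or None if it was lost.
    Without a per-seed validator every combination of the lost seeds must be tried,
    so the cost is the PRODUCT of their spaces. Returns (seeds, attempts)."""
    lost = [i for i, s in enumerate(known) if s is None]
    attempts = 0
    for combo in itertools.product(SEED_SPACE, repeat=len(lost)):
        trial = list(known)
        for i, v in zip(lost, combo):
            trial[i] = v
        attempts += 1
        if combined_key(passphrase, trial) == target:
            return trial, attempts
    return None, attempts


def seed_clue(passphrase: str, seed: str) -> bytes:
    """The external validator discussed above: hash(passphrase + seedX), stored somewhere public."""
    return hashlib.sha256((passphrase + seed).encode()).digest()


def recover_with_clues(passphrase: str, known, clues):
    """With one clue per seed each lost seed is searched on its own: cost is the SUM of the spaces."""
    trial, attempts = list(known), 0
    for i, s in enumerate(known):
        if s is not None:
            continue
        for cand in SEED_SPACE:
            attempts += 1
            if seed_clue(passphrase, cand) == clues[i]:
                trial[i] = cand
                break
    return trial, attempts


def attacker_hunt(clues, wordlist):
    """Attacker side of the same clues: a weak passphrase is confirmed seed by seed, so the
    attacker pays wordlist x (sum of seed spaces), never the product. Returns (passphrase, seeds)."""
    for guess in wordlist:
        found = []
        for clue in clues:
            match = next((c for c in SEED_SPACE if seed_clue(guess, c) == clue), None)
            if match is None:
                break
            found.append(match)
        if len(found) == len(clues):
            return guess, found
    return None, None


# Constructed demo data.
PASSPHRASE, SEEDS = "hunter2", ["123", "777"]
TARGET = combined_key(PASSPHRASE, SEEDS)
CLUES = [seed_clue(PASSPHRASE, s) for s in SEEDS]
WORDLIST = ["password", "letmein", "hunter2", "qwerty"]

if __name__ == "__main__":
    print("one seed lost, no clue :", recover_no_clue(TARGET, PASSPHRASE, [None, "777"])[1], "attempts")
    print("both lost, no clue     :", recover_no_clue(TARGET, PASSPHRASE, [None, None])[1], "attempts")
    print("both lost, with clues  :", recover_with_clues(PASSPHRASE, [None, None], CLUES)[1], "attempts")
    print("attacker with clues    :", attacker_hunt(CLUES, WORDLIST))
```

With seeds at positions 123 and 777 of their spaces, losing both costs 123,778 trials without clues but 902 with them; the same clues let the attacker recover passphrase and both seeds from a four-word list.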
igordata
July 25, 2019, 09:31:20 AM
> hash(passphrase+seedX)

That operation reduces security because an attacker can brute force quicker with a single hash iteration.
TechPriest
July 25, 2019, 06:58:37 PM
> I've seen someone (I think ryanc) mention before using a combination of a passphrase plus a random (weakish) seed. The seed needs to be printed out and stored somewhere safely. The beauty of this arrangement is that the seed is weak enough to be expendable, but strong enough to add some extra protection against casual hunting. If the seed is lost, you can use a program to brute force it until it finds a match for your brainwallet address. The strength of the seed is chosen so that some time (say one to two days) of brute forcing would be required.

> Interesting idea, while it's far less secure than CSPRNG/PRNG, it's acceptable assuming no one knows you use this method.

> No, that would be security through obscurity. It's fun to have some cool secret way to generate your key, but if it's too complex, you (or your benefactors, say if you suddenly die) could risk losing the funds. The point is that if you must use a brainwallet, the random seed will at least make it more secure against untargeted privkey hunters. Remember that each ATTEMPT at brute forcing the passphrase+seed takes 2 days, so in theory, even a reasonably common dictionary word as your passphrase could take years to crack. (In practice, a cracker is going to be using multiple cores and possibly optimised cracking methods, so it will take less time.)
> Multiple seeds can be used, for example:
> 1. Seed #0, which is an internal seed that is not disclosed or stored. This must be brute forced when re-generating the private key, so it is quite weak. It is intended as some extra protection against an attack.
> 2. Seed #1 (stored in one location) which takes ~1 day to brute force if lost.
> 3. Seed #2 (stored in another location) which takes ~1 day to brute force if lost.
> If the user has the passphrase, seed #1, and seed #2, all it takes is (say) 60 seconds to brute force the internal seed, and generate the correct privkey.
> If the user loses either of the seeds, it takes 60 seconds + 1 day.
> If the user loses both seeds, it takes 60 seconds + 1 day + 1 day.

That is very complicated, really. Also, if no one knows your passphrase you shouldn't be afraid of seed compromise, because the fact of knowing your seed can't help a hacker. If you are afraid that your passphrase will be brute forced or social hacked (as we know, people's brains provide very low entropy), then I have some interesting algorithm for you:
1. Create an easy master passphrase you will always remember.
2. Create your own algorithm for lower passphrase derivation. It can be like:
SHA2/RIPEMD-160(my-master-passphrase-that-I-always-remember + "1")
SHA2/RIPEMD-160(my-master-passphrase-that-I-always-remember + "2")
.......
3. Use the result as the passphrase (following BIP39) for a specific wallet (for wallet 1: passphrase1 + 12/24-word seed).
That's it. You can use different wallets for different purposes without fear of your wallets being linked (like addresses in one wallet). Also, while only you know the derivation algorithm, no one can get access to your wallets even if the seed and/or master passphrase is compromised. You can store your seed without any protection; you can put it into the bank or write it on paper. To hack all your wallets, a hacker needs to know your seed + master passphrase + derivation algorithm. It's not so easy to hack such protection.
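The derivation scheme in TechPriest's post, written out as an added example (not TechPriest's code): the per-wallet BIP39 passphrase is a hash of the master passphrase plus an index, and the seed and BIP32 root follow the real BIP39/BIP32 definitions (PBKDF2-HMAC-SHA512 with salt "mnemonic"+passphrase and 2048 rounds; HMAC-SHA512 keyed with "Bitcoin seed"). Assumptions: SHA-256 is used for the derivation step (the post leaves SHA2 or RIPEMD-160 open) and its hex digest is the passphrase text; the mnemonic is the standard BIP39 test mnemonic and the master passphrase is made up.

```python
import hashlib
import hmac
import unicodedata


def derived_passphrase(master: str, index: int) -> str:
    """Step 2 of the scheme: hash(master + "<index>"). The hex digest becomes the BIP39
    passphrase for wallet <index>. SHA-256 is an assumption; the post allows any hash."""
    return hashlib.sha256((master + str(index)).encode()).hexdigest()


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512 over the NFKD-normalised mnemonic,
    salt = "mnemonic" + passphrase, 2048 rounds, 64 bytes."""
    m = unicodedata.normalize("NFKD", mnemonic).encode()
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode()
    return hashlib.pbkdf2_hmac("sha512", m, salt, 2048, 64)


def bip32_master(seed: bytes):
    """BIP32 root node: HMAC-SHA512 keyed with "Bitcoin seed";
    left 32 bytes are the master private key, right 32 the chain code."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return i[:32], i[32:]


def wallet_root(mnemonic: str, master: str, index: int):
    """Wallet <index> of the scheme: same mnemonic, per-index derived passphrase.
    Returns (master_private_key, chain_code)."""
    return bip32_master(bip39_seed(mnemonic, derived_passphrase(master, index)))


# Constructed demo data: the standard BIP39 test mnemonic and a made-up master passphrase.
MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
            "abandon abandon abandon abandon abandon about")
MASTER = "my-master-passphrase-that-I-always-remember"

if __name__ == "__main__":
    for idx in (1, 2):
        key, chain = wallet_root(MNEMONIC, MASTER, idx)
        print(f"wallet {idx}: passphrase={derived_passphrase(MASTER, idx)[:16]}... "
              f"master key={key.hex()[:16]}...")
    # What someone holding only the mnemonic gets (empty passphrase): a different, unrelated root.
    print("mnemonic alone:", bip32_master(bip39_seed(MNEMONIC))[0].hex()[:16], "...")
```

Design note on what this rests on: BIP39 runs only 2048 PBKDF2 rounds, so the strength of each wallet against someone holding the mnemonic is the guessability of the derived passphrase text, i.e. of the master passphrase together with the secret derivation rule.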
almightyruler
July 31, 2019, 04:53:29 PM
https://www.blockchain.com/btc/address/1d923c954d8901d559f1262fec66ed08fdac73cb

Value of around $USD 55 swept immediately. At least one of the inputs in the funding transaction appears to be an exchange hot wallet (1NDyJtNTjmwk5xPNhjgAMu4HDHigtobu1s, which has nearly half a million transactions [edit: this is a Binance wallet -> https://twitter.com/binance/status/961666467325358081]). Are people still deliberately withdrawing funds to brainwallets?

The passphrase is "weadmittedwewerepowerlessoveralcoholthatourliveshadbecomeunmanageable" which appears to be the text (sans spaces) of the first step in the 12 step Alcoholics Anonymous program.

It amazes me how obscure passphrases are still swept away almost immediately. The cracking that I do for fun represents literally months of CPU time and trillions of candidate passphrases. At full tilt my i7 can push out about 43 billion passphrases per day, which would require over 1TB of storage per day if saved permanently. People running stealer bots must have massive databases of pre-computed candidate passphrases.
itod
> Are people still deliberately withdrawing funds to brainwallets?

Brainwallets were the worst idea from the beginning, but for some mysterious reason they are attractive to newbies. There's something in the human psychology, I guess the simplicity of the solution and the masochistic aspect of torturing themselves to remember long passphrases and the risk they may forget it, which has an allure of challenge. There is also an aspect that they do not get the math and reasoning behind reliable alternatives, like the Bitcoin Core wallet, that turns them away from better alternatives.
LoyceV
August 01, 2019, 10:58:45 AM
> Brainwallets were the worst idea from the beginning

There are 2 problems:
1. Anyone can search all existing brainwallets at the same time
2. It doesn't require much CPU-power to test a password

Without promoting brainwallets, I could think of several solutions:
1. If you add something unique to you to a brainwallet, it's much less likely to be found. Say I would add LoyceValenzuela to this: "weadmittedwewerepowerlessoveralcoholthatourliveshadbecomeunmanageable"
That would make: weadmittedwewerepowerlessoveralcoholthatourliveshadbecomeunmanageableLoyceValenzuela and instantly adds many more possibilities to the search space than "just" searching all available digital text on the planet. Or add your phone number. It's not perfect, but it makes it several orders of magnitude less likely to be brute-forced.
2. The protocol should use CPU-intensive encryption like BIP38 uses. That reduces the number of tries per second from billions to dozens.
Welsh
August 01, 2019, 12:21:10 PM
> Brainwallets were the worst idea from the beginning

They're flawed due to the fact that they're easy to bruteforce, and test different password combinations on without any sort of limit. However, a brainwallet is as secure as the user makes it. As LoyceV points out, putting unique information within a sentence instantly makes it more difficult to crack. Common passwords for brainwallets used to be sentences from books, and I think there was a pretty famous one which used a random page in the Lord Of The Rings books. I've never used a brainwallet, and would recommend against them just for the sole reason that they can be attacked easier than most other ways of storing Bitcoin.
itod
August 01, 2019, 05:23:38 PM
> Brainwallets were the worst idea from the beginning
> ...
> 1. If you add something unique to you to a brainwallet, it's much less likely to be found. Say I would add LoyceValenzuela to this: "weadmittedwewerepowerlessoveralcoholthatourliveshadbecomeunmanageable"
> That would make: weadmittedwewerepowerlessoveralcoholthatourliveshadbecomeunmanageableLoyceValenzuela and instantly adds many more possibilities to the search space than "just" searching all available digital text on the planet. Or add your phone number. It's not perfect, but it makes it several orders of magnitude less likely to be brute-forced.
> ...

Don't do this, there is no need for it. Just use a regular high quality wallet like the Bitcoin Core wallet and you will get incomparably more secure private keys without the need for any mental gymnastics. The quality wallets get their entropy from the hardware layer beneath, not from something humans can think of.
malevolent
> 2. The protocol should use CPU-intensive encryption like BIP38 uses. That reduces the number of tries per second from billions to dozens.

Most commonly used brainwallets, i.e. single round unsalted SHA-256, are a terrible idea leading to loss of funds for many users, but something like a warpwallet isn't too bad if someone's really set on using a brainwallet: https://keybase.io/warp
Using a salt should still be recommended though.
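The contrast malevolent and LoyceV (point 2) are drawing, as an added example rather than code from the thread or from WarpWallet: the single unsalted SHA-256 of the classic brainwallet next to the WarpWallet construction (scrypt with N=2^18, r=8, p=1 XORed with PBKDF2-HMAC-SHA256 at 2^16 rounds, both over passphrase and salt with a domain byte appended) and the BIP38 passphrase stretching (scrypt N=16384, r=8, p=8), plus a small throughput meter to see the guesses-per-second drop on one core. Assumptions: the e-mail salt and the BIP38 address hash are constructed; the scrypt N is a parameter only so the cheap-N case can be run quickly, the real cost is the default.

```python
import hashlib
import time


def sha256_brainwallet(passphrase: bytes) -> bytes:
    """Single unsalted SHA-256: the classic brainwallet derivation, billions of guesses/s on a GPU."""
    return hashlib.sha256(passphrase).digest()


def warp_key(passphrase: bytes, salt: bytes, n: int = 2**18) -> bytes:
    """WarpWallet construction (https://keybase.io/warp):
       s1 = scrypt(pass||0x01, salt||0x01, N=2^18, r=8, p=1, 32 bytes)
       s2 = PBKDF2-HMAC-SHA256(pass||0x02, salt||0x02, 2^16 rounds, 32 bytes)
       privkey = s1 XOR s2.
    The salt (WarpWallet suggests an e-mail address) is what stops one wordlist pass
    from hitting every wallet at once. n is a parameter only so a cheap run is possible;
    the real N=2^18 with r=8 needs about 256 MB of memory per guess."""
    s1 = hashlib.scrypt(passphrase + b"\x01", salt=salt + b"\x01", n=n, r=8, p=1, dklen=32, maxmem=2**30)
    s2 = hashlib.pbkdf2_hmac("sha256", passphrase + b"\x02", salt + b"\x02", 2**16, 32)
    return bytes(a ^ b for a, b in zip(s1, s2))


def bip38_passfactor(passphrase: bytes, addresshash: bytes) -> bytes:
    """BIP38 (no EC multiply) passphrase stretching: scrypt(passphrase, addresshash, N=16384, r=8, p=8, 64 bytes).
    addresshash is the first 4 bytes of SHA256d over the address; it is constructed by the caller here."""
    return hashlib.scrypt(passphrase, salt=addresshash, n=16384, r=8, p=8, dklen=64, maxmem=2**30)


def guesses_per_second(kdf, seconds: float = 0.3) -> float:
    """Single-core throughput of a KDF on this machine, feeding it distinct candidates."""
    count, t0 = 0, time.perf_counter()
    while time.perf_counter() - t0 < seconds:
        kdf(b"candidate-%d" % count)
        count += 1
    return count / (time.perf_counter() - t0)


if __name__ == "__main__":
    email = b"alice@example.org"                       # constructed salt
    print("warp key   :", warp_key(b"correct horse battery staple", email).hex())
    print("sha256 g/s :", round(guesses_per_second(sha256_brainwallet)))
    print("warp g/s   :", round(guesses_per_second(lambda p: warp_key(p, email)), 2))
    print("bip38 g/s  :", round(guesses_per_second(lambda p: bip38_passfactor(p, b"\0" * 4)), 2))
```

On a laptop core the SHA-256 line runs to hundreds of thousands of guesses per second in Python alone, while the WarpWallet line is well under one guess per second; the ratio, not the absolute numbers, is the point.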
almightyruler
Now for something a little different: https://www.blockchain.com/btc/address/674239f32cd4041965f3a9e1fdeb09356f07887a
Passphrase: ประวิตร วงษ์สุวรรณ
According to Google this is Thai, and translates to "Wittawong Suwan", but I think the correct (Westernised) translation is Prawit Wongsuwan, who is a General that became the Deputy Prime Minister after a 2014 coup. He seems to be fond of expensive watches.
almightyruler
August 31, 2019, 10:23:56 AM
Some other variations:
Peer to Peer Electronic Cash System
Peer-to-Peer Electronic Cash (on testnet)
almightyruler
September 09, 2019, 09:25:23 AM
0.4995 BTC rested in this brainwallet for about a week: https://www.blockchain.com/btc/address/1NibpGrUoUd9ywXm5Q2Zx5w12pZN3V3z8G
Since the transactions are so recent, I am not going to disclose the passphrase, but let's just say that it's the title of something. Not super weak, but not exactly secure, especially when you're sending half a Bitcoin to it. Don't know if the rightful owner took the funds, or they were stolen, but if I can find it, so can someone else. The chain of transactions leading up to the one funding this address look interesting, can anyone better at exploring blockchains than I am offer an explanation?
almightyruler
September 17, 2019, 06:13:02 AM
An idea I came up with today: using a standard wallet file (must be encrypted) to create a hidden "brainwallet" private key.
These help protect the hidden key:
1. You need access to the wallet file; an attack would need to be targeted.
2. You need the password to unlock the wallet; that's the brain part.
3. There is no external indication that the hidden key exists.
To create the hidden key:
1. Combine all unencrypted private keys in the wallet in some way (e.g. SHA256 hash of the concatenated keys).
2. For additional bruteforce protection, stretch the new key.
But here's the cool part: the wallet can be completely cleared of all funds, either before or after you create the new key. This means that if anyone does gain access to the wallet file, all they see is a wallet with no balance (this can be seen without needing the wallet password). Even if they suspect you may be using a hidden key, they cannot regenerate it unless they know the password to decrypt the wallet.
tl;dr you can create a hidden key from a wallet with zero balance that anyone poking around your file system will probably ignore.
Thoughts?