I am shocked. I cannot believe this. There is now way I will ever Bitaddress.org

[remotemass]

I am shocked. I cannot believe this. There is no way I will ever trust Bitaddress.org

I really, really, really no way I will trust bitdaddress.org again.

In the past months, I have been noticing that the random private key always started with capital L.
Today I tried more than 20 times to get a random private and I only get L and a few times "K".

I cannot believe it. I do it again and boom: random private key starts with "L".

No way. I am really shocked.

I am in shock. Don't know what to say.

Can anyone explain this?! Oh My God...

[Fredyy]

And all Public Keys start with 1, I feel there is some kind of conspiracy.
/end of sarcasm


Maybe its because Base58 encoded private keys always start with L or K. And there are no other valid private key start letters.

[pooya87]

there is nothing to explain! there is nothing dictating the first character of a private key encoded using base58 should be 50-50 L/K. it can be dozens of Ls in a row or dozens of Ks in a row. and nobody has found any problem in bitaddress.org's RNG methods (https://github.com/pointbiz/bitaddress.org) during all these years to make us believe there is anything wrong.

i am more shocked that an account created in 2012 is claiming to be shocked about something like this!

[remotemass]

I redeem myself for my surprising ignorance. I'm sorry. You seem to be right:
https://www.reddit.com/r/Bitcoin/comments/4br5ip/bitaddressorg_all_private_keys_starts_with_k_or_l/

No need to say more, I guess.

[eaLiTy]

I redeem myself for my surprising ignorance. I'm sorry. You seem to be right:
https://www.reddit.com/r/Bitcoin/comments/4br5ip/bitaddressorg_all_private_keys_starts_with_k_or_l/

No need to say more, I guess.

Sometimes a simple google search will kill that wow moment . You just learned about compressed private keys .

i am more shocked that an account created in 2012 is claiming to be shocked about something like this!

This statement will give the OP a shock   . Ignorance is not a punishable offence but he could have searched before crying out to God during COVID  .

@OP you can lock the topic.

[thesmallgod]

It is better you lock this thread now

[DeathAngel]

You have a 2012 registration date, I hope this is a joke. Educate yourself better OP, you should be clued up by now.

[webtricks]

Since you have created this thread, let me add some more details so that the matter becomes entirely clear to you. WIF or Wallet Import Format of Private Key either starts with '5' or 'K/L' depending upon how you encoded it using Base58. WIF Compressed starts with 'K/L' while WIF starts with '5'. You may be assuming that WIF Compressed is shorter than the WIF but no that's wrong. Also, if anyone tells you the term 'compressed private key', there is no meaning of such term. You can't compress Private Key. Actually, WIF Compressed is one byte longer than the WIF. It is known as 'WIF Compressed' because when you paste key in any wallet to import Bitcoin addresses, it signifies that the wallet should import Bitcoin Address generated from compressed public key associated with that Private Key.

[BrewMaster]

you can also go nuts testing base58 encoding (same thing that private keys use) with testnet addresses since they are also random (hash of each address is random) and can have 2 different starting characters (m or n).

here is an example i found by generating a couple of different mnemonics on https://iancoleman.io/bip39/ (change Coin to BTC - Bitcoin Testnet)

Code:

celery virtual response permit target document rebuild swarm step float provide mammal verb morning melody

addresses:

Code:

mzFWePBHJe8ZdAGYEET2QsTnURAhQEMT1W		
mv2tKhpWmrZh846oMVtwbpH8YoH1ntvwn6		
mkgG3cKnHFtbJ17gybWXqoaGxhTg3umEGB		
mo4HttGBpGLr7V9ZBmmMYWoECHtDCpun33		
mnzjo7tLqhHm7jqLaKpXwNvSFgaagiZFQ9		
n4dQCzespZcSXnQRqdRr3C3DbvDmx8MJh3		
mkgRQVLLTak7MuzW8j4E9XfAYQjQEoAKe3		
mwtsQZ6qKKkjqiNsqK6YsVghL9UHqkiXyU		
mrWW8vjmnZWeNr6aLNRLP1TLkUuXWmfgmw		
mu2WnA2xBYGqMzHzvXdUSkYAMFQ4BTMzER		
mpt9nxZBn5Yi5kxcXxFPMCK5mUyZ44hPmq		
mhpxcgwy3ForYvPrG9qXmuVWEMvFgsVikj		
mvMjQWTHQeSoL9oxjhxDA7SyCe4QjtKkVq		
mfoB6FoGFbhCSPpNSun3XeAMsCELScUJoe		
mhSC9LL3LG4z1DbuamPHzHDkAQfWrSCgYa		
mkagnaqSdfcjbsjsLCXNLQPB58n4o1szjg		
mwhT7HgtyjHTpyEJRw7NDZ5PF5puGYMJiJ		
mgxeyqXFzEYueDNEaFadZSz13mZva4DMBr		
mqvXctoNaRALm12QbydFWhouGCX456Pacs		
mrLPZ7P1Kd24dmawRYukvPqE742VRqheAL

note that i didn't change anything else like path,... it is all default values. and there is only 1 address that starts with n. the rest start with m!

[bob123]

And all Public Keys start with 1, I feel there is some kind of conspiracy.
/end of sarcasm

I guess you meant addresses ?
Note that a public key is not the same as an address. The public key is being hashed to retrieve the address (sha256 and ripemd160 + checksum).

@OP:
Regardless of the initial statement:
Do not use any website to create a paper wallet. Not even after downloading and running it offline.
The usability is not worth the risk.

[siajeen]

And all Public Keys start with 1, I feel there is some kind of conspiracy.
/end of sarcasm

I guess you meant addresses ?
Note that a public key is not the same as an address. The public key is being hashed to retrieve the address (sha256 and ripemd160 + checksum).

@OP:
Regardless of the initial statement:
Do not use any website to create a paper wallet. Not even after downloading and running it offline.
The usability is not worth the risk.

Why you dont recommend it?

[webtricks]

And all Public Keys start with 1, I feel there is some kind of conspiracy.
/end of sarcasm

I guess you meant addresses ?
Note that a public key is not the same as an address. The public key is being hashed to retrieve the address (sha256 and ripemd160 + checksum).

@OP:
Regardless of the initial statement:
Do not use any website to create a paper wallet. Not even after downloading and running it offline.
The usability is not worth the risk.

Why you dont recommend it?

Trails!

It is very easy for websites to log your generated keys with Javacript if you are connected to internet. Moreover, even if you download the webpage and try generating paper wallet in offline mode, there are still many risks. Website may keep the trail of your address in browser and when you are once again connected to internet, such trails may be extracted via cross-website cookies or other methods. One more risk is of wireless printer. Suppose you generated paper wallet in offline mode and printed it via wireless printer. In such case, printer's records will have trail of your paper wallet and it is easy to retrieve that by hacking your printer or other connected devices with printer can also see your printed data.

This information is as per my knowledge. Bob123 may have other reasons to discourage using websites for wallet generation.

[Clegive8V]

Why you dont recommend it?

You do not need to be online to generate addresses. The whole process takes place without an internet connection, and the blockchain know your address when you sent or received from that address.

offtopic:
I want to know how to check that those sites is generating addresses randomly enough? I have read about bitcoinpaperwallet[Dot]com back doors.

[bob123]

Why you dont recommend it?

On the one hand, because of this:

It is very easy for websites to log your generated keys with Javacript if you are connected to internet. Moreover, even if you download the webpage and try generating paper wallet in offline mode, there are still many risks. Website may keep the trail of your address in browser and when you are once again connected to internet, such trails may be extracted via cross-website cookies or other methods. One more risk is of wireless printer. Suppose you generated paper wallet in offline mode and printed it via wireless printer. In such case, printer's records will have trail of your paper wallet and it is easy to retrieve that by hacking your printer or other connected devices with printer can also see your printed data.

Roughly 2/3 of network connected printer can be hijacked through the internet. Even if the policy only allows printing within the local network.
This can lead to sending print jobs to the printer which execute Postscript or PJL commands. And this allows an attacker to extract previous printer jobs (if being captured). Accessing a malicious website is enough for that.

And on the other hand, the source code of the website could be manipulated. E.g. using a manipulated RNG, which won't create truly random private keys.
It is not hard to shrink the space to an amount too high for random collisions of different people generating the same private key, but at the same time low enough to be able to bruteforce them.

Additionally, i wouldn't trust any javascript library with sensitive crypto operations.