Bitcoin Forum
Topic: how sensitive is wallet.dat
citb0in (OP)
October 02, 2022, 03:08:20 PM
#1

Hello everybody,

Assuming that someone manages to steal the wallet.dat (which is password-protected with 16 characters, alphanumeric + special chars) from my computer, how (bad are my and how) good are his chances that he will gain full access to my coins? Is this something I have to worry about or nothing to worry about? Let's assume in this example that he has gained absolutely no other information about me and does not even know anything about the owner/me, so he couldn't construct a personalized brute-force attack on the wallet.dat.

Looking forward to your comments.

OmegaStarScream
October 02, 2022, 03:22:53 PM
#2

Quote:
-snip-
Let's assume in this example that he has gained absolutely no other information about me and does not even know anything about the owner/me, so he couldn't construct a personalized brute-force attack on the wallet.dat

In this case, no. There's nothing to be worried about. But if someone manages to remotely steal your wallet.dat (with malware) it would be safe to assume that he has your keystrokes too.

PawGo
October 02, 2022, 03:23:15 PM
#3

16 characters (alphanumeric + special characters) are (IMHO) unbreakable, 8 is quite an easy task, anything more needs so much time and resources that it is undoable - so you may sleep safe.
There is only one remark - that is correct reasoning if the password is somehow “random”. If you used any dictionary word and then just added “123!” at the end, it is not safe at all. Even worse if you used any password which is on any list of used/leaked passwords.
LoyceV
October 02, 2022, 03:24:44 PM
#4

I think your scenario isn't realistic: if someone gets their hands on your wallet.dat, they can probably install a keylogger too.
Brute-forcing 16 characters is going to take a while, but there are specialized services out there.

citb0in (OP)
October 02, 2022, 04:00:06 PM
#5

Thanks for the helpful responses. I just wanted to understand if and how far the wallet.dat is protected by such a scenario. Of course the password should be cleverly chosen that it doesn't appear in any dictionary, isn't a common word or could be built from permutations of it. I know the process of brute-force cracking. But that there are special "services" out there that can crack 16-digit passwords of the type mentioned in reasonable time ... didn't know that. I always thought with 16 digits you were already on the safe side. But well, then I'll just raise it to 26 chars and then I'll sleep better :P

jackg
October 02, 2022, 04:37:51 PM
#6

It depends on whether the alphanumeric code is truly random or not. As long as you have 16 characters that are random then you should be fine for now.

If you happen to have words in there then the password might become solvable for an attacker.
citb0in (OP)
October 02, 2022, 04:45:33 PM
#7

it's truly /dev/urandom 8)

o_e_l_e_o
October 02, 2022, 06:53:50 PM
#8

If you have 16 random characters from the full set of 95 printable ASCII characters, then you have 95^16 possibilities, which comes out to a little over 105 bits of entropy. The bitcoin network currently has a hashrate of around 250 EH/s. Given that each of those is two SHA256s, then that means it would take the entire bitcoin network around 2,800 years at current rates to perform 2^105 hashes. So your password is quite safe against random brute forcing.

But, as Loyce correctly points out, if someone has managed to steal your wallet.dat file from your computer, then your entire set up is now compromised either physically or electronically, and a secure password is no guarantee of safety.
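
The arithmetic from reply #8, carried through as an added example (not part of the original thread). It extends the calculation to other lengths, to the "dictionary word plus suffix" case raised in reply #3, and to the shortest random length that survives a chosen number of years. The 100,000-word list and 10,000 suffixes are constructed assumptions; the hashrate and alphabet size are the figures quoted in the thread.

```python
import math

PRINTABLE_ASCII = 95             # alphabet size used in reply #8
SHA256_PER_SECOND = 250e18 * 2   # 250 EH/s, two SHA256 per network hash (thread's figures)
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(keyspace):
    """Bits of entropy for one element chosen uniformly from the keyspace."""
    return math.log2(keyspace)


def years_to_exhaust(keyspace, guesses_per_second=SHA256_PER_SECOND):
    """Years to try every candidate, counting one guess as one SHA256
    (the simplification used in reply #8)."""
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


def min_random_length(target_years, alphabet=PRINTABLE_ASCII,
                      guesses_per_second=SHA256_PER_SECOND):
    """Shortest random password whose full keyspace outlasts target_years."""
    needed = target_years * SECONDS_PER_YEAR * guesses_per_second
    length = 1
    while alphabet ** length < needed:
        length += 1
    return length


def pattern_keyspace(dictionary_words, suffixes):
    """Candidate count for 'dictionary word + short suffix' (e.g. word + "123!")."""
    return dictionary_words * suffixes


if __name__ == "__main__":
    for n in (8, 16, 26):
        ks = PRINTABLE_ASCII ** n
        print(f"{n:2d} random chars: {entropy_bits(ks):6.1f} bits, "
              f"{years_to_exhaust(ks):.3g} years")
    # Constructed sizes (assumption): 100,000-word list, 10,000 common suffixes.
    weak = pattern_keyspace(100_000, 10_000)
    print(f"word + suffix  : {entropy_bits(weak):6.1f} bits, "
          f"{years_to_exhaust(weak) * SECONDS_PER_YEAR:.3g} seconds")
    print("min random length for 1,000 years:", min_random_length(1000))
```

The guess rate here is the whole network's SHA256 throughput, so the times for random passwords are a floor; the word-plus-suffix keyspace stays tiny at any realistic rate.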
Sarah Azhari
October 03, 2022, 11:40:23 AM
#9

Quote:
it's truly /dev/urandom 8)

so what can you do when you run out of entropy?