Bitcoin Forum
Topic: Assessing the security risk of sharing your wallet "hash" (Read 159 times)
CryptoJ0hn (OP)
Newbie
Activity: 12
Merit: 0
September 13, 2024, 10:50:09 AM
 #1

Is it a security risk to share only the "hash" from my old wallet with the password recovery service?

I mean the hash obtained using bitcoin2john.py ($bitcoin$<hash>) or ethereum2john.py ($ethereum$s*<hash>) scripts from JtR.

Disclosing my password does not matter, since it is specific and has not been used anywhere else (and will not be).
mcdouglasx
Member
Activity: 346
Merit: 89
September 13, 2024, 01:40:48 PM
Merited by pooya87 (4), odolvlobo (1), ABCbits (1), nc50lc (1)
 #2

Is it a security risk to share only the "hash" from my old wallet with the password recovery service?

I mean the hash obtained using bitcoin2john.py ($bitcoin$<hash>) or ethereum2john.py ($ethereum$s*<hash>) scripts from JtR.

Disclosing my password does not matter, since it is specific and has not been used anywhere else (and will not be).
  As long as you always use secure software and do not share the wallet.dat. If an attacker successfully cracks the hash, they obtain the password. With this password, they can access the wallet ONLY if they have the wallet file.

BTC bc1qxs47ttydl8tmdv8vtygp7dy76lvayz3r6rdahu
CryptoJ0hn (OP)
Newbie
Activity: 12
Merit: 0
September 13, 2024, 02:23:14 PM
 #3

Is it a security risk to share only the "hash" from my old wallet with the password recovery service?

I mean the hash obtained using bitcoin2john.py ($bitcoin$<hash>) or ethereum2john.py ($ethereum$s*<hash>) scripts from JtR.

Disclosing my password does not matter, since it is specific and has not been used anywhere else (and will not be).
  As long as you always use secure software and do not share the wallet.dat. If an attacker successfully cracks the hash, they obtain the password. With this password, they can access the wallet ONLY if they have the wallet file.
This also applies to the UTC-Keystore Ethereum wallet, right?
mcdouglasx
Member
Activity: 346
Merit: 89
September 13, 2024, 05:12:20 PM
 #4

Is it a security risk to share only the "hash" from my old wallet with the password recovery service?

I mean the hash obtained using bitcoin2john.py ($bitcoin$<hash>) or ethereum2john.py ($ethereum$s*<hash>) scripts from JtR.

Disclosing my password does not matter, since it is specific and has not been used anywhere else (and will not be).
  As long as you always use secure software and do not share the wallet.dat. If an attacker successfully cracks the hash, they obtain the password. With this password, they can access the wallet ONLY if they have the wallet file.
This also applies to the UTC-Keystore Ethereum wallet, right?

Yes, in both cases, without the wallet.dat and Keystore file, they can’t do anything by obtaining your password cracking the hash.

BTC bc1qxs47ttydl8tmdv8vtygp7dy76lvayz3r6rdahu
Faisal2202
Hero Member
Activity: 1358
Merit: 511
September 13, 2024, 05:20:52 PM
 #5

Is it a security risk to share only the "hash" from my old wallet with the password recovery service?

I mean the hash obtained using bitcoin2john.py ($bitcoin$<hash>) or ethereum2john.py ($ethereum$s*<hash>) scripts from JtR.

Disclosing my password does not matter, since it is specific and has not been used anywhere else (and will not be).
I don't think sharing the hash only is a risk to the wallet. Because hash is a one-way thing, hashing is a procedure in which a hash is made from the public key because the public key is very long and it takes a lot of storage, not good as size matters, so hashing converts the public key into a hash by hashing.

What is the difference between public key and public key hash. This thread will be of great help to you because I also came to know what's the importance of hash and public key and private key and what's the difference between them. I am sure if you will read some replies, you will know if it's okay to share the hash or not.

I think it's not wise to share the hash to a service you don't trust or don't have good feedback on. I mean, the tool you are using, John the Ripper (jtr) I don't know much about it but the hash is here in the discussion and can be used by the jtr to crack the password.

CryptoJ0hn (OP)
Newbie
Activity: 12
Merit: 0
September 13, 2024, 05:38:02 PM
 #6

Is it a security risk to share only the "hash" from my old wallet with the password recovery service?

I mean the hash obtained using bitcoin2john.py ($bitcoin$<hash>) or ethereum2john.py ($ethereum$s*<hash>) scripts from JtR.

Disclosing my password does not matter, since it is specific and has not been used anywhere else (and will not be).
I don't think sharing the hash only is a risk to the wallet. Because hash is a one-way thing, hashing is a procedure in which a hash is made from the public key because the public key is very long and it takes a lot of storage, not good as size matters, so hashing converts the public key into a hash by hashing.

What is the difference between public key and public key hash. This thread will be of great help to you because I also came to know what's the importance of hash and public key and private key and what's the difference between them. I am sure if you will read some replies, you will know if it's okay to share the hash or not.

I think it's not wise to share the hash to a service you don't trust or don't have good feedback on. I mean, the tool you are using, John the Ripper (jtr) I don't know much about it but the hash is here in the discussion and can be used by the jtr to crack the password.
This is not exactly a hash in the usual sense. These scripts extract some data from the wallet that is needed to check the correct password.
Faisal2202
Hero Member
Activity: 1358
Merit: 511
September 13, 2024, 05:54:44 PM
 #7

This is not exactly a hash in the usual sense. These scripts extract some data from the wallet that is needed to check the correct password.
Hmm so I checked how jtr works and it works when you give it the type of encryption to decrypt when it won't automatically pick one like there are many. So far, I think it's not bad to use it because the software is a trusted one but lacks in performance when compared with hashcat but to be specific, I think the hash data it will extract will be used to apply brute force attacks or any other attack to predict the password, and you aren't giving it, it will automatically extract it.

So in order to open the wallet, you need a password and in order to get the password, you have to provide access to the jtr so it can get the hash, but you doubt if it will give you the password, and you are risking giving it a hash. I think jtr won't do anything bad to you. Until then, let's hear what other members have to say about it.

CryptoJ0hn (OP)
Newbie
Activity: 12
Merit: 0
September 13, 2024, 06:12:00 PM
 #8

So in order to open the wallet, you need a password and in order to get the password, you have to provide access to the jtr so it can get the hash, but you doubt if it will give you the password, and you are risking giving it a hash. I think jtr won't do anything bad to you.
The scripts are used separately from jtr, they have open source code (python).
The question was whether it was possible to transfer the received "hash" to someone else in order to find the password and not be left without funds.
achow101
Moderator
Legendary
Activity: 3514
Merit: 6863
September 13, 2024, 06:22:42 PM
Merited by pooya87 (4), ABCbits (2), nc50lc (1), Cricktor (1)
 #9

Is it a security risk to share only the "hash" from my old wallet with the password recovery service?

I mean the hash obtained using bitcoin2john.py ($bitcoin$<hash>) or ethereum2john.py ($ethereum$s*<hash>) scripts from JtR.

Disclosing my password does not matter, since it is specific and has not been used anywhere else (and will not be).
The "hash" is the encrypted encryption key, not actually a hash. This key is used only to encrypt the private keys stored in the wallet.dat file. It is not used for private key derivation and there is no relationship between that key and your private keys.

If the service can brute force the password, they will only know the password and have possession of that encryption key. However, unless they have the wallet.dat file itself, there is no risk to funds.

mcdouglasx
Member
Activity: 346
Merit: 89
September 13, 2024, 06:31:39 PM
 #10

Is it a security risk to share only the "hash" from my old wallet with the password recovery service?

I mean the hash obtained using bitcoin2john.py ($bitcoin$<hash>) or ethereum2john.py ($ethereum$s*<hash>) scripts from JtR.

Disclosing my password does not matter, since it is specific and has not been used anywhere else (and will not be).
I don't think sharing the hash only is a risk to the wallet. Because hash is a one-way thing, hashing is a procedure in which a hash is made from the public key because the public key is very long and it takes a lot of storage, not good as size matters, so hashing converts the public key into a hash by hashing.

What is the difference between public key and public key hash. This thread will be of great help to you because I also came to know what's the importance of hash and public key and private key and what's the difference between them. I am sure if you will read some replies, you will know if it's okay to share the hash or not.

I think it's not wise to share the hash to a service you don't trust or don't have good feedback on. I mean, the tool you are using, John the Ripper (jtr) I don't know much about it but the hash is here in the discussion and can be used by the jtr to crack the password.
so, bruteforce same hash using hashcat
Code:
hashcat -m 11300 -a 0 hash.txt wordlist.txt

BTC bc1qxs47ttydl8tmdv8vtygp7dy76lvayz3r6rdahu
Faisal2202
Hero Member
Activity: 1358
Merit: 511
September 14, 2024, 05:38:43 PM
 #11

The scripts are used separately from jtr, they have open source code (python).
The question was whether it was possible to transfer the received "hash" to someone else in order to find the password and not be left without funds.
Hmm, I can't actually answer it because in the first place you are sharing a hash with someone so they could unlock or crack the password for you, and on the other side you are asking if they can crack the password and I, not be left without funds. I mean, if they could crack your password for the wallet by using Hash, that's awesome at one point, but I can't really tell if they will scam you or not. The main question here is should you trust them or not, even if it turns out to be a success or failure.

I think you should avoid sharing hash with anyone else, even if it is a one-way function and no one can really reverse the hash back into the key due to the complexity and many other factors but I'm not a hacker or cracker so I can't really say for sure that they won't open your wallet with Hash because there are ways to crack the wallet and by using Hash it's possible IMO.

CryptoJ0hn (OP)
Newbie
Activity: 12
Merit: 0
September 14, 2024, 06:10:24 PM
 #12

The scripts are used separately from jtr, they have open source code (python).
The question was whether it was possible to transfer the received "hash" to someone else in order to find the password and not be left without funds.
Hmm, I can't actually answer it because in the first place you are sharing a hash with someone so they could unlock or crack the password for you, and on the other side you are asking if they can crack the password and I, not be left without funds. I mean, if they could crack your password for the wallet by using Hash, that's awesome at one point, but I can't really tell if they will scam you or not. The main question here is should you trust them or not, even if it turns out to be a success or failure.

I think you should avoid sharing hash with anyone else, even if it is a one-way function and no one can really reverse the hash back into the key due to the complexity and many other factors but I'm not a hacker or cracker so I can't really say for sure that they won't open your wallet with Hash because there are ways to crack the wallet and by using Hash it's possible IMO.

Just check out the answer above from the Moderator (and not only him):

Quote
The "hash" is the encrypted encryption key, not actually a hash. This key is used only to encrypt the private keys stored in the wallet.dat file. It is not used for private key derivation and there is no relationship between that key and your private keys.

If the service can brute force the password, they will only know the password and have possession of that encryption key. However, unless they have the wallet.dat file itself, there is no risk to funds.

This is also true for Ethereum UTC-Keystore.

Quote
Yes, in both cases, without the wallet.dat and Keystore file, they can’t do anything by obtaining your password cracking the hash.

I just needed confirmation from competent persons that this does not pose a security risk.

So, without the full wallet file, it is impossible to obtain the private key and steal funds.
From the hash obtained from these scripts, you can only check the correctness of the password for this wallet, and that's all.
nc50lc
Legendary
Activity: 2562
Merit: 6240
September 15, 2024, 06:56:07 AM
Merited by Faisal2202 (1)
 #13

Hmm, I can't actually answer it because in the first place you are sharing a hash with someone so they could unlock or crack the password for you, and on the other side you are asking if they can crack the password and I, not be left without funds. I mean, if they could crack your password for the wallet by using Hash, that's awesome at one point, but I can't really tell if they will scam you or not. The main question here is should you trust them or not, even if it turns out to be a success or failure.

I think you should avoid sharing hash with anyone else
It's okay to share the "hash" as long as he keeps the wallet.dat safe offline where it can't be accessed by anyone.

Here's how it works:
  • Your wallet's secrets (e.g.: private keys) are encrypted with a "master key" (mkey) which is generated randomly.
  • That mkey is encrypted with the hash of your wallet's password, then the encrypted mkey is stored in the wallet.dat file together with the information to correctly derive the hash of your possible passwords.
  • Scripts like "bitcoin2john.py" can extract that encrypted mkey and that other info (salt, number of iterations for the password hash) from the wallet.dat file.
  • With that info alone, that encrypted mkey can be decrypted if they can bruteforce the correct password.
    Then it's as the reply above you said: since it's only the mkey that a 'recovery service' can decrypt from the wallet dump, there's no way that they can use it to decrypt the wallet's secrets without having access to the actual wallet.dat file where the secrets it encrypted are saved.

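The layering described in the post above, as an added example that is not code from the thread, from Bitcoin Core or from the JtR scripts: a toy wallet whose secrets are encrypted under a random mkey, with the mkey wrapped under a password-derived key. PBKDF2 and the HMAC-based cipher are stand-ins chosen so it runs on the Python standard library, and every function and field name here is hypothetical.

```python
import hashlib
import hmac
import os

def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from one wrapping key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _xor_stream(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher: HMAC-SHA256 in counter mode (stand-in, not a real wallet cipher).
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(enc_key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def seal(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = _xor_stream(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None when the key is wrong."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return _xor_stream(enc_key, nonce, ct)

def password_key(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def create_wallet(password: str, secrets: list, iterations: int = 2000) -> dict:
    mkey, salt = os.urandom(32), os.urandom(8)
    return {
        "salt": salt,
        "iterations": iterations,
        "enc_mkey": seal(password_key(password, salt, iterations), mkey),
        "enc_secrets": [seal(mkey, s) for s in secrets],  # stays in the wallet file
    }

def extract_hash(wallet: dict) -> dict:
    """The fields a *2john-style extractor hands over: no encrypted secrets."""
    return {k: wallet[k] for k in ("enc_mkey", "salt", "iterations")}

def try_password(extract: dict, candidate: str):
    """Password check possible from the extract alone; returns the mkey or None."""
    kek = password_key(candidate, extract["salt"], extract["iterations"])
    return unseal(kek, extract["enc_mkey"])

def decrypt_secrets(wallet: dict, mkey: bytes) -> list:
    """Needs the wallet file itself, because only it holds enc_secrets."""
    return [unseal(mkey, blob) for blob in wallet["enc_secrets"]]

if __name__ == "__main__":
    # Constructed sample values, not real wallet data.
    wallet = create_wallet("constructed-passphrase", [b"constructed-private-key"])
    shared = extract_hash(wallet)
    print("fields shared:", sorted(shared))
    print("wrong guess ->", try_password(shared, "guess"))
    mkey = try_password(shared, "constructed-passphrase")
    print("right guess recovers mkey:", mkey is not None)
    print("secrets, only with the wallet file:", decrypt_secrets(wallet, mkey))
```

The extract is enough to confirm a password and recover the mkey, but `decrypt_secrets` has nothing to work on unless the caller also holds the wallet dictionary, which is the point the replies make about keeping wallet.dat private.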
Faisal2202
Hero Member
Activity: 1358
Merit: 511
September 15, 2024, 03:32:34 PM
 #14

I just needed confirmation from competent persons that this does not pose a security risk.

So, without the full wallet file, it is impossible to obtain the private key and steal funds.
From the hash obtained from these scripts, you can only check the correctness of the password for this wallet, and that's all.
💔💔 ah competent word was a little harsh why I am feeling it haha. Just kidding bro I know my answers were not up to the standards of what you were seeking because I was being careful with my words I don't want to say something that I don't understand better but I knew there are people here like the ones you mentioned personally to me haha they are competent and you must follow them.

I also learned the same thing that without the dat file, you would face no harm, so chill and share the hash.

Reatim
Sr. Member
Activity: 2982
Merit: 379
September 16, 2024, 09:53:49 AM
 #15

Is it a security risk to share only the "hash" from my old wallet with the password recovery service?
Disclosing my password does not matter, since it is specific and has not been used anywhere else (and will not be).
Yes. There’s always a risk involved even if it’s just the hash that you will be sharing and this password has not been used nor will be used again somewhere else. You need to consider the reputation and reliability of this service.

Even if you’ve only used this password once, the service can still use your password to be able to gain access to other data of yours. It is wise though to not use the same passwords to ensure that even if one wallet or account is compromised, not all of your data will be in danger.

