Bitcoin Forum
Author Topic: BIP 038 Bug  (Read 2486 times)
Beliathon
April 25, 2014, 04:17:53 PM
 #21

I didn't write down the exact PW, but wrote down a hint to it.

could this be the problem?
https://www.youtube.com/watch?v=b3_lVSrPB6w

Abdussamad
April 25, 2014, 05:14:40 PM
 #22

No, my brain wallets are much more complex. This was the kind of pw most websites would reject as too simple except for adding the salt. With BIP 38 you need the private encrypted key, so there wasn't the need for a tough pw. I am perplexed and befuddled. I still think it may have been a possible bug in which case I will need help someday.

BIP38 uses scrypt to hash the password. Scrypt ASICs have been out for a few months now and faster devices are released all the time. Soon scrypt hashing will be very fast and someone will be able to brute force your keys for you. In the meantime you would do well to get a notebook and write down everything you remember about your password. The more info you have the better the chances of cracking it.

The existence of ASICs for scrypt-mining has little to no effect on the strength of scrypt as a password-hashing-function. Mining ASICs perform a very specific operation on a very specific input-format and they can't be reconfigured to go password cracking. SHA-256 is being used to hash passwords across the globe, but we haven't seen the Bitcoin miners switch their equipment to crack some passwords. For the simple reason that it is impossible. You'd need a different device for it.

I see. I didn't know that. My mistake.
cbeast (OP)
April 25, 2014, 05:49:13 PM
 #23

You should also use the same OS and browser version
If that were the case, then a lot of people will be surprised one day when their wallets won't open.

cp1
April 25, 2014, 05:52:13 PM
 #24

You should also use the same OS and browser version
If that were the case, then a lot of people will be surprised one day when their wallets won't open.

There actually was a bug for a while where a version of Safari was giving different encryption than every other browser.

cbeast (OP)
May 01, 2014, 06:09:31 AM
 #25

Check out this commit: https://github.com/pointbiz/bitaddress.org/commit/4f11d4fb62eff5421f56b28dc9cbfd332a22a9c4

It implies that you used to be able to make a BIP038 wallet with an empty passphrase. Why don't you try removing the check for an empty passphrase and see if that works.
Thanks for the suggestion. I removed that bit of code, but still got the incorrect passphrase alert when I tried to decrypt. I've spent over 20 hours casually trying to manually brute force my simple pw. It was a keyboard peck type pw similar to qwerty only longer.

jubalix
May 01, 2014, 06:50:53 AM
 #26

This encryption feature should be removed from all software until the bugs are worked out. I created a set of wallets with an easy to remember password in January 2014 and now it doesn't work. I tested the password to decrypt one of the wallets before loading them. Now I cannot recover them. I have a feeling this will be a problem for a lot of people that think their BIP 038 wallets are secure.

Edit:
Win7
Either Chrome, Mozilla, or Explorer (can't recall which I used) but probably Chrome
It was Bitaddress.org saved to my drive either v2.8.1 or 2.5.1 but probably the newer
I didn't write down the exact PW, but wrote down a hint to it.

I hope this isn't a bug and is merely human error. It will be much easier to fix that way.

always make sure you have actual private keys and test them.

DeathAndTaxes
May 01, 2014, 08:16:32 AM
 #27

BIP38 uses scrypt to hash the password. Scrypt ASICs have been out for a few months now and faster devices are released all the time. Soon scrypt hashing will be very fast and someone will be able to brute force your keys for you.

That is completely wrong.

First, Litecoin et al used a crippled version of scrypt making it many orders of magnitude less memory hard. Before the history of Litecoin was revised it was designed to be anti-GPU because GPU farms were going to kill Bitcoin. However it turns out the parameters chosen were "accidentally" too weak and it allowed GPU cache to be used very effectively. BIP38 is designed to actually be memory hard.

Litecoin Scrypt parameters: n = 1024; p = 1; r = 1;
BIP38 Scrypt parameters: n = 16384; p = 8; r = 8;

Still, even if BIP38 used the gimped parameters selected for Litecoin the ASICs would be next to useless. Mining ASICs are heavily optimized to only be effective at mining. They only hash block headers and they internally increment the nonce so that 4 billion hashes are computed for a given partial block header. This makes them beyond useless for password cracking.

BIP38 is the real deal.  Brute forcing is essentially impossible although in the OP case the fact that he may have a partial password means that a permutation attack may be effective but even that really depends on how different the remembered password and actual password are.  If it is a significant deviation it may be infeasible, Scrypt is that tough to crack (except when gimped to create a "CPU only POW which turns out it is GPU capable but turns out that is ok because ASICs are the real threat and ASIC Scrypts will never be possible except they are so it served no purpose except maybe to people who figured out it wasn't as memory hard as claimed early on").



cbeast (OP)
May 01, 2014, 11:57:17 AM
 #28


always make sure you have actual private keys and test them.
I am certain I tested it. The pw wasn't complex. I only wrote a hint because that's all I needed after testing it. We'll see someday if anyone else had this happen. Like I said though I may have been tricked into thinking I verified the pw because the older versions of bitaddress.org will sometimes just randomly pop up a bitcoin key pair. I should have double tested it but who does that? They usually ask you to enter the pw twice when you create them.

QuantumQrack
May 01, 2014, 02:07:05 PM
 #29

http://www.walletrecoveryservices.com/

If the amount is significant to you, give this guy a try.
DeboraMeeks
May 01, 2014, 02:17:53 PM
 #30

Fuck this could be big, i have some btc encrypted that way too.
MegaHustlr
May 01, 2014, 04:12:57 PM
 #31

http://www.walletrecoveryservices.com/

If the amount is significant to you, give this guy a try.

But if it's a problem with the software then that guy can't help.




DeathAndTaxes
May 01, 2014, 05:33:08 PM
 #32

Fuck this could be big, i have some btc encrypted that way too.

Well while I respect cbeast I would say "Exceptional claims require exceptional proof".  So far this hasn't been replicated and thus the most likely explanation is user error.  That doesn't mean it is user error just that it is the most likely.  However it probably would be a good idea to verify your encrypted keys.  The more people that do that the more potential datapoints.

The potential issue however did make me think of a way web services like this could be improved.  Unit testing is a pretty common way to ensure code changes don't introduce bugs.  They usually are done prior to deployment but with browsers being open systems with potential incompatibilities and the fact that javascript is interpreted it might be a good idea for this (and other) projects to do some "inline unit testing" as a form of self check.  When the service loads (maybe just after collecting entropy) it could perform some keypair generation and encryption using known inputs and outputs.  If there is a browser javascript incompatibility that may catch it.  The code takes a known private key X and password P, generates PubKey Y, and encrypted key Z.  The computed Y & Z are compared against the known correct Y & Z.  Depending on execution time it may be possible to run multiple unit tests to provide a level of code coverage.

If nothing else a green "self check = OK" would provide a form of user feedback/assurance. For the paranoid maybe provide an option for a more extensive self check that may take multiple minutes to complete.
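The parameter comparison in #27 and the known-answer self-check proposed in #32 can both be exercised on the scrypt stage of a non-EC BIP38 key. The Python below is an added example, not bitaddress.org's code: it assumes hashlib.scrypt is available (OpenSSL-backed), the address and passphrases are constructed, and the NFC rule comes from the BIP38 draft, not from this thread.

```python
import hashlib
import unicodedata

# The two scrypt parameter sets quoted in the thread.
BIP38_PARAMS = {"n": 16384, "r": 8, "p": 8}
LITECOIN_PARAMS = {"n": 1024, "r": 1, "p": 1}

# Constructed sample address; it only feeds the salt hash, nothing is spent from it.
SAMPLE_ADDRESS = "1ConstructedAddressUsedOnlyAsScryptSalt"

def scrypt_memory_bytes(n: int, r: int, p: int) -> int:
    """RAM that scrypt's ROMix must hold: 128 * r * N bytes. p only multiplies the
    work when the p blocks are computed one after another, so it does not add RAM."""
    return 128 * r * n

def address_hash(address: str) -> bytes:
    """BIP38 salt for non-EC keys: first 4 bytes of SHA256(SHA256(address))."""
    return hashlib.sha256(hashlib.sha256(address.encode("ascii")).digest()).digest()[:4]

def bip38_scrypt(passphrase: str, address: str, params=BIP38_PARAMS, normalize=True) -> bytes:
    """Key-stretching stage of a non-EC BIP38 key: 64 bytes later split into the XOR mask
    (first 32) and the AES-256 key (last 32). The BIP38 draft specifies the passphrase as
    NFC-normalised UTF-8; normalize=False models an implementation that skips that step."""
    if normalize:
        passphrase = unicodedata.normalize("NFC", passphrase)
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=address_hash(address),
                          dklen=64, maxmem=64 * 1024 * 1024, **params)

def self_check(vectors) -> list:
    """Inline known-answer test as proposed in #32: vectors are (passphrase, address,
    expected derived key); returns the indices of the vectors that fail to reproduce."""
    return [i for i, (pw, addr, expected) in enumerate(vectors)
            if bip38_scrypt(pw, addr) != expected]

if __name__ == "__main__":
    for name, params in (("BIP38", BIP38_PARAMS), ("Litecoin", LITECOIN_PARAMS)):
        print(f"{name:9s} N={params['n']:5d} r={params['r']} p={params['p']} "
              f"memory={scrypt_memory_bytes(**params) // 1024} KiB")
    key = bip38_scrypt("caf\u00e9", SAMPLE_ADDRESS)
    print("NFC and NFD spellings agree:", key == bip38_scrypt("cafe\u0301", SAMPLE_ADDRESS))
    print("self-check failures:", self_check([("caf\u00e9", SAMPLE_ADDRESS, key)]))
```

A real deployment would store the expected 64-byte answers alongside the code and run self_check at page load, as #32 suggests, rather than recomputing them on the spot.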
telepatheic
May 01, 2014, 08:32:11 PM
 #33

Just as a sanity check, does your BIP38 address start with 6PR or does it start with 6PY?



cbeast (OP)
May 01, 2014, 08:41:40 PM
 #34

Just as a sanity check, does your BIP38 address start with 6PR or does it start with 6PY?

It starts with a 6Pf

telepatheic
May 01, 2014, 08:59:28 PM
 #35

6Pf is the correct format for bitaddress.org; I was looking at something else.

6Pf means EC-multiplied keys without compression, I will look into the code and see if I can find anything unusual.
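The prefix check telepatheic is doing by eye can be done by decoding the key's Base58Check envelope and reading the magic and flag bytes, which also catches a mistyped or corrupted key before any passphrase is tried. This is an added example, not bitaddress.org's or the BIP38 author's code; the sample keys are constructed from dummy body bytes, so only their headers mean anything.

```python
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(payload: bytes) -> str:
    """Base58Check encoding, the envelope BIP38 shares with addresses and WIF keys."""
    data = payload + _checksum(payload)
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out

def b58check_decode(text: str) -> bytes:
    """Inverse of b58check_encode; raises ValueError on a bad character or checksum."""
    n = 0
    for ch in text:
        n = n * 58 + ALPHABET.index(ch)  # 0, O, I and l are not in the alphabet
    raw = b"\x00" * (len(text) - len(text.lstrip("1"))) + n.to_bytes((n.bit_length() + 7) // 8, "big")
    payload, chk = raw[:-4], raw[-4:]
    if _checksum(payload) != chk:
        raise ValueError("Base58Check checksum mismatch: the key was copied or typed wrongly")
    return payload

def describe_bip38(key: str) -> dict:
    """Sanity-check a BIP38 string and report what its header bytes say about it."""
    payload = b58check_decode(key)
    if len(payload) != 39:
        raise ValueError(f"BIP38 payload must be 39 bytes, got {len(payload)}")
    magic, flag = payload[:2], payload[2]
    if magic == b"\x01\x42":     # non-EC-multiplied: flag 0xC0 (-> 6PR) or 0xE0 (compressed, -> 6PY)
        ec_multiplied = False
        if flag not in (0xC0, 0xE0):
            raise ValueError(f"unexpected flag byte {flag:#04x} for a non-EC key")
    elif magic == b"\x01\x43":   # EC-multiplied: flag 0x00 gives the 6Pf prefix seen in the thread
        ec_multiplied = True
    else:
        raise ValueError("not a BIP38 key: magic bytes are neither 0x0142 nor 0x0143")
    return {"prefix": key[:3], "ec_multiplied": ec_multiplied,
            "compressed": bool(flag & 0x20),
            "lot_sequence": ec_multiplied and bool(flag & 0x04)}

# Constructed envelopes: a 3-byte header plus 36 dummy body bytes, enough to exercise the header logic.
BODY = bytes(range(36))
SAMPLES = {name: b58check_encode(hdr + BODY) for name, hdr in
           {"non_ec": b"\x01\x42\xc0", "non_ec_compressed": b"\x01\x42\xe0", "ec": b"\x01\x43\x00"}.items()}
```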
cbeast (OP)
May 01, 2014, 10:01:17 PM
 #36

6Pf is the correct format for bitaddress.org; I was looking at something else.

6Pf means EC-multiplied keys without compression, I will look into the code and see if I can find anything unusual.
I appreciate that. It just seems impossible I could have erred in such a way while sober.

BittBurger
May 01, 2014, 10:10:17 PM
 #37

cbeast -

Probably totally irrelevant, but I ran into a similar situation with Bitcoin QT.  
Despite copying and pasting (versus manually typing) my private key passphrase every time, from a source document, I woke up one morning to a wallet that was rejecting that passphrase.
I had a lot.  And I mean a lot ... of Bitcoins in that wallet.  It was stored offline.
Different issue, but strange solution.
I went through every single character and tried its inverse.  Like this:
Known and quadruple verified passphrase which was copied and pasted:  

uPjKmN
Tried:
UPjKmN
then...
upjKmN
then...
uPjkmN
then...
uPjKmn

Switching the case of each character each time I re-tried.
and that worked.
It shouldn't have.

Immediately got rid of QT and put all my sh*t on paper wallets.

telepatheic
May 01, 2014, 10:25:54 PM
 #38

I've looked into the code: nothing has changed to it since October, and it seems to be doing the right thing, although I haven't looked at it in very close detail. It works now, so it should have worked when you generated it. The only thing I can really suggest right now is that you send me the BIP38 encoded address and I will see if I can work out if there is anything wrong with it (which is a small possibility).
drrussellshane
May 01, 2014, 10:35:15 PM
 #39

I've looked into the code: nothing has changed to it since October, and it seems to be doing the right thing, although I haven't looked at it in very close detail. It works now, so it should have worked when you generated it. The only thing I can really suggest right now is that you send me the BIP38 encoded address and I will see if I can work out if there is anything wrong with it (which is a small possibility).

Just tell him what it is, telepatheic! ;)

Also, I hope that cbeast recovers his funds, and finds that BIP38 is ok after all. Otherwise, this is pretty bad news.


telepatheic
May 01, 2014, 10:48:05 PM
 #40

BIP38 is still technically a draft. There hasn't been a huge amount of technical discussion about it. Personally I think there are some weird design decisions and it could be made a lot simpler. Unfortunately, it is being used so much in the wild that a change in protocol seems unlikely.