Bitcoin Forum
December 11, 2016, 12:10:21 PM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: « 1 2 [3] 4 5 »  All
  Print  
Author Topic: Brain Wallet standardization  (Read 14407 times)
flipperfish
Sr. Member
****
Offline Offline

Activity: 312


Dolphie Selfie


View Profile
July 31, 2012, 01:13:35 PM
 #41

You are right, I thought only of entropy of single characters. What i meant was: Entropy of single characters is not everything.
Nevertheless, it maybe easy to remember 4 words, but to reach entropy levels of 128+ bits you would have to remember at least 12 words (assuming an alphabet of 2000 words). Remembering 12 words (randomly chosen, without grammar) is far more difficult.

Maybe instead of using 10000 rounds of SHA256 it would be better to use something like scrypt, to slow down the attack.
1481458221
Hero Member
*
Offline Offline

Posts: 1481458221

View Profile Personal Message (Offline)

Ignore
1481458221
Reply with quote  #2

1481458221
Report to moderator
1481458221
Hero Member
*
Offline Offline

Posts: 1481458221

View Profile Personal Message (Offline)

Ignore
1481458221
Reply with quote  #2

1481458221
Report to moderator
1481458221
Hero Member
*
Offline Offline

Posts: 1481458221

View Profile Personal Message (Offline)

Ignore
1481458221
Reply with quote  #2

1481458221
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1481458221
Hero Member
*
Offline Offline

Posts: 1481458221

View Profile Personal Message (Offline)

Ignore
1481458221
Reply with quote  #2

1481458221
Report to moderator
1481458221
Hero Member
*
Offline Offline

Posts: 1481458221

View Profile Personal Message (Offline)

Ignore
1481458221
Reply with quote  #2

1481458221
Report to moderator
1481458221
Hero Member
*
Offline Offline

Posts: 1481458221

View Profile Personal Message (Offline)

Ignore
1481458221
Reply with quote  #2

1481458221
Report to moderator
DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218


Gerald Davis


View Profile
July 31, 2012, 01:34:34 PM
 #42

agreed however even a 6,000 word list has pretty common words.  Increases the size of the word list decreases the number of words required for a given strength.  I would also point out that key hardening can be used.  Most passwords have only 30 bits of entropy. 

60 bits of entropy in a 6,000 word list requires 5 words.    Using a chained iterative function (like PBKDF2) one can make it computationally in-feasible to brute force that 60 bit passphrase.  The downside (yes there is no free lunch) is the need to use salt to prevent precomputation attacks.  This will have to be recorded by the user.  Remember salt isn't a secret so it doesn't need to be safeguarded (use could email it to himself, print a copy and put it in a safe, put it in his drop box, and leave it in plaintext on his computer) but it does need to be recorded.

nevafuse
Sr. Member
****
Offline Offline

Activity: 248


View Profile
July 31, 2012, 01:36:28 PM
 #43

One good little piece of standardization I'm seeing that has developed is that both brainwallet.org and bitaddress.org use SHA256(passphrase) for their single address generation. Now we just could use some standardization for the deterministic wallet idea. I really don't like how Electrum won't let you make your own passphrase.

I haven't tried importing private keys into bitcoind(-qt) yet, but its pretty easy to sha256sum a phrase & feed it into brainwallet or bitaddress to get the private & public keys.  There's also a few transaction makers out there that will even give you the raw transaction (most only support sending the full balance tho - be careful or you might end up giving the miner a huge fee).  Now I just need to figure out how to send that transaction out.  I think bitcoind(-qt) is working on it since I saw they have a sendrawtransaction method.  I also heard electrum will do it.  I think blockchain will send it for a fee.  Then you don't even ever have to import or create a wallet & the private key can be stored on an offline computer the whole time.

The only reason to limit the block size is to subsidize non-Bitcoin currencies
Ente
Legendary
*
Offline Offline

Activity: 1834



View Profile
July 31, 2012, 04:10:07 PM
 #44

One good little piece of standardization I'm seeing that has developed is that both brainwallet.org and bitaddress.org use SHA256(passphrase) for their single address generation. Now we just could use some standardization for the deterministic wallet idea. I really don't like how Electrum won't let you make your own passphrase.

I haven't tried importing private keys into bitcoind(-qt) yet, but its pretty easy to sha256sum a phrase & feed it into brainwallet or bitaddress to get the private & public keys.  There's also a few transaction makers out there that will even give you the raw transaction (most only support sending the full balance tho - be careful or you might end up giving the miner a huge fee).  Now I just need to figure out how to send that transaction out.  I think bitcoind(-qt) is working on it since I saw they have a sendrawtransaction method.  I also heard electrum will do it.  I think blockchain will send it for a fee.  Then you don't even ever have to import or create a wallet & the private key can be stored on an offline computer the whole time.

All that stuff is bread&butter of Armory! :-)

Ente
mb300sd
Legendary
*
Offline Offline

Activity: 1232

Drunk Posts


View Profile WWW
July 31, 2012, 04:18:16 PM
 #45

My approach:

PrivKey1: sha256 x5 "my long passphrase"
PrivKey2: sha256 x6 "my long passphrase"
PrivKey3: sha256 x7 "my long passphrase"
PrivKey4: sha256 x8 "my long passphrase"
etc.

I might forget that I started at x5 at some point, but it doesn't matter much.

This is probably a bad solution, because as soon as sha256 x5 "passphrase" is known to the attacker, he gains knowledge of the other private keys, too.


Didn't think about that, but not too worried. I only use this for a cold storage/long term savings wallet that I don't plan on spending from any time soon, and the passphrase was hashed and bitcoind addresses generated on a livecd. I'll probably switch to this approach some day.


PrivKey1: sha256("my long passphrase1")
PrivKey2: sha256("my long passphrase2")
PrivKey3: sha256("my long passphrase3")
PrivKey4: sha256("my long passphrase4")

anything wrong with that?

1D7FJWRzeKa4SLmTznd3JpeNU13L1ErEco
Topazan
Sr. Member
****
Offline Offline

Activity: 354


View Profile
August 01, 2012, 12:42:50 AM
 #46

My approach:

PrivKey1: sha256 x5 "my long passphrase"
PrivKey2: sha256 x6 "my long passphrase"
PrivKey3: sha256 x7 "my long passphrase"
PrivKey4: sha256 x8 "my long passphrase"
etc.

I might forget that I started at x5 at some point, but it doesn't matter much.
This sounds pretty good.  I might use a variant on that at one point.

To address the criticism that using one passphrase means the whole wallet is lost once the passphrase is gained, there's no reason you can't have multiple passphrases.  It seems to me that any deterministic wallet generation scheme is vulnerable if the seed is compromised.

Is there a tool that can be used offline that generates a public key from a sha256?  Preferably in javascript or shell script?

Save the last bitcoin for me!
mb300sd
Legendary
*
Offline Offline

Activity: 1232

Drunk Posts


View Profile WWW
August 01, 2012, 12:47:35 AM
 #47

My approach:

PrivKey1: sha256 x5 "my long passphrase"
PrivKey2: sha256 x6 "my long passphrase"
PrivKey3: sha256 x7 "my long passphrase"
PrivKey4: sha256 x8 "my long passphrase"
etc.

I might forget that I started at x5 at some point, but it doesn't matter much.
This sounds pretty good.  I might use a variant on that at one point.

To address the criticism that using one passphrase means the whole wallet is lost once the passphrase is gained, there's no reason you can't have multiple passphrases.  It seems to me that any deterministic wallet generation scheme is vulnerable if the seed is compromised.

Is there a tool that can be used offline that generates a public key from a sha256?  Preferably in javascript or shell script?

Bitaddress.org

1D7FJWRzeKa4SLmTznd3JpeNU13L1ErEco
paraipan
Legendary
*
Offline Offline

Activity: 924


Firstbits: 1pirata


View Profile WWW
August 01, 2012, 12:58:38 AM
 #48

My approach:

PrivKey1: sha256 x5 "my long passphrase"
PrivKey2: sha256 x6 "my long passphrase"
PrivKey3: sha256 x7 "my long passphrase"
PrivKey4: sha256 x8 "my long passphrase"
etc.

I might forget that I started at x5 at some point, but it doesn't matter much.
This sounds pretty good.  I might use a variant on that at one point.

To address the criticism that using one passphrase means the whole wallet is lost once the passphrase is gained, there's no reason you can't have multiple passphrases.  It seems to me that any deterministic wallet generation scheme is vulnerable if the seed is compromised.

Is there a tool that can be used offline that generates a public key from a sha256?  Preferably in javascript or shell script?

You have the javascript from bitaddress.org available, offline if you save the page to your pc


The Bitcoin-Address-Utility
https://github.com/casascius/Bitcoin-Address-Utility


Or Casascius-compatible address tool for Android
https://bitcointalk.org/index.php?topic=86128
http://codinginmysleep.com/apps/
https://play.google.com/store/apps/details?id=com.CIMS.BitcoinAddress


BTCitcoin: An Idea Worth Saving - Q&A with bitcoins on rugatu.com - Check my rep
molecular
Donator
Legendary
*
Offline Offline

Activity: 2142



View Profile
August 01, 2012, 09:30:20 AM
 #49

My approach:

PrivKey1: sha256 x5 "my long passphrase"
PrivKey2: sha256 x6 "my long passphrase"
PrivKey3: sha256 x7 "my long passphrase"
PrivKey4: sha256 x8 "my long passphrase"
etc.

I might forget that I started at x5 at some point, but it doesn't matter much.
This sounds pretty good.  I might use a variant on that at one point.

To address the criticism that using one passphrase means the whole wallet is lost once the passphrase is gained, there's no reason you can't have multiple passphrases.  It seems to me that any deterministic wallet generation scheme is vulnerable if the seed is compromised.

Is there a tool that can be used offline that generates a public key from a sha256?  Preferably in javascript or shell script?

check out the strongcoin offline tx stuff, which is in js.

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769
anu
Legendary
*
Offline Offline

Activity: 938


P2P Everything


View Profile WWW
August 01, 2012, 10:32:46 AM
 #50

Btw.: Entropy is not everything. If you generate your password from many words, which occur in a dictionary and the attacker knows that, all the entropy of single characters is worthless, because the attacker can guess your password with a wordlist.

BTW entropy is everything you are just calculating it wrong.   If the passphrases comes from a dictionary list (and the person designing it will ASSSUME the attacker knows it) the entropy is (words in list)^(number of words)

i.e. if you have a word list of 5,000 words and generate a passphrase which consists of 10 of them randomly it would have

5000^10 ~= 2^122 or 122 bits of entropy.  (that assumes selection with replacement, too lazy to did the more common selection w/o replacement).

Why are people so obsessed with dictionary attacks. It's so easy add something into the passphrase which is not in a dictionary. Just missspell a word. If you speak a local dialect, use some words from that. I doubt it is easy to run a dictionary attack on a passphrase containing bits of Bavarian, Southern Thai or Islay Gaelic.

Zero Reserve - A distributed Bitcoin Exchange

Install - Getting Started - BitcoinTalk Thread - Github Source
cbeast
Donator
Legendary
*
Offline Offline

Activity: 1722

Let's talk governance, lipstick, and pigs.


View Profile
August 01, 2012, 01:15:01 PM
 #51

Why are people so obsessed with dictionary attacks. It's so easy add something into the passphrase which is not in a dictionary. Just missspell a word. If you speak a local dialect, use some words from that. I doubt it is easy to run a dictionary attack on a passphrase containing bits of Bavarian, Southern Thai or Islay Gaelic.
Or Igpay Atinlay  Grin

Any significantly advanced cryptocurrency is indistinguishable from Ponzi Tulips.
pointbiz
Sr. Member
****
Offline Offline

Activity: 426

1ninja


View Profile
August 02, 2012, 02:35:39 AM
 #52

The Brain Wallet tab on bitaddress.org v1.6 uses SHA256(passphrase) as the algorithm.

I've kept it simple for the reason others have stated:
SHA256(SHA256("a")) is easier to brute force than SHA256("a2")

I'd like to make a FAQ with advise on choosing a good passphrase. But I don't know what IS the best advice. There are two threats that can cause loss of bitcoins with respect to Brain Wallets.
1) Hacker brute forcing the passphrase
2) Forgetting the passphrase

Does anyone have good advise?

I acknowledge what gmaxwell and others have said about the challenge of choosing a passphrase with sufficient entropy. However, there are valid use cases for Brain Wallets and I received bounties and requests for these features.

Coder of: https://www.bitaddress.org      Thread
Open Source JavaScript Client-Side Bitcoin Wallet Generator
Donations: 1NiNja1bUmhSoTXozBRBEtR8LeF9TGbZBN   PGP
DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218


Gerald Davis


View Profile
August 02, 2012, 03:25:33 AM
 #53

Why are people so obsessed with dictionary attacks. It's so easy add something into the passphrase which is not in a dictionary. Just missspell a word. If you speak a local dialect, use some words from that. I doubt it is easy to run a dictionary attack on a passphrase containing bits of Bavarian, Southern Thai or Islay Gaelic.

I think you misunderstand.   When we talk about dictionary attack we aren't talking about Webster's English dictionary.  We are talking about lists of passwords which have been collected over the years via a variety of methods (stolen password list, old brute forced password hash tables, major hacks, social engineering, keyloggers, phishing sites, etc).  I would provide some links but not sure if the mods would approve.  A password cracker will use a database of 2 to 14 million passwords which includes misspellings, brands/names, slang, common substitutions (p@ssword), prefixes/suffixes (password123).
anu
Legendary
*
Offline Offline

Activity: 938


P2P Everything


View Profile WWW
August 02, 2012, 08:49:49 AM
 #54

Why are people so obsessed with dictionary attacks. It's so easy add something into the passphrase which is not in a dictionary. Just missspell a word. If you speak a local dialect, use some words from that. I doubt it is easy to run a dictionary attack on a passphrase containing bits of Bavarian, Southern Thai or Islay Gaelic.

I think you misunderstand.   When we talk about dictionary attack we aren't talking about Webster's English dictionary.  We are talking about lists of passwords which have been collected over the years via a variety of methods (stolen password list, old brute forced password hash tables, major hacks, social engineering, keyloggers, phishing sites, etc).  I would provide some links but not sure if the mods would approve.  A password cracker will use a database of 2 to 14 million passwords which includes misspellings, brands/names, slang, common substitutions (p@ssword), prefixes/suffixes (password123).

14 Million is not nearly enough to cover even a few languages. I think your 14 million words pw cracker will not even crack something as ridiculously trivial as
"Casascius says: `vires in numer1s`"

Now do the  sha256 * YYMMDD hash of that to make it a bit of a computational challenge. (YYMMDD) being a date of significance for you.

Zero Reserve - A distributed Bitcoin Exchange

Install - Getting Started - BitcoinTalk Thread - Github Source
anu
Legendary
*
Offline Offline

Activity: 938


P2P Everything


View Profile WWW
August 02, 2012, 09:13:41 AM
 #55

Now do the  sha256 * YYMMDD hash of that to make it a bit of a computational challenge. (YYMMDD) being a date of significance for you.

In fact I think something like this is the best protection of even weak pass phrases: Going through an unknown, but very large number of re-hashes.

Zero Reserve - A distributed Bitcoin Exchange

Install - Getting Started - BitcoinTalk Thread - Github Source
molecular
Donator
Legendary
*
Offline Offline

Activity: 2142



View Profile
August 02, 2012, 09:24:59 AM
 #56

like trying to misuse a secret salt to add entropy, I think using multiple rounds of sha is just an excuse for (fear of) low entropy in the passphrase.

Just put enough entropy into your passphrase and all is good. Easiest way to do it: make it very long. Even a gramatically valid sentence constructed from 10 webster dictionary words wont be bruteforced easily (1E5^10 = 1E50). Even if the cracker uses grammar rules (unlikely), I bet there's still 1E40 gramatically valid sentences with 10 webster words.

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769
anu
Legendary
*
Offline Offline

Activity: 938


P2P Everything


View Profile WWW
August 02, 2012, 09:55:33 AM
 #57

like trying to misuse a secret salt to add entropy, I think using multiple rounds of sha is just an excuse for (fear of) low entropy in the passphrase.

The moment you put something personal into the passphrase, an attack that can crack your passphrase becomes an attack on *your passphrase exclusively*. Unless you have a very well funded brain wallet, the whole cracking enterprise is no longer economical. [EDIT:] using many rounds of hashing plus conditionals after each round pulls the teeth of SIMD & friends to an extend.

But I think a passphrase should not only be long, it should also force the attacker to use a vast dictionary of many Billion entries to even have a chance to crack it. I think most dictionary attacks completely loose their teeth if you mix languages like ລາວ, 中文, ไทย, or even Ελληνικά, particularly if the passphrase contains local slang in these languages.

So if everyone just makes good use of their native language this only leaves those out in the rain who speak only English. Fine.

Zero Reserve - A distributed Bitcoin Exchange

Install - Getting Started - BitcoinTalk Thread - Github Source
paraipan
Legendary
*
Offline Offline

Activity: 924


Firstbits: 1pirata


View Profile WWW
August 02, 2012, 11:08:39 AM
 #58

like trying to misuse a secret salt to add entropy, I think using multiple rounds of sha is just an excuse for (fear of) low entropy in the passphrase.

The moment you put something personal into the passphrase, an attack that can crack your passphrase becomes an attack on *your passphrase exclusively*. Unless you have a very well funded brain wallet, the whole cracking enterprise is no longer economical. [EDIT:] using many rounds of hashing plus conditionals after each round pulls the teeth of SIMD & friends to an extend.

But I think a passphrase should not only be long, it should also force the attacker to use a vast dictionary of many Billion entries to even have a chance to crack it. I think most dictionary attacks completely loose their teeth if you mix languages like ລາວ, 中文, ไทย, or even Ελληνικά, particularly if the passphrase contains local slang in these languages.

So if everyone just makes good use of their native language this only leaves those out in the rain who speak only English. Fine.

+1 totally agree to this, using local slang with my passwords since 2000

BTCitcoin: An Idea Worth Saving - Q&A with bitcoins on rugatu.com - Check my rep
anu
Legendary
*
Offline Offline

Activity: 938


P2P Everything


View Profile WWW
August 02, 2012, 11:34:50 AM
 #59

Just downloaded some of these dreaded dictionaries. None of them would crack "Vires in Numeris",  even. Even if you use the very first sentence of a piece of world literature like:

"Uns ist in alten Mæren wunders vil geseit
von Helden lobebæren, von grôzer arebeit"

you're safe. Seems like dictionary designers have no knowledge that other languages exist.

Zero Reserve - A distributed Bitcoin Exchange

Install - Getting Started - BitcoinTalk Thread - Github Source
Pieter Wuille
Legendary
*
Offline Offline

Activity: 1036


View Profile WWW
August 02, 2012, 12:26:50 PM
 #60

I'm not sure you're looking at the same dictionary that "professional" password crackers use.

From the many password database leaks that have already happened in the past, there are known passwords of over 10 random-looking characters that have been cracked, presumably just from the leaked SHA hash. I don't have an example myself, but please don't just assume that because you can't crack something yourself, nobody can. Everyone is smart enough to devise a system he can't crack himself. Realize that the bitcoin network itself has done almost 2^70 SHA256 operations already, enough to traverse the entire space of up-to-11 characters alphanumeric passwords.

If you're really creating a wallet based on a passphrase, do the math. A word chosen randomly from a 5000-word dictionary provides 12 bits of entropy. Say you include randomly some words from one other language, given that there are 500 other languages and dialects, gives you 13*n+9 bits of entropy. I wouldn't advise using less than 128 bits to create a wallet, so that'd mean 9 words if you include foreign ones, or 10 if you don't. Please note that this calculation is assuming random words, and not existing text.


aka sipa, core dev team

Tips and donations: 1KwDYMJMS4xq3ZEWYfdBRwYG2fHwhZsipa
Pages: « 1 2 [3] 4 5 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!