[ANN] Instawallet will we down for a few hours

[davout]

I'd imagine attackers can check bitcoin keys a lot faster than they can try to access instawallets. Short ones will become more vulnerable.

Ah, I was just trying things out and it seems you can't make a new wallet with your own private part anymore? Is that intended?

Yes.

That's part of the security improvements.

[mcorlett]

I'd imagine attackers can check bitcoin keys a lot faster than they can try to access instawallets. Short ones will become more vulnerable.

Ah, I was just trying things out and it seems you can't make a new wallet with your own private part anymore? Is that intended?

Yes.

That's part of the security improvements.

I'm disappointed. At least allow us to do it at our own risk.

[davout]

I'm disappointed. At least allow us to do it at our own risk.

The point is not to protect users against themselves, I hate it when applications try to do that.
The rationale behind it is to protect the backend against malicious input.

That doesn't mean we can't create whatever custom wallet ID you desire for you (and for anyone who requests so) if it makes you happy

[SgtSpike]

I'd imagine attackers can check bitcoin keys a lot faster than they can try to access instawallets. Short ones will become more vulnerable.

Ah, I was just trying things out and it seems you can't make a new wallet with your own private part anymore? Is that intended?

How short are the short ones?

Just make the calculation complex enough to where brute-forcing it would be impossible.

[davout]

Just make the calculation complex enough to where brute-forcing it would be impossible.

Yep, just replace SHA256 by bcrypt in my original idea and we're good to go

[giszmo]

And regarding the discussions about what would happen in the case Instawallet's service was to be discontinued here's what we would do :

• A notice would be posted a long time in advance,
• We would generate a private key for each account, in a publicly documented way, using the wallet URL as seed,
• We'd compute the public key from the private key,
• We'd compute the address from the public key,
• We'd send the balance to this generated address,
• And that's it!

Now all you'd need to regain control of your coins is to follow the steps using your wallet key, you'll get a private key you can import into any client, or into any service.

Even a user without any technical knowledge could use a third-party service that could perform these steps given a wallet URL, for a fee obviously, but in perfect market conditions, therefore the fee would always be as competitive as possible.

Thoughts ?

That's smart.

It is very smart and only possible with bitcoin. You can go offline without people loosing access to their coins

I think this is the most noble of all possible solutions. With your solution coins people forgot will really be lost (until computers can brute force those by then weak keys). I guess I would have a problem seeing lost coins and count on x% never asking back their money. Most likely you could even get an insurance for that x% risk.

[FreeMoney]

I'd imagine attackers can check bitcoin keys a lot faster than they can try to access instawallets. Short ones will become more vulnerable.

Ah, I was just trying things out and it seems you can't make a new wallet with your own private part anymore? Is that intended?

How short are the short ones?

Just make the calculation complex enough to where brute-forcing it would be impossible.

You used to be able to make them 1 character even.

[SgtSpike]

I'd imagine attackers can check bitcoin keys a lot faster than they can try to access instawallets. Short ones will become more vulnerable.

Ah, I was just trying things out and it seems you can't make a new wallet with your own private part anymore? Is that intended?

How short are the short ones?

Just make the calculation complex enough to where brute-forcing it would be impossible.

You used to be able to make them 1 character even.

Oh, yeah, that would be a problem indeed.

[davout]

Oh, yeah, that would be a problem indeed.

Previously these strings were passed as account names to the bitcoin client.
And I think it's wiser not to trust the JSON-RPC API to properly sanitize everything in every possible edge case.