Bitcoin Forum
Author Topic: (!) Armory Brain Wallet  (Read 4759 times)
btchris
a.k.a. gurnec on GitHub
October 09, 2014, 07:36:47 PM
 #21

And since "Two beer, or bottle of wine? That is the question of my silly brain." is (almost) grammatically correct and uses sensible punctuation, it has much lower entropy than one would expect.  I *think* it is barely out of reach of a brute force search, but honestly I have no clue.

I agree it seems like a nice long passphrase, but this is exactly the problem.

We humans (myself included of course) are really bad at estimating how much entropy something has by just looking at it, and we're just as bad creating things with lots of entropy using only our brains. If it turns out the passphrase was in fact good enough, you'll know in 10 or 20 years because your key was never stolen. If, on the other hand, you were wrong, your bitcoin could disappear at any time between now and then.

If you're that worried about losing your paper backups, you can be nearly as paranoid as you want, e.g. print a 2-of-6 backup, and store them all in safety deposit boxes at different banks. (or how about just a standard/1-of-1 backup that you tattoo to a, uh, private area of your body? that should be hard to lose and, depending on your profession, hard to get stolen too :) )
spin
October 10, 2014, 09:06:44 AM
 #22

It's
And since "Two beer, or bottle of wine? That is the question of my silly brain." is (almost) grammatically correct and uses sensible punctuation, it has much lower entropy than one would expect.  I *think* it is barely out of reach of a brute force search, but honestly I have no clue.

I agree it seems like a nice long passphrase, but this is exactly the problem.


Exactly, this has far less entropy than the same number of random (i.e. computer chosen) words from a long words list.  How much less is not clear.  
(Of course given that it's now a sentence on a bitcoin related site, using it now would be suicide!)



Newar
October 10, 2014, 03:56:59 PM
 #23

[...] 
(Of course given that it's now a sentence on a bitcoin related site, using it now would be suicide!)

Yeah, why bruteforce when you can wordlist? http://arstechnica.com/security/2013/10/how-the-bible-and-youtube-are-fueling-the-next-frontier-of-password-cracking/



[....]
I *think* it is barely out of reach of a brute force search, but honestly I have no clue.

https://dl.dropboxusercontent.com/u/209/zxcvbn/test/index.html gives an entropy of 194 bits.

OTC rating | GPG keyid 1DC91318EE785FDE | Gliph: lightning bicycle tree music | Mycelium, a swift & secure Bitcoin client for Android | LocalBitcoins
btchris
October 10, 2014, 05:07:51 PM
 #24

[...] 
(Of course given that it's now a sentence on a bitcoin related site, using it now would be suicide!)

Yeah, why bruteforce when you can wordlist? http://arstechnica.com/security/2013/10/how-the-bible-and-youtube-are-fueling-the-next-frontier-of-password-cracking/



[....]
I *think* it is barely out of reach of a brute force search, but honestly I have no clue.

https://dl.dropboxusercontent.com/u/209/zxcvbn/test/index.html gives an entropy of 194 bits.


I do believe that in suggesting that (or any) entropy estimation tool, you just contradicted yourself...

Entropy estimation tools such as the one mentioned can provide, at best, an upper bounds estimate, and therefore provide a false sense of security. They assume password crackers only use particular predetermined techniques when generating password guesses, however crackers are forever improving their techniques (furthermore these techniques are not necessarily public knowledge).

The (nice, thanks for that) article you pointed to exactly demonstrates this. I took the first "difficult" password mentioned in the article (which has been successfully cracked using the described techniques), and plugged it into the estimation tool, and got this:

Code:
password:              Am i ever gonna see your face again?
entropy:               100.857
crack time (seconds):  1.1482519836189682e+26
crack time (display):  centuries
score from 0 to 4:     4
calculation time (ms): 7

It seems awfully unlikely that the article's authors were able to crack a password with 101 bits of entropy, hence the estimate is a bad one. So, just to reiterate: estimating entropy is really hard...
CircusPeanut
October 10, 2014, 06:43:55 PM
 #25


Hypothetically speaking (I am absolutely not suggesting that anyone is doing this now) if I was a hacker it seems like a good way to steal bitcoins would be to write a little program, probably like the javascript above, but something faster, that for each pass phrase in those lists, generates an Armory wallet and checks the first 20 or so addresses for any bitcoins. Just let the program run in the background and then get on the forums and talk up generating a Bitcoin Armory brain wallet.


I use a shuffled deck of cards myself. Peel off the first 40 cards to generate my root key. Then 3 of 6 fragmented backup, test them out a few times on my offline device, and store them in separate places. Then I use my brain wallet pass phrase to protect my offline armory wallet. Good to go.
btchris
October 10, 2014, 07:13:57 PM
 #26

Hypothetically speaking (I am absolutely not suggesting that anyone is doing this now) if I was a hacker it seems like a good way to steal bitcoins would be to write a little program, probably like the javascript above, but something faster, that for each pass phrase in those lists, generate an Armory wallet, check the first 20 or so addresses for any bitcoins.

People already do it for other brain wallets, so I don't see why it would be any different for Armory brain wallets.

I use a shuffled deck of cards myself. Peel off the first 40 cards to generate my root key. Then 3 of 6 fragmented backup, test them out a few times on my offline device, and store them in separate places. Then I use my brain wallet pass phrase to protect my offline armory wallet. Good to go.

That sounds pretty good to me. Since it's no longer a brain wallet, there's no reason to call it a "brain wallet pass phrase", right?
CircusPeanut
October 10, 2014, 09:49:41 PM
 #27

...Then I use my brain wallet pass phrase to protect my offline armory wallet....

That sounds pretty good to me. Since it's no longer a brain wallet, there's no reason to call it a "brain wallet pass phrase", right?

I meant that instead of using my brain wallet pass phrase to generate the wallet, I would use the pass phrase as the password for protecting the wallet file. So, yeah, I guess at that point it's just a pass phrase.
Newar
October 11, 2014, 02:50:58 PM
 #28

I do believe that in suggesting that (or any) entropy estimation tool, you just contradicted yourself...

Entropy estimation tools such as the one mentioned can provide, at best, an upper bounds estimate, and therefore provide a false sense of security. They assume password crackers only use particular predetermined techniques when generating password guesses, however crackers are forever improving their techniques (furthermore these techniques are not necessarily public knowledge).


The developer of the tool writes a bit about entropy estimation in this blog post, which may be of interest to you: https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-strength-estimation/ (scroll down about a third of the page)



The (nice, thanks for that) article you pointed to exactly demonstrates this. I took the first "difficult" password mentioned in the article (which has been successfully cracked using the described techniques), and plugged it into the estimation tool, and got this:

Code:
password:              Am i ever gonna see your face again?
entropy:               100.857
crack time (seconds):  1.1482519836189682e+26
crack time (display):  centuries
score from 0 to 4:     4
calculation time (ms): 7

It seems awfully unlikely that the article's authors were able to crack a password with 101 bits of entropy, hence the estimate is a bad one. So, just to reiterate: estimating entropy is really hard...

Of course, anything you can find on google (using quotation marks around the search term), you don't need to bother putting it in that tool. Contrary to other "password check" tools, zxcvbn at least makes mention of that by showing "pattern: dictionary".

btchris
October 11, 2014, 04:44:40 PM
 #29

The developer of the tool writes a bit about entropy estimation in this blog post, which may be of interest to you: https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-strength-estimation/ (scroll down about a third of the page)

That's a great article, thanks.

Of course, anything you can find on google (using quotation marks around the search term), you don't need to bother putting it in that tool. Contrary to other "password check" tools, zxcvbn at least makes mention of that by showing "pattern: dictionary".

Good points. I hope you're not suggesting that you should type your brainwallet into google to check its password strength....  ;)
Newar
October 11, 2014, 06:57:01 PM
 #30

[...]
Good points. I hope you're not suggesting that you should type your brainwallet into google to check its password strength....  ;)

Lol, no.

This brings back the memories of instawallet and the way bitcoin addresses were leaked to the Google search index via Chrome. It made these addresses real easy to find.

https://bitcointalk.org/index.php?topic=164143.msg1719541#msg1719541

etotheipi
Core Armory Developer
October 13, 2014, 05:47:50 AM
 #31

By the way, it's fairly established that the English language has 0.8 to 1.2 bits per letter.   Rather, grammatically correct, properly spelled English has approximately one-eighth the amount of entropy as its length.  So the phrase you picked as an example has 68 letters, so between 54 and 81 bits of entropy.  This is somewhat strong, but on the low-end, still brute-forceable.

Root keys should never be generated with less than 128 bits of entropy.  That is both a reasonable, forever-secure value, and also the approximate protection level of a 256-bit ECDSA private key (ECDSA private keys have about half the security of their length).

Even if you're holding $100, 54 bits of entropy is really quite terrible considering that an attacker can brute-force all brainwallets in the world with the same brute-force search.   You can improve it with some solid passphrase stretching, but for any significant amounts of money no one should even be taking this risk.

Founder and CEO of Armory Technologies, Inc.
Armory Bitcoin Wallet: Bringing cold storage to the average user!
Only use Armory software signed by the Armory Offline Signing Key (0x98832223)

CircusPeanut
July 08, 2015, 07:54:52 PM
 #32

Here's another great article on why Brain Wallets are insecure:

http://www.wired.com/2015/07/brainflayer-password-cracker-steals-bitcoins-brain/

All you really need to know is that every hacker that is attacking a bitcoin brain wallet, is attacking your bitcoin brain wallet...if you have one, so don't have one.
Searinox
July 10, 2015, 04:15:06 PM
 #33

If you absolutely MUST use a brain wallet, why not make something that takes Armory's master key and provides multiple methods of representing it as easily memorizable words or phrases? You at least keep Armory's crypto-securely-generated master key. You don't make it any less of a risk to forget it, but it's a step up at least.
timz
July 10, 2015, 06:01:25 PM
 #34

If you absolutely MUST use a brain wallet, why not make something that takes Armory's master key and provides multiple methods of representing it as easily memorizable words or phrases? You at least keep Armory's crypto-securely-generated master key. You don't make it any less of a risk to forget it, but it's a step up at least.
The main reason: Armory's master key is generated by Armory's algorithm. If the algorithm is compromised, or the initial conditions for key generation are picked up, then your coins will be at stake. In addition, I think it is not easy to find (and remember) a phrase for an existing key.
I just like the idea that you may use your favorite phrase to restore the wallet anywhere, anytime. Just select a strong passphrase. In addition, you may create a fragmented paper backup if you like.

TimS
July 11, 2015, 02:10:46 AM
 #35

The main reason: Armory's master key is generated by Armory's algorithm. If the algorithm is compromised, or the initial conditions for key generation are picked up, then your coins will be at stake. In addition, I think it is not easy to find (and remember) a phrase for an existing key.
I just like the idea that you may use your favorite phrase to restore the wallet anywhere, anytime. Just select a strong passphrase. In addition, you may create a fragmented paper backup if you like.
1. You're underestimating the security of Armory's random number generator. The non-technical version is that computers and algorithms are actually pretty great at generating a limited number of securely random bits. For more details, read this comment in the source code (it captures a lot of info about your mouse clicks, key presses, system files, and a screenshot of your desktop for extra entropy).
2. You can generate a phrase for any given key/number following grammatical structure pretty easily, even if it might not make perfect semantic sense (but that's okay, it doesn't need to be sensical, just memorable).
3. You're overestimating the security of a person thinking up a "strong passphrase". This is what everyone in this thread has been trying to tell you. Bottom line: If your brain came up with it, it's bad! (not 100% of the time, but often enough that that's the advice I'll give you)

If you want to memorize your Armory key, what I'd recommend is making an algorithm that can convert between the easy base 16 format and a passphrase format. There should be a one-to-one-to-one correspondence between valid 128-bit keys, valid 128-bit base 16 encodings, and valid 128-bit passphrases.
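
The converter described in post #35, sketched as an added example (not code from the thread or from Armory): every 16-byte key maps to exactly one 8-word phrase and back, so the phrase is only an encoding of 128 machine-generated bits and never a source of entropy. The syllable alphabet and all function names are assumptions constructed for this illustration.

```python
import re
import secrets

# Constructed alphabet (an assumption of this example): 16 onsets x 16 rhymes
# = 256 syllables, so one syllable encodes exactly one byte. The optional
# finals n/r/s are never onsets, which makes parsing a word unambiguous.
ONSETS = "bcdfghjklmptvwyz"
RHYMES = [v + f for v in "aeio" for f in ("", "n", "r", "s")]
SYLLABLES = [o + r for o in ONSETS for r in RHYMES]   # list index == byte value
DECODE = {s: i for i, s in enumerate(SYLLABLES)}
SYLLABLE_RE = re.compile(r"[bcdfghjklmptvwyz][aeio][nrs]?")


def new_key() -> bytes:
    """128 bits from the OS CSPRNG; the phrase below adds and removes nothing."""
    return secrets.token_bytes(16)


def key_to_phrase(key: bytes) -> str:
    """Encode a 16-byte key as 8 pseudo-words of two syllables each."""
    if len(key) != 16:
        raise ValueError("expected a 128-bit (16-byte) key")
    syl = [SYLLABLES[b] for b in key]
    return " ".join(syl[i] + syl[i + 1] for i in range(0, 16, 2))


def phrase_to_key(phrase: str) -> bytes:
    """Inverse of key_to_phrase; rejects anything that is not a valid phrase."""
    words = phrase.split()
    if len(words) != 8:
        raise ValueError("expected exactly 8 words")
    out = bytearray()
    for word in words:
        parts = SYLLABLE_RE.findall(word)
        # A valid word is exactly two syllables with no leftover characters.
        if len(parts) != 2 or "".join(parts) != word:
            raise ValueError(f"not a valid word: {word!r}")
        out.extend(DECODE[p] for p in parts)
    return bytes(out)


def hex_to_phrase(hex_key: str) -> str:
    """Base-16 form -> phrase form."""
    return key_to_phrase(bytes.fromhex(hex_key))


def phrase_to_hex(phrase: str) -> str:
    """Phrase form -> base-16 form."""
    return phrase_to_key(phrase).hex()
```

Because the mapping is a bijection, a mistyped or half-remembered word is rejected rather than silently decoding to a different key.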