Bitcoin - how long does it take to change a wallet password?

[gamebak]

Well can anyone tell me how long it will take to change a password from code ?

I will do some math and see with what i can come thru

[1715074891]

1715074891

[1715074891]

1715074891

[1715074891]

1715074891

[1715074891]

1715074891

[1715074891]

1715074891

[muqali]

I'm not sure what you're asking. With the bitcoin-qt client it'd take as long as it does to type your old password and new password twice. Given that mine is quite long and I need to look at my "reminder" sheet in my wallet to remember it all, it takes a minute or two. If your password is 1234 like the password on planet Druidia, not long.

If you mean change it via C or C++ code, I've no idea. I'd imagine not long, the client is open source. Pull the relevant parts and have a look see.

edit - or do you mean to crack a password? You mention using math to figure it out.

[gamebak]

yeah i was thinking about the math aspects of how long will take to crack some passwords. Because an attack could be given at any time, and if the password isn't well secured and long enough there's a big chance of getting into the account in no time, just by a bruteforece attack.

[silentseawolf]

there are password strength estimators and articles on how to make a strong password all over the web.  Google is your friend.

[tjb0607]

there are password strength estimators and articles on how to make a strong password all over the web.  Google is your friend.

Don't trust any random strong password test. I would make sure it's an https connection, and even then, try switching out a few letters and numbers just to make sure. I know Microsoft has a really simple one.

edit - or you could download software from a page like this http://www.passwordmeter.com/
if you really want to be extra cautious you can disconnect your Internet while using it.

Edit 2 - this one's cool. I'd make sure it's at least a few thousand years because the website looks pretty dated. http://lastbit.com/pswcalc.asp

[gamebak]

Guys maybe you didn't got my point, i know how to secure my password, but what i am interested in is how much it takes for a password to be changed from c/c++ for the wallet.

Because it's very possible that someone could break into your account if he's rig is powerfull enough, just by bruteforce.
Imagine a pool where all that imense power is gathered just for a bruteforce into 1 account, i doubt it will take so much time.

Just by using some simple math you could end up with few possible passwords:
This is just an example.
Let's say there are 54(a-zA-Z) + 12(!@#$%^&*?><_) [I know those aren't all of them] possible keywords in that password.
Then the password could contain any of those 64 possible keywords.

The math indicates that there are: n!/ (n-k)! total number of passwords.
n=64 (total ammount of keyowrds)
k=maximum length of the password

Let's take now the averege case, password length=6
we will have 64!/58! = 59 * 60 * 61 * 62 * 63 * 64 = 53.981.544.960 combinations

It seems big, but how much will take to crack ?
An averege a pool has over 500G/sec, wich is 500.000.000.000 per second (so it will crack that password in less than a second), the question remains how long does it take for a wallet to change that password?


This was just an example(i am sure not all the calculations were done right), but i hope you can see my point, and understand why there is such a big concern to the security of this thing.

[RaTTuS]

your thinking wrong
if he can get onto your machine then he can install a keylogger and get the password as fast as you type it.

[Foxpup]

your thinking wrong
if he can get onto your machine then he can install a keylogger and get the password as fast as you type it.

That depends on what you mean by "get onto your machine". It's much harder to install a keylogger than it is to just read files. Installing a hardware keylogger requires physical access to the machine, and a software keylogger requires direct access to the keyboard driver, which requires administrator privileges on any sane operating system (though if you're in the habit of giving admin privileges to any random program that asks for it, you're screwed).

[realnowhereman]

and a software keylogger requires direct access to the keyboard driver, which requires administrator privileges on any sane operating system

No it doesn't.

To access the actual keyboard, maybe.  But you only want the key events for a key logger; and that certainly doesn't need admin access.  If it did then how would what you were typing ever make it to the application?

Have you ever seen virtual keyboard apps?  Or accessibility helpers?  Both of those get at the keyboard without any difficulty.

[Foxpup]

and a software keylogger requires direct access to the keyboard driver, which requires administrator privileges on any sane operating system

No it doesn't.

To access the actual keyboard, maybe.  But you only want the key events for a key logger; and that certainly doesn't need admin access.  If it did then how would what you were typing ever make it to the application?

Key events can only be received by whichever application has keyboard focus. They cannot be accessed by other programs without admin privileges.

Have you ever seen virtual keyboard apps?  Or accessibility helpers?  Both of those get at the keyboard without any difficulty.

Sending key events and receiving those sent to other programs are two different things. The latter is not normally possible under any sane operating system. If you're asking about the possibility that such programs might log their own input, then yes, this is possible, but entering passwords directly into another application is kinda dumb.

[memvola]

The math indicates that there are: n!/ (n-k)! total number of passwords.
n=64 (total ammount of keyowrds)
k=maximum length of the password

Let's take now the averege case, password length=6

Nope, there are n^k is the total number, since you can use the same symbol twice more than once. And a 6 letter passwords won't protect you.

If you have a casual 10 character password using a 64 symbol set, it would give you 10¹⁸ possibilities to be forced. It would be safer to pick out of 95 symbols though, and for instance, my password length is 16.

I think what you mean by "change the password from code" is the decryption of the master key and checking its validity. That's actually a good question. I think the dynamic number of rounds mentioned here is to address exactly that, but I don't know the actual trade-off values.

[realnowhereman]

and a software keylogger requires direct access to the keyboard driver, which requires administrator privileges on any sane operating system

No it doesn't.

To access the actual keyboard, maybe.  But you only want the key events for a key logger; and that certainly doesn't need admin access.  If it did then how would what you were typing ever make it to the application?

Key events can only be received by whichever application has keyboard focus. They cannot be accessed by other programs without admin privileges.

I'm sorry, but that just is not true.  In Linux, for example, the window manager, a separate app, can pick up key presses like "Alt-F4" before the app to close the window -- any it doesn't want it simply forwards.  At the extreme end on UNIX you could just catch every byte sent to the X window control socket (which is owned by the user, not root).  But you could also make one giant transparent window that receives everything and simply passes it through to whatever app underneath the keylogger wants.

Have you ever seen virtual keyboard apps?  Or accessibility helpers?  Both of those get at the keyboard without any difficulty.

Sending key events and receiving those sent to other programs are two different things. The latter is not normally possible under any sane operating system. If you're asking about the possibility that such programs might log their own input, then yes, this is possible, but entering passwords directly into another application is kinda dumb.

That's why I mentioned two classes of program.  Virtual keyboard apps can send; and accessibility helpers can capture keys (slow modifiers is a common one).  Combine those facilities in one application.