Reminds me of attacks people were running on 'brainwallets' a while back - i.e. wallets whose initial key material was just a passphrase you'd remember. The idea was that you could keep the passphrase stored nowhere and not have to worry about it being stolen by... well, any of the 10,000 things out there looking for cryptocurrency keys. Of course, there is no way in hell you can actually make the human brain store enough entropy perfectly, and once people realized that these wallets were crackable, they all got drained pretty quick.
Owning Bitcoin is like paying into an involuntary bug bounty program. Every time someone finds a bug, your life savings get wiped out.
> By examining 300 billion candidate passwords, we found 884 brain wallets that were active at some point in time. Unfortunately, we also found that nearly all were drained – usually quickly. While our findings are necessarily incomplete, they certainly suggest that brain wallets are not a secure method for using bitcoin. Perhaps the most surprising result of our analysis is the relative scarcity of brain wallets in use today. This is actually quite encouraging, because it means that fewer users are at risk to these attacks than has previously been supposed.
I don’t think that logic holds up.
It’s pretty much an entire paper of FUD.
And no, anyone with 400,000 ETH who claims they used a brain wallet, and oopsie... someone stole it, is having a boating accident, if you know what I mean.
Someone used the passphrase "how much wood could a woodchuck chuck if a woodchuck could chuck wood" to store 250 BTC. I personally drained it by mistake, then tracked down the owner, via the pool he'd mined it from.
I'm a co-author of that paper, we later got funding to do a larger cracking run and found more wallets, and even some that still had balances. See slide 18:
Feeding a massive corpus of reddit comments and six years of IRC logs into the cracking tool was particularly interesting.
> And no, anyone with 400,000 ETH who claims they used a brain wallet, and oopsie... someone stole it, is having a boating accident, if you know what I mean.
It was about 40,000. The password was "guybrush", and I spoke to the guy who made it. He didn't understand how the tool worked when he made an address. Much later, the Ethereum foundation sent him the ETH. It was gone by the time he went to spend it. Dude put out a press release offering to let whoever did it keep half if they gave back the other half. The ETH hasn't moved since the day it was stolen, almost eight years ago.
I assure you, the guy made a genuine fucky wucky.
If I'd gone blackhat with this research, I could be retired to a volcano lair on a private island by now.
That sounds exactly like a well acted boating accident.
My angle is that simple brain wallets that use a combination of a memorable phrase with some individual information, like the user’s name, birthdate, address and a 4 digit PIN, used as salt, are then extremely secure. And your paper and the original comment I responded to don’t emphasize that it’s the user’s use of such a system that makes them vulnerable, not the foundation of the technique of brainwallets.
Basically you’re blaming the car for the drivers not understanding how to drive and immediately crashing.
And you're blaming the victim for not understanding things that were never explained to them until after they were already pwned.
The correct way to handle this would be for brainwallet software to generate and provide the user with a high-entropy passphrase rather than asking for the user to provide one. Failing that, it could at least reject very-low-entropy passwords (e.g. impose a minimum 20 character limit).
But even then we're band-aiding the underlying problem, which is that decentralization[0] and finance go together about as well as twizzlers and guacamole. Transaction reversibility is a feature, not a bug, and there's no trustworthy way to implement that sort of thing in a decentralized finance system. Absent a way to dispute fraudulent transactions the only way to avoid your money becoming everyone's money is to overcompensate on preventative measures: i.e. insanely long passphrases stored on hardware keys in lockboxes buried under a garden birdbath.
And sure, yes, we can point and laugh at the credit card industry for treating primary account numbers printed on the front of the card as secure tokens, taking decades to adopt EMV cards in the US, charging horrible swipe and chargeback fees to businesses, and so on. However, there is a reason why, a decade and a half in, people use credit cards and not Bitcoin. Credit cards actually function as a payment mechanism and you are less likely to be defrauded using them.
[0] I additionally dispute the idea that any cryptocurrency system is actually decentralized. The need to agree on the validity and order of transactions necessarily requires one individual or institution actually decide the rules everyone else, with unanimity, agrees upon. Operation of the network is nominally decentralized but the need for security against transaction reordering in the face of no strong identity being available means that practically, it is centralized.
We've seen this with the 'scaling wars' of Bitcoin. Two groups of shadowy puppetmasters - developers and miners - duked it out over absurdly stupid technical arguments regarding how to scale Bitcoin.
> don’t emphasize that it’s the user’s use of such a system that makes them vulnerable, not the foundation of the technique of brainwallets.
That's because it is the foundation of the technique that makes them vulnerable. They are an "attractive nuisance". A system must be evaluated based on "typical use", not "perfect use".
You come across as a social Darwinist who would be happy for all the warning labels to be removed from everything and all safety regulations repealed. The world you advocate for would be an awful dystopia. You have nothing to say I haven't heard before.
I think this more applied to you. You actually invested time to write a paper about brainwallets because some people don’t understand or know how to use them properly. The paper is not logical, if it was then a small POC I know about is all of them, which obviously it isn’t, you can’t find serious people’s brainwallets, they would be salted in a way that it’s hopeless to crack.
You claim brainwallets are fundamentally unsafe, which honestly is total nonsense if you understand them and how they work.
I’m gonna guess you’re a ban Bitcoin type because it’s… wrong or whatever.
FUD!! and you know it if you actually took time to read the post.
> I could find the passwords for 17.956 of the addresses.
* Only 2 addresses of the hacked brainwallets are currently not empty, and the total money that I could actually steal is 0.00115215 BTC.
> Somebody seems to have systematically flooded the blockchain with transaction to brainwallets. E.g. this transaction: https://blockchain.info/tx/ba421da33e5f85669d9312b804e22fa4c...
It seems that each target address is actually a brainwallet and alphabetically ordered. The passwords for the first 3 addresses are Hollister, hollowing,
Nobody’s real brain wallets are being hacked! It’s just leftover traces from someone running some testing in the early days of bitcoin.
This one says 17K wallets … oopsie, all empty and obviously programmatically generated! i.e. not used for real.
The other paper found 800!! supposedly… all empty.
A well designed brainwallet is perfectly fine and safe, just don’t use a sequential phrase from known sources and modify the words you do. Obviously.
> Nobody’s real brain wallets are being hacked! It’s just leftover traces from someone running some testing in the early days of bitcoin.
I've talked to a LOT of real people whose real brainwallets were hacked. Certainly there is also some 'testing', but that doesn't change the fact that there have been real and substantial losses.
Brainwallets are very dangerous.
A brainwallet is the same thing as using a user provided password to secure a high value system that has an unsalted and public password hash database. This is a negligent practice. In the corporate world it wouldn't be shocking to learn that a security engineer was instantly fired for implementing such a practice.
Good security advice results in practical security even if the user uses the system less than perfectly. Attacker-originated security "advice" provides security only under unrealistic perfect use. Telling people to use brainwallets is like recommending one-time-pad encryption. In practice the security will be fragile if not outright broken, though in theory it may go okay sometimes.
Correct usage would require secure mechanically generated uniformly random seed phrases with a hundred plus bits of entropy. That isn't generally what people do in practice and the few who have often have issues with retention of the string being inevitably very poor, causing them to lose the funds by forgetting (esp after getting a fever). (Of course, if they're going to write it down and they didn't generate it themselves then it's not something anyone should be calling a brainwallet anymore.)
> A well designed brainwallet is perfectly fine and safe
Especially if the brainwallet adds a salt, which is maybe the problem that the previous poster was referring to. Brainwallets that don't add a salt are definitely a risk.
This was one of the best uses of GPUs 10 years ago; people still have those instances running just in case people use “obscure” common phrases from books again instead of mnemonics.
It's more like anyone that thought they were clever got swept. There aren't statistics, just threads on bitcointalk and reddit.
The person who originated the practice and created the first "brainwallet" site did exactly what you're doing: insisted that it was secure, and insisted that people who lost their funds deserved it. Are you also doing what he did, stealing the funds of the deserving victims yourself?
Eventually taking the weak brainwallets he talked people into creating wasn't enough: He lost his bitcoin (I think via gambling but maybe an exchange hack), whined he was broke for a while, and whined that not many people were making hackable brainwallets, then added a more explicit vulnerability to the site. He vanished after it was caught.
You only need a phrase of twelve words from a 2048 word dictionary to have 128 bits of entropy. Twelve words is up to "Thy kingdom" in the Lord's Prayer, so certainly people are able to memorize twelve word phrases or even 24 word phrases without too much trouble.
And English is a lot more than 2048 words - so you could probably use a shorter phrase and still be fine.
The thing about the Lord's Prayer doesn't really follow. If you use a grammatically correct and semantically commonplace 12 word sequence like that, you surely don't have 128 bits of entropy. But the ease of memorization comes almost entirely from those attributes!
To get 128 bits of entropy with words, you need to pick about thirteen out of a million words--which is on the order of all the words in the English language--and give all of them equal probability. The sequence needs to be fully random as well. What you end up with will surely be easier to memorize than a UUID, but substantially more difficult than the start of the Lord's Prayer.
EDIT: Math is wrong, I was thinking 10 bits per million instead of 20. So 6-7 words out of a million (whole language) or 13 words out of a thousand (very limited subset of the language). Point about random selection still stands, but it's certainly easier than 13 very uncommon words. Still much harder than a realistic sentence of that length, though.
Probably much higher than you suspect. Making password haikus is an obvious idea which has been suggested many times before.
I'm sure that even with a great statistical model of password haikus (say an LLM) yours would still be one in a billion which still seems unlikely, but a cracking cluster can try billions per second.
In these cases it's very easy to have security that depends on the odds that a powerful attacker just hasn't gotten around to seriously trying the broad class of predictable generation schemes you've used.
Don't confuse key length with entropy. A properly-scaled PBKDF remains secure with as little as 48 bits or so. Needless to say, though, a 32 bit time value is hardly a properly designed key derivation input.
That’s excellent! I had the same idea, which I completed a few weeks ago in Python, trying to write it with the standard library and have it be easily auditable. You can check it out here if you want:
I use these passwords all the time. However, you should keep in mind the text in the comic:
> (Plausible attack on a weak remote web service. Yes, cracking a stolen hash is faster, but it's not what the average user should worry about.)
This is almost a sound assumption for most web services[1]. However, this is Bitcoin. The only thing the attacker has is your hash. And you're using a payments system which economically incentivizes the creation of ever-larger systems for brute-forcing hashes. The network's hash power as a whole is estimated to be around 331 exahashes per second, so 68 bits of entropy would take one second to crack.
Correct horse battery staple would be cracked in fractions of a second by the full network. Eight common words would take 12 days. If we go further to 12 words, then we do get reasonable levels of security, but I'm assuming hashrates stay constant forever which is a bad assumption. And 12 word passphrases will already be about as much of a pain to remember as the 'password policy compliant' passwords xkcd was railing against.
[1] The most likely attack is actually credential-stuffing, not brute-force. xkcd is assuming you already use separate passwords.
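Working through the arithmetic from the posts above (twelve words from a 2048-word list, the 331 exahash/s figure, the "how many words out of a million" correction, and the earlier suggestion that wallet software should generate the phrase itself and reject weak user-supplied ones) as an added example that is not from any poster in this thread. The wordlist is a constructed 2048-token stand-in, the hash rate is the thread's figure, and the function names are my own.

```python
import math
import secrets

# Constructed stand-in for a real 2048-word list (BIP39 size); the tokens
# are meaningless, only the list size matters for the arithmetic below.
TOY_WORDLIST = [f"word{i:04d}" for i in range(2048)]

# Network-wide hash rate quoted in the thread, in hashes per second.
NETWORK_HASHRATE = 331e18


def passphrase_entropy_bits(n_words, list_size=2048):
    """Entropy of n words drawn uniformly and independently from a list.
    This is the ceiling: a phrase the user composed (a sentence, a lyric)
    has far less, because its words are neither uniform nor independent."""
    return n_words * math.log2(list_size)


def words_needed(target_bits, list_size):
    """Uniformly chosen words required to reach target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def expected_crack_seconds(bits, hashrate=NETWORK_HASHRATE):
    """Seconds to exhaust a 2**bits keyspace at the given hash rate.
    Worst case for the attacker; the expected time is half of this."""
    return 2.0 ** bits / hashrate


def generate_passphrase(n_words, wordlist=TOY_WORDLIST):
    """Wallet-side generation with a CSPRNG, so the user never chooses it."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def accept_passphrase(phrase, wordlist=TOY_WORDLIST, min_bits=128):
    """Floor check for a user-supplied phrase: every word must come from the
    list and the uniform-choice entropy must reach min_bits. It cannot tell
    a memorable sentence built from list words apart from a random draw,
    which is why generation, not validation, is the safer design."""
    words = phrase.split()
    allowed = set(wordlist)
    if not words or any(w not in allowed for w in words):
        return False
    return passphrase_entropy_bits(len(words), len(wordlist)) >= min_bits
```

At the thread's hash rate a 68-bit keyspace falls in under a second and an 88-bit one (eight words) in about eleven days, while 132 bits (twelve words) is beyond any realistic horizon.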
Related: The password hashes for the xkcd forums actually did leak and it turned out most people's passwords were "correct horse battery staple".
No, not four random words. I mean the literal text "correct horse battery staple".
> However, this is Bitcoin. The only thing the attacker has is your hash.
You're doing exactly the "confusing entropy with key length" thing I was mentioning above.
That's not the situation at hand. The entropy in question is the private key generation, it's not related to any SHA256 hash in the protocol. But you're right, if you were trying to generate symmetric keys using a 48 bit password expanded using SHA256 as a PBKDF that would be a disaster. But no software is doing that[1]. All you need to do is pull a key derivation function off the shelf and use it with recommended parameters. Really these have been stable, even bcrypt is still very solid.
Your question was essentially "can a human being remember enough entropy to secure a bitcoin wallet". And the answer is absolutely yes.
Encrypting your hard drive is like paying into an involuntary bug bounty program. Every time someone finds a bug, your nudes get posted to the internet.