
Topic: (Almost sure)brainwallet.org stole 22BTC from me - page 4. (Read 7163 times)

legendary
Activity: 1092
Merit: 1001
I have generated most of my wallets through brainwallet.org. But the address that got hacked was the only one that I used to create a transaction via brainwallet. I don't remember my passphrase since I was just smashing my keyboard writing random characters for about 10-15 seconds, it must have been at least 50 (though I think it was more than 100) random nonsense characters. I then just copy the addresses and private keys to a notepad and forget the passphrase forever. I am almost sure it has nothing to do with the passphrase.

I think that if what you are saying is true, then it is possible that brainwallet.org was a scam site all along and was storing people's passphrases.
Brainwallet.org then used the "brainwallet cracker presentation" as an excuse to shut down, steal all users' BTC, and cover their tracks.
They can just claim now that someone has used the cracker program and your passphrase wasn't safe enough.

For the record, any user making brainwallets, make sure you create them on offline computers if you are using any sites' source code.
legendary
Activity: 1302
Merit: 1004
Core dev leaves me neg feedback #abuse #political
I have generated most of my wallets through brainwallet.org. But the address that got hacked was the only one that I used to create a transaction via brainwallet. I don't remember my passphrase since I was just smashing my keyboard writing random characters for about 10-15 seconds, it must have been at least 50 (though I think it was more than 100) random nonsense characters. I then just copy the addresses and private keys to a notepad and forget the passphrase forever. I am almost sure it has nothing to do with the passphrase.

they could be scraping or using weak rng...and maybe some fancy elliptic curve calculation where they can determine your curve points once the transaction is made.

i think serious cold storage efforts should involve rolling physical dice.
full member
Activity: 179
Merit: 100
I've seen someone crack a 120+ character salted hash in a couple of hours..
That one seems totally fake.
legendary
Activity: 1302
Merit: 1004
Core dev leaves me neg feedback #abuse #political
This is still the biggest hindrance to bitcoin getting mass recognition.

It is far too unsafe to store any real wealth in for the average person.

If people use weak passwords then you can say goodbye to the money in your online banking too. People need to really step up their game with security and 2-factor is a must at minimum.

No.

weak passwords are less dangerous in banking since 1. they cannot be brute forced easily (my bank will lock me out after only THREE bad attempts) 2. fraudulent transactions are often recoverable.

With Bitcoin, extreme brute forcing is possible.  almost no limits on this, which is why super strong supercomputer-resistant passwords are a must...and there is little to zero recourse if you do get breached.

2fa is applicable to third party services which shouldn't be used anyway for big amounts.
brand new
Activity: 0
Merit: 10
Why are people using brainwallet to store their Bitcoin? That's one of the most stupid things I've ever heard.
legendary
Activity: 1302
Merit: 1004
Core dev leaves me neg feedback #abuse #political
It is far too unsafe to store any real wealth in for the average person.

I'm an average person. I've been using Bitcoin for over 4 years now. I've never lost a single coin.

All it takes is some responsibility. I learned enough (common sense really) to realize that private keys were the "key" to security. After that, it's child's play.

Create secure private keys offline, keep them offline, and your bitcoins will be quite secure.

Learn a little bit about Shamir's secret sharing and you will have an asset that is more secure than any traditional asset known to man.

Data is easy to copy, so do it!

There is reliable, open source software which will accomplish all your bitcoin security needs without any additional education (beyond the basics I just mentioned) for the user.

So... I'll rephrase your post as follows: It is far too unsafe to store any real wealth in for the irresponsible, ignorant, unmotivated person. As it should be.

To be realistic, no you're not average.  You're quite bright.  On the other hand, the average person may be reasonably responsible, but is relatively ignorant and unmotivated.   Sad but true.
legendary
Activity: 1512
Merit: 1028
Brainwallet itself is javascript that is in itself pretty innocuous, however it started with piss poor hash-your-passphrase that let many dummies lose their money. Then it also had a very poor random number implementation for generating non "brain" addresses that had to be pointed out to the author. It earned a "not to ever be taken seriously" badge-of-honor almost immediately.

The real danger is when you put it up on the web where the interface or code can be hacked and replaced with anything without the end user knowing. Putting a keygen on the web should never have been done, besides that the addresses and privkeys are also traveling to you through an unsecure pipe and you are getting added to the webserver's logs.


I have some Python code linked in my signature that does just one thing - make you a single good offline bitcoin address that doesn't rely on a user's idea of a secure brain-phrase. I've only advocated that you run it from a live cd, verify the program's hash posted here (would require hacking me in two very different ways to falsify), and unplug from the internet before you generate keys - maybe even unplug your hard drives first just to be idiot-proof.
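
Added example, not part of the thread and not the Python script the post above links to: a sketch contrasting the "hash-your-passphrase" brainwallet key with keys taken from the operating system CSPRNG or from physical dice, as suggested earlier in the thread. It assumes the classic brainwallet derivation is a single unsalted SHA-256 of the passphrase; the function names, the 100-roll minimum and the sample inputs are choices made for this illustration.

```python
import hashlib
import math
import secrets

# Order of the secp256k1 group: a valid private key k satisfies 1 <= k < N.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def brainwallet_key(passphrase: str) -> int:
    """Assumed classic scheme: one unsalted SHA-256 of the passphrase.

    Deterministic and fast to compute, so the key is only as strong as the
    passphrase is hard to guess.
    """
    digest = hashlib.sha256(passphrase.encode("utf-8")).digest()
    return int.from_bytes(digest, "big")


def csprng_key() -> int:
    """Key drawn uniformly from [1, N-1] using the operating system CSPRNG."""
    return secrets.randbelow(N - 1) + 1


def dice_key(rolls: str) -> int:
    """Key from fair six-sided dice; rolls is a string of the digits 1-6."""
    if not rolls or any(c not in "123456" for c in rolls):
        raise ValueError("rolls must contain only the digits 1-6")
    bits = len(rolls) * math.log2(6)  # about 2.585 bits per roll
    if bits < 256:
        raise ValueError(f"{bits:.1f} bits of entropy; 100 rolls are needed")
    k = int.from_bytes(hashlib.sha256(rolls.encode("ascii")).digest(), "big")
    if not 1 <= k < N:  # astronomically unlikely, but checked anyway
        raise ValueError("hash fell outside the valid key range; roll again")
    return k


if __name__ == "__main__":
    # Constructed inputs for illustration only; never reuse them for real funds.
    print(f"brainwallet: {brainwallet_key('correct horse battery staple'):064x}")
    print(f"csprng:      {csprng_key():064x}")
    print(f"dice:        {dice_key('123456' * 17):064x}")
```

The same passphrase always yields the same brainwallet key, while the CSPRNG and dice paths carry at least 256 bits of entropy that no passphrase list can reproduce.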
hero member
Activity: 882
Merit: 1005
I have generated most of my wallets through brainwallet.org. But the address that got hacked was the only one that I used to create a transaction via brainwallet. I don't remember my passphrase since I was just smashing my keyboard writing random characters for about 10-15 seconds, it must have been at least 50 (though I think it was more than 100) random nonsense characters. I then just copy the addresses and private keys to a notepad and forget the passphrase forever. I am almost sure it has nothing to do with the passphrase.

Smashing your hand on your keyboard isn't really that random, there are patterns that can be predicted. It is very possible somebody cracked your key, as mentioned in this thread new brainwallet cracking software has recently come out and many people are trying lots of different password lists and keyboard patterns etc. It is possible that the brainwallet.org code was changed and the owner stole the BTC that way (another reason brainwallets are so dumb) but nobody has presented any proof of that. Password cracking techniques are quite advanced, pretty much anything you come up with that you think is random can be predicted. I am always shocked by the kinds of passwords people are able to crack, just because it's long and looks random doesn't mean it is uncrackable at all, I've seen someone crack a 120+ character salted hash in a couple of hours..
full member
Activity: 179
Merit: 100
I have generated most of my wallets through brainwallet.org. But the address that got hacked was the only one that I used to create a transaction via brainwallet. I don't remember my passphrase since I was just smashing my keyboard writing random characters for about 10-15 seconds, it must have been at least 50 (though I think it was more than 100) random nonsense characters. I then just copy the addresses and private keys to a notepad and forget the passphrase forever. I am almost sure it has nothing to do with the passphrase.

Maybe someone accessed that notepad with all your keys?
Anyway, I never trusted anything but Bitcoin Core, too paranoid to get on the other stuff until some years from now when everything is more tested and proven.
I don't think he did that because there were (and still are) private keys with even more BTC.
legendary
Activity: 1372
Merit: 1250
I have generated most of my wallets through brainwallet.org. But the address that got hacked was the only one that I used to create a transaction via brainwallet. I don't remember my passphrase since I was just smashing my keyboard writing random characters for about 10-15 seconds, it must have been at least 50 (though I think it was more than 100) random nonsense characters. I then just copy the addresses and private keys to a notepad and forget the passphrase forever. I am almost sure it has nothing to do with the passphrase.

Maybe someone accessed that notepad with all your keys?
Anyway, I never trusted anything but Bitcoin Core, too paranoid to get on the other stuff until some years from now when everything is more tested and proven.
sr. member
Activity: 354
Merit: 250
This is still the biggest hindrance to bitcoin getting mass recognition.

It is far too unsafe to store any real wealth in for the average person.

If people use weak passwords then you can say goodbye to the money in your online banking too. People need to really step up their game with security and 2-factor is a must at minimum.
full member
Activity: 179
Merit: 100
I have generated most of my wallets through brainwallet.org. But the address that got hacked was the only one that I used to create a transaction via brainwallet. I don't remember my passphrase since I was just smashing my keyboard writing random characters for about 10-15 seconds, it must have been at least 50 (though I think it was more than 100) random nonsense characters. I then just copy the addresses and private keys to a notepad and forget the passphrase forever. I am almost sure it has nothing to do with the passphrase.
legendary
Activity: 1148
Merit: 1011
In Satoshi I Trust
member
Activity: 112
Merit: 10
No Risk No Fun
I feel sorry for you. Maybe it's impossible to take back those bitcoins, that stealer could exchange those btcs into real money, so keep patient and be careful in the next time
legendary
Activity: 1946
Merit: 1007
See this as well:
    
"Why I'm releasing a brainwallet cracker at DEFCON 23"
https://bitcointalksearch.org/topic/why-im-releasing-a-brainwallet-cracker-at-defcon-23-1147035


OP, in light of the above link, it is possible that your "phrases" were not complex enough.

How about the brainwallets created by electrum? Or is the method they use secure enough compared to where people can choose their own "random" brainwallet?
legendary
Activity: 1442
Merit: 1014
Ouch 22 BTC is really no small loss. Hope OP that this hadn't been your complete holdings. Always makes me sad reading threads like this and I feel sorry for OP. Will follow the discussion on reddit about brainwallet. Really bad news.
legendary
Activity: 1148
Merit: 1011
In Satoshi I Trust
It is far too unsafe to store any real wealth in for the average person.

I'm an average person. I've been using Bitcoin for over 4 years now. I've never lost a single coin.

All it takes is some responsibility. I learned enough (common sense really) to realize that private keys were the "key" to security.

Average Joe won't do that.

Like it or not, we will have bitcoin banks (we already have Coinbase etc but that is just the beginning.)



@ Dire

everyone's Brainwallet. the user is the problem.
full member
Activity: 166
Merit: 100
never heard of brain wallet but it's possible this guy just lost the coins and is using this as a sympathy bait for handouts
member
Activity: 112
Merit: 10
Crypto-Games.net: DICE and SLOT
Is there any way to know the total funds gone from the whole Brainwallet site? Or is this just one instance? Because if it's everyone's Brainwallet then that's just terrible. A big heist in fact.

Is that what this is?
legendary
Activity: 2296
Merit: 1014

This could be likely, however I just tried loading https://brainwallet.org and it just loads two words: 'Closed Permanently'

Who knows what's happening, but being closed permanently sounds like brainwallet.org is done.

It should have been closed permanently a long time ago. It was scam written all over it :/
So dangerous way to use secure bitcoin