brain wallet and multi-sig question.

Harley997

sr. member

Activity: 266

Merit: 250

Quote

Belief: If I chose a very guessable brain wallet eg:"bitcoin123" I will probably lose my coins by the end of the day because algo's are regularly testing for simple brain wallets. They do this by trying simple phrases and getting the public key from those simple phrases, and then using a blockchain explorer look fora positive balance. And then spending those coins. True?

Brain wallets are generally very easy to steal from.

A brain wallet of "bitcoin123 would probably not even be allowed by most websites/software that allows you to create brainwallets. If you were able to create a brain wallet with this password then the coins would likely be stolen before you can even check to see if the transaction was propagated throughout the network.

The best advise for brain wallets is to use something that is not found in any piece of literature (including movie scripts, songs, plays) that is in any language. At the very minimum a brain wallet should be at least 12 words that are in somewhat of a random order.

If you would like to see how quickly funds in a brainwallet can be stolen then checkout the following address: 1JwSSubhmg6iPtRjtyqhUYYH7bZg3Lfy1T

shorena

copper member

Activity: 1498

Merit: 1499

No I dont escrow anymore.

Quote from: Beliathon on June 01, 2014, 12:43:15 AM

-snip-
A shitty poem you make up right now, and are 99.999% sure you will never forget, would be a reasonably good password.

If you have to make up a shitty peom anyway, why not generate a private key properly and remember that. For all I care remember it in a form of a peom.

5Horses you Zionist van Queer need From no Xiam Lizardqueen ...

you get the picture.

junshong

full member

Activity: 192

Merit: 100

Hi!

Do not choose any password that is in the dictionary or short, they can be cracked fairly easily.

Beliathon

hero member

Activity: 784

Merit: 1000

https://youtu.be/PZm8TTLR2NU

Use a long password that only you would ever know. Nothing that has ever been written or recorded anywhere, ever.

A shitty poem you wrote as a child, for example, would not be safe because it was once written on paper.

A shitty poem you make up right now, and are 99.999% sure you will never forget, would be a reasonably good password.

DannyHamilton

legendary

Activity: 3388

Merit: 4615

There is no need to use a blockchain explorer.

If I was going to attack brainwallets, I'd generate a list of all possible bitcoin addresses (actually, I'd just use public key hashes instead of actual addresses, but the concept is the same) built from simple brain wallets. Then, I'd create a custom Bitcoin Core wallet. The Bitcoin Core wallet acts as a peer on the network. It receives every transaction as it is being relayed from peers, and re-transmits it to any connected peers that haven't heard of the transaction yet.

For every transaction received, my modified Bitcoin Core would scan the pre-generated list of addresses to see if the transaction was sending to any of them. If I found that any address in the list was receiving bitcoins from the transaction, my custom Bitcoin Core would immediately (and automatically) build and transmit a transaction paying those bitcoins to some other address that ONLY I had.

As for multi-sig, the attacker can pre-generate and scan against a list of possible hashes from multi-sig P2SH. The more signatures that are needed, the more possibilities the attacker will need to generate (just like passphrases with more characters require generating more possibilities).

jonald_fyookball

legendary

Activity: 1302

Merit: 1004

Core dev leaves me neg feedback #abuse #political

Mostly Right but it won't be long before people are running similar password dictionary scripts on multisig addresses so I wouldn't recommend weak passwords even if it's multisig.

successcouncil

newbie

Activity: 46

Merit: 0

First, I believe the following to be true, and it is true, then tell me if you conclusion is correct.

Belief: If I chose a very guessable brain wallet eg:"bitcoin123" I will probably lose my coins by the end of the day because algo's are regularly testing for simple brain wallets. They do this by trying simple phrases and getting the public key from those simple phrases, and then using a blockchain explorer look fora positive balance. And then spending those coins. True?

Conclusion: If I use 3 simple brain wallets to create a 3 of 3 multi sig address, then this will be quite difficult to steal the coins because the "blockchain explorer" step above will will not reveal that this simple brain wallet is part of a multisig wallet? Perhaps the algos could just try to spend a handful of satoshis for combinations of stupid brain wallets.
But it seems having 1 simple brain wallet on a multisig would not be such a terrible idea.

Is this true? thoughts?

Thanks in advance

Topic: brain wallet and multi-sig question. (Read 774 times)