Topic: Brain Wallet hacked, suspect bitcoin talk hackers. (Read 5564 times)

1) Never use passwords that are "easy to remember" for you - no matter how complicate they seem.
2) Always use long, complicated random-generated passwords (or even better: dice-ware passphrases)
3) NEVER re-use passwords or passphrases or any combination of them.

Just follow strictly these 3 very simple guidelines and you will be safe.

I don't think we need to rip on the OP anymore.  He has shared with us a good tale of why going to extreme lenghts to protect your wealth is a wise idea. 

If you're reasonably fluent in more than one language (i.e. can remember words in it), you can push that up a bit, e.g. ~116 bit for 8 words instead of ~103 with one language list alone. Language selection needs to be randomized as well though.

An 8 word Diceware password contains 96 bits of entropy. This should be enough to thwart brute forcing attempts for several more decades but personally, I'd go for something a bit higher just to be on the safe side. It wasn't too long ago that 5 word passwords were supposed to be "good enough" but advancements in processing power now mean that this is no longer true:


Link: http://arstechnica.com/information-technology/2014/03/diceware-passwords-now-need-six-random-words-to-thwart-hackers/

Both Electrum seeds and Casascius coin addresses have 128 bits of entropy (equivalent to a 10 word Diceware password) and they've been holding out pretty well so far. An fresh address generated by Bitcoin Core contains 160 bits of entropy (about 4 billion times stronger than 128 bits). To get the same level of security for a brainwallet, you will need a 13 word Diceware password.

Brainwallet is just so convenient: say goodbye to constant backups and having to carry a trezor/usb/whatever, say hi to HD wallets and privacy and accessible wallet everywhere.

Of course, security is an issue, Andreas has addressed this before. So I would use brainwallet only for small amounts of BTC that you want to have accessible everywhere, never for your main amount.

Yes, I did my back-of-the-napkin calculations based on the speed of an approach using rainbow tables, without knowing whether that attack would work on what they actually got from the btctalk hack.

That said, the point I wanted to make remains the same: passwords consisting of (systematically) repeating substrings have lower entropy than equal length password with no such (systematic) repetition.

The computation for the rainbow table entry for your address could have been done months or or even years ago. The attacker could just have been comparing live transactions to see if he already has computed your private key in his rainbow table, and then use that to do the sweep.

[deleted partial garbage]

Hehe fun to read, I might have thought twice reading this beforehand. Thankfully I still have most of my bitcoin to worry about.

Thanks for your input Oda.krell

The more I think about it the more I realise how ridiculously insecure it was, but surely the decision to combine passwords in sets of three goes hand in hand with many different ways of combining passwords, an on top of that, doesnt hashing and sweping a brain wallet take some compuation? wouldnt that be an ongoing recomputation every day to sweep wallets? is that billion hashes per second inclusive of that work?


I would rather not tell, for all I know I might still be using it at some old account I have forgotten about, besides being the key to my hacked brain wallet.

lets say it was about as strong as Clock123Clock123Clock123.....

That would be a moving target and it would depend a lot on how your brute-force program searches the space (since no brute-force tool is really 100% brute-stupid and would start attacking commonly used characters first). 15 years ago using a regular PC I was using L0pthcrack to scan our network for weak passwords and found many with 40+ bits of entropy.

Where are you pulling that number from? Source would be nice.
BTW, does anyone know what is the strongest entropy password that has been successfully cracked to date?

feeling sad for your losses..
yhats why i changed my password and everything as soon as possible..

Hey. Sorry for the loss. Also, no moral lectures from me. But I'd like to chime in, if you allow, because the line above is quite a bit of a misconception.

Basically, "3 times the effort" is nothing in computing. You are aiming for exponential increase in difficulty when setting good passwords. Here are a few more details...

Thinks of it as follows: imagine the attacker has a dictionary of common words, and a method to combine words from that dictionary in a reasonable* way. Now, "Yankee" is one word. "Doodle" is another word. Even "123" could be considered a word, since it's such a common string of numbers, together with "111", "789", and a few others.

Say that dictionary of words (and sort-of-words, like "123") has 10k entries in total. Probably not the exact right number, but let's assume it for a moment. Leaving capitalization of words aside (which we can in your example, because you just capitalized the first letters of a word, which only effectively doubles the size of our hypothetical dictionary), a single 3 word combination out of that 10k word dictionary represents one out of 10k^3 possible combinations.

I didn't look up the latest developments in the last 2 or 3 years, but a 2012 result I found reports an offline brute force attack (using rainbow tables) running at a speed of 350 billion passwords per second. Therefore:

A 3 word combo out of a 10k dictionary would take about 3 seconds to find.

Let that sink in for a  moment.

Now here's how to solve the problem, and still use, in principle, a similar method to yours, one that is easier for humans to remember than random ASCII characters:

Don't repeat the same combo. Doing so is useless, and doesn't add any substantial security.

In your example, "YankeeDoodle123" can be seen as one phrase (that the attack described above could find in 3 seconds). To get from "YankeeDoodle123" to "YankeeDoodle123YankeeDoodle123YankeeDoodle123", i.e. the 3 times repetition will take only minimal additional time (constant, or almost constant), assuming the attacker knows a) he just needs to, verbatim, repeat the phrase, and b) he can stop the repetitions after testing about 5 or so repetitions per phrase, since most humans don't enter passwords of 100 or more characters.

Here's a much safer example password, still using a dictionary based method:

yankee colour doodle resulting table parsley under chair (without the spaces)

Only slightly harder to remember in my view, but a lot better. Even assuming you took the words from a smaller dictionary of only 5k words, using 8 different entries from that dictionary means the attack mentioned above would take 10^12 years to brute force it. In other words, impossible. **

---

Take home message: For reasonably safe passwords, use the xkcd method ***

(but don't even think of using the same words used in the comic)

---

* "reasonable" here means: by an algorithm that is trying to capture how we, human users, set non-random passwords.

** no guarantees on that. it assumes you picked the 8 words randomly from the dictionary, which humans are notoriously bad at. But in any case, much better than repeating  a phrase inside a password.

*** I know, xkcd didn't invent it, just described it nicely imo.

@chessnut


So what was the password?  Since it is compromised now, please tell us, so other people can learn from this mistake as well.

Sorry for your loss.

https://en.bitcoin.it/wiki/Brainwallet#Low_Entropy

Brain wallet are not such easy to hack.
You should have changed your password

I have found sending to asdfasdfasdfasdf gets coin stolen too. I suspect, like correct horse battery staple, people are clearing out the address automatically

Example123 would likely already be in a password dump from somewhere.

Even if you think your password is difficult, it's still a really bad idea to reuse it.  The forum hacker is almost irrelevant because your password wasn't difficult AND you used the same one for something relatively unimportant (a forum account) and something important (your brain wallet).  It's not a human being who's trying to guess your password when your account is hacked, it's a machine which can make millions of attempts per second.

Convenient passwords are best left for trivial stuff.  If something's important enough that losing it would be disruptive to your life, then protect it properly.  Now go through all of your passwords for everything and think of the worst case scenario for one of them being obtained by someone else.  Ideally, someone getting hold of one of your passwords should lead them to a dead end, not give them the keys to the city.

It takes less time than you would think. The hackers just write a script of program that randomly generated passwords and then generates the keys and sweeps the funds. They run it and the program does all the work while they go and do other stuff.

It does not. Mining technology is designed to do one thing and one thing only: compute sha-256d hashes. They are not capable of doing anything else which means they cannot be used for password cracking unless the sha-256d hash were used.

IIRC, theymos stated because of the way the data was salted it would slow down any decryption giving you more time to change your passwords before they were fully compromised - but yeah, it wasn't going to guarantee your security. That being said, repeating your password over and over is something people would look for when bruteforcing.

Clearly because its easy for me to remember, and I was under the impression that the btc talk hacker would have difficulty cracking my password hash and that three combinations of a fairly difficult password was enough on top of that.

Full Disclosure: Im not proud of what I did!