Topic: Brain wallet, step-by-step guide (FIXED!)[Mod note: DO NOT USE BRAINWALLETS] - page 3. (Read 7074 times)

legendary
Activity: 2053
Merit: 1354
aka tonikt
It also is about the likelihood that someone else will choose something similar by coincidence.

Now you've made me intrigued, how is it possible that nobody has painted a second Mona Lisa, just by coincidence :)

Quote
The security of bitcoin is based entirely on the entropy of the private key.  

What???
Man, you don't know what you are talking about.

If you don't understand that the security of ECDSA is all about complexity of reversing the EC multiply function, then we have nothing to discuss any further.

You're wasting my time and the time of people reading this topic.
legendary
Activity: 3416
Merit: 4658
Stop talking this nonsense about entropy.
What's this obsession of you guys, with the entropy of brain wallets?

You are the one that said that you wanted to talk about the technical details.  Now you want to skip the details and go with your opinion instead?

Entropy has nothing to do with it - the security of brain wallets is solely about complexity of breaking the password.

Nope.  It also is about the likelihood that someone else will choose something similar by coincidence.

How much entropy does the EC multiply function give you?
Fucking zero!
Each time it calculates exactly the same public key, for the same private key.
And yet, all the bitcoin security is based on this zero-entropy calculation.

Nope.  The security of bitcoin is based entirely on the entropy of the private key.  If you choose a truly random number between 1 and 115792089237316195423570985008687907852837564279074904382605163141518161494336 then the likelihood that someone else will choose (or find) the exact same number is close enough to impossible that it can be considered secure.

If you use a system with too little entropy, then the likelihood that someone else chooses (or finds) that exact same number increases.  There is a threshold where the likelihood becomes so great that it can no longer be considered secure.

Why?
Because reversing this function is too complex for anyone to calculate the private key, from the public key.
Just like cracking a good brain wallet is too complex.

This discussion has nothing to do with "reversing the function" or "calculating the private key from the public key".
legendary
Activity: 2053
Merit: 1354
aka tonikt
Quote
What he's saying is that really smart people understand the importance of entropy and the lack of entropy in their own minds.  Therefore, they tend to acknowledge that they are not capable of thinking of a strong password.  Those that are most likely to believe that their password is strong enough are the ones that are most likely to be wrong about that belief.  Not everyone.  Just most.  Perhaps you actually have come up with enough entropy in your brainwallet, but that doesn't mean you should encourage the average person to try.

Stop talking this nonsense about entropy.
What's this obsession of you guys, with the entropy of brain wallets?
Entropy has nothing to do with it - the security of brain wallets is solely about complexity of breaking the password.

How much entropy does the EC multiply function give you?
Fucking zero!
Each time it calculates exactly the same public key, for the same private key.
And yet, all the bitcoin security is based on this zero-entropy calculation.
Why?
Because reversing this function is too complex for anyone to calculate the private key, from the public key.
Just like cracking a good brain wallet is too complex.
legendary
Activity: 3416
Merit: 4658
I wish we could discuss technical and numbers here (exactly the math), instead of playing politics on which demagogy is going to get a bigger applause.

That would be a lot easier if you'd take the time to actually read what was posted and not run off on a rant from taking a few words out of context.

For example:

You're using math that assumes people generate their passphrases or passwords randomly. It is possible for people to do this. A small number of them do. The problem is that, as every database leak that's included hashed passwords has shown, the vast majority of people choose weak passwords. This is a problem, since brainwallets automatically leak what amounts to a hash immediately on use.
Of course I am using math - what else am I supposed to be using?
Math is the only objective language to describe the complexity of the problem. Or a lack of it, if you prefer...

Without the math we are only debating our beliefs.

Seriously?  That's what you took from what ryanc wrote?  That he was complaining that you were using math?

Come on.  You're the one that keeps saying that you want to discuss technical details here.  Then pay attention to the details.

So yes, I believe that most people are not capable of choosing a password or passphrase that is sufficiently strong to use as a brainwallet, and there is a mountain of evidence to support me. This is not a matter of ego. I would not feel comfortable in my ability to come up with a password or passphrase that could not be cracked without a secure random number generator.
What you are saying is that you believe people are not smart enough to think of a strong password.

That's not what he's saying at all.

What he's saying is that really smart people understand the importance of entropy and the lack of entropy in their own minds.  Therefore, they tend to acknowledge that they are not capable of thinking of a strong password.  Those that are most likely to believe that their password is strong enough are the ones that are most likely to be wrong about that belief.  Not everyone.  Just most.  Perhaps you actually have come up with enough entropy in your brainwallet, but that doesn't mean you should encourage the average person to try.

And is it really so hard to believe that I, and others like me, genuinely want to help prevent people from losing money?

No.  I believe that you are trying to help.  I just believe that your advice is flawed, and that in your attempt to help, you are making things worse for the average person.


Even Tolkien's entire trilogy would be a bad idea to use as a brain wallet... unless you pick a set of words from the trilogy by a system that only you know and remember - such could be a very strong password.

Well, if that "system" was to use a good source of entropy to, at least a dozen times, choose a RANDOM page, and then a RANDOM word on that page, then perhaps.  Although some words occur FAR more frequently than others, so even that is a risky proposition.  If your "system" is to make a conscious choice about which pages and words to choose, then it sounds like a bad idea to me.
 
Now, if you don't know the system by which I chose the words from a book, how can you possibly write a software to crack it, even had you known the book?

It's not that I can crack your specific wallet.  It's that if enough people do it, I can crack the AVERAGE user's wallet.  There will be outliers (perhaps including yourself), but on AVERAGE there will be a tendency to choose certain pages and certain words. It will be a bell shaped distribution, and the hacker will get the 80% of users that are closest to the mean.
legendary
Activity: 2053
Merit: 1354
aka tonikt
Now, please prove me wrong.

You're using math that assumes people generate their passphrases or passwords randomly. It is possible for people to do this. A small number of them do. The problem is that, as every database leak that's included hashed passwords has shown, the vast majority of people choose weak passwords. This is a problem, since brainwallets automatically leak what amounts to a hash immediately on use.

So yes, I believe that most people are not capable of choosing a password or passphrase that is sufficiently strong to use as a brainwallet, and there is a mountain of evidence to support me. This is not a matter of ego. I would not feel comfortable in my ability to come up with a password or passphrase that could not be cracked without a secure random number generator. Is it really so hard to believe that I, and others like me, genuinely want to help prevent people from losing money?

I am not saying "it's impossible to create a brainwallet that won't be cracked". My argument is that so many people are not able to evaluate whether their passwords or passphrases are strong enough that assisting them in creating a brainwallet is an act of gross negligence.

Of course I am using math - what else am I supposed to be using?
Math is the only objective language to describe the complexity of the problem. Or a lack of it, if you prefer...

Without the math we are only debating our beliefs.
What you are saying is that you believe people are not smart enough to think of a strong password.
However, you seem to believe that the same people are smart enough to secure their file system from hackers, plus to secure all the possible storage places (for the backup) from access by unwanted parties. Not to mention physical access to the actual storage.

Well this is where we disagree.

I believe it is much easier to come up with a password that no other person on earth can crack/think of, than to find a file storage that no other person can access.

And is it really so hard to believe that I, and others like me, genuinely want to help prevent people from losing money?

And again: I wish we could discuss technical and numbers here (exactly the math), instead of playing politics on which demagogy is going to get a bigger applause.

So, coming back to "how much wood could a woodchuck chuck if a woodchuck could chuck wood" - obviously it is a very bad password.
It is not better than my 8-random-characters example.
Anything that can be searched in Google is a very bad password.
Even Tolkien's entire trilogy would be a bad idea to use as a brain wallet... unless you pick a set of words from the trilogy by a system that only you know and remember - such could be a very strong password.
Now, if you don't know the system by which I chose the words from a book, how can you possibly write a software to crack it, even had you known the book?

Anyway, do you have any other "strong" passwords that you or anyone else have cracked?
Because so far I have not seen an example of a cracked password that I'd consider strong.

IMO, there is absolutely no backup to conclude that [any] "research demonstrates [again] that brain wallets are not secure and no one should use them".
This is a bunch of bollocks and people claiming such nonsense, calling it research, are embarrassing themselves.
member
Activity: 105
Merit: 59
You can't fix stupid, not even with key-stretching.

True, but you can mitigate it, at least to some extent. I probably should try getting WarpWallet to accept my patches again.
full member
Activity: 224
Merit: 117
WarpWallet does something like that. Using it with a salt and six diceware words (use actual dice!) should be sufficient unless you're Satoshi. I still strongly recommend against coming up with your own password or passphrase, and BIP39 + BIP32 is better for a number of other reasons.
I checked Warp Wallet, and it appears that people still use passphrases like "a", " ", "correct horse battery staple" and "bitcoin".
You can't fix stupid, not even with key-stretching.
member
Activity: 105
Merit: 59
1GjjGLYR7UhtM1n6z7QDpQskBicgmsHW9k
Someone put 250BTC on that address, that was hacked by a white hat hacker, who tried to warn the owner (and did not simply take the coins, yes, people like this exist) by adding more and taking it back, but the owner did not notice, so the hacker traced the owner to a mining pool, and found the owner's phone number, and called to explain...this lengthy story was presented during a DEFCON conference.

That was me.

Quote from: ArcCsch
I think brain wallets should be strengthened by salting, and by using key-stretching, as in BIP38, this would make hacking all but the weakest passphrases totally impractical.
With this post, I request from software developers to include a new brain wallet generator, with separate boxes for passphrase and salt, and with some heavy key-stretching to slow down those hackers.
Something like this:
key=GenerateKey[scrypt[Hash[passphrase]||Hash[salt]]]

WarpWallet does something like that. Using it with a salt and six diceware words (use actual dice!) should be sufficient unless you're Satoshi. I still strongly recommend against coming up with your own password or passphrase, and BIP39 + BIP32 is better for a number of other reasons.
full member
Activity: 224
Merit: 117
Strong passphrases are very important, and many people choose weak ones, a famous example is the following:
how much wood could a woodchuck chuck if a woodchuck could chuck wood
Which results in:
1GjjGLYR7UhtM1n6z7QDpQskBicgmsHW9k
Someone put 250BTC on that address, that was hacked by a white hat hacker, who tried to warn the owner (and did not simply take the coins, yes, people like this exist) by adding more and taking it back, but the owner did not notice, so the hacker traced the owner to a mining pool, and found the owner's phone number, and called to explain...this lengthy story was presented during a DEFCON conference.

I think brain wallets should be strengthened by salting, and by using key-stretching, as in BIP38, this would make hacking all but the weakest passphrases totally impractical.
With this post, I request from software developers to include a new brain wallet generator, with separate boxes for passphrase and salt, and with some heavy key-stretching to slow down those hackers.
Something like this:
key=GenerateKey[scrypt[Hash[passphrase]||Hash[salt]]]
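An added example, not ArcCsch's or ryanc's code and not WarpWallet's own source: it contrasts the unsalted SHA-256 derivation used by the original brain wallet generators with the salted, stretched scheme ryanc points to in his reply. The scrypt and PBKDF2 parameters are the ones published for WarpWallet (scrypt with N=2^18, r=8, p=1; PBKDF2-HMAC-SHA256 with 2^16 iterations; the two 32-byte outputs XORed into the private key). The passphrase and e-mail salt are constructed; the `n` and `iters` arguments exist only so the routine can be exercised at reduced cost, and the defaults are the real costs. It assumes Python's hashlib was built with scrypt support (OpenSSL 1.1 or later); at the full parameters scrypt needs roughly 256 MB of RAM.

```python
import hashlib
import time

# secp256k1 group order; a private key must satisfy 1 <= key < N.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def naive_brainwallet_key(passphrase: str) -> bytes:
    """Unsalted, unstretched derivation of the classic brainwallet.org style
    generators: private key = SHA-256(passphrase). One cheap hash per guess,
    and two users who pick the same phrase land on the same key."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


def warpwallet_key(passphrase: str, salt: str,
                   n: int = 2 ** 18, iters: int = 2 ** 16) -> bytes:
    """WarpWallet derivation as published by Keybase:
         s1  = scrypt(passphrase||0x01, salt||0x01, N=2^18, r=8, p=1, 32 bytes)
         s2  = pbkdf2_hmac_sha256(passphrase||0x02, salt||0x02, 2^16 iters, 32 bytes)
         key = s1 XOR s2
    `n` and `iters` are exposed here only so the function can be run cheaply
    in a demonstration; the defaults are the real parameters."""
    pw = passphrase.encode("utf-8")
    st = salt.encode("utf-8")
    r = 8
    # OpenSSL refuses to run scrypt unless maxmem covers 128 * r * N bytes.
    s1 = hashlib.scrypt(pw + b"\x01", salt=st + b"\x01", n=n, r=r, p=1,
                        maxmem=2 * 128 * r * n + 1024 * 1024, dklen=32)
    s2 = hashlib.pbkdf2_hmac("sha256", pw + b"\x02", st + b"\x02", iters, dklen=32)
    return bytes(a ^ b for a, b in zip(s1, s2))


def is_valid_private_key(key: bytes) -> bool:
    """A 32-byte string is a usable secp256k1 private key only if 1 <= k < N."""
    k = int.from_bytes(key, "big")
    return 0 < k < SECP256K1_N


if __name__ == "__main__":
    # Constructed sample inputs; do not reuse them for real funds.
    phrase = "correct horse battery staple"
    salt = "alice@example.com"

    t0 = time.perf_counter()
    naive = naive_brainwallet_key(phrase)
    t_naive = time.perf_counter() - t0

    t0 = time.perf_counter()
    warp = warpwallet_key(phrase, salt)
    t_warp = time.perf_counter() - t0

    print("naive  :", naive.hex(), "valid:", is_valid_private_key(naive))
    print("warp   :", warp.hex(), "valid:", is_valid_private_key(warp))
    print("other salt differs:", warp != warpwallet_key(phrase, "bob@example.com"))
    print(f"one guess costs {t_warp / max(t_naive, 1e-9):.0f}x more "
          f"than SHA-256 ({t_warp:.2f}s vs {t_naive * 1e6:.1f}us)")
```

The salt is what separates two users who happen to choose the same phrase, and the stretching is what multiplies the per-guess cost; neither turns a phrase that appears in a text corpus into a strong one, which is why the reply still recommends BIP39 over a self-chosen passphrase.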
member
Activity: 105
Merit: 59
Now, please prove me wrong.

You're using math that assumes people generate their passphrases or passwords randomly. It is possible for people to do this. A small number of them do. The problem is that, as every database leak that's included hashed passwords has shown, the vast majority of people choose weak passwords. This is a problem, since brainwallets automatically leak what amounts to a hash immediately on use.

So yes, I believe that most people are not capable of choosing a password or passphrase that is sufficiently strong to use as a brainwallet, and there is a mountain of evidence to support me. This is not a matter of ego. I would not feel comfortable in my ability to come up with a password or passphrase that could not be cracked without a secure random number generator. Is it really so hard to believe that I, and others like me, genuinely want to help prevent people from losing money?

I am not saying "it's impossible to create a brainwallet that won't be cracked". My argument is that so many people are not able to evaluate whether their passwords or passphrases are strong enough that assisting them in creating a brainwallet is an act of gross negligence.
legendary
Activity: 4116
Merit: 7849
'The right to privacy matters'
I mean, seriously? :)
What kind of idiot do you think would choose any of the above passwords to protect his life's savings?
Clearly multiple people chose those passwords to protect some amount of Bitcoin.

The point is that people think those passwords are strong passwords because online password checkers say that those passwords are strong. If you are recommending people to use brainwallets, they are likely to use those types of passwords thinking that they are strong passwords when in actuality they are not.

A six digit random number picker
A six letter word
A six digit random number picker
A six letter word

Is fairly strong.

Then put a copy of it in a safe deposit box

Then do it again with 24 different letters and numbers.

Combine the two giving you a 48 place password

Put the second set of 24 in a second safe deposit box.

I would like to see a program crack that.
legendary
Activity: 2053
Merit: 1354
aka tonikt
I just want to add that I think that this is a very interesting topic and I wish we could just discuss it in a cold professional manner, putting emotions and dick measuring aside.

I wish we were able to discuss the complexity of cracking brain wallets and the important aspects around their security.

So why don't I start.

I think it would be fair to assume that the throttle is set by the EC function that multiplies a number representing a potential private key by the G point of the curve.
To simplify, let's put the times of any hashings aside - let's say they are zero.

In the library I currently use, my i7 Intel CPU, needs about 120 nanoseconds to perform such an operation.
But it is obviously not the most optimal implementation - so let's assume that the optimal implementation is more than one million times faster than it: it can calculate 1 million public keys within 100 nanoseconds, which comes to 10000000000000 (1e13) operations per second.

Now, let's take a simple password - only low case characters: 'a' to 'z'

For 8 characters long password, at this speed of brute forcing, it would take 26^8/1e13 = 0.02 second (in the worst case) to find the password.
Meaning: you do not want to use 8 characters long password - 8 characters long brain wallets are shit!
But it does not yet mean that all the brain wallets are not secure...

Because, what would the time be for 16 characters long password?
Well, the number is 26^16/1e13/3600/365 = 3318 years.

How about 32 characters password?
According to my calculator, 26^32/1e13/3600/365 equals 144727736474009759620915358 [years] - I'm sure we don't have that much time.

This is 32 characters long password, with only lower case letters ('a' to 'z')!

And here we come to the point.
Some people out there are saying that they can program a software to predict what my brain had been thinking while generating the 32 characters long password.
They are going to use dictionaries and all kinds of techniques to only check the sequences that my brain would think of, skipping those that it would not...
And this software will be so efficient that it will simplify the problem by about 144727736474009759620915358 times, so they can find my password within a year.
Right!
I am really dying to learn about these breakthrough techniques and their ingenious algos.
Because what I have seen so far is only making me say: spare your efforts little boys, before you shit yourself trying. :)
And forgive me concluding with this humorous metaphor.

Now, please prove me wrong.
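An added worked calculation, not code from the thread, that carries the arithmetic in the post above a little further. It reuses the post's inputs (a 26-letter lowercase alphabet and an assumed 1e13 EC multiplications per second) and adds the two things the other side of the argument keeps raising: the birthday-bound chance that two people pick the same key by coincidence, and an attacker model in which a human-chosen phrase is searched as one entry of a text corpus times a set of mangling rules rather than as 26^length symbols. The post's own year figures divide by 3600 and 365 only; this block uses a full 86400-second day, so its year figures come out smaller. The corpus size and rule count are constructed illustrations, not measurements.

```python
import math

# Constructed inputs, taken from the post above.
LOWERCASE = 26
RATE_PER_SECOND = 1e13
SECONDS_PER_YEAR = 365 * 24 * 3600  # a full day has 24 hours
# Number of valid secp256k1 private keys quoted in the thread (1 .. n-1).
SECP256K1_KEYS = 115792089237316195423570985008687907852837564279074904382605163141518161494336


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates in an exhaustive search of `length` symbols from the alphabet."""
    return alphabet_size ** length


def entropy_bits(candidates: int) -> float:
    """Entropy of one uniformly random pick among `candidates` possibilities."""
    return math.log2(candidates)


def worst_case_seconds(candidates: int, rate: float = RATE_PER_SECOND) -> float:
    """Time to try every candidate at `rate` guesses per second."""
    return candidates / rate


def worst_case_years(candidates: int, rate: float = RATE_PER_SECOND) -> float:
    """Same search, expressed in years with 86400-second days."""
    return worst_case_seconds(candidates, rate) / SECONDS_PER_YEAR


def diceware_candidates(words: int, wordlist_size: int = 7776) -> int:
    """Candidates for `words` words rolled with dice from a 6^5-entry list,
    the model behind the 'random page, then random word' suggestion."""
    return wordlist_size ** words


def human_chosen_candidates(corpus_phrases: int, mangling_rules: int) -> int:
    """Attacker model for phrases people think of instead of roll: every
    phrase in a text corpus times a set of mangling rules (case, punctuation,
    dropped words). A 70-character quotation costs this, not 26 ** 70."""
    return corpus_phrases * mangling_rules


def collision_probability(users: int, candidates: int) -> float:
    """Birthday bound: probability that at least two of `users` independent
    uniform picks from `candidates` coincide, 1 - exp(-u(u-1) / 2N)."""
    return -math.expm1(-users * (users - 1) / (2 * candidates))


if __name__ == "__main__":
    for length in (8, 16, 32):
        c = keyspace(LOWERCASE, length)
        print(f"{length:2d} lowercase letters: {entropy_bits(c):6.1f} bits, "
              f"{worst_case_years(c):.3g} years at {RATE_PER_SECOND:.0e} guesses/s")
    d = diceware_candidates(6)
    print(f"6 diceware words: {entropy_bits(d):.1f} bits, "
          f"{worst_case_years(d):.3g} years")
    h = human_chosen_candidates(corpus_phrases=10 ** 9, mangling_rules=1000)
    print(f"quotation from a 1e9-phrase corpus x 1000 rules: "
          f"{entropy_bits(h):.1f} bits, {worst_case_seconds(h):.3g} seconds")
    print(f"P(two of 1e10 random 256-bit keys collide): "
          f"{collision_probability(10 ** 10, SECP256K1_KEYS):.3g}")
    print(f"P(two of 1e6 users of a 40-bit scheme collide): "
          f"{collision_probability(10 ** 6, 2 ** 40):.3f}")
```

The two numbers worth comparing are the 32-letter brute-force figure and the corpus figure: the first is the cost of a phrase that really was drawn uniformly from 26^32, the second is the cost of a phrase that a person recognised from somewhere, and the cracking software in the papers cited later in the thread works on the second model.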
legendary
Activity: 2053
Merit: 1354
aka tonikt
Ask Evil-Knievel.  It was his term.  That's why ryanc put it in quotes when he used it:
Whatever - it's just silly joking.

But you are wrong @Danny, because backup is a very weak and very fragile point of a wallet's security.
That's mostly why I choose a brain wallet.
Another is convenience - why would I have to carry a file with me if all I need is my brain.

And no, I do not have my passwords written anywhere.
However I do have some hints written down.
But they are designed in a way that only I can understand their meaning.
Actually, only I can understand that these are the hints.

Start using your brains - that's all I have to say.
Don't buy into the bullshit that your brain is not smart enough to make a password that other people's brains can't hack.
legendary
Activity: 3416
Merit: 4658
You are trying to say that the "people" are too stupid to make a password that you "crypto guys"  cannot crack.

The problem with brainwallets isn't just the possibility that "crypto guys" might crack them.  It's also that they generally have insufficient entropy and are therefore significantly more risky.

That might mean being cracked by a hacker, or "crypto guy", but it also might just mean that another of the billions of humans on the planet could end up making the same choices as you.  

And what other reason for that if not to indulge one's poor ego?

Perhaps to help protect others from experiencing preventable losses?

Maybe not because we care about them,

Clearly.

Crack my password, mr crypto guy, if you are as smart as you are pretending to be.
It holds thousands of bitcoins - that should be enough of the motivation.

"Cracking your password" doesn't require intelligence.  It just requires that someone somewhere has the same misconceptions as you.
legendary
Activity: 3416
Merit: 4658
Also, if you would not mind sharing what does it actually take to become a "crypto guy"?

Ask Evil-Knievel.  It was his term.  That's why ryanc put it in quotes when he used it:

- snip -
roughly two years ago when suddenly a secret society of crypto guys started a war on brain wallets
- snip -

legendary
Activity: 2053
Merit: 1354
aka tonikt
Also, if you would not mind sharing what does it actually take to become a "crypto guy"?

I am not asking because I want to become one.
I am asking because I do not want to be associated with a "crypto science" like yours..
I prefer a "crypto practice" - so whatever else you do not do, will likely also work for me :)
legendary
Activity: 2053
Merit: 1354
aka tonikt
your motivation here is highly suspect.

[...]

What motivation do you think us "crypto guys" have for trying to prevent people from using brainwallets, other than to save people from themselves?

Your motivation is pretty obvious and I think I already said that.
You are trying to say that the "people" are too stupid to make a password that you "crypto guys"  cannot crack.
And what other reason for that if not to indulge one's poor ego?
Well, you are wrong. And we are here to help them by proving that you are wrong - that is our motivation.
Maybe not because we care about them, but because we love proving arrogant people wrong. :)

Crack my password, mr crypto guy, if you are as smart as you are pretending to be.
It holds thousands of bitcoins - that should be enough of the motivation.
member
Activity: 105
Merit: 59
I was asked by someone to comment here, since I wrote brainflayer and have coauthored two papers about brainwallet cracking.

I am really surprised by the collective refusal of brain wallets. It all started roughly two years ago when suddenly a secret society of crypto guys started a war on brain wallets ... including popular ones like brainwallet.org that I have used thoroughly back then.

Haven't I seen you posting https://bitcointalksearch.org/topic/this-message-was-too-old-and-has-been-purged-421842 in the past about cracking bitcoin keys? Hard to tell, since you've tried to purge your old posts, but your motivation here is highly suspect.

What motivation do you think us "crypto guys" have for trying to prevent people from using brainwallets, other than to save people from themselves?

This "research" paper does not say how many bitcoins they have collected as the result of cracking brain wallets.

You didn't read the paper, then. Threads on bitcoin talk where people are bragging about cracking brain wallets are listed. Hundreds of BTC have been taken.

I have personally had correspondence with people who have lost over 100BTC due to forgetting their brainwallet passphrase. I spoke on the phone with someone who lost about 47k ether from a brainwallet.

If someone wants to store bitcoin using a memorized secret, they should use BIP39, optionally combined with BIP32, and use spaced repetition to memorize the seed.

If you absolutely insist on coming up with a passphrase yourself and storing bitcoin with it, go use WarpWallet with your email address, name, or phone number as a salt. It's several orders of magnitude more secure against cracking, and multiple independent implementations of the algorithm exist.

legendary
Activity: 1260
Merit: 1168
Quote
You really need to learn the concept of secure backups.

I highly doubt that there is such thing as a secure backup.

You back up in the cloud? Big brother and his 3rd party affiliates are watching you!
You back up on an external hard disk? What if your place gets robbed? What if it burns down?
You back up on a "safe" RAID? Have fun if the RAID controller totals itself.
You back up in several redundant places? With every place the potential attack vectors for thieves and/or social engineers increase.
You have a perfect encrypted non-flammable never-failing backup? Big brother can still subpoena you to decrypt your stuff.

Doesn't sound "secure" to me after all.

Regards
Dunning-Kruger
legendary
Activity: 3416
Merit: 4658
- snip -
just clearly state that the "passphrase" has to be unique and not "guessable" by anyone else, but that would be just too simple, wouldn't it?

Yes.  That would DEFINITELY be "just too simple".

I have personally lost BTC, that were stored in my mobile wallet (when my mobile was "borrowed" by a worthless asshat in the subway).

You didn't have a backup?

I have lost BTC that were stored in a wallet.dat when my SSD suddenly failed.

You didn't learn your lesson and create a backup?

I have lost BTC that were stored in a wallet.dat when I accidentally typed rm -rf / into the console.

You STILL didn't learn your lesson and store a backup?

How can someone that is incapable of learning to backup valuable data (and careless enough to type "rm -rf /" into the console of the sole computer storing their wallet) think that they would be any good at all at choosing a secure brainwallet?

Oh, wait. I know...
It's the Dunning-Kruger effect isn't it?  Which is just one more reason to discourage brainwallet use.

But I am yet to lose any of my BTC that I have stored in a brain wallet.

"Yet" being the key word in that sentence.  You could have said the exact same thing about your mobile wallet seconds before it was "borrowed".  You could have said the exact same thing about your wallet.dat seconds before the SSD died and seconds before you typed "rm -rf /".

People have tried to convince me to store it in an online wallet (where the owner may pull off Houdini's magic disappearance act anytime)

Not anyone that knows what they're talking about.  Perhaps some newbies or other unknowledgeable individuals.

or on a crappy 100$ SSD (whose failure is a Poisson distribution around its END-OF-LIFETIME point) before, but that's not gonna happen!

You really need to learn the concept of secure backups.

Saying "all brainwallets will be emptied" is just as wrong as claiming that "alternative storage methods" are fool-proof.

I've never said that "all brainwallets will be emptied".  I'm confident though in saying that MOST people that think a brainwallet is a good idea for themselves are making a bad decision.