Pages:
Author

Topic: Brain Wallets (Read 1415 times)

hero member
Activity: 994
Merit: 544
July 08, 2016, 11:10:41 PM
#27


   I found this interesting article about the vulnerability of brain wallets that left me asking some questions. I personally think the author of the article deserves a sharp pain below the waist line. He actually attacks and insults brain wallet users, provides very vague information, and it appears, the article is written to make you worry about your brain wallet, or any type of wallet for that matter.  Please read article below.


http://www.fastcompany.com/3056651/researchers-find-a-crack-that-drains-supposedly-secure-bitcoin-wallets


1> What I would like to know is, if when I generated my wallet, a seed was created for me to be able to restore my wallet at a later point in time, when I want to bring the wallet online again, how could my seed, and therefore my key be attacked??? There is nothing in the blockchain since there has never been any transactions. I don't understand what the author is really talking about? And even if I have conducted transactions to the wallet addresses, how could the presence of those public addresses in the blockchain be used to attack my wallet?

2> Is my above example a brain wallet, or is it something different??



Well actually using your address attackers may hack your bitcoin wallet and take all your bitcoins. But at this point of time blockchain has already made some innovation as to protect the owner of the wallet. By changing your wallet address every transaction it is unlikely or less possibly be attacked by hackers.
copper member
Activity: 2996
Merit: 2374
July 08, 2016, 09:57:09 PM
#26
If you're worried about using a brain wallet you mustn't have much of an imagination. If your seed phrase is too weak, you risk losing your money. If it's too complex, you risk forgetting it. If you have a good imagination, you can conquer these obstacles.

Brain wallets have many impressive advantages. The ability to quite literally think up a unique bank account that lives in your brain. That's insanely cool.


Other people have imaginations as well. The people trying to crack your brain wallet only need to think of a concept while the person making a brain wallet will need to think of the implementation.
full member
Activity: 146
Merit: 100
July 08, 2016, 06:30:09 PM
#25
If you're worried about using a brain wallet you mustn't have much of an imagination. If your seed phrase is too weak, you risk losing your money. If it's too complex, you risk forgetting it. If you have a good imagination, you can conquer these obstacles.

Brain wallets have many impressive advantages. The ability to quite literally think up a unique bank account that lives in your brain. That's insanely cool.

newbie
Activity: 56
Merit: 0
February 18, 2016, 01:49:54 PM
#24
I would NEVER use Brainwallet or the like after all that I have heard about these things. Too many risks involved. I would rather keep a wallet where I have the

keys and backuos for them. I have a wallet with the backup for it and plan to keep it that way. Fk crackers that crack things. The bad hackers are called

crackers and the ethical hackers are the hackers. Don't get the two mixed up. Crackers= bad. Hackers= Generally Recognized As Safe.
legendary
Activity: 1610
Merit: 1183
February 16, 2016, 11:26:15 AM
#23
The main risk is an attacker doesn't need to physically own a local file to try to bruteforce your password. This is why im too paranoid to not use anything that doesn't require a local file that you own, software wise thats why Bitcoin Core is the best I can think, and for cold storage a paper wallet. Im just too paranoid to trust brain wallets.
newbie
Activity: 51
Merit: 0
February 16, 2016, 10:26:11 AM
#22

There are many ways of generating secure brain wallets. One would be by employing the use of a "live" and offline operating system using a reputable wallet, such as electrum. Once your wallet is generated, you can write down all of your public addresses, and memorize your seed, (you should develop a way to get at your seed in case you forget it) and then take the wallet offline where it can remain in cold storage for a very long time. This method would likely be very safe. The amount of security you should employ depends on the amount of funds that you are trying to protect. People will be willing to work a lot harder to get at something that is worth a lot to them. Keep in mind that the physical security of the device (e.g. computer, tablet, phone, hardware wallet, etc...) is very important.



this thread isn't really to warn you any longer.   you're dead set on using brain wallets no matter how many others try to warn you off the idea.

brain wallets are not a safe way of storing your bitcoins.   but no one's stopping you doing that.

but if you want best practices for keeping bitcoins safe then brain wallets, aren't it!   'nuff said.   Its a warning to others, as you, marbu have your mind set on doing it.

its your life, marbu.  i really hope that it works better for you than it did for me.


aerobatic,

First of, there have not been others, as you state that have warned me. It only has been you. Many people in this forum will tell you that brain wallets are safe if you know what you are doing. Based on what you have said, I strongly recommend that you read up on managing encryption keys and passwords, as not only brain wallets are vulnerable if you are not careful. Good luck to you.
hero member
Activity: 702
Merit: 500
February 16, 2016, 10:19:54 AM
#21

There are many ways of generating secure brain wallets. One would be by employing the use of a "live" and offline operating system using a reputable wallet, such as electrum. Once your wallet is generated, you can write down all of your public addresses, and memorize your seed, (you should develop a way to get at your seed in case you forget it) and then take the wallet offline where it can remain in cold storage for a very long time. This method would likely be very safe. The amount of security you should employ depends on the amount of funds that you are trying to protect. People will be willing to work a lot harder to get at something that is worth a lot to them. Keep in mind that the physical security of the device (e.g. computer, tablet, phone, hardware wallet, etc...) is very important.



this thread isn't really to warn you any longer.   you're dead set on using brain wallets no matter how many others try to warn you off the idea.

brain wallets are not a safe way of storing your bitcoins.   but no one's stopping you doing that.

but if you want best practices for keeping bitcoins safe then brain wallets, aren't it!   'nuff said.   Its a warning to others, as you, marbu have your mind set on doing it.

its your life, marbu.  i really hope that it works better for you than it did for me.
newbie
Activity: 51
Merit: 0
February 16, 2016, 10:12:12 AM
#20

I don't see how it's possible to crack such a sophisticated password as what you say you used. You are talking about a 256 bit + password. This password cannot be cracked in any practical amount of time.


marbu -

there's several attack vectors to worry about when using brain wallets, which aren't a worry when using other types of wallet.

for instance.  every time you need to type it out, to get it converted back into the private key...  it could be intercepted locally on your computer using spyware or a key logger.   it could be intercepted using man in the middle attack on your internet connection or your wifi via a network sniffer or via a mitm ssl attack.   it could be intercepted at the web site that you're using to generate the brain wallet key in the first place.  or your java installation etc.  it could be a corrupt brain wallet generator.  or one with a weakened rng seed... etc.  there's too many attack vectors to think that brain wallets are a safe way of storing your bitcoins.  you are very reliant on a lot of things not being hacked, for you to continue to use a brain wallet.   anytime, during creation or use, or even just doing nothing, can be a risk factor.   Even Entropy checkers that are on the internet, could potentially be logging your passwords, and populating similar words into their dictionary with your entropy test results, so that the hackers have a better understanding on what kind of passwords people use (!)


i counted the letters in the brain wallet i was referring that got hacked, and to make a correction, it was less than the 40 chars i said it was - just to be accurate, it was 34 characters.  sorry, i thought it was more.. but the point was, it was still a long string of letters and numbers, some of which were words, some caps, some punctuation, and it still got hacked.  whether it was hacked with brute force from a cloud password generator or some other weak point in the brain wallet system, i really don't know.   All i know is that the ONLY loss i have ever had from any bitcoin wallet... was from a brain wallet.   Ive not even (touch wood) lost anything from web wallets like Blockchain.info   (and nowadays I've migrated to a hardware wallet and cold storage, as i don't even trust paper wallets as they have some of the same attack vectors to brain wallets)


aerobatic,

Any time that you send btc from a wallet, you are subject to the possibility of someone stealing your private keys, which are what is necessary to take over the wallet and remove all funds. The use of any wallet involves the use of encryption. Encryption is a tool that must be used properly, or just like any other tool, you can end up hurting yourself or others. I suggest you read up on managing encryption passwords and keys.

The information that you provided, as far as the different attack vectors that brain wallets are subject to, also applies to other wallets. I dispute, however, your claim, that brain wallets should never be used.

Going back to your case scenario, where you stated, that you had a 34 character password with characters and symbols, one can only conclude, that your password was stolen by some means; a key logger, or a different type of malware. Again, it is highly unlikely that your password (as you describe it) was brute forced, therefore I have to conclude that you completely mismanaged your wallet.

There are many ways of generating secure, brain, and other types of wallets. One would be by employing the use of a "live" and offline operating system using a reputable wallet, such as electrum. Once your wallet is generated, you can write down all of your public addresses, memorize your seed, (you should develop a way to get at your seed in case you forget it) and then take the wallet offline, where it can remain in cold storage for a very long time. This method would likely be very safe. The amount of security you should employ depends on the amount of funds that you are trying to protect. People will be willing to work a lot harder to get at something that is worth a lot to them. Keep in mind that the physical security of the device you are using to store your wallet (e.g. computer, tablet, phone, hardware wallet, etc...) is very important.

copper member
Activity: 2996
Merit: 2374
February 14, 2016, 12:42:58 AM
#19
if the prize is only $4 (0.01 btc) then the hacker wont spend a huge amount of compute power trying to crack that address.  but when the prize justifies the crack, they might try a little harder

People that crack brain wallets just brute force possible phrases regardless of the prizes they may obtain. They don't attack specific addresses, they just try and sweep all the addresses that they find during their attack.

This is why I have created about 10 paper wallets (random or brain wallets) and transfer 1000 bits into each to test. If after some time the coins are still there, I will then transfer a larger amount.
This isn't going to work. Some brain wallet hackers/farmers will monitor addresses to brainwallets and will not spend funds contained in a brainwallet right away, but will instead wait some time and hope that the "owner" will send additional BTC to the brain wallet.
legendary
Activity: 3472
Merit: 10611
February 13, 2016, 11:42:22 PM
#18
Ever since I heard of the Brainwallet issue, I have never opened any, and that was when I was looking for a good wallet. I had done some research

and didn't like Brainwallet after what I saw.

what did you see?!
as far as i know, there never was any problem with brainwallet. the problem came from people who were using it. their ignorance of the clear warning about not using an empty string, a simple "123" password or a popular sentence from a song.
full member
Activity: 182
Merit: 100
★Bitvest.io★ Play Plinko or Invest!
February 13, 2016, 09:26:25 PM
#17
Ever since I heard of the Brainwallet issue, I have never opened any, and that was when I was looking for a good wallet. I had done some research

and didn't like Brainwallet after what I saw.
sr. member
Activity: 552
Merit: 250
February 13, 2016, 09:19:22 PM
#16
if the prize is only $4 (0.01 btc) then the hacker wont spend a huge amount of compute power trying to crack that address.  but when the prize justifies the crack, they might try a little harder

People that crack brain wallets just brute force possible phrases regardless of the prizes they may obtain. They don't attack specific addresses, they just try and sweep all the addresses that they find during their attack.

This is why I have created about 10 paper wallets (random or brain wallets) and transfer 1000 bits into each to test. If after some time the coins are still there, I will then transfer a larger amount.
legendary
Activity: 1974
Merit: 1030
February 13, 2016, 09:06:11 PM
#15
if the prize is only $4 (0.01 btc) then the hacker wont spend a huge amount of compute power trying to crack that address.  but when the prize justifies the crack, they might try a little harder

People that crack brain wallets just brute force possible phrases regardless of the prizes they may obtain. They don't attack specific addresses, they just try and sweep all the addresses that they find during their attack.
legendary
Activity: 4424
Merit: 4794
February 13, 2016, 08:28:32 PM
#14

I don't see how it's possible to crack such a sophisticated password as what you say you used. You are talking about a 256 bit + password. This password cannot be cracked in any practical amount of time.


a brain wallet is where you choose the words.. and most of the time brain wallet users choose between 1-6 common words that are part of a known phrase..

a seed wallet is where 12-20 RANDOM and UNCOMMON words are used.

the article stated
Quote
checked a trillion passwords and recovered 18,000 brain wallets
that is a 0.0000018% success rate.

now although there are 171,000 words in the dictionary. its estimated that only 3500 words are used commonly.

so imagine the password is 1 common word.
thats a 1 in 3500 chance of a hit.

so imagine the password is 2 common words.
thats a 1 in 12,250,000 chance of a hit.(3500 x 3500)

so imagine the password is 3 common words.
thats a 1 in 42,875,000,000 chance of a hit.(12,250,000 x 3500)

som brute forcers know that even in the 3500 common words, some are not used, so they could get the odds down. they also know that when using more than 3 words its more likely that a sentance structure was used (phrase or quote) so they know what words naturally follow grammatical structure and what words dont naturally follow each other in a sentance.

so although the odds of having 12 common words can be upto:
1 in 3379220508056640000000000000000000000000000 chance.
brute forcers can reduce that down to:
1 in 1000000000000000000000000000000000000 chance.
just by employing some grammatical rules to cut down on the variations possible.

which is still extreme for 12 word sentence.. but. its highly important to not use sentances/quotes that follow grammatical rules. it is also important to not use the 3500 common words. that way 12 random non common words can be:
1 in 3138428376721000000000000000000000000000000000000000000000000 chance.

so in short a brain wallet of 3 common words is:
1 in 42875000000 chance

so a seed of 12 random and uncommon words is:
1 in 3138428376721000000000000000000000000000000000000000000000000 chance.
hero member
Activity: 702
Merit: 500
February 13, 2016, 08:13:26 PM
#13
I have two or three brain wallet with about 0.01 BTC and they are still ok (for the time being). It has a lower entropy than randomly generated address, but I guess it is "random" enough for my purpose.

hi tobacco.  if the prize is only $4 (0.01 btc) then the hacker wont spend a huge amount of compute power trying to crack that address.  but when the prize justifies the crack, they might try a little harder
legendary
Activity: 1512
Merit: 1012
February 13, 2016, 06:13:50 PM
#12
If I memorize the seed generated when wallet was created, would that be considered a brain wallet?  Can you give other examples of brain wallets?


Also how can an attacker use a password to attack my wallet seed??? I thought passwords were used to protect (encrypt) private keys? If I have not exposed my private keys, how can my wallet be attacked by randomly guessing passwords?

Yes, if you memorize the seed it becomes a brainwallet, as per its definition on the Bitcoin Wiki

A password can be used to attack a wallet seed when you have that seed on an online computer, protected by that same password...
sr. member
Activity: 552
Merit: 250
February 13, 2016, 05:58:48 PM
#11
I have two or three brain wallet with about 0.01 BTC and they are still ok (for the time being). It has a lower entropy than randomly generated address, but I guess it is "random" enough for my purpose.
hero member
Activity: 702
Merit: 500
February 13, 2016, 05:50:53 PM
#10

I don't see how it's possible to crack such a sophisticated password as what you say you used. You are talking about a 256 bit + password. This password cannot be cracked in any practical amount of time.


marbu -

there's several attack vectors to worry about when using brain wallets, which aren't a worry when using other types of wallet.

for instance.  every time you need to type it out, to get it converted back into the private key...  it could be intercepted locally on your computer using spyware or a key logger.   it could be intercepted using man in the middle attack on your internet connection or your wifi via a network sniffer or via a mitm ssl attack.   it could be intercepted at the web site that you're using to generate the brain wallet key in the first place.  or your java installation etc.  it could be a corrupt brain wallet generator.  or one with a weakened rng seed... etc.  there's too many attack vectors to think that brain wallets are a safe way of storing your bitcoins.  you are very reliant on a lot of things not being hacked, for you to continue to use a brain wallet.   anytime, during creation or use, or even just doing nothing, can be a risk factor.   Even Entropy checkers that are on the internet, could potentially be logging your passwords, and populating similar words into their dictionary with your entropy test results, so that the hackers have a better understanding on what kind of passwords people use (!)


i counted the letters in the brain wallet i was referring that got hacked, and to make a correction, it was less than the 40 chars i said it was - just to be accurate, it was 34 characters.  sorry, i thought it was more.. but the point was, it was still a long string of letters and numbers, some of which were words, some caps, some punctuation, and it still got hacked.  whether it was hacked with brute force from a cloud password generator or some other weak point in the brain wallet system, i really don't know.   All i know is that the ONLY loss i have ever had from any bitcoin wallet... was from a brain wallet.   Ive not even (touch wood) lost anything from web wallets like Blockchain.info   (and nowadays I've migrated to a hardware wallet and cold storage, as i don't even trust paper wallets as they have some of the same attack vectors to brain wallets)
newbie
Activity: 51
Merit: 0
February 13, 2016, 03:24:47 PM
#9


2 - What example? Cheesy


If I memorize the seed generated when wallet was created, would that be considered a brain wallet?  Can you give other examples of brain wallets?


Also how can an attacker use a password to attack my wallet seed??? I thought passwords were used to protect (encrypt) private keys? If I have not exposed my private keys, how can my wallet be attacked by randomly guessing passwords?
newbie
Activity: 51
Merit: 0
February 13, 2016, 03:17:20 PM
#8


   I found this interesting article about the vulnerability of brain wallets that left me asking some questions. I personally think the author of the article deserves a sharp pain below the waist line. He actually attacks and insults brain wallet users, provides very vague information, and it appears, the article is written to make you worry about your brain wallet, or any type of wallet for that matter.  Please read article below.


http://www.fastcompany.com/3056651/researchers-find-a-crack-that-drains-supposedly-secure-bitcoin-wallets


1> What I would like to know is, if when I generated my wallet, a seed was created for me to be able to restore my wallet at a later point in time, when I want to bring the wallet online again, how could my seed, and therefore my key be attacked??? There is nothing in the blockchain since there has never been any transactions. I don't understand what the author is really talking about? And even if I have conducted transactions to the wallet addresses, how could the presence of those public addresses in the blockchain be used to attack my wallet?

2> Is my above example a brain wallet, or is it something different??







Marbu -

never ever use a Brainwallet.  theyre not safe.  The big flaw is that they are human generated passwords - the worst kind.   And the reward for cracking them is cold hard cash, so every hacker and thief has an incentive to crack them.

it can happen to anyone - including me - when i first started in bitcoin, i used a brain wallet along with regular wallets.  i didnt have much in there because a cryptographer friend had already warned me they were unsafe but i i wasnt so sure as i had picked a very complex and long password and i thought that my one would be safe.

So instead of emptying my brain wallet, i left it with some funds but de-risked it and removed most of my coins - i had probably left just a couple in there.   awhile later (a few months), i checked back and all my funds had of course been drained ages earlier.   this was a very long (40+ characters) password.  It had several real words inside it, but it also had numbers and punctuation marks and was longer and more complex than anything in the best dictionary.  didnt take them long to crack it and steal my (albeit, small) reward.  A month earlier and it wouldve been a lot more.

In short, there's nothing the human brain could think of that a brute force password cracking software in the cloud couldnt find, given a bit of time.

Bottom line:  Dont do it.  there's no sane reason to use a brain wallet.  And if you do, expect to lose your funds.   The hackers have infinite time to keep retrying your password.  nothing stops them.  they can do millions of tries a second and keep going for months til they crack it.  Why let them!?



I don't see how it's possible to crack such a sophisticated password as what you say you used. You are talking about a 256 bit + password. This password cannot be cracked in any practical amount of time.


Pages:
Jump to: