BrainWallet Defcon Attack Discussion, Advice, Q&A, Brainflayer Info, etc.

dzxpert

newbie

Activity: 1

Merit: 0

Quote from: tautvilis on August 09, 2015, 06:11:20 PM

Quote from: btcspry on August 09, 2015, 03:53:09 PM

Please do not take this warning lightly. Over 800BTC were available for theft (and lucky taken by a whitehat hacker - more information coming soon). Please ensure that your bitcoins are not part of the ones that are taken in the future. Save your bitcoins today, and transfer them to a safe storage system such as a Trezor or an Electrum Cold Storage wallet.

I were robbed of 22BTC by most likely a brainwallet cracker is there any chance I could get my BTC back for more info check my thread https://bitcointalksearch.org/topic/almost-surebrainwalletorg-stole-22btc-from-me-1146935

well check how much is 22 BTC now

Lowkeyxavier

newbie

Activity: 2

Merit: 0

Where I can find my wallet

Financisto

hero member

Activity: 630

Merit: 767

BTC⇆⚡⇄BTC

Quote from: Dabs on December 09, 2019, 10:05:01 AM

Yeah, no problem. I have a bunch of older paper wallet generators, some don't exist anymore due to the website disappearing (or removing the files). In the end I'm fairly convinced that using Electrum or one of those Electrum compatible seed generators using your own entropy (if you like to flip coins or roll dice) is more convenient.

I agree 100%!

Generating your own seed/passphrase using diceware (coin flipper, card shuffler, etc) is the safest way to go for sure...

But playing with brainwallets is still enjoyable! (For study purposes of course) Roll Eyes

If you know any other project that I didn't mention on my list, please share!

Cheers!

Dabs

legendary

Activity: 3416

Merit: 1912

The Concierge of Crypto

Yeah, no problem. I have a bunch of older paper wallet generators, some don't exist anymore due to the website disappearing (or removing the files). In the end I'm fairly convinced that using Electrum or one of those Electrum compatible seed generators using your own entropy (if you like to flip coins or roll dice) is more convenient.

Financisto

hero member

Activity: 630

Merit: 767

BTC⇆⚡⇄BTC

Quote from: ryanc on March 15, 2018, 09:47:17 PM

I plan to release an update adding support for this "passphrase plus xor" brainwallet variant, so don't go using it.

Is this "XOR implementation" really that useless (considering XOR + Warp Wallet variant)?

Quote from: Dabs on November 01, 2019, 03:01:09 PM

Someone forked Warp Wallet to spit out a 12 word seed (as well as the extended private key), but still haven't found one that directly goes to segwit addresses. You could do a multi-step procedure to use a randomly generated password to spit out yprivs and zprivs if you like to have a segwit brainwallet.

I found these:
https://github.com/Logicwax/PortalWallet <= used older Warp Wallet code, and doesn't have segwit.
https://www.nowallet.org/

The only use-case for a pure brainwallet, as others have mentioned, is when escaping a country or government or warzone with only the clothes on your back. Even in this case, you can probably sew on embroidered password under your clothes or otherwise write it down somewhere on your person.

Thanks @Dabs for mentioning nowallet.org

I just brought back from the ashes my old list of brainwallet projects here: https://bitcointalksearch.org/topic/list-compilation-of-open-source-brainwallet-projects-1164163

So I'm catching up all those yet operational and working projects...

Dabs

legendary

Activity: 3416

Merit: 1912

The Concierge of Crypto

Someone forked Warp Wallet to spit out a 12 word seed (as well as the extended private key), but still haven't found one that directly goes to segwit addresses. You could do a multi-step procedure to use a randomly generated password to spit out yprivs and zprivs if you like to have a segwit brainwallet.

I found these:
https://github.com/Logicwax/PortalWallet <= used older Warp Wallet code, and doesn't have segwit.
https://www.nowallet.org/

The only use-case for a pure brainwallet, as others have mentioned, is when escaping a country or government or warzone with only the clothes on your back. Even in this case, you can probably sew on embroidered password under your clothes or otherwise write it down somewhere on your person.

iparktur

jr. member

Activity: 119

Merit: 1

Quote from: ryanc on July 21, 2019, 09:03:11 PM

Don't use WarpWallet, the manual key management is a nightmare, and it uses uncompressed addresses. Just memorize a random 12 word seed phrase.

Hi ryanc !

Can you send me PM ?

pooya87

legendary

Activity: 3430

Merit: 10505

Quote from: asenski on September 13, 2019, 03:36:40 AM

Quote from: pooya87 on September 13, 2019, 01:50:16 AM

extending the password with a salt first and then using that for encryption is always a great idea. extending it with a strong key derivation function that is expensive to brute force such as scrypt (which uses a lot of memory) is even a better idea. setting the values for N=2¹⁸ and r=8 is also a good setting for this purpose https://tools.ietf.org/html/rfc7914#section-2

Am I understanding this correctly? You are saying that using scrypt with N=2¹⁸ and r=8 is just as good as WarpWallet, thus WarpWallet isn't achieving much by doing ton of iterations?

it is about at what layer this is being used.

* if scrypt is used to generate the mnemonic from a passphrase as it is with WarpWallet and brain wallets, it is a bad idea because even if it is a memory expensive KDF it still doesn't solve the problem of people using simple passwords and the attacker does NOT have to have access to anything to steal their coins. all they have to do is to iterate over most common words and rob them. look at this: https://bitcointalksearch.org/topic/collection-of-18509-found-and-used-brainwallets-4768828 it obviously will take a lot longer than SHA256 but it will not be impossible. if there is incentive, they will do it.

* but if it is used only for the encryption step, the attacker first has to gain physical access to your paper wallet for example and then attempt brute forcing that. so in this case scrypt is only used as one of the many security layers you are putting in place.

asenski

newbie

Activity: 8

Merit: 104

Quote from: pooya87 on September 13, 2019, 01:50:16 AM

extending the password with a salt first and then using that for encryption is always a great idea. extending it with a strong key derivation function that is expensive to brute force such as scrypt (which uses a lot of memory) is even a better idea. setting the values for N=2¹⁸ and r=8 is also a good setting for this purpose https://tools.ietf.org/html/rfc7914#section-2

Am I understanding this correctly? You are saying that using scrypt with N=2¹⁸ and r=8 is just as good as WarpWallet, thus WarpWallet isn't achieving much by doing ton of iterations?

Quote from: almightyruler on September 13, 2019, 03:28:18 AM

Seems to me you can stretch and obfuscate as much as you want, but you will never solve a couple of fundamental problems:

1. The original passphrase will still have lower entropy than a sequence of random bytes.

2. The more complicated you make the passphrase->rawkey generation process, the more likely you (or the beneficiaries in your will) are to lose funds.

It's interesting proposing new ways to make a brainwallet more secure, and I get that there are some extraordinary situations where use of a brainwallet may be justified, but otherwise... wouldn't you be better off sticking with something more conventional like a paper wallet?

Good points! I'm not suggesting using ONLY brain wallets. I just don't think they should be entirely dismissed because they were badly implemented at first.

I know this is more of a movie script than real life scenario, but interesting nonetheless:

Suppose somehow you are in a third world country robbed and left with nothing and you have a stash you can access via brain wallet just by passphrase and a salt.

(And I DON'T like that WarpWallet uses email for the salt, but could be anything that you are likely to remember forever)

almightyruler

legendary

Activity: 2268

Merit: 1092

Seems to me you can stretch and obfuscate as much as you want, but you will never solve a couple of fundamental problems:

1. The original passphrase will still have lower entropy than a sequence of random bytes.

2. The more complicated you make the passphrase->rawkey generation process, the more likely you (or the beneficiaries in your will) are to lose funds.

It's interesting proposing new ways to make a brainwallet more secure, and I get that there are some extraordinary situations where use of a brainwallet may be justified, but otherwise... wouldn't you be better off sticking with something more conventional like a paper wallet?

pooya87

legendary

Activity: 3430

Merit: 10505

Quote from: asenski on September 12, 2019, 02:01:33 PM

Quote from: pooya87 on September 08, 2019, 11:52:18 PM

Quote from: asenski on September 08, 2019, 05:56:47 PM

~
There is no way you can remember 12 words for years to come without writing them somewhere. Which also means that they could easily be stolen or lost.

true but as i explained, the alternative is still flawed so in my opinion storing the 12 words that is randomly generated is a lot safer than using a brainwallet even if it is susceptible to physical theft.
besides you can mitigate that by using some sort of encryption on it! for instance you could use the "brainwallet" as the password for encrypting the mnemonic phrase and then print the encrypted text instead and remember the password.

That is a fine idea!

What I don't like is using a simple SHA for a password. So even the password protected mnemonics if they fall in the wrong hands could easily be brute-forced.

So here is a thought perhaps we'd both agree on - what about WarpWallet type of encryption on top of the mnemonic phrases?

extending the password with a salt first and then using that for encryption is always a great idea. extending it with a strong key derivation function that is expensive to brute force such as scrypt (which uses a lot of memory) is even a better idea. setting the values for N=2¹⁸ and r=8 is also a good setting for this purpose https://tools.ietf.org/html/rfc7914#section-2

asenski

newbie

Activity: 8

Merit: 104

Quote from: pooya87 on September 08, 2019, 11:52:18 PM

Quote from: asenski on September 08, 2019, 05:56:47 PM

~
There is no way you can remember 12 words for years to come without writing them somewhere. Which also means that they could easily be stolen or lost.

true but as i explained, the alternative is still flawed so in my opinion storing the 12 words that is randomly generated is a lot safer than using a brainwallet even if it is susceptible to physical theft.
besides you can mitigate that by using some sort of encryption on it! for instance you could use the "brainwallet" as the password for encrypting the mnemonic phrase and then print the encrypted text instead and remember the password.

That is a fine idea!

What I don't like is using a simple SHA for a password. So even the password protected mnemonics if they fall in the wrong hands could easily be brute-forced.

So here is a thought perhaps we'd both agree on - what about WarpWallet type of encryption on top of the mnemonic phrases?

crypto_trader#43xzEXrP

full member

Activity: 1589

Merit: 214

Quote from: pooya87 on September 08, 2019, 11:52:18 PM

storing the 12 words that is randomly generated is a lot safer than using a brainwallet even if it is susceptible to physical theft.

This words can be encrypted by password, and saved in LocalStorage, in browser, like a seed on WAVES DEX.

Sometimes, warpwallet working good for me,
but sometimes, I see the "throw error" in console of my browser, when I try to run this WARPWALLET:

Code: ("Browser console (F12 button)")

event.returnValue is deprecated. Please use the standard event.preventDefault() instead.
Uncaught RangeError: Invalid array buffer length warp_1.0.9_SHA256_a2067491ab582bde779f4505055807c2479354633a2216b22cf1e92d1a6e4a87.html:10549
Scrypt.run warp_1.0.9_SHA256_a2067491ab582bde779f4505055807c2479354633a2216b22cf1e92d1a6e4a87.html:10549
(anonymous function) warp_1.0.9_SHA256_a2067491ab582bde779f4505055807c2479354633a2216b22cf1e92d1a6e4a87.html:10692
scrypt warp_1.0.9_SHA256_a2067491ab582bde779f4505055807c2479354633a2216b22cf1e92d1a6e4a87.html:10706
(anonymous function) warp_1.0.9_SHA256_a2067491ab582bde779f4505055807c2479354633a2216b22cf1e92d1a6e4a87.html:12650
exports.run.run warp_1.0.9_SHA256_a2067491ab582bde779f4505055807c2479354633a2216b22cf1e92d1a6e4a87.html:12660
Warper.click_submit warp_1.0.9_SHA256_a2067491ab582bde779f4505055807c2479354633a2216b22cf1e92d1a6e4a87.html:921
(anonymous function) warp_1.0.9_SHA256_a2067491ab582bde779f4505055807c2479354633a2216b22cf1e92d1a6e4a87.html:766
x.event.dispatch warp_1.0.9_SHA256_a2067491ab582bde779f4505055807c2479354633a2216b22cf1e92d1a6e4a87.html:692
v.handle warp_1.0.9_SHA256_a2067491ab582bde779f4505055807c2479354633a2216b22cf1e92d1a6e4a87.html:692

Someone can explain this, and repair?

pooya87

legendary

Activity: 3430

Merit: 10505

Quote from: asenski on September 08, 2019, 05:56:47 PM

~
There is no way you can remember 12 words for years to come without writing them somewhere. Which also means that they could easily be stolen or lost.

true but as i explained, the alternative is still flawed so in my opinion storing the 12 words that is randomly generated is a lot safer than using a brainwallet even if it is susceptible to physical theft.
besides you can mitigate that by using some sort of encryption on it! for instance you could use the "brainwallet" as the password for encrypting the mnemonic phrase and then print the encrypted text instead and remember the password.

asenski

newbie

Activity: 8

Merit: 104

Quote from: pooya87 on July 24, 2019, 12:30:55 AM

Quote from: asenski on June 14, 2019, 04:34:57 PM

Using a single step plain hash for brain wallets is definitely a bad idea. But I like the WarpWallet approach.

So far it has stood the test of time even with a password of just 8 alpha-numeric characters. (not even salt)

The key difference is that there are so many iterations instead of a single hash that brute-forcing those keys would not really be feasible (yet).

actually the main difference is in usage of a key derivation function called "scrypt" which is a memory expensive KDF and with decent settings it can become very expensive to break. N=2¹⁸ and r=8 are the "cost" that are making it expensive since you are basically deriving a 1024 byte long key and then mixing it in 8 blocks, 2¹⁸ times then deriving another key with that mixed key both times using PBKDF2.
by the way the "s2" variable it uses is quite pointless in my opinion, they could have just increase block size factor from 8 to a bigger value!

and finally i have to mention that even with this much complication, this implementation is also suffering from the same flaws as any other brain wallet: people are not capable of creating a truly random password. most of them will use simple terms which can be found/guesses easily.
setting a couple of complicated passwords as challenge doesn't mean the method is safe. you could do the same thing with other brainwallets too!

Agree that the s2 variable is pointless. The point I was making was that this is a much safer brain wallet, given that people don't use easy to guess input.
I'd still prefer WarpWallet to remembering 12 words. You can use things you'd never forget for master & salt, but are not that common or easy to guess.
There is no way you can remember 12 words for years to come without writing them somewhere. Which also means that they could easily be stolen or lost.

Quote from: ryanc on July 21, 2019, 09:03:11 PM

Don't use WarpWallet, the manual key management is a nightmare, and it uses uncompressed addresses. Just memorize a random 12 word seed phrase.

Yes, they should've generated compressed keys, but that can be fixed easily.

Quote from: almightyruler on July 22, 2019, 06:51:27 PM

Quote from: asenski on June 14, 2019, 04:34:57 PM

There are still 10 BTC sitting there as a reward to whoever can guess the 8 alphanumeric characters. (this one has pre-defined salt)

Do you mean "The WarpWallet Challenge 2"? Check the address, the 10 BTC was moved out in January 2018. The text also says that the challenge expires 1st Jan 2018.

https://www.blockchain.com/btc/address/1MkupVKiCik9iyfnLrJoZLx9RH4rkF3hnA

Right. They had the prior challenge for 2 years, and it wasn't cracked until the expiration date.

crypto_trader#43xzEXrP

full member

Activity: 1589

Merit: 214

Quote from: timisis on December 12, 2017, 09:51:12 AM

Quote from: crypto_trader#43xzEXrP on November 04, 2017, 09:15:51 PM

I have several times changed the source of https://brainwalletx.girhub.io/ for supporting a different coins,
but now I was not too lazy and took the time to write a universal brainwallet for all coins.
You can download test it here "CКAЧATЬ": http://rgho.st/8hlwbSy98
1. Unzip to the folder.
2. Drag and drop index.html -> to the tab of your browser.
3. See changes.txt

Just for you all I did add random_seed and XOR
and also I did unlock the "Secure random" button (just found it in the source code). Grin

Maybe need to add or change anything else? Just PM me.

Cant make up my mind if this is phishing or an honest typo, but the rating suggests phisher!

Hehheh. Open-source. Where you can see any phishing in the source code?
I did host it using github-pages, here: https://username1565.github.io/brainwallet.github.io/
Source code - here: https://github.com/username1565/brainwallet.github.io/

Best regards.

pooya87

legendary

Activity: 3430

Merit: 10505

Quote from: asenski on June 14, 2019, 04:34:57 PM

Using a single step plain hash for brain wallets is definitely a bad idea. But I like the WarpWallet approach.

So far it has stood the test of time even with a password of just 8 alpha-numeric characters. (not even salt)

The key difference is that there are so many iterations instead of a single hash that brute-forcing those keys would not really be feasible (yet).

actually the main difference is in usage of a key derivation function called "scrypt" which is a memory expensive KDF and with decent settings it can become very expensive to break. N=2¹⁸ and r=8 are the "cost" that are making it expensive since you are basically deriving a 1024 byte long key and then mixing it in 8 blocks, 2¹⁸ times then deriving another key with that mixed key both times using PBKDF2.
by the way the "s2" variable it uses is quite pointless in my opinion, they could have just increase block size factor from 8 to a bigger value!

and finally i have to mention that even with this much complication, this implementation is also suffering from the same flaws as any other brain wallet: people are not capable of creating a truly random password. most of them will use simple terms which can be found/guesses easily.
setting a couple of complicated passwords as challenge doesn't mean the method is safe. you could do the same thing with other brainwallets too!

almightyruler

legendary

Activity: 2268

Merit: 1092

Quote from: asenski on June 14, 2019, 04:34:57 PM

There are still 10 BTC sitting there as a reward to whoever can guess the 8 alphanumeric characters. (this one has pre-defined salt)

Do you mean "The WarpWallet Challenge 2"? Check the address, the 10 BTC was moved out in January 2018. The text also says that the challenge expires 1st Jan 2018.

https://www.blockchain.com/btc/address/1MkupVKiCik9iyfnLrJoZLx9RH4rkF3hnA

ryanc

member

Activity: 105

Merit: 59

Don't use WarpWallet, the manual key management is a nightmare, and it uses uncompressed addresses. Just memorize a random 12 word seed phrase.

asenski

newbie

Activity: 8

Merit: 104

What's your take on WarpWallet?

https://keybase.io/warp

Using a single step plain hash for brain wallets is definitely a bad idea. But I like the WarpWallet approach.

So far it has stood the test of time even with a password of just 8 alpha-numeric characters. (not even salt)

The key difference is that there are so many iterations instead of a single hash that brute-forcing those keys would not really be feasible (yet). Also you have the option of adding a salt.

There are still 10 BTC sitting there as a reward to whoever can guess the 8 alphanumeric characters. (this one has pre-defined salt)

Topic: BrainWallet Defcon Attack Discussion, Advice, Q&A, Brainflayer Info, etc. (Read 12417 times)