Bitcoin Forum>Bitcoin>Bitcoin Discussion
Author

Topic: brainwallet sillyness (Read 1038 times)

BurtW
legendary
Activity: 2646
Merit: 1137
All paid signature campaigns should be banned.
brainwallet sillyness
December 03, 2013, 08:39:29 AM
#10
Quote from: kuverty on December 03, 2013, 08:37:12 AM
Quote from: BurtW on December 03, 2013, 08:30:15 AM
Quote from: niothor on December 03, 2013, 08:09:01 AM
Yeah but you have to change them into privatekeys , and this is almost impossible for the sucker wanting to buy something like that... Smiley))

Don't understand your comment.  It sounds very easy:

1) Buy or get a list of the one million most common pass phrases and passwords.
2) Generate the one million private keys by doing PrivateKey = SHA(password)
3) Generate the one million Bitcoin addresses from the one million private keys
4) Set up to sweep all coins sent to any of these one million Bitcoin addresses into your personal wallet
5) Wait for some sucker to use one of those password/phrases and profit!

Or better yet do this with two million password/phrases.

Sure it would take a few hours to do but "almost impossible"?

I guess he meant that anyone who would buy such a list is not tech-savvy enough to do step 2... that would involve some very simple coding at least.
Oh, I see:  anyone who would buy such a list, as opposed to just downloading a free one = too stupid to know how to use it.  Got it.
kuverty
sr. member
Activity: 770
Merit: 250
Re: brainwallet sillyness
December 03, 2013, 08:37:12 AM
#9
Quote from: BurtW on December 03, 2013, 08:30:15 AM
Quote from: niothor on December 03, 2013, 08:09:01 AM
Yeah but you have to change them into privatekeys , and this is almost impossible for the sucker wanting to buy something like that... Smiley))

Don't understand your comment.  It sounds very easy:

1) Buy or get a list of the one million most common pass phrases and passwords.
2) Generate the one million private keys by doing PrivateKey = SHA(password)
3) Generate the one million Bitcoin addresses from the one million private keys
4) Set up to sweep all coins sent to any of these one million Bitcoin addresses into your personal wallet
5) Wait for some sucker to use one of those password/phrases and profit!

Or better yet do this with two million password/phrases.

Sure it would take a few hours to do but "almost impossible"?

I guess he meant that anyone who would buy such a list is not tech-savvy enough to do step 2... that would involve some very simple coding at least.
niothor
hero member
Activity: 826
Merit: 501
in defi we trust
Re: brainwallet sillyness
December 03, 2013, 08:35:34 AM
#8
Quote from: BurtW on December 03, 2013, 08:30:15 AM
Quote from: niothor on December 03, 2013, 08:09:01 AM
Yeah but you have to change them into privatekeys , and this is almost impossible for the sucker wanting to buy something like that... Smiley))

Don't understand your comment.  It sounds very easy:

1) Buy or get a list of the one million most common pass phrases and passwords.
2) Generate the one million private keys by doing PrivateKey = SHA(password)
3) Generate the one million Bitcoin addresses from the one million private keys
4) Set up to sweep all coins sent to any of these one million Bitcoin addresses into your personal wallet
5) Wait for some sucker to use one of those password/phrases and profit!

Or better yet do this with two million password/phrases.

Sure it would take a few hours to do but "almost impossible"?


You know the chances of actually be the one that wil make the transfers? There are lots of bots monitoring that correct battery address.
Will you bother to do the above? Probably no , because you know it's not worth.

But lot's of newbies around here thinks that they will hit the jackpot with such a tool. An usually the people who believe in such gains and not the most techie around.
BurtW
legendary
Activity: 2646
Merit: 1137
All paid signature campaigns should be banned.
Re: brainwallet sillyness
December 03, 2013, 08:30:15 AM
#7
Quote from: niothor on December 03, 2013, 08:09:01 AM
Yeah but you have to change them into privatekeys , and this is almost impossible for the sucker wanting to buy something like that... Smiley))

Don't understand your comment.  It sounds very easy:

1) Buy or get a list of the one million most common pass phrases and passwords.
2) Generate the one million private keys by doing PrivateKey = SHA(password)
3) Generate the one million Bitcoin addresses from the one million private keys
4) Set up to sweep all coins sent to any of these one million Bitcoin addresses into your personal wallet
5) Wait for some sucker to use one of those password/phrases and profit!

Or better yet do this with two million password/phrases.

Sure it would take a few hours to do but "almost impossible"?
niothor
hero member
Activity: 826
Merit: 501
in defi we trust
Re: brainwallet sillyness
December 03, 2013, 08:09:01 AM
#6
Quote from: kuverty on December 03, 2013, 07:54:49 AM
Quote from: niothor on December 03, 2013, 07:44:53 AM
Quote from: kuverty on December 03, 2013, 07:40:01 AM
I do think that if brainwallets get popular, it will be rewarding for a thief to keep a list of some good phrases.
Somebody was selling 200k passkeys for the most used passwords a while ago.

Huh? Passwords? I hope he didn't get any for that... such lists are easily available, aren't they. I've seen huge lists of leaked plaintext passwords, cracked md5's etc

Yeah but you have to change them into privatekeys , and this is almost impossible for the sucker wanting to buy something like that... Smiley))
kuverty
sr. member
Activity: 770
Merit: 250
Re: brainwallet sillyness
December 03, 2013, 07:54:49 AM
#5
Quote from: niothor on December 03, 2013, 07:44:53 AM
Quote from: kuverty on December 03, 2013, 07:40:01 AM
I do think that if brainwallets get popular, it will be rewarding for a thief to keep a list of some good phrases.
Somebody was selling 200k passkeys for the most used passwords a while ago.

Huh? Passwords? I hope he didn't get any for that... such lists are easily available, aren't they. I've seen huge lists of leaked plaintext passwords, cracked md5's etc
niothor
hero member
Activity: 826
Merit: 501
in defi we trust
Re: brainwallet sillyness
December 03, 2013, 07:44:53 AM
#4
Quote from: kuverty on December 03, 2013, 07:40:01 AM
I do think that if brainwallets get popular, it will be rewarding for a thief to keep a list of some good phrases.

There are already bots scanning addresses with simple passwords.
Somebody was selling 200k passkeys for the most used passwords a while ago.
CIYAM
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
Re: brainwallet sillyness
December 03, 2013, 07:42:08 AM
#3
Indeed - it has been pointed out many times that brainwallets are not something that most should even consider using.

At the very least if someone is considering using a brainwallet then the "pass phrase" that they use should actually be something that has first gone through some sort of hashing algo through multiple passes (and better to use multiple algos).

Although of course one would never recommend starting with "correct horse battery staple" but I would guess that if you hashed that say 99999 times (and of course now that would be useless because I just wrote that) then it would be a hell of a lot safer.

Bear in mind with broken RNG implementations you could also lose your BTC by just using a supposedly "random" address.
kuverty
sr. member
Activity: 770
Merit: 250
Re: brainwallet sillyness
December 03, 2013, 07:40:01 AM
#2
I do think that if brainwallets get popular, it will be rewarding for a thief to keep a list of some good phrases.
djalexr
member
Activity: 104
Merit: 10
Re: brainwallet sillyness
December 03, 2013, 07:31:44 AM
#1
I find it interesting how much activity the brainwallet address generated by "correct horse battery staple" generates!

This is the default brainwallet in place if you go to generate something at brainwallet.org.

https://blockchain.info/address/1JwSSubhmg6iPtRjtyqhUYYH7bZg3Lfy1T

You do see money frequently going in and out of this address, but somebody actually sent a whole 0.8651 BTC (worth more than $800 at the time) to the 'correct horse battery staple' address just two days ago...

Unsurprisingly, it left the account about 10's afterwards...

Sadly, the only sane explanation I can think for this happening...somebody went to generate a brainwallet using this site but accidentally refreshed and used the default 'correct horse battery staple' instead of their own passphrase Sad

This story on reddit about somebody managing to randomly guess a brainwallet with 400btc is also relevant

http://www.reddit.com/r/Bitcoin/comments/1ryj9s/help_i_might_have_access_to_your_wallet/

Anyway, I think the point is that given how much effort people will now be putting into trying all the possible brainwallet combo's highlights how this is really quite a foolish way of storing your coins.

If you are trying to think up a brainwallet passphrase with enough entropy...you may aswell just use a properly pure private key and keep it safely offline.






Bitcoin Forum>Bitcoin>Bitcoin Discussion
Jump to: