Topic: Collection of 18.509 found and used Brainwallets - page 13. (Read 31129 times)

I saw someone mentioned in an earlier thread that their SHA256 brainwallets were also swiped on testnet, so I just tried a test transaction, sending to 50 random dictionary words that also appear as SHA256 wallets in the main blockchain:

https://testnet.blockchain.info/tx/8956ca8164d08087627e42eb6895984ac4960e61af3a04983de5bd0edbd100e8

This block explorer shows spent outputs:

https://live.blockcypher.com/btc-testnet/tx/8956ca8164d08087627e42eb6895984ac4960e61af3a04983de5bd0edbd100e8/

As I write this, only a few minutes after sending, the only output which hasn't been spent appears to be the change (which is a random wallet generated key). All of the SHA256 derived keys were swept within seconds, just like the bots do on mainnet.

I was planning to write a very simple bot to demonstrate (on testnet) how quickly funds can be stolen, but it looks like I don't need to bother. Mine would have been a clunky hack that took five or ten minutes to sweep the funds back to the testnet faucet... but it seems there's already something more sophisticated listening in!

These are the words I sent to:

disparities
aggrandize
perfectionists
genuinely
creations
earthworms
intimidated
lengthened
conquered
decrementing
gianni
astronomer
inapproachable
sterilizations
interruption
insulation
nationalize
demographic
cocoana
retransmitted
ammunition
antagonize
vacationing
complexion
trickiness
housebroken
embarrassing
distraught
brownness
juxtaposing
trigonometry
pernicious
arrowhead
scratchers
tempestuously
pornographer
luxuriant
geometrical
inorganic
reinserting
refinement
approachable
screening
broadcasted
normalize
superposed
formulating
screenplay
cannibalizing
glorifies

There's really no way to know how many SHA256 (or similar type) brainwallets exist, because the public information (the address, and possibly public key) looks just as random as something generated by a more traditional wallet client. It's not until you crack the passphrase that you know it's a SHA256 brainwallet.

As I've surmised previously in the thread, I suspect that a lot of thefts do not go reported, publicly anyway, because the typical person who uses a SHA256 brainwallet is probably not very technically minded, and may not think to find a forum such as BCT where they can ask for help. Pride may also play a part. I imagine there's a fair few exchange support tickets asking about a withdraw that "didn't work".

I think that showing how funds can be stolen within literally seconds is a pretty powerful indicator of the potential risk of using a SHA256 brainwallet ... but those same non technically minded people may never find that information.

I wonder, is there any way to estimate the % of brainwallets (either by number of accounts created or amount of funds deposited) that have been compromised? This would take more than just blockchain research but I'm curious as to whether researchers have taken a stab at understanding just how bad use of brainwallets really has been. 1%, 10%, 90% lost?

I'm doing a writeup on why SHA256 brainwallets are bad, and I'm working on a list of particularly bad passphrase choices:

- Using a single dictionary word. [Funds will be stolen instantly.]
- Using two to four dictionary words in sequence, such as the famous example "correct horse battery staple". [This does not imply that five or more words is necessarily secure.]
- Basing your passphrase on a pop culture reference, such as a quote from a movie, or a meme, or song lyrics.
- Repeating a dictionary word (or common string such as "123456789") multiple times to form a longer passphrase.
- Preprending or appending a few extra letters, numbers, or other characters, to the passphrase.
- Converting certain letters to form l33t speak (eg "hello" -> "h3ll0").
- Typing a sentence, or short sequence of random dictionary words, without spaces.
- Repeating a simple sequence of characters to form a longer passphrase.
- Any patterns related to keyboard layout, such as "qwerty" or "qazwsx".
- Part or all of a well known number, such as Pi, or the speed of light.

Any other suggestions?

Doing some quick back of the envelope calculations. Consider this a thought experiment rather than anything too accurate.

My server with a 2010 era quad core CPU can check about 300,000 keys per second. It could probably be pushed further with some tweaking.

Let's say (conservatively) that a more modern quad core CPU can do 500,000 and use that as the reference. That means it can check 43.2 billion keys per day.

Brute forcing the "correct horse battery staple" space

One dictionary that includes a rank of how commonly a word appears on the web ranks the least common word "staple" at 16904.

So let's use that hint (some mild cheating) and set our limits to the 20000 most common words.

Total keys to check (20000 x 20000 x 20000 x 20000) =
160 000 000 000 000 000
And a server can check this many keys in a day:
         43 200 000 000

So in this instance, we would need approximately 10,000 servers running for a year to brute force every combination of those 20000 words. Not practical, but certainly not impossible.

But what if we use only the most common 1000?

Total keys to check (1000 x 1000 x 1000 x 1000) =
     1 000 000 000 000
And a server can check this many keys in a day:
        43 200 000 000

In this case, we only need about 23 server days (one server running for 23 days, or 23 servers running for one day) to cover the space.

And if we try the top 500:

Total keys to check (500 x 500 x 500 x 500) =
        62 500 000 000
And a server can check this many keys in a day:
        43 200 000 000

Now a single server can cover the whole space in about one and a half days. That's actually (much) less time than to brute force a simple 6 character password.

I'm not suggesting that everyone's four-word-wallet can be cracked wide open in a day, but it does mean that low hanging fruit - think simple, common words - will be quickly found.

Blockchain+SHA256 brainwallets: the world's biggest encrypted password file...

This one seems to be just for fun:

"i killed the bank"

https://www.blockchain.com/btc/address/14GZ9Azv3bQqHv2pPDvyezAgHDJ7m1y9aJ

Funded with 1 Satoshi in 2012. (The transaction fee was 50000 Satoshis. )

This tiny balance was cleared out in 2015, along with the funds from at least one other brainwallet.

My system just found this wallet:

https://www.blockchain.com/btc/address/17EzdiY1PT1okKj9wnUx8a4eCXaddhgfgR

Another recent transaction, although not an immediate sweep, so hopefully not a theft. (The password is not listed in Google or haveibeenpwned.)

The funding transaction has lots of small outputs, and one large output, so I suspect this is the hot wallet of an exchange or similar payment service. Really scary that people are still making new SHA256 brain wallets. I wonder if this exchange offers that option?

The darker "L" shaped region in the bottom left has an obvious cut off at 12, and also between 28-31, representing a significant portion of people use either DD/MM or MM/DD as a pin. I would wager the majority of these are probably their own date of birth.

Lots of number patterns are very obvious too - 2468, 2345, 5678, 9876, 2580/0852 (straight down/up the middle of the keypad).

In short - people are bad at security.

But, but... this website says I can withdraw to a password.  

(Some of the still-existing SHA256 brainwallet generator sites do not make it clear just how risky choosing to use/continue using that type of wallet is. I'd say they're partially to blame for the more recent thefts.)

---

This is an interesting slide I came across, showing a visual depiction of the 4 digit PIN space, when chosen by humans:



I can see a few obvious patterns:

1. 1234 is a popular PIN. 4321 is also up there.
2. 69 is a popular part of a PIN.
3. Repeated double digit sequences are common, eg 1717 or 6969 (the latter appears to be the most popular repeated sequence)
4. 19xx and 20xx are popular; perhaps the year of birth of the card owner, or their offspring.

I'm not sure if it would be possible to represent SHA256 brainwallets in a similar visual way, but it would be interesting if there were some way to map phrases to a two or three dimensional space.

Oh for sure, but as I've mentioned before, the human brain is completely fragile. With no way to back up or recover data, and all it takes is a minor blow to make you forget you even have passphrase, let alone what it is.

Even if your brain wallet is more secure than a simple song lyric or something equally stupid, it's still a bad choice for storing your coins.

Yeah, but the term "brain wallet" is fairly broad. We're really only discussing simple privkey = sha256("user chosen passphrase") type wallets in this thread; I've probably failed to make that important distinction when writing my own replies. Brain wallets which use a passphrase generated by a computer, representing a cryptographically strong random private key expressed in text form, are on a completely different level. Even a key-stretched user-entered passphrase with salt is significantly more secure. It's a pity that the same term continues to be used for these more secure methods, because it probably gives some credence to the original wildly insecure version.


Yeah, I know what you mean about time. I've been spending a disproportionate amount of time on this, and also some cash (had to buy some extra HDs, and rent some server space). I'm probably at the point where I've grabbed most of the low hanging fruit by now, so to be honest, the buzz from finding a new (and good) passphrase and being able to trace the wallet's history is wearing off. Although it is interesting to come up with new data sources, and think about how to manipulate them into forms that may represent passphrases. Some of the user-entered data I've collected from websites I run, which have nothing to do with cryptocurrency or infosec, have resulted in SHA256 brainwallet hits.

I'm still trying to understand why someone would do this for money. Maybe in 2013 it may have worked, but these days the investment in effort (custom coding) and equipment (storage, virtual CPUs for cracking) seems to outweigh any potential benefit. Perhaps it's a criminal ego thing.

I have/had the same idea. Let me know if you're going to work on this. Otherwise I will pick it up. I already have all btc transactions in a database so I guess I already have the right tool in place. Now all I need is (more) time

Hell, even people who supposedly are "tech savvy" are using brain wallets. You see them advocated for all the time on these forums. McAfee's latest hardware wallet scam turned out to be a glorified brain wallet. It's no excuse though really - if you can figure out how to buy and transfer bitcoin, you know how to install an app on your phone and use a mobile wallet as a bare minimum. Sure it's not the best, but it's 1000x better than a brain wallet.

Brain wallets are for the brainless.

Hmm, that gives me an idea. It should be possible to do some basic (automated) analysis on brainwallet transactions, to find common theft destination addresses (such as https://www.blockchain.com/btc/address/1brain7kAZxPagLt2HRLxqyc3VgGSa1GR ) and then work back a level or two to find other potential compromised wallets. This may help flag wallets which were not instantly cleaned out - which is a red flag for sure - but where funds ultimately ended up at the same address as the more blatant thefts.


I'd say most of the people still using a brain wallet are simply not tech savvy, and see it as a low friction solution for storing their funds. No software is necessary, nor do you need to write down or print out any weird codes.

I've done Google searches for some of the plausible real brainwallets (ie not just dust intending to be found as a challenge) and often the only results are block explorer pages; no specific mention of a theft. Could it be that these non tech savvy users don't know who (or where) to ask about the theft, at least in a public forum, and so simply move on?

I suspect that in the past, and possibly even now, some services such as exchanges, block explorers, and online wallets offer a feature to withdraw directly to a brain wallet. What could be easier than storing your funds "in a password"?

Here's an article from 2013 which shows bots were active even back then: http://cointext.com/2013/11/04/brain-wallet-thefts-increasing/

This is crazy. Within 2 seconds of the Bitcoin being deposited to that address, 3 different people/bots tried to steal it, and 1 was successful. 1 of the failed attempts was to send it to this address:

https://bitaps.com/1GGctqw9UeUd2vUFRdz5fUvHQnmxAEiTAK

Every single one of the 104 transactions to this address is trying to empty another address within a second or two of a deposit being made. A lot of them are unsuccessful due to the funds being cleared by someone else first, but this address has still managed to steal 0.166 BTC. What's worse is you can look at pretty much any of those transactions and see two or three more addresses trying the exact same thing, all with their own extensive histories of clearing out other addresses within seconds a transaction being made.

If ever there was an argument against using a brain wallet, this is it. Your BTC will be stolen before you've even refreshed your browser and seen that your transaction has been confirmed.

I went through it and though I don't understand the specifics of how you did it, I am amazed at your findings! Thanks for sharing this!

Things were getting a bit boring because my system was only finding one or two new wallets per day, but today it suddenly found about 30 new ones.

Here's another (relatively) recent transaction, which was swept out immediately:

https://www.blockchain.com/btc/address/15jG7moSaWgQADbG45cbvc79sHjKBBnxBk

Alternate block explorer showing double spend attempts within the same couple of seconds:

https://bitaps.com/15jG7moSaWgQADbG45cbvc79sHjKBBnxBk

Nearly 1 BTC is not a small amount. Back then it was worth around $15k USD

Password is "letthegoodtimesroll"

---

This one lasted a bit longer, and uses a non english phrase that doesn't appear in my password lists or haveibeenpwned (so I won't reveal it here) : https://www.blockchain.com/btc/address/1AsUMTvY4bRXKXrFZ1tbQ8xi1Lz3DiBNHt

Hopefully the transfer out was by the rightful owner.

---

Some of these brainwallet funding transactions have multiple outputs, often with one large output (change?), so I suspect they're withdrawals from an exchange, and people are sending to this cool wallet thing they can generate safely without needing to install any software........

Don't use SHA256 brainwallets!

Yes, I can see you've spent some time collecting the data and making a nice interface to present it. Perhaps you should make a way for people to leave comments? For example, to link to a thread discussing that specific brainwallet. I'm thinking about approaching this from another perspective, making a website that displays (well known) passphrases to show how basic some of them are, and how quickly funds sent to those addresses were swept away. May even try sending small amounts to a few of them (like ryanc did live in one of his presentations) to demonstrate that the funds will be stolen within literally seconds.

Obviously, I need to do this in a way that makes it obvious how insecure passphrase brainwallets are, but without making it seem too easy for a would-be thief. (To make it clear: it's NOT easy, and I'd say that in 2018 we'd be beyond the point of diminishing returns.)


Still collecting, but I'll share at a later date. I forgot to mention that I'm also including Litecoin and Dogecoin, so some of those keys would not be for Bitcoin.


Yes, I think that's a point that some people will struggle to grasp, that the very first time they use their new brainwallet phrase the funds could be stolen instantly. And also that brainwallet thieves are not focussing on cracking any specific address; the method of cracking will find ANY insecure wallet. So both these arguments fail:

- I'm the only one who knows my passphrase
- No one cares enough about me to try hacking my wallet

This comment on Hacker News from the owner of 1brain... may provide some insight:

https://news.ycombinator.com/item?id=7368283

(That was the only thing that account posted on HN. No one ever replied to that comment.)

Thanks for bumping. I kind of felt there was not much interest in this before as I expected to get a lot more responses to the list I published. Publishing the results including proof cost me quite some time. But good to see another person with the same interest


I think your results share a lot of findings in my set. I am very much interested in the ones you found so I can update my list with the ones I missed. Any chance you can share your findings? (a list of found words/sentences you found would be enough)


Yes, there are a couple of bots active which monitor the mempool (using a modified bitcoind client) for incoming transactions. Each address found is then matched against a very large set of addresses composed on all kinds of brainwallets. In other words: Just because the brainwallet "Jack" hasn't been used yet doesn't mean it is a safe brainwallet. When you would deposit some coins into the attached address you can be sure they will be stolen within the blink of an eye.

I doubt such papers exist.

The answer to the question depends on repetition, though. You can commit a 12 word phrase to memory relatively easily, probably in under an hour. You'll remember it for a day or two, no problem, but you'll have forgotten most of it in a week or two unless you practice it a few times every day. There's no way most people will remember something like that for >10 years unless you are repeating it at least a couple of times a week.

And then, as I mentioned, all you need is a mild blow to the head or a bad infection and you've forgotten it.