Topic: Collection of 18.509 found and used Brainwallets - page 9. (Read 31239 times)

No, that would be security through obscurity. It's fun to have some cool secret way to generate your key, but if it's too complex, you (or your benefactors, say if you suddenly die) could risk losing the funds.

The point is that if you must use a brainwallet, the random seed will at least make it more secure against untargeted privkey hunters. Remember that each ATTEMPT at brute forcing the passphrase+seed takes 2 days, so in theory, even a reasonably common dictionary word as your passphrase could take years to crack. (In practice, a cracker is going to be using multiple cores and possibly optimised cracking methods, so it will take less time.)

Multiple seeds can be used, for example:

1. Seed #0, which is an internal seed that is not disclosed or stored. This must be brute forced when re-generating the private key, so it is quite weak. It is intended as some extra protection against an attack.
2. Seed #1 (stored in one location) which takes ~1 day to brute force if lost.
3. Seed #2 (stored in another location) which takes ~1 day to brute force if lost.

If the user has the passphrase, seed #1, and seed #2, all it takes is (say) 60 seconds to brute force the internal seed, and generate the correct privkey.

If the user loses either of the seeds, it takes 60 seconds + 1 day.

If the user loses both seeds, it takes 60 seconds + 1 day + 1 day.

Sure. It is absolutely right.

But we are started talking about brain wallets and brain wallet feed could be generated randomly. I can keep in mind 16 random generated words, but  problem that words are already existed and could be generated again.  Good way to change 1 word from this 16 to your own created word.

I realised the other day that I still remember a few (randomly generated) 10 character passwords that I haven't used for years, and if I put them together, they could form a fairly strong 40 character brainwallet phrase. The difference with those passwords is that they were protecting access to a server, and if I forgot them, I could recover access in some other way (boot with rescue disk, phone call to data centre etc). Different matter if I forgot my brainwallet password. 

---------

I've seen someone (I think ryanc) mention before using a combination of a passphrase plus a random (weakish) seed. The seed needs to be printed out and stored somewhere safely. The beauty of this arrangement is that the seed is weak enough to be expendable, but strong enough to add some extra protection against casual hunting. If the seed is lost, you can use a program to brute force it until it finds a match for your brainwallet address. The strength of the seed is chosen so that some time (say one to two days) of brute forcing would be required.

It won't stop an attacker who is focussed specifically on you, but it will add extra protection against people who are just hunting for any passphrase matches.

You could also store some funds using the passphrase alone, using that brainwallet as a canary to alert you that someone has discovered your passphrase. For example:

10 BTC in the brainwallet-with-seed "MYPASSPHRASE_sVjH$4R"

0.1 BTC in the canary brainwallet "MYPASSPHRASE"

Disclaimer: I mention this only out of interest and don't represent that it would necessarily be secure. I don't think SHA256 brainwallets are secure anyway, so...

Yes. Random key it is the best decision, but problem that it is easy forget this random key. You should keep this random key or feed in other place than your mind, so it is additional risk.

Maybe a bit, but not really.

An attacker with the skills and resources to create and scan a precomputed list of brainwallets based on the most common words and phrases will likely also start scanning the most common permutations eventually.

So it's safer in the sense that the coins will probably only be snatched after a couple of days instead of after a couple of seconds.

Granted, given a long enough passphrase or a complex enough "cipher" your coins should be reasonably secure. However it's hard to guess at which point this is the case, which is why one should resort to more reliable methods. It's probably not at 4-word phrases with single-letter-replacements though.

Most likely yes, but :
1. It's useless if attacker know you use brainwallet & know this method
2. Unless you write down passphrase for brain wallet, you will forget your passphrase or/and your clever method
3. It's still far less secure than simply use CSPRNG to generate your private key/seed

I think the point of this entire thread can be summed up as follows:

Give up and use a secure random number generator based on a qualified true random number source of entropy unless you want to lose your Bitcoins.

What if you add your own personal coding to the obvious phrase?

Lets say, replace all the letters A with B.

For example "cbptbining finbncial conservbtism mbyonnbise" instead of "captaining financial conservatism mayonnaise"

Will it more difficult to get the key?

Occam's razor? I guess so, although it would seem more likely if only a single address (say, for change) was the odd one out.

Just for fun, I quickly hacked together something to generate four random words and filter the output so that the first bytes of the address are b0, 9a, 09 (which match the last passphrase I mentioned in this thread). The same could be done with real-world phrases if you had a sufficient number of them. A crude form of SHA256 brainwallet vanity address generation.

1H6nTM5TVQc31YqhVzVPrRUmNsL9pGJAwV b09a091fccb7e1f2f0a8120f3e17117a79759920 "captaining financial conservatism mayonnaise"

1H6nTPYd9sKto7bn7ptVqGWzD3mUdByNMy b09a0947f10d65c58ad6f7bc551b85d6d399b3b5 "gladiator playmates reduction disseminates"

1H6nTZUuqwmwKy6C64UK5jAdZATAMfpasK b09a09e9865339e6a5beabd64682380bd7862fd3 "physicists rottenness displaces processed"


=== ADDED LATER ===

Here's some real-world phrases which happen to match the simple vanity address requirements from above. I forgot about it and left things running for longer than I should have.

1H6nTagcotDzbyM3W3ymWRBRcwuJV1Cpvd b09a09fd11c309d6ae2321406c3cd8540cee9174 "scott and andrea"

1H6nTRxrjZ3PiiPvwLwegQFrtBURsKvjUo b09a096f42e5efd99614509be6625e7c1119b539 "colonel edward mandell house"

1H6nTUtXkLPgU36ufJeVEpTmPvbVGXLypV b09a099ed5ce28e7f241ce53893045ad88d48da3 "never gonna be as big as jesus"

(Note: These are examples from my vanity generation experiment, not actual cracked passphrases.)

My guess: someone created a list of addresses, sorted it, and copied a part of it to be funded. I don't think there's much more behind it.

I thought at first you were onto something, but when you look more closely, it is not cleanly sorted.  For example, the address 1Ct2qiAXf6iYHQ3iUB3sfinR5SfzhYQf4u (output 86) is alphabetically lower than the address 1FuicRGD8kQoPmnsXTirEoeoVtVwrjQs7T (output 0)

Here is the raw transaction:

https://www.almightycoins.org/cc5e0d2d0f46b56ab57027e236ed3ebff4ed7157238947db2ae59cddca60e08b.txt

And the output scripts only, which show the RIPEMD160 hex representation of the addresses:

https://www.almightycoins.org/cc5e0d2d0f46b56ab57027e236ed3ebff4ed7157238947db2ae59cddca60e08b-outputscript.txt

You can see here the outputs are loosely but not perfectly sorted.

There is still something unusual about this selection of addresses, because for 92 of the 101 outputs, the first byte of the RIPEMD160 hash is between a3 and cf. This includes the address which is generated from the passphrase "just let the lovin take ahold" (first byte is b0). If the addresses were truly random, you would expect a much wider distribution over 101 values, but only 9 values fall outside of that cluster. So there's some kind of filtering going on, for whatever reason.

You can see that addresses are arranged alphabetically, sorted by first two letters (first is always lowercase).
Looks like addresses were generated by vanitygen.

I think there are still many many more to be found out there my guess.
Interesting find on the 6 words are those song lyrics by any chance?

https://www.blockchain.com/btc/address/b09a09458fe9bb86b0d897b4c244b05432bad28d

This one is interesting for a number of reasons...

- It seems to be a relatively early use of a SHA256 brainwallet (January 2012).

- The transaction originally funding this brainwallet split 1 BTC into neat sets of 0.001 and 0.005 BTC. Could other outputs from this transaction - there are 101 in total - also be brainwallets, or some other kind of special address? Some are still unspent, 7.5 years later.

- A second set of funds (6.08 BTC) was sent a couple of weeks later, then all funds were swept the following year. Over time, the value of 6.08 BTC appreciated from around $USD 35 in February 2012, to almost $USD 600 in July 2013. (The sweep output is still unspent; 6.08 BTC is now worth nearly $60,000. Hope the owner still has the privkey!)

The passphrase is just let the lovin take ahold

The real issues is the weak PK values here and education on how to create secure keys.
I tested lot's of the tools that are available out there even going as far as to parse the entire blockchain into MySQL table while running ABE and BF and a few other scanners I have there are still 100's of un-secure wallets out there waiting to be picked up by the sweepers (just for the record I don't sweep funds and never will.)

But it's quite a concern that many people seem to have funds laying out there which any competent person with python and a word list could find.
I also ran some checking on the old style electrum seeds with a "modified" word list and have had some wallets return with funds highest was around 0.15 BTC.

I am unable to post the results as the wallets seems to be active.

I posted in this thread a few months ago that even on testnet funds get swiped instantly.

Doesn't mean many people still bother running them.

Sweep bots existed long before this thread was started...

I wanted to say someone's watching this thread, but I think $400 is a bit too much to waste on proving a point. I wonder how many more tried to steal those coins.

Pure speculation here - I'm not very good at following transaction trails - but the source wallet has a high number of transactions and large cumulative balance, so I'm guessing it could be an exchange wallet, and that 0.25 BTC was a withdrawal by a customer. Question is, how did the funds end up being sent to that address? Was this some internal software deliberately stealing funds, or did this key get imported into someone's wallet somehow?

IDEA: exchanges and any other services which allow customers to withdraw should maintain a blacklist of addresses with weak keys / broken brainwallets, so that any attempts to send to such an address are blocked.