
Topic: Electrum vs Multibit (Read 6015 times)

newbie
Activity: 28
Merit: 0
November 03, 2017, 02:02:21 AM
#24
I'm figuring out which client to use. Could we discuss which one is better? Major factors to consider: security and ease of use.

Electrum is free software, but it is more safe and secure. It can make bitcoin payments more secure. It has secure two-factor authentication also, so no doubt about the security. Electrum verifies your bitcoin transaction in the blockchain. Electrum can run on any software, so it has great security. Electrum is a fast and secure wallet. It has one great opportunity: you can export your bitcoin private key with bitcoin users, but it has no loss. And keep your keys offline and go online with a watching-only wallet.
legendary
Activity: 1946
Merit: 1137
August 10, 2016, 08:37:32 AM
#23
-snip-
Yeah that sounds about right... 8 places, with 94 options per place is 94^8... which is around 6.095E+15 variations...

I guess the issue is that people are stupid and will make a password like Pass1234 and think it is secure. Most hackers are likely to just run a bruteforce on letters and numbers... 62^8 would only be around 27 years Wink

One question I do have, because I'm not sure how the password hashing functions used by the wallets (it was mentioned SHA256 and Scrypt) operate... but what is the risk of hash collision using the various functions? ie. From experience, I know of Excel spreadsheet brute forcing passwords will return a password that unlocks the sheet, but is completely different from the original password used. eg original password was Test1234 and the brute force showed aaaa1999. I assume this is due to checking the "hash" of the input password and the 2 inputs generating the same hash.

well of course security is all a matter of degrees. having an 8 character long password compared to having a 15 or having enough randomness and including symbols, ... these are all ways to increase this security.

and as for the second part of your question i am going to go with not possible but i am afraid my opinion on that matter is of no value since i have little information in that area.

maybe these can help: http://stackoverflow.com/a/4014407
https://www.google.com/search?q=sha256+hash+collision
member
Activity: 65
Merit: 10
August 10, 2016, 04:06:05 AM
#22
Multibit HD has a fee limit of 0.0005 per KB, Electrum does not.

Multibit HD has a repair wallet feature which is a fast way to delete any transaction that has been dropped from the network. Electrum doesn't have such a feature, but some said recovering an Electrum wallet from seed does the same thing (haven't tried that so I don't know if it's true).

In Multibit HD you'll have to create a payment request for each deposit, Electrum doesn't need you to create a request and lists multiple addresses for you to choose.

I believe there are more, but I don't use Multibit HD all that much so there are some features that I'm not familiar with.

Edit:
For security, both appear to be at the same level for standard wallet. But in Electrum you have the option to create a 2FA wallet.

I definitely love Multibit features which are not present in Electrum.
But I can't import my private key in the form of text, not a file. How to import a private key in Multibit? I only found import through a file in Multibit.

At electrum I can import private key without a file just type the key 5HxZTeWe6BEg85ugNDYNm.........................
HCP
legendary
Activity: 2086
Merit: 4314
August 10, 2016, 02:42:36 AM
#21
when i said 8 i didn't really calculate anything but let me do it now here and you check if i am doing it right:

there are 26 letters in English
x2 because of lower case and upper case
there are 10 numbers
there are 32 signs (symbols) on the keyboard only (*, /, #, $, ,, ^) and i won't count the rest of the signs (ƒ, ¥,£,...)

this total is 94 so a random password like this: Df@m$Jdu (8 char long) has 6E+15 different possible variations.
and if i understand the picture above correctly the worst case scenario is going through 2.5E+5 passwords/s
so it would take 2.44e+10 sec or in other words it takes 773 years to go through the passwords.
Yeah that sounds about right... 8 places, with 94 options per place is 94^8... which is around 6.095E+15 variations...

I guess the issue is that people are stupid and will make a password like Pass1234 and think it is secure. Most hackers are likely to just run a bruteforce on letters and numbers... 62^8 would only be around 27 years Wink

One question I do have, because I'm not sure how the password hashing functions used by the wallets (it was mentioned SHA256 and Scrypt) operate... but what is the risk of hash collision using the various functions? ie. From experience, I know of Excel spreadsheet brute forcing passwords will return a password that unlocks the sheet, but is completely different from the original password used. eg original password was Test1234 and the brute force showed aaaa1999. I assume this is due to checking the "hash" of the input password and the 2 inputs generating the same hash.
legendary
Activity: 1946
Merit: 1137
August 07, 2016, 07:47:05 AM
#20
it is the password which is used to encrypt the wallet file and NO you do not need a 50-60 char long pass. brute force is done with a dictionary or similar ways so you are still pretty safe with a password which is 8 char long but it is random letter+number+signs

although i am interested to hear from f___o about the method he is talking about for breaking these encryptions, is it brute force the way i think or is it something else?
As he explained to me earlier... that graph shows the relative speed with which one can test passwords against the encrypted wallet file due to the hashing algorithms they use for comparing input password with file password.

Some algorithms are super fast, so you can test passwords faster... as you can compute their hashes faster to test against the encrypted file.

Of course, this is still brute forcing... so if you use a "secure" password which is nice and long (I hesitate to give a definite value, but certainly longer than 8 and the longer the better), and uses uppercase, lowercase, numbers and symbols... brute forcing is still going to take a "long" time to run through all the possible combinations... What the graph shows is just that one program (MultibitHD) would take considerably longer than the other (Electrum) due to password test speed.


when i said 8 i didn't really calculate anything but let me do it now here and you check if i am doing it right:

there are 26 letters in English
x2 because of lower case and upper case
there are 10 numbers
there are 32 signs (symbols) on the keyboard only (*, /, #, $, ,, ^) and i won't count the rest of the signs (ƒ, ¥,£,...)

this total is 94 so a random password like this: Df@m$Jdu (8 char long) has 6E+15 different possible variations.
and if i understand the picture above correctly the worst case scenario is going through 2.5E+5 passwords/s
so it would take 2.44e+10 sec or in other words it takes 773 years to go through the passwords.
HCP
legendary
Activity: 2086
Merit: 4314
August 06, 2016, 08:49:46 AM
#19
it is the password which is used to encrypt the wallet file and NO you do not need a 50-60 char long pass. brute force is done with a dictionary or similar ways so you are still pretty safe with a password which is 8 char long but it is random letter+number+signs

although i am interested to hear from f___o about the method he is talking about for breaking these encryptions, is it brute force the way i think or is it something else?
As he explained to me earlier... that graph shows the relative speed with which one can test passwords against the encrypted wallet file due to the hashing algorithms they use for comparing input password with file password.

Some algorithms are super fast, so you can test passwords faster... as you can compute their hashes faster to test against the encrypted file.

Of course, this is still brute forcing... so if you use a "secure" password which is nice and long (I hesitate to give a definite value, but certainly longer than 8 and the longer the better), and uses uppercase, lowercase, numbers and symbols... brute forcing is still going to take a "long" time to run through all the possible combinations... What the graph shows is just that one program (MultibitHD) would take considerably longer than the other (Electrum) due to password test speed.
hero member
Activity: 854
Merit: 1007
JAYCE DESIGNS - http://bit.ly/1tmgIwK
August 06, 2016, 07:48:51 AM
#18
-
Is that the password or the private key statistics?

Because if it's a password, then it can be easily defended if you put something 50-60 character long.

it is the password which is used to encrypt the wallet file and NO you do not need a 50-60 char long pass. brute force is done with a dictionary or similar ways so you are still pretty safe with a password which is 8 char long but it is random letter+number+signs

although i am interested to hear from f___o about the method he is talking about for breaking these encryptions, is it brute force the way i think or is it something else?

8 chars, you are joking, right?

You should have at least 20 chars, but that is pretty bad for the long term. So anything over 30 chars should be considered.
legendary
Activity: 1946
Merit: 1137
August 06, 2016, 07:29:35 AM
#17
-
Is that the password or the private key statistics?

Because if it's a password, then it can be easily defended if you put something 50-60 character long.

it is the password which is used to encrypt the wallet file and NO you do not need a 50-60 char long pass. brute force is done with a dictionary or similar ways so you are still pretty safe with a password which is 8 char long but it is random letter+number+signs

although i am interested to hear from f___o about the method he is talking about for breaking these encryptions, is it brute force the way i think or is it something else?
hero member
Activity: 854
Merit: 1007
JAYCE DESIGNS - http://bit.ly/1tmgIwK
August 06, 2016, 04:27:34 AM
#16
Electrum is without a doubt the best, it's enough for any of you that think different to check the alternative clients both section of Multibit and Electrum you will see there that a lot more problems happen with Multibit than with Electrum. With this I don't want to say Multibit HD is bad, not at all, but just want to underline less problems from Electrum. As for the security, both have seeds and allow a top notch password very difficult to be hacked by brute force. In security they are both very safe, but less problems happen with Electrum and Multibit HD is more prone to problems from what I have seen in the Multibit section.

Looks like you missed the post directly above yours. This is roughly my experience as well.

I'm figuring out which client to use. Could we discuss which one is better? Major factors to consider: security and ease of use.

Multibit HD is better protected against brute force attack.



Quoted so the picture shows.

Is that the password or the private key statistics?

Because if it's a password, then it can be easily defended if you put something 50-60 character long.
legendary
Activity: 1190
Merit: 1002
August 06, 2016, 03:18:05 AM
#15
About Multibit, I have never used it so I cannot say anything about it, but I have been using Electrum for the past 12 months and more and I am very happy with it. The only problem there is that if the passphrase keys are stolen then we cannot generate a new passphrase for the wallet. I mean, if the wallet got hacked and the hacker gets your seed key then he can operate your wallet from anywhere, so if we want to change the seed key then it is not possible and we have to leave that wallet and create a new wallet and start anew. This is the problem faced by one of my friends, as his computer got hacked and the hacker stole the seed key. Now he is not able to use that wallet. So this is the only problem faced.
hero member
Activity: 758
Merit: 606
August 05, 2016, 04:27:59 PM
#14
I have used both of these wallets and they appear to be very secure.  The only security issues I have ever read about while reading all over the net seem to come from operator error!  It is important for you to decide what actions are necessary before you select a wallet.  e.g. - I have somewhat recently moved to using a Trezor for wallets where I want quick access and security "on the fly".  Because of my use scenario I want to have a "decoy" wallet should I ever face a physical loss or a mild adversary.  Enter passphrases and that allows the Trezor to become a different wallet (in a sense).  While that is easy, be aware that many software products do not allow passphrases on the Trezor (incompatible).  So in this instance I cannot use MyCelium AND enjoy my passphrases as SOP.  I don't mean the PIN, I mean actual passphrases in tandem with the seed to generate the addresses.  MultiBit also creates issues for me in this application.

For others with different use needs; both of these two software products you are citing are great!
HCP
legendary
Activity: 2086
Merit: 4314
August 03, 2016, 07:08:01 AM
#13
Yes. It is more complex, but yes. See the schildbach app, it uses scrypt(4096,8,1). This scrypt can be calculated fast like SHA256. I think because it's for phones, which are not fast for scrypt default. Multibit classic uses md5. md5 is a little bit broken. Multibit HD is a good improvement over this.

Do not think now Electrum is not a good wallet please. It's a special attack. Use a longer password and all is OK. Don't get your file stolen is even better.
Ahhh OK... excellent. I'm just a naturally skeptical person, so when people show pretty graphs that 1. I don't understand and 2. don't really explain what I'm looking at, I get curious Wink

I have faith that Electrum is still a relatively secure wallet... All this means is that Multibit is "a bit more" secure when it comes to someone trying to brute force my wallet file should it get stolen.
newbie
Activity: 9
Merit: 0
August 03, 2016, 04:39:03 AM
#12
Not sure know what I can disclose. Electrum uses two rounds SHA256. Multibit HD uses scrypt with 16384,8,1.
Tests on CPU clusters with 24 threads are similar. I can publish more when the thesis is finished. What you take from it now is Electrum is not defended against brute force, Multibit HD is. ThePokerTranslator asked about security, this attack must have a wallet file. It might not be what they ask about.
Ok, so if I am correctly understanding what you are saying... is that 2 rounds of SHA256 is a lot "faster" to compute than Scrypt 16384,8,1... so that, as it currently stands with current technology and methodologies, you can test passwords faster against an Electrum "wallet.dat" than you can against a Multibit HD "wallet.dat", because you can hash the input password faster.

Is that correct?

NOTE: I am not disputing your findings... I was just curious as to the how and what that graph was depicting... and if it is as I have asked, this is indeed useful information to know.

Yes. It is more complex, but yes. See the schildbach app, it uses scrypt(4096,8,1). This scrypt can be calculated fast like SHA256. I think because it's for phones, which are not fast for scrypt default. Multibit classic uses md5. md5 is a little bit broken. Multibit HD is a good improvement over this.

Do not think now Electrum is not a good wallet please. It's a special attack. Use a longer password and all is OK. Don't get your file stolen is even better.
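
An added example, not part of any post in this thread and not code from either wallet: it reproduces the keyspace arithmetic from the 94^8 / 62^8 posts and times the two derivations as the thread describes them (two rounds of SHA-256 versus scrypt 16384,8,1), then expresses the speed gap as extra random password characters. The salt and sample passwords are constructed, and local single-thread timings are an assumption that will not match the rates in the graph.

```python
import hashlib
import math
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600
SALT = b"constructed-salt"  # constructed; a real wallet stores its own salt


def double_sha256_key(password: bytes) -> bytes:
    """Fast derivation as the thread describes it: two rounds of SHA-256."""
    return hashlib.sha256(hashlib.sha256(password).digest()).digest()


def scrypt_key(password: bytes, salt: bytes = SALT, n: int = 16384) -> bytes:
    """Memory-hard derivation with the thread's parameters (N, r=8, p=1)."""
    return hashlib.scrypt(password, salt=salt, n=n, r=8, p=1,
                          maxmem=64 * 1024 * 1024, dklen=32)


def seconds_per_derivation(derive, rounds: int) -> float:
    """Average single-thread wall-clock cost of one derivation here."""
    start = time.perf_counter()
    for i in range(rounds):
        derive(b"constructed-password-%d" % i)
    return (time.perf_counter() - start) / rounds


def exhaustive_search_years(alphabet: int, length: int, rate: float) -> float:
    """Worst-case years to try every `length`-char password at `rate` guesses/s."""
    return alphabet ** length / rate / SECONDS_PER_YEAR


def equivalent_extra_chars(slowdown: float, alphabet: int) -> float:
    """Random characters that buy the same work factor as a slower KDF."""
    return math.log(slowdown) / math.log(alphabet)


def compare_kdfs() -> dict:
    """Time both derivations locally and express the gap in password length."""
    fast = seconds_per_derivation(double_sha256_key, 20000)
    slow = seconds_per_derivation(scrypt_key, 5)
    slowdown = slow / fast
    return {
        "double_sha256_s": fast,
        "scrypt_s": slow,
        "slowdown": slowdown,
        "extra_chars_94": equivalent_extra_chars(slowdown, 94),
    }


if __name__ == "__main__":
    # The thread's own figures: 2.5E+5 passwords/s, 8 random characters.
    print("94^8: %.0f years" % exhaustive_search_years(94, 8, 2.5e5))
    print("62^8: %.0f years" % exhaustive_search_years(62, 8, 2.5e5))
    report = compare_kdfs()
    print("scrypt is %.0fx slower per guess on this machine" % report["slowdown"])
    print("worth about %.1f extra random characters" % report["extra_chars_94"])
```

A slower derivation and a longer random password both multiply the work per wallet file; the last figure shows how many characters of a 94-symbol alphabet the measured slowdown is worth.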
HCP
legendary
Activity: 2086
Merit: 4314
August 02, 2016, 06:51:50 PM
#11
Not sure know what I can disclose. Electrum uses two rounds SHA256. Multibit HD uses scrypt with 16384,8,1.
Tests on CPU clusters with 24 threads are similar. I can publish more when the thesis is finished. What you take from it now is Electrum is not defended against brute force, Multibit HD is. ThePokerTranslator asked about security, this attack must have a wallet file. It might not be what they ask about.
Ok, so if I am correctly understanding what you are saying... is that 2 rounds of SHA256 is a lot "faster" to compute than Scrypt 16384,8,1... so that, as it currently stands with current technology and methodologies, you can test passwords faster against an Electrum "wallet.dat" than you can against a Multibit HD "wallet.dat", because you can hash the input password faster.

Is that correct?

NOTE: I am not disputing your findings... I was just curious as to the how and what that graph was depicting... and if it is as I have asked, this is indeed useful information to know.
newbie
Activity: 9
Merit: 0
August 02, 2016, 07:54:11 AM
#10
Tests on CPU clusters with 24 threads are similar. I can publish more when the thesis is finished. What you take from it now is Electrum is not defended against brute force, Multibit HD is. ThePokerTranslator asked about security, this attack must have a wallet file. It might not be what they ask about.
newbie
Activity: 9
Merit: 0
August 02, 2016, 07:42:50 AM
#9
Ok, so the graph is showing that there are several orders of magnitude more Passwords/s between Electrum and Multibit HD...

But, playing devil's advocate here... what are the actual settings/circumstances being tested here? It doesn't really explain much... Is this purely just the number of passwords per second that one particular brute forcing app was able to test? If so, is that the ONLY brute forcing app in existence? If not, is there any proof that other brute forcing apps can't check Multibit HD Passwords just as fast? ie. is it because Multibit is deliberately slow and only allows a certain number of password entries per time period and ANY brute forcing app will show similar results?

Huh

Not sure know what I can disclose. Electrum uses two rounds SHA256. Multibit HD uses scrypt with 16384,8,1.
HCP
legendary
Activity: 2086
Merit: 4314
August 01, 2016, 08:31:47 PM
#8
Ok, so the graph is showing that there are several orders of magnitude more Passwords/s between Electrum and Multibit HD...

But, playing devil's advocate here... what are the actual settings/circumstances being tested here? It doesn't really explain much... Is this purely just the number of passwords per second that one particular brute forcing app was able to test? If so, is that the ONLY brute forcing app in existence? If not, is there any proof that other brute forcing apps can't check Multibit HD Passwords just as fast? ie. is it because Multibit is deliberately slow and only allows a certain number of password entries per time period and ANY brute forcing app will show similar results?

Huh


copper member
Activity: 1498
Merit: 1499
No I dont escrow anymore.
August 01, 2016, 06:19:08 PM
#7
Electrum is without a doubt the best, it's enough for any of you that think different to check the alternative clients both section of Multibit and Electrum you will see there that a lot more problems happen with Multibit than with Electrum. With this I don't want to say Multibit HD is bad, not at all, but just want to underline less problems from Electrum. As for the security, both have seeds and allow a top notch password very difficult to be hacked by brute force. In security they are both very safe, but less problems happen with Electrum and Multibit HD is more prone to problems from what I have seen in the Multibit section.

Looks like you missed the post directly above yours. This is roughly my experience as well.

I'm figuring out which client to use. Could we discuss which one is better? Major factors to consider: security and ease of use.

Multibit HD is better protected against brute force attack.



Quoted so the picture shows.
copper member
Activity: 1442
Merit: 529
August 01, 2016, 12:41:31 PM
#6
Electrum is without a doubt the best, it's enough for any of you that think different to check the alternative clients both section of Multibit and Electrum you will see there that a lot more problems happen with Multibit than with Electrum. With this I don't want to say Multibit HD is bad, not at all, but just want to underline less problems from Electrum. As for the security, both have seeds and allow a top notch password very difficult to be hacked by brute force. In security they are both very safe, but less problems happen with Electrum and Multibit HD is more prone to problems from what I have seen in the Multibit section.
newbie
Activity: 9
Merit: 0
August 01, 2016, 05:48:53 AM
#5
I'm figuring out which client to use. Could we discuss which one is better? Major factors to consider: security and ease of use.

Multibit HD is better protected against brute force attack.

https://i.imgur.com/b59utxl.png