
Topic: How few characters in a brain wallet before it gets really difficult to crack (Read 1757 times)

legendary
Activity: 3472
Merit: 4801
- snip -
I meant the algorithm for converting a password into an address. The expensive bit of any brainwallet is going to be generating the keys from the wallet. If everyone using a brainwallet uses the same algorithm then a cracker who brute-forces possible passwords can check the generated public keys for each trial password against all existing public keys with significant funds in them very cheaply (eg. using a bloom filter). If the trial password matches anyone's brain wallet then he has a hit.

Yeah, I agree on that one.  At the moment I'm pretty sure that most (all?) brainwallets are simply a single (or perhaps double) SHA-256 hash of the passphrase.
newbie
Activity: 15
Merit: 0
Wow, seems today is the day that people respond to threads without paying attention to what the OP is looking for:
- snip -

- snip -
The best defence is probably to make brain wallets slow to generate.  If the cracker can crack brain wallets at 350 billion per second then you need a long passphrase. If the first step of the brain wallet is to sha hash the passphrase 80 billion times
- snip -
And he should stamp the entire algorithm into the metal so he doesn't forget it?

OK, maybe not the best suggestion for the original poster, but it did answer the question in his first post - the number of characters required to make a brain wallet difficult to crack directly relates to the speed of the brain wallet algorithm. If there is only one existing brain wallet algorithm available online then that's not that helpful for him I agree. If there is more than one, then choose the slowest.

- snip -
Note that if many brain wallets use the same generation code then a hacker can test all of them at the same time, so the important value is that stored in brain wallets using the same generation code as you, not that stored in your wallet.
- snip -

I'm not sure what you are trying to say there.  Perhaps I'm just not paying close enough attention.  When you say "generation code" do you mean password?  Or do you mean algorithm for converting a password into an address?


I meant the algorithm for converting a password into an address. The expensive bit of any brainwallet is going to be generating the keys from the wallet. If everyone using a brainwallet uses the same algorithm then a cracker who brute-forces possible passwords can check the generated public keys for each trial password against all existing public keys with significant funds in them very cheaply (eg. using a bloom filter). If the trial password matches anyone's brain wallet then he has a hit.
legendary
Activity: 3472
Merit: 4801
Wow, seems today is the day that people respond to threads without paying attention to what the OP is looking for:

- snip -
Stamping the chars in the metal takes time so I want to keep it to a minimum.

None of these suggestions seem like a good idea for keeping the number of characters to a minimum:

Presumably 12 random words would also work?
- snip -

This seems appropriate for this conversation:

https://xkcd.com/936/

Oh, and assuming roughly 50,000 common words, 12 of them should be sufficient even against a dictionary attack.

- snip -
The best defence is probably to make brain wallets slow to generate.  If the cracker can crack brain wallets at 350 billion per second then you need a long passphrase. If the first step of the brain wallet is to sha hash the passphrase 80 billion times
- snip -

And he should stamp the entire algorithm into the metal so he doesn't forget it?

For making physical bitcoin tokens, you may want to use the same "minikey" format used by Casascius for his physical coins. See Mini private key format on the wiki. It's probably the closest thing there is to a standard.
This! Don't use a password

The Mini private key is a password, isn't it?  I thought that the private key was simply a SHA-256 hash of the mini key (just like the private key of a brainwallet is just the SHA-256 hash of a password).  Note, that means that the Minikey is just a 29 character password.  As a checksum, a mini key with a ? added to the end will always create a hash that has a first byte of 0x00. Since the minikey only uses 58 characters this gives you about 5.4x10^48 possible combinations.  This would be equivalent to a 25 character password using all 94 characters.  You'll have to decide for yourself if the benefits of a mini-key are worth the additional characters.

- snip -
Note that if many brain wallets use the same generation code then a hacker can test all of them at the same time, so the important value is that stored in brain wallets using the same generation code as you, not that stored in your wallet.
- snip -

I'm not sure what you are trying to say there.  Perhaps I'm just not paying close enough attention.  When you say "generation code" do you mean password?  Or do you mean algorithm for converting a password into an address?
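
The minikey checksum and key derivation described in the post above, as an added example that is not part of the original thread. It assumes the 30-character form (a leading `S` plus the 29 characters the post counts) and the Base58 alphabet; the function names are hypothetical.

```python
import hashlib
import secrets

# Base58 alphabet: no 0, O, I or l, which matters for hand-stamped characters.
BASE58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def is_valid_minikey(key: str, length: int = 30) -> bool:
    """True if the key is well formed and SHA-256(key + '?') starts with 0x00."""
    if len(key) != length or not key.startswith("S"):
        return False
    if any(ch not in BASE58 for ch in key):
        return False
    return hashlib.sha256((key + "?").encode("ascii")).digest()[0] == 0x00

def minikey_to_private_key(key: str) -> bytes:
    """The private key is the single SHA-256 hash of the minikey itself."""
    if not is_valid_minikey(key):
        raise ValueError("not a valid minikey (typo or wrong length?)")
    return hashlib.sha256(key.encode("ascii")).digest()

def generate_minikey(length: int = 30) -> str:
    """Draw random candidates until one passes the check (about 1 in 256 does)."""
    while True:
        body = "".join(secrets.choice(BASE58) for _ in range(length - 1))
        candidate = "S" + body
        if is_valid_minikey(candidate, length):
            return candidate

if __name__ == "__main__":
    key = generate_minikey()
    print("minikey:    ", key)
    print("private key:", minikey_to_private_key(key).hex())
    # The one-byte check catches roughly 255 of 256 stamping or reading errors.
    typo = key[:5] + ("2" if key[5] != "2" else "3") + key[6:]
    print("typo passes check:", is_valid_minikey(typo))
```

The check byte costs 8 bits of the keyspace and adds no secrecy: the key is still a single unsalted SHA-256 of the string, so its strength rests entirely on the characters being chosen at random.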

newbie
Activity: 15
Merit: 0
How difficult is really difficult? It depends on how much in the way of computer resources someone is willing to expend on the attack, which depends on how much money you have stored in your brain wallet.

You need to test how many passphrases your computer can create brain wallets from per second. If your computer is old then multiply this up to a decent high end computer available now. How long will it take them to crack your password? (there are 3 x 10^7 seconds in a year).

Now work out the number of possible passphrases according to the scheme you are using. If you go with printable ASCII characters then there are 95^x =~ 10 ^ (x * 2) possibilities, where x is the length of your password. If with a randomly chosen word from the most common 10000 words in English then 10 ^ (x * 4) possibilities where x is the number of words. eg.
   
    8 characters =~  4 words = 10 ^ 16 possibilities
    12 characters =~  6 words = 10 ^ 24 possibilities

I've just generated a sample 10 ^ 24 possibility password for each of these so you can decide which type is easier to remember.
     Lj0Z4c|==i5CJ     heroin swallowed goddamn hustle serge imitating

If you assume the cracker's top end hardware will depreciate to near nothing over 5 years, it is only worth them trying to crack your password if:
     value_of_bitcoins_in_brain_wallets >  cost_of_hardware * password_possibilities / (passphrases_per_second * 5 * 3 * 10^7)

Note that if many brain wallets use the same generation code then a hacker can test all of them at the same time, so the important value is that stored in brain wallets using the same generation code as you, not that stored in your wallet.

The best defence is probably to make brain wallets slow to generate.  If the cracker can crack brain wallets at 350 billion per second then you need a long passphrase. If the first step of the brain wallet is to sha hash the passphrase 80 billion times, it might take you 80000 seconds to create your brain wallet (just under a day) on your 1MH/s CPU, but even a cracker with a 80GH/s ASIC is only going to be able to try to crack passphrases at one per second. A 3 word (or 6 random character) passphrase now takes them 100000 years to crack...
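
The stretching and break-even arithmetic from the post above, as an added example that is not part of the original thread. It uses the post's figure of 3 x 10^7 seconds per year; the function names and any monetary values passed in are hypothetical.

```python
import hashlib
import time

SECONDS_PER_YEAR = 3e7  # the post's round figure

def stretched_key(passphrase: str, rounds: int) -> bytes:
    """SHA-256 applied `rounds` times; rounds=1 is the plain one-hash brain wallet."""
    digest = hashlib.sha256(passphrase.encode("utf-8")).digest()
    for _ in range(rounds - 1):
        digest = hashlib.sha256(digest).digest()
    return digest

def local_hash_rate(sample_rounds: int = 200_000) -> float:
    """Measure this machine's chained SHA-256 rate in hashes per second."""
    start = time.perf_counter()
    stretched_key("benchmark", sample_rounds)
    return sample_rounds / (time.perf_counter() - start)

def passphrases_per_second(hash_rate: float, rounds: int) -> float:
    """Every trial passphrase costs `rounds` hashes, for owner and cracker alike."""
    return hash_rate / rounds

def years_to_exhaust(possibilities: int, hash_rate: float, rounds: int) -> float:
    """Time to try every passphrase in the scheme at the given hash rate."""
    return possibilities / passphrases_per_second(hash_rate, rounds) / SECONDS_PER_YEAR

def worth_attacking(value, hardware_cost, possibilities, pps, lifetime_years=5):
    """The post's inequality: value > cost * possibilities / (pps * 5 * 3e7)."""
    capacity = pps * lifetime_years * SECONDS_PER_YEAR
    return value > hardware_cost * possibilities / capacity

if __name__ == "__main__":
    rounds = 80_000_000_000
    print(f"this machine: {local_hash_rate():,.0f} hashes/s")
    print(f"owner at 1 MH/s: {rounds / 1e6:,.0f} s to derive the key once")
    print(f"80 GH/s ASIC: {passphrases_per_second(80e9, rounds):.1f} passphrase/s")
    print(f"10^12 passphrases: {years_to_exhaust(10**12, 80e9, rounds):,.0f} years")
```

Plain iterated SHA-256 slows the owner's CPU far more than it slows dedicated hashing hardware, which is the gap between the 1 MH/s and 80 GH/s figures; a memory-hard function such as `hashlib.scrypt` narrows that gap.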

Ivanol
full member
Activity: 192
Merit: 100
For making physical bitcoin tokens, you may want to use the same "minikey" format used by Casascius for his physical coins. See Mini private key format on the wiki. It's probably the closest thing there is to a standard.
This! Don't use a password
hero member
Activity: 520
Merit: 500
This seems appropriate for this conversation:

https://xkcd.com/936/

Oh, and assuming roughly 50,000 common words, 12 of them should be sufficient even against a dictionary attack.
hero member
Activity: 688
Merit: 500
ヽ( ㅇㅅㅇ)ノ ~!!
Presumably 12 random words would also work? (i.e. like an Electrum wallet seed). It might be easier to remember.

Is that a sound approach?
pc
sr. member
Activity: 253
Merit: 250
For making physical bitcoin tokens, you may want to use the same "minikey" format used by Casascius for his physical coins. See Mini private key format on the wiki. It's probably the closest thing there is to a standard.
legendary
Activity: 3472
Merit: 4801
maybe 100 characters that are easy to remember like your email address plus 16 to 20 truly random alphanumeric characters.

The email address makes it specific to you so a general sweep of the block chain by a password cracker doesn't pick you up. The 16 to 20 truly random part gives you over 100 bits of entropy. Not ironclad but good.

You know you will forget the password unless you store it in a safe place. Why not just export a secret key generated by a good computer algorithm to paper?

I am making metal "brain" wallets. In copper and brass. 2 copies. one for backup. Fire proof ;)
Stamping the chars in the metal takes time so I want to keep it to a minimum.

Use a random selection of upper case, lower case, numbers, punctuation and other symbols.  This will significantly decrease the odds of a rainbow table having your chosen string.

I think that gives you about 94 unique characters to select from.  The number of possible combinations can then be computed as 94^x where x is the number of characters in your passphrase.

You'll have to make your own predictions about how fast brute forcing is likely to get in the future, but 350 billion attempts per second for the present is a good number to start with.

If you want to make sure that an attacker has less than a 1% chance of stumbling on your passphrase within 10 years, figure about 1.1x10^20 attempts in that time frame, so you'll want at least 1.1x10^22 combinations.

94^12 = 4.76x10^23

If I haven't messed up my math anywhere (and that is definitely a possibility), it looks like you'll want at least 12 characters.  Scale that up however you'd like to account for future increases in cracking speeds and reduction in chance of collision.
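
The calculation in the post above turned into a formula and table, as an added example that is not part of the original thread. It generalizes from 94 printable characters to other alphabets and word lists mentioned in the thread; the scheme labels and function names are hypothetical, and every symbol is assumed to be chosen uniformly at random.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Symbol-set sizes taken from figures quoted in the thread.
SCHEMES = {
    "printable characters": 94,
    "minikey alphabet": 58,
    "lowercase letters": 26,
    "digits": 10,
    "words from a 10,000-word list": 10_000,
    "words from a 50,000-word list": 50_000,
}

def required_combinations(guesses_per_second, years, max_success_probability):
    """Keyspace needed so the attacker covers at most the given fraction of it."""
    attempts = guesses_per_second * years * SECONDS_PER_YEAR
    return attempts / max_success_probability

def min_symbols(alphabet_size, guesses_per_second=350e9, years=10,
                max_success_probability=0.01):
    """Smallest n with alphabet_size ** n >= the required keyspace."""
    need = required_combinations(guesses_per_second, years,
                                 max_success_probability)
    n = 1
    while alphabet_size ** n < need:  # exact integer power, no log rounding
        n += 1
    return n

def length_table(guesses_per_second=350e9, years=10,
                 max_success_probability=0.01):
    """Rows of (scheme, symbols needed, resulting entropy in bits)."""
    rows = []
    for name, size in SCHEMES.items():
        n = min_symbols(size, guesses_per_second, years,
                        max_success_probability)
        rows.append((name, n, round(n * math.log2(size), 1)))
    return rows

if __name__ == "__main__":
    for name, n, bits in length_table():
        print(f"{name:32s} {n:3d} symbols  {bits:6.1f} bits")
```

The lengths hold only for symbols drawn at random; a phrase a person makes up has far fewer effective combinations than `alphabet_size ** n`.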
newbie
Activity: 37
Merit: 0
maybe 100 characters that are easy to remember like your email address plus 16 to 20 truly random alphanumeric characters.

The email address makes it specific to you so a general sweep of the block chain by a password cracker doesn't pick you up. The 16 to 20 truly random part gives you over 100 bits of entropy. Not ironclad but good.

You know you will forget the password unless you store it in a safe place. Why not just export a secret key generated by a good computer algorithm to paper?

I am making metal "brain" wallets. In copper and brass. 2 copies. one for backup. Fire proof ;)
Stamping the chars in the metal takes time so I want to keep it to a minimum.
ffe
sr. member
Activity: 308
Merit: 250
maybe 100 characters that are easy to remember like your email address plus 16 to 20 truly random alphanumeric characters.

The email address makes it specific to you so a general sweep of the block chain by a password cracker doesn't pick you up. The 16 to 20 truly random part gives you over 100 bits of entropy. Not ironclad but good.

You know you will forget the password unless you store it in a safe place. Why not just export a secret key generated by a good computer algorithm to paper?
newbie
Activity: 37
Merit: 0
If you have a formula or a table that would be great.

Would 16 random chars be ok? How long would that take to brute force...



Thanks.