
Topic: How long, strong should a bitcoin wallet pass-phrase be? (Read 1874 times)

legendary
Activity: 3248
Merit: 1070
The keylogger will only get your password if you type it in. It won't know it immediately when infected. If you are using the passphrase to create a password, you would definitely need a random password that is seriously random. You can try to recite it to yourself three times per day or write it down somewhere safe. If you are encrypting wallet keys, the password will only protect you in the event of someone gaining control of your PC.

Can the keylogger get my password if I copy-and-paste it (no typing)?

Yes, you need to use the virtual keyboard of your PC, or type it in a way that camouflages it (for example, if your password is "my name is", you instead write my.name.is, then delete those two dots using the mouse).

Use Zemana anti-keylogger (free); it helps a lot.

You know there are mouse loggers, right?

Yeah, but it doesn't change the fact that a logger memorizes every character you type, in sequence, so the password in that case would be the first one plus two "backspace" presses and two mouse positionings, resulting in 14 characters in total, versus the original 10.

hero member
Activity: 560
Merit: 509
I prefer Zakir over Muhammed when mentioning me!
The keylogger will only get your password if you type it in. It won't know it immediately when infected. If you are using the passphrase to create a password, you would definitely need a random password that is seriously random. You can try to recite it to yourself three times per day or write it down somewhere safe. If you are encrypting wallet keys, the password will only protect you in the event of someone gaining control of your PC.

Can the keylogger get my password if I copy-and-paste it (no typing)?

Yes, you need to use the virtual keyboard of your PC, or type it in a way that camouflages it (for example, if your password is "my name is", you instead write my.name.is, then delete those two dots using the mouse).

Use Zemana anti-keylogger (free); it helps a lot.

You know there are mouse loggers, right?

So even if I generate a password with a password generator, it can still be seen by keyloggers? What if you disconnect your PC from the net while setting a password? Is that better?

It depends on how your keylogger does the job. Some keyloggers try to upload/share instantly, which can be prevented if you are offline, but some save the log and upload/share as soon as you connect to the internet, which can't be resolved without removing them. Most keyloggers come bundled in pirated OS copies.
legendary
Activity: 896
Merit: 1000

The keylogger will only get your password if you type it in. It won't know it immediately when infected. If you are using the passphrase to create a password, you would definitely need a random password that is seriously random. You can try to recite it to yourself three times per day or write it down somewhere safe. If you are encrypting wallet keys, the password will only protect you in the event of someone gaining control of your PC.


Can the keylogger get my password if I copy-and-paste it (no typing)?

Yes, you need to use the virtual keyboard of your PC, or type it in a way that camouflages it (for example, if your password is "my name is", you instead write my.name.is, then delete those two dots using the mouse).

Use Zemana anti-keylogger (free); it helps a lot.

So even if I generate a password with a password generator, it can still be seen by keyloggers? What if you disconnect your PC from the net while setting a password? Is that better?
legendary
Activity: 3248
Merit: 1070

The keylogger will only get your password if you type it in. It won't know it immediately when infected. If you are using the passphrase to create a password, you would definitely need a random password that is seriously random. You can try to recite it to yourself three times per day or write it down somewhere safe. If you are encrypting wallet keys, the password will only protect you in the event of someone gaining control of your PC.


Can the keylogger get my password if I copy-and-paste it (no typing)?

Yes, you need to use the virtual keyboard of your PC, or type it in a way that camouflages it (for example, if your password is "my name is", you instead write my.name.is, then delete those two dots using the mouse).

Use Zemana anti-keylogger (free); it helps a lot.
member
Activity: 61
Merit: 10

The keylogger will only get your password if you type it in. It won't know it immediately when infected. If you are using the passphrase to create a password, you would definitely need a random password that is seriously random. You can try to recite it to yourself three times per day or write it down somewhere safe. If you are encrypting wallet keys, the password will only protect you in the event of someone gaining control of your PC.


Can the keylogger get my password if I copy-and-paste it (no typing)?
legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
It just needs to be strong, not ridiculously long. The longer or more complex it is, the more likely you'll forget it. Keeping your wallet safe and the overall safety of your computer is most important. If you have a keylogger, it doesn't matter what your password is, as they'll know it immediately.
The keylogger will only get your password if you type it in. It won't know it immediately when infected. If you are using the passphrase to create a password, you would definitely need a random password that is seriously random. You can try to recite it to yourself three times per day or write it down somewhere safe. If you are encrypting wallet keys, the password will only protect you in the event of someone gaining control of your PC.
member
Activity: 60
Merit: 10
It just needs to be strong, not ridiculously long. The longer or more complex it is, the more likely you'll forget it. Keeping your wallet safe and the overall safety of your computer is most important. If you have a keylogger, it doesn't matter what your password is, as they'll know it immediately.
sr. member
Activity: 406
Merit: 250
12 characters are enough, if you combine both upper and lower case, numbers and special characters.
See my wifi password below:
U>u^ZT[jehlNz
This password might take years to brute force (even with supercomputers).
But the thing is, you have to remember your password.
And change your password frequently.


~Rude Boy

It's certainly very safe today but it might not be so safe in the future. According to Amph's link, that password would take about 100 million years to crack using a desktop PC. Moore's law states that processing power doubles every 18 months so after 35 years, we would have ((2050-2015)*12)/18 = 23 doublings. 100 million years halved 23 times is 11 years. Now imagine a supercomputer that is 1,000 times more powerful than a desktop PC and your password could then be cracked in days.
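The arithmetic in the reply above, written out as an added example that is not from this thread: it reproduces the Moore's-law doubling count and the 100-million-year halving, and also sizes the 13-character random password from the earlier post against the 10,000 guesses per second figure given later in the thread. The 95-symbol printable-ASCII alphabet and the 18-month doubling period are assumptions taken from the posts.

```python
# Added example (not from the thread): check the numbers behind a crack-time
# claim instead of trusting a web estimator.
SECONDS_PER_YEAR = 365.25 * 24 * 3600
PRINTABLE_ASCII = 95  # assumption: full printable-ASCII alphabet, as in U>u^ZT[jehlNz


def keyspace(length: int, alphabet: int = PRINTABLE_ASCII) -> int:
    """Number of candidates for a truly random password of this length."""
    return alphabet ** length


def years_to_exhaust(length: int, guesses_per_second: float,
                     alphabet: int = PRINTABLE_ASCII) -> float:
    """Worst-case years to try every candidate at a fixed guess rate."""
    return keyspace(length, alphabet) / guesses_per_second / SECONDS_PER_YEAR


def doublings(from_year: int, to_year: int, months_per_doubling: int = 18) -> int:
    """Whole Moore's-law doublings between two years: ((to - from) * 12) / 18."""
    return (to_year - from_year) * 12 // months_per_doubling


def years_after_doublings(years_now: float, n_doublings: int) -> float:
    """Crack time halves once per doubling of attacker compute."""
    return years_now / (2 ** n_doublings)


def speedup_years(years_now: float, factor: float) -> float:
    """Crack time against an attacker `factor` times faster (e.g. 1,000x)."""
    return years_now / factor


if __name__ == "__main__":
    n = doublings(2015, 2050)                 # 23 doublings, as in the post
    later = years_after_doublings(100e6, n)   # 100 million years -> ~11.9 years
    print(f"{n} doublings: 100 million years -> {later:.1f} years")
    print(f"with a 1,000x faster machine: {speedup_years(later, 1000) * 365.25:.1f} days")
    # The thread's 10,000 guesses/s against 13 random printable characters:
    print(f"13 random chars @ 10k/s: {years_to_exhaust(13, 1e4):.3g} years worst case")
```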
legendary
Activity: 2786
Merit: 1031

The kind of passwords I use:

Quote
It would take a desktop PC about
285 nonillion years
to crack your password

Don't put your faith in password estimators (read the rest of this thread), but if you insist on doing so, at least use one of the others mentioned here. howsecureismypassword.net isn't very good.

edit: actually, it's terrible. For the password "passwords99", it has an estimate of 1 year! zxcvbn estimates that same password at 16 seconds, much better.

Checked with zxcvbn at https://dl.dropboxusercontent.com/u/209/zxcvbn/test/index.html

Quote
entropy:   123.233
crack time (seconds):   6.247157023824979e+32
crack time (display):   centuries
score from 0 to 4:   4
calculation time (ms):   23
hero member
Activity: 672
Merit: 504
a.k.a. gurnec on GitHub
This might be of better use: https://howsecureismypassword.net/
This is a cool link, I bookmarked it for later reference. And according to it, the kind of passwords I use will require 8 quintillion years to be cracked by a desktop PC.

...and...


The kind of passwords I use:

Quote
It would take a desktop PC about
285 nonillion years
to crack your password

Don't put your faith in password estimators (read the rest of this thread), but if you insist on doing so, at least use one of the others mentioned here. howsecureismypassword.net isn't very good.

edit: actually, it's terrible. For the password "passwords99", it has an estimate of 1 year! zxcvbn estimates that same password at 16 seconds, much better.
legendary
Activity: 2786
Merit: 1031
You can try this, to see how strong your password is:

https://howsecureismypassword.net/

Usually something with 10-12 is good enough, just change the combination for every site.

The kind of passwords I use:

Quote
It would take a desktop PC about
285 nonillion years
to crack your password

"It should be pretty safe."
legendary
Activity: 3472
Merit: 10611
You can try this, to see how strong your password is:

http://www.tomshardware.com/reviews/nvidia-geforce-gtx-980-970-maxwell,3941-12.html

Usually something with 10-12 is good enough, just change the combination for every site.

I have a feeling that's not the right link lol.

This might be of better use: https://howsecureismypassword.net/
This is a cool link, I bookmarked it for later reference. And according to it, the kind of passwords I use will require 8 quintillion years to be cracked by a desktop PC.
hero member
Activity: 672
Merit: 504
a.k.a. gurnec on GitHub
The conclusion of one of the papers:
Quote
The password as an authentication mechanism is headed for obsolescence, as the password lengths required to thwart rainbow table attacks are rapidly approaching unmanageable (or unrememberable) proportions.

I admit I didn't read the referenced papers, however that conclusion is ridiculous. A simple 8+ byte random salt as already used by most* Bitcoin wallet software today easily defeats rainbow table attacks.

* Electrum (1.x and 2.x) and MultiBit HD are two notable exceptions of wallets which don't use salt.
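An added example, not from this thread or any wallet's code, of the point made above: a per-wallet random salt makes a precomputed hash-to-passphrase table built for one salt worthless against every other wallet. The toy wordlist, the 8-byte salt and the PBKDF2 iteration count are constructed assumptions; real wallets use their own KDF parameters.

```python
# Added example (not the thread's or any wallet's code): why a random salt
# defeats precomputed lookup tables for wallet key encryption.
import hashlib
import os
from typing import Dict, Optional

# Constructed toy wordlist standing in for an attacker's precomputation corpus.
WORDLIST = ["helloworld", "password", "letmein", "bitcoin123"]
ITERATIONS = 100_000  # assumption: a PBKDF2 work factor; real wallets differ


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Salted, iterated KDF of the kind the post says most wallets already use."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS)


def build_table(salt: bytes) -> Dict[bytes, str]:
    """Precomputed key -> passphrase table; only valid for this exact salt."""
    return {derive_key(w, salt): w for w in WORDLIST}


def lookup(table: Dict[bytes, str], stored_key: bytes) -> Optional[str]:
    """Instant hit if the table was built for the same salt, nothing otherwise."""
    return table.get(stored_key)


def demo() -> tuple:
    # Unsalted scheme (salt fixed and empty): one table serves every wallet.
    unsalted_table = build_table(b"")
    victim_key_unsalted = derive_key("helloworld", b"")
    hit_unsalted = lookup(unsalted_table, victim_key_unsalted)   # "helloworld"

    # Salted scheme: each wallet gets its own random 8-byte salt, so the table
    # precomputed for one salt never matches another wallet's derived key and
    # the attacker is pushed back to per-wallet guessing at full KDF cost.
    wallet_salt = os.urandom(8)
    victim_key_salted = derive_key("helloworld", wallet_salt)
    hit_salted = lookup(unsalted_table, victim_key_salted)       # None
    return hit_unsalted, hit_salted


if __name__ == "__main__":
    print(demo())
```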
hero member
Activity: 672
Merit: 508
LOTEO
10 characters, 20? 25?

Letters, numbers, special characters?

What if a user used only letters and numbers for example?

Say a hacker gets a wallet.dat with the pass-phrase helloworld, would it break in seconds? Now what if it is helloworld!~~ or HelloWorld!~~!

Are all these "weak" pass-phrases?

What if the wallet is then also backed up online, which is known as a bad practice? What are the implications of that?

The search space increases with 20, 25. Bad guys use rainbow tables, dictionary attacks, brute force and everything they can find. Do not use phrases like 'helloworld' and little variations of that, because they are compromised. Expect bad guys to try 10,000 passwords or more per second. Some scientific papers on this issue:

All in a day's work: Password cracking for the rest of us
http://www.sintef.no/upload/IKT/9013/dayswork.pdf

Password Strength: An Empirical Analysis
http://www.eurecom.fr/~michiard/downloads/infocom10.pdf

Proactive Password Strength Analyzer Using Filters and Machine Learning Techniques
http://www.ijcaonline.org/volume7/number14/pxc3871788.pdf

The conclusion of one of the papers:
Quote
The password as an authentication mechanism is headed for obsolescence, as the password lengths required to thwart rainbow table attacks are rapidly approaching unmanageable (or unrememberable) proportions.

Pick a password as random and long as a bitcoin address and you should be good for now.

If you have backed up online then at least one person other than you has access to your wallet file.
hero member
Activity: 854
Merit: 500
Have a look at this, it's quite good, but you should consider skipping substantial parts.
You should have all types of characters, which are:
1. Upper case
2. Lower case
3. Numbers
4. Special characters

Moreover, you should make it quite long
hero member
Activity: 672
Merit: 504
a.k.a. gurnec on GitHub
As long as we're talking about favorite strength checkers, here's mine: https://dl.dropboxusercontent.com/u/209/zxcvbn/test/index.html

It's the open source javascript-only checker used by Dropbox. There's a description of its strengths and weaknesses here: https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/

I don't know who is right, but with "my name is" the first one that I posted says 3 hours, whereas yours says approximately 1 year.

Also, it says a crack time of 35M seconds, which is about 1 year, and then a crack time display of 3 years? Are those two not the same thing?

I don't understand.... when I try "my name is" in the one I linked above (zxcvbn), I get back 5 hours. More on point, it turns out the first one (my1login.com) is using the same underlying zxcvbn javascript library (but maybe a different version of it).

Regardless, the answer to "who is right" is: nobody. As the article I linked above discusses, estimating crack times of a password is very hard, and often attackers have access to resources (e.g. gigantic n-gram tables) which are just too impractical for javascript checkers like these to include.
hero member
Activity: 672
Merit: 504
a.k.a. gurnec on GitHub
What if the wallet is than also backed up online which is known as a bad practice. What are the implications of that?

I would think that an encrypted wallet with a strong enough password should still be secure even when stored on the cloud although obviously it's not as secure as keeping it completely offline.

I agree, however "strong enough password" is a difficult thing to measure. Also, the list of transactions is not password protected for most wallets (there are exceptions).


Wifi passwords are notoriously easy to crack. I believe even WPA2 can be cracked in a few days. The underlying AES encryption standard is pretty secure but there are workarounds and vulnerabilities which can reduce the effort required to crack these passwords significantly.

WEP and Wi-Fi Protected Setup PINs are both completely broken, and have been for a number of years.

WPA1/2-TKIP (uses an RC4 cipher) has a number of weaknesses, including a practical data injection weakness and an almost-practical plaintext recovery weakness.

WPA1/2-CCMP (uses an AES-128 cipher) has no serious weaknesses, however it doesn't use a very good KDF which lends itself to offline brute-forcing attacks when weak passwords are used. This is especially true if a common SSID is also used (because it makes rainbow table based attacks possible).

(The AES cipher is believed to be very secure; there are no known practical attacks against it, although there are some concerns about the key scheduler in AES-192/256 (but not 128) possibly being vulnerable to related-key attacks one day; good news is that only poorly designed software uses related keys).
legendary
Activity: 3248
Merit: 1070
I don't think that link accommodates dictionary attacks though. Putting "hello my name is" shows that it would take 2 billion years to crack it and "good morning" gives a result of 546 years. Obviously, neither of these are true.

Yeah, it's a bit off. I found one that is much better: https://www.my1login.com/content/password-strength-test.php

As long as we're talking about favorite strength checkers, here's mine: https://dl.dropboxusercontent.com/u/209/zxcvbn/test/index.html

It's the open source javascript-only checker used by Dropbox. There's a description of its strengths and weaknesses here: https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/

I don't know who is right, but with "my name is" the first one that I posted says 3 hours, whereas yours says approximately 1 year.

Also, it says a crack time of 35M seconds, which is about 1 year, and then a crack time display of 3 years? Are those two not the same thing?
hero member
Activity: 672
Merit: 504
a.k.a. gurnec on GitHub
I don't think that link accommodates dictionary attacks though. Putting "hello my name is" shows that it would take 2 billion years to crack it and "good morning" gives a result of 546 years. Obviously, neither of these are true.

Yeah, it's a bit off. I found one that is much better: https://www.my1login.com/content/password-strength-test.php

As long as we're talking about favorite strength checkers, here's mine: https://dl.dropboxusercontent.com/u/209/zxcvbn/test/index.html

It's the open source javascript-only checker used by Dropbox. There's a description of its strengths and weaknesses here: https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/
sr. member
Activity: 384
Merit: 250
If you had a vault full of gold, how strong would the password be to unlock it? And if you have $100 in your wallet, how strong would the password be every time you want to use your cash?

For your "safe" at home you'll want to use a very strong password and for your phone wallet you can use a weak password.