Pages:
Author

Topic: If you used Brainwallet.org - MUST READ! - Security Breach! (Read 52829 times)

hero member
Activity: 784
Merit: 1000
https://youtu.be/PZm8TTLR2NU
Does anyone know who runs that site or how to contact them? The site itself has no contact info on it, the source code is owned by a user just called "brainwallet", the only thing resembling a contact address is a twitter account also called "brainwallet", etc.

Whoever runs this site needs to shut it down now. It's negligent to do anything less.

For someone who lives in a direct democracy that has a lot of personal freedom, and hence, a lot of required personal responsibility, you sure as hell like to impose your moral standards on other people.

Bitcoin source code was authored by some unknowable pseudonym, SHUT IT DOWN, PADRE-MIKEHEARN SAYS NO ANONYMYMOUS CODINGZ!!!
I love you Carlton. Truly and with all my heart.
legendary
Activity: 2646
Merit: 1137
All paid signature campaigns should be banned.
Your worst nightmares has come to reality!!! Please read following post if you haven't seen it before.

https://bitcointalk.org/index.php?topic=421842.60

Dear obvious sock puppet princes12:

That thread is total bullshit.  See my response to that thread here:

https://bitcointalksearch.org/topic/m.4813821

and if you do not get the humor of that post, then try the more direct response here:

https://bitcointalksearch.org/topic/m.4814386
newbie
Activity: 7
Merit: 0
Your worst nightmares has come to reality!!! Please read following post if you haven't seen it before.

https://bitcointalk.org/index.php?topic=421842.60

legendary
Activity: 1862
Merit: 1114
WalletScrutiny.com
For noobs: Brain wallets are rat poison and will get people to loose their money.

For pros: I like brainwallets as it allows me to give bitcoins totally offline with only pen and paper. I told a friend to make up some 5 long completely unrelated, maybe slang words and write them down. I wrote them down, too and she paid me for one bitcoin back then when it was around $10. I sent a bitcoin there when I got home. Worst thing that can happen is that she loses a paper with meaningless words on it Smiley
hero member
Activity: 640
Merit: 771
BTC⇆⚡⇄BTC
Definitely, brain wallets are not for newbies!

Paper wallets are easier to manage at early learning stages.

Brain wallets are for pros!  Cool
sr. member
Activity: 770
Merit: 250
People are too worried about this. Everything that should be done is add a disclaimer not to use the Brainwallet site if you don't know what you're doing/can't come up with a proper passphrase. I like my brainwallet and I'll keep using it, it's a very nice idea. No surprise it's not suitable for the masses, just look at any list of leaked plaintext passwords. Or a list of leaked md5 passwords and see how many per cent you can crack.
legendary
Activity: 3038
Merit: 1032
RIP Mommy
Does anyone know who runs that site or how to contact them? The site itself has no contact info on it, the source code is owned by a user just called "brainwallet", the only thing resembling a contact address is a twitter account also called "brainwallet", etc.

You would think the Bitcoin "brain trust" would communicate with each other better:

I actually have IRC logs about the creation of the phrase brainwallet and brainwallet.org.  It was created by someone who introduction to the subject matter was his own efforts to crack peoples insecure keys, and he was irritated that he only found a few coins. No kidding.


Joric, I found him in #bitcoin-dev once, and IIRC he ragequit because of the core team bitching about bw.org

Also
https://github.com/brainwallet/brainwallet.github.com
legendary
Activity: 3682
Merit: 1580
Does anyone know who runs that site or how to contact them? The site itself has no contact info on it, the source code is owned by a user just called "brainwallet", the only thing resembling a contact address is a twitter account also called "brainwallet", etc.

You would think the Bitcoin "brain trust" would communicate with each other better:

I actually have IRC logs about the creation of the phrase brainwallet and brainwallet.org.  It was created by someone who introduction to the subject matter was his own efforts to crack peoples insecure keys, and he was irritated that he only found a few coins. No kidding.
legendary
Activity: 1148
Merit: 1018
Whoever runs this site needs to shut it down now. It's negligent to do anything less.

I like to set up and fund brainwallet accounts for people I know who are new to bitcoin.  Then, all I have to do is give them the passphrase.

How else can I achieve this, without either 1) waiting for action from the recipient before I get an address to fund, or 2) having to associate an online account with an email address - which is either mine (the wrong one) or theirs (and they are tipped off about the gift)?

Wow. If you think a brain wallet with a "memorable" password is secure you shouldn't be managing people's money at all. Why don't you just print out paper wallets?
donator
Activity: 1218
Merit: 1079
Gerald Davis
Whoever runs this site needs to shut it down now. It's negligent to do anything less.

I like to set up and fund brainwallet accounts for people I know who are new to bitcoin.  Then, all I have to do is give them the passphrase.

How else can I achieve this, without either 1) waiting for action from the recipient before I get an address to fund, or 2) having to associate an online account with an email address - which is either mine (the wrong one) or theirs (and they are tipped off about the gift)?

Paper wallet?  using a random (aka 256 bit of entropy) private key rather than some almost guaranteed to be bruted forced brainwallet scheme?

What a great way to introduce someone to Bitcoin, give them a brainwallet, later when it is worth a small  fortune they go to check on it and find out someone robbed it years ago.
newbie
Activity: 54
Merit: 0
Whoever runs this site needs to shut it down now. It's negligent to do anything less.

I like to set up and fund brainwallet accounts for people I know who are new to bitcoin.  Then, all I have to do is give them the passphrase.

How else can I achieve this, without either 1) waiting for action from the recipient before I get an address to fund, or 2) having to associate an online account with an email address - which is either mine (the wrong one) or theirs (and they are tipped off about the gift)?
legendary
Activity: 2646
Merit: 1137
All paid signature campaigns should be banned.
it has been asked many times for the simple snip-it of code that makes a private key. the answer is always view source of brainwallet. pfft i dont need all 1383 lines of code that do all the different functions. we just need the basic convert random characters + checksum and then convert to public. which should be under 100 lines of code

this will then allow people to make their own programs that hash words into giberish in any form they like. EG a mix of md5, sha256 followed by another passthrough of sha, before then converting.

then they atleast can make their own scripts to

take the first page of moby dick and MD5 it.
take the 6th page of the bible and MD5 it
take the 207th page of 50 shades of gray and MD5 it

put all 3 codes into a sha256
add a MD5 of Moses 10 commandments
sha256 again

and then put this through the 'brainwallet converter code'.

then next time they just put in those pages



Oops, now we know your brainwallet Wink
legendary
Activity: 4410
Merit: 4766
it has been asked many times for the simple snip-it of code that makes a private key. the answer is always view source of brainwallet. pfft i dont need all 1383 lines of code that do all the different functions. we just need the basic convert random characters + checksum and then convert to public. which should be under 100 lines of code

this will then allow people to make their own programs that hash words into giberish in any form they like. EG a mix of md5, sha256 followed by another passthrough of sha, before then converting.

then they atleast can make their own scripts to

take the first page of moby dick and MD5 it.
take the 6th page of the bible and MD5 it
take the 207th page of 50 shades of gray and MD5 it

put all 3 codes into a sha256
add a MD5 of Moses 10 commandments
sha256 again

and then put this through the 'brainwallet converter code'.

then next time they just put in those pages

hero member
Activity: 574
Merit: 500
This site just seem too much of a risk since you are either using a weak word or a difficult one which isn't easy to remember,it would be much simpler to just make a wallet (and add a password//encrypt keys) or just make paper ones.
legendary
Activity: 1722
Merit: 1217
The owner of that site needs to shut it down. This kind of thing was inevitable and we warned about it from the start. Someone has calculated a rainbow table and the passphrase you chose is in it.

Which wallet software did you import the key into? Do we need to put a warning about this site into wallet apps? We need to find some way to kill this stupid and dangerous site asap.

over-react much? of course someone has made rainbow tables, so what? the lesson to be learned here is not that we should crucify brainwallet.org, it is that we should make strong passphrases.
legendary
Activity: 4410
Merit: 4766
you could always use a sha256 generator first
my - 038468518ad8122e13112743f890c7ba96ac5665b71de548eceb23e9ef237805
m0m5 - f4b4dff4af48415ce1883a01d5589022fb11b1adb2c9b53aa9439cabd9273d5c
c00k135 - c092a98000322afadf557a9754f1fac6d97d21e8c0432e518edd1b5dc7e3c67f
4r3 - 9a55b85547d8d71b45fbd1000d7053fbb254571d11fe3c230592e41531bf6413
n1ce - 781d42e75cbf8d87d48dcbb54a20fdb1d9e70f02d6759124d1a3c7e68d5c9f92

combine the results to become 038468518ad8122e13112743f890c7ba96ac5665b71de548eceb23e9ef237805 f4b4dff4af48415ce1883a01d5589022fb11b1adb2c9b53aa9439cabd9273d5c c092a98000322afadf557a9754f1fac6d97d21e8c0432e518edd1b5dc7e3c67f 9a55b85547d8d71b45fbd1000d7053fbb254571d11fe3c230592e41531bf6413 781d42e75cbf8d87d48dcbb54a20fdb1d9e70f02d6759124d1a3c7e68d5c9f92

then put that into the brain wallet to add further randomness to the words.

or ofcourse run it through a sha256 again (without spaces) to give you f9640de45673cc0baacef1b9d4c407f06c453d72d06c99cf8870d19114d42d51. make your own checksum code to make it a private key more direct without using third party services.

full member
Activity: 209
Merit: 148
The speed (seconds) with which the funds were redirected make it clear it was a bot.
I don't think you understand what a rainbow table is.

Somebody generated the exact same brainwallet you did, long before you ever thought of using that passphrase.

They've actually generated millions of brainwallets, and they're just waiting for someone naive enough to use the same weak passprases and deposit money into one of their addresses.

Anything less than 16 random words is too short as a passphrase. Not a 16 word phrase from your favourite work of literature, not some TV character's 16 word catchphrase with a few simple letter substitutions and random punctuation characters thrown in.

16 words that have never before been grouped together into the same context by any human that has ever lived.

If you can't generate and remember a random passphrase this long you shouldn't use brainwallets.

Diceware: http://world.std.com/~reinhold/diceware.html

This. And there are a couple of nice tools on this forum that easily convert dice rolls into passphrases and bitcoin addresses.

Diceware SHOULD NOT be used with anything other than dice: the entropy is not the same otherwise.

Read my post again. The tools I saw WORK WITH DICE. So, full entropy. 
legendary
Activity: 1064
Merit: 1000
The speed (seconds) with which the funds were redirected make it clear it was a bot.
I don't think you understand what a rainbow table is.

Somebody generated the exact same brainwallet you did, long before you ever thought of using that passphrase.

They've actually generated millions of brainwallets, and they're just waiting for someone naive enough to use the same weak passprases and deposit money into one of their addresses.

Anything less than 16 random words is too short as a passphrase. Not a 16 word phrase from your favourite work of literature, not some TV character's 16 word catchphrase with a few simple letter substitutions and random punctuation characters thrown in.

16 words that have never before been grouped together into the same context by any human that has ever lived.

If you can't generate and remember a random passphrase this long you shouldn't use brainwallets.

Diceware: http://world.std.com/~reinhold/diceware.html

This. And there are a couple of nice tools on this forum that easily convert dice rolls into passphrases and bitcoin addresses.

Diceware SHOULD NOT be used with anything other than dice: the entropy is not the same otherwise.
full member
Activity: 209
Merit: 148
The speed (seconds) with which the funds were redirected make it clear it was a bot.
I don't think you understand what a rainbow table is.

Somebody generated the exact same brainwallet you did, long before you ever thought of using that passphrase.

They've actually generated millions of brainwallets, and they're just waiting for someone naive enough to use the same weak passprases and deposit money into one of their addresses.

Anything less than 16 random words is too short as a passphrase. Not a 16 word phrase from your favourite work of literature, not some TV character's 16 word catchphrase with a few simple letter substitutions and random punctuation characters thrown in.

16 words that have never before been grouped together into the same context by any human that has ever lived.

If you can't generate and remember a random passphrase this long you shouldn't use brainwallets.

Diceware: http://world.std.com/~reinhold/diceware.html

This. And there are a couple of nice tools on this forum that easily convert dice rolls into passphrases and bitcoin addresses.
legendary
Activity: 1064
Merit: 1000
The speed (seconds) with which the funds were redirected make it clear it was a bot.
I don't think you understand what a rainbow table is.

Somebody generated the exact same brainwallet you did, long before you ever thought of using that passphrase.

They've actually generated millions of brainwallets, and they're just waiting for someone naive enough to use the same weak passprases and deposit money into one of their addresses.

Anything less than 16 random words is too short as a passphrase. Not a 16 word phrase from your favourite work of literature, not some TV character's 16 word catchphrase with a few simple letter substitutions and random punctuation characters thrown in.

16 words that have never before been grouped together into the same context by any human that has ever lived.

If you can't generate and remember a random passphrase this long you shouldn't use brainwallets.

Diceware: http://world.std.com/~reinhold/diceware.html
Pages:
Jump to: