If you used Brainwallet.org - MUST READ! - Security Breach!

Beliathon

hero member

Activity: 784

Merit: 1000

https://youtu.be/PZm8TTLR2NU

Quote from: Carlton Banks on August 11, 2013, 08:13:51 AM

Quote from: Mike Hearn on July 30, 2013, 05:00:39 AM

Does anyone know who runs that site or how to contact them? The site itself has no contact info on it, the source code is owned by a user just called "brainwallet", the only thing resembling a contact address is a twitter account also called "brainwallet", etc.

Whoever runs this site needs to shut it down now. It's negligent to do anything less.

For someone who lives in a direct democracy that has a lot of personal freedom, and hence, a lot of required personal responsibility, you sure as hell like to impose your moral standards on other people.

Bitcoin source code was authored by some unknowable pseudonym, SHUT IT DOWN, PADRE-MIKEHEARN SAYS NO ANONYMYMOUS CODINGZ!!!

I love you Carlton. Truly and with all my heart.

BurtW

legendary

Activity: 2646

Merit: 1136

All paid signature campaigns should be banned.

Quote from: princes12 on January 28, 2014, 05:42:12 PM

Your worst nightmares has come to reality!!! Please read following post if you haven't seen it before.

https://bitcointalk.org/index.php?topic=421842.60

Dear obvious sock puppet princes12:

That thread is total bullshit. See my response to that thread here:

https://bitcointalksearch.org/topic/m.4813821

and if you do not get the humor of that post, then try the more direct response here:

https://bitcointalksearch.org/topic/m.4814386

princes12

newbie

Activity: 7

Merit: 0

Your worst nightmares has come to reality!!! Please read following post if you haven't seen it before.

https://bitcointalk.org/index.php?topic=421842.60

giszmo

legendary

Activity: 1862

Merit: 1105

WalletScrutiny.com

For noobs: Brain wallets are rat poison and will get people to loose their money.

For pros: I like brainwallets as it allows me to give bitcoins totally offline with only pen and paper. I told a friend to make up some 5 long completely unrelated, maybe slang words and write them down. I wrote them down, too and she paid me for one bitcoin back then when it was around $10. I sent a bitcoin there when I got home. Worst thing that can happen is that she loses a paper with meaningless words on it

Financisto

hero member

Activity: 633

Merit: 768

BTC⇆⚡⇄BTC

Definitely, brain wallets are not for newbies!

Paper wallets are easier to manage at early learning stages.

Brain wallets are for pros! Cool

kuverty

sr. member

Activity: 770

Merit: 250

People are too worried about this. Everything that should be done is add a disclaimer not to use the Brainwallet site if you don't know what you're doing/can't come up with a proper passphrase. I like my brainwallet and I'll keep using it, it's a very nice idea. No surprise it's not suitable for the masses, just look at any list of leaked plaintext passwords. Or a list of leaked md5 passwords and see how many per cent you can crack.

TheButterZone

legendary

Activity: 3010

Merit: 1031

RIP Mommy

Quote from: Abdussamad on December 23, 2013, 06:34:56 AM

Quote from: Mike Hearn on July 30, 2013, 05:00:39 AM

Does anyone know who runs that site or how to contact them? The site itself has no contact info on it, the source code is owned by a user just called "brainwallet", the only thing resembling a contact address is a twitter account also called "brainwallet", etc.

You would think the Bitcoin "brain trust" would communicate with each other better:

Quote from: gmaxwell on October 16, 2013, 03:22:25 AM

I actually have IRC logs about the creation of the phrase brainwallet and brainwallet.org. It was created by someone who introduction to the subject matter was his own efforts to crack peoples insecure keys, and he was irritated that he only found a few coins. No kidding.

Quote from: TheButterZone on July 30, 2013, 05:33:39 AM

Joric, I found him in #bitcoin-dev once, and IIRC he ragequit because of the core team bitching about bw.org

Also
https://github.com/brainwallet/brainwallet.github.com

Abdussamad

legendary

Activity: 3612

Merit: 1564

Quote from: Mike Hearn on July 30, 2013, 05:00:39 AM

Does anyone know who runs that site or how to contact them? The site itself has no contact info on it, the source code is owned by a user just called "brainwallet", the only thing resembling a contact address is a twitter account also called "brainwallet", etc.

You would think the Bitcoin "brain trust" would communicate with each other better:

Quote from: gmaxwell on October 16, 2013, 03:22:25 AM

I actually have IRC logs about the creation of the phrase brainwallet and brainwallet.org. It was created by someone who introduction to the subject matter was his own efforts to crack peoples insecure keys, and he was irritated that he only found a few coins. No kidding.

Rampion

legendary

Activity: 1148

Merit: 1018

Quote from: bitcoinbeliever on December 23, 2013, 01:42:12 AM

Quote from: Mike Hearn on July 30, 2013, 05:00:39 AM

Whoever runs this site needs to shut it down now. It's negligent to do anything less.

I like to set up and fund brainwallet accounts for people I know who are new to bitcoin. Then, all I have to do is give them the passphrase.

How else can I achieve this, without either 1) waiting for action from the recipient before I get an address to fund, or 2) having to associate an online account with an email address - which is either mine (the wrong one) or theirs (and they are tipped off about the gift)?

Wow. If you think a brain wallet with a "memorable" password is secure you shouldn't be managing people's money at all. Why don't you just print out paper wallets?

DeathAndTaxes

donator

Activity: 1218

Merit: 1079

Gerald Davis

Quote from: bitcoinbeliever on December 23, 2013, 01:42:12 AM

Quote from: Mike Hearn on July 30, 2013, 05:00:39 AM

Whoever runs this site needs to shut it down now. It's negligent to do anything less.

I like to set up and fund brainwallet accounts for people I know who are new to bitcoin. Then, all I have to do is give them the passphrase.

How else can I achieve this, without either 1) waiting for action from the recipient before I get an address to fund, or 2) having to associate an online account with an email address - which is either mine (the wrong one) or theirs (and they are tipped off about the gift)?

Paper wallet? using a random (aka 256 bit of entropy) private key rather than some almost guaranteed to be bruted forced brainwallet scheme?

What a great way to introduce someone to Bitcoin, give them a brainwallet, later when it is worth a small fortune they go to check on it and find out someone robbed it years ago.

bitcoinbeliever

newbie

Activity: 54

Merit: 0

Quote from: Mike Hearn on July 30, 2013, 05:00:39 AM

Whoever runs this site needs to shut it down now. It's negligent to do anything less.

I like to set up and fund brainwallet accounts for people I know who are new to bitcoin. Then, all I have to do is give them the passphrase.

How else can I achieve this, without either 1) waiting for action from the recipient before I get an address to fund, or 2) having to associate an online account with an email address - which is either mine (the wrong one) or theirs (and they are tipped off about the gift)?

BurtW

legendary

Activity: 2646

Merit: 1136

All paid signature campaigns should be banned.

Quote from: franky1 on November 25, 2013, 12:48:42 PM

it has been asked many times for the simple snip-it of code that makes a private key. the answer is always view source of brainwallet. pfft i dont need all 1383 lines of code that do all the different functions. we just need the basic convert random characters + checksum and then convert to public. which should be under 100 lines of code

this will then allow people to make their own programs that hash words into giberish in any form they like. EG a mix of md5, sha256 followed by another passthrough of sha, before then converting.

then they atleast can make their own scripts to

take the first page of moby dick and MD5 it.
take the 6th page of the bible and MD5 it
take the 207th page of 50 shades of gray and MD5 it

put all 3 codes into a sha256
add a MD5 of Moses 10 commandments
sha256 again

and then put this through the 'brainwallet converter code'.

then next time they just put in those pages

Oops, now we know your brainwallet Wink

franky1

legendary

Activity: 4270

Merit: 4534

it has been asked many times for the simple snip-it of code that makes a private key. the answer is always view source of brainwallet. pfft i dont need all 1383 lines of code that do all the different functions. we just need the basic convert random characters + checksum and then convert to public. which should be under 100 lines of code

this will then allow people to make their own programs that hash words into giberish in any form they like. EG a mix of md5, sha256 followed by another passthrough of sha, before then converting.

then they atleast can make their own scripts to

take the first page of moby dick and MD5 it.
take the 6th page of the bible and MD5 it
take the 207th page of 50 shades of gray and MD5 it

put all 3 codes into a sha256
add a MD5 of Moses 10 commandments
sha256 again

and then put this through the 'brainwallet converter code'.

then next time they just put in those pages

howzar

hero member

Activity: 574

Merit: 500

This site just seem too much of a risk since you are either using a weak word or a difficult one which isn't easy to remember,it would be much simpler to just make a wallet (and add a password//encrypt keys) or just make paper ones.

Anon136

legendary

Activity: 1722

Merit: 1217

Quote from: Mike Hearn on July 06, 2013, 04:18:00 AM

The owner of that site needs to shut it down. This kind of thing was inevitable and we warned about it from the start. Someone has calculated a rainbow table and the passphrase you chose is in it.

Which wallet software did you import the key into? Do we need to put a warning about this site into wallet apps? We need to find some way to kill this stupid and dangerous site asap.

over-react much? of course someone has made rainbow tables, so what? the lesson to be learned here is not that we should crucify brainwallet.org, it is that we should make strong passphrases.

franky1

legendary

Activity: 4270

Merit: 4534

you could always use a sha256 generator first
my - 038468518ad8122e13112743f890c7ba96ac5665b71de548eceb23e9ef237805
m0m5 - f4b4dff4af48415ce1883a01d5589022fb11b1adb2c9b53aa9439cabd9273d5c
c00k135 - c092a98000322afadf557a9754f1fac6d97d21e8c0432e518edd1b5dc7e3c67f
4r3 - 9a55b85547d8d71b45fbd1000d7053fbb254571d11fe3c230592e41531bf6413
n1ce - 781d42e75cbf8d87d48dcbb54a20fdb1d9e70f02d6759124d1a3c7e68d5c9f92

combine the results to become 038468518ad8122e13112743f890c7ba96ac5665b71de548eceb23e9ef237805 f4b4dff4af48415ce1883a01d5589022fb11b1adb2c9b53aa9439cabd9273d5c c092a98000322afadf557a9754f1fac6d97d21e8c0432e518edd1b5dc7e3c67f 9a55b85547d8d71b45fbd1000d7053fbb254571d11fe3c230592e41531bf6413 781d42e75cbf8d87d48dcbb54a20fdb1d9e70f02d6759124d1a3c7e68d5c9f92

then put that into the brain wallet to add further randomness to the words.

or ofcourse run it through a sha256 again (without spaces) to give you f9640de45673cc0baacef1b9d4c407f06c453d72d06c99cf8870d19114d42d51. make your own checksum code to make it a private key more direct without using third party services.

RoxxR

full member

Activity: 208

Merit: 148

Quote from: btcdrak on November 25, 2013, 06:08:37 AM

Quote from: RoxxR on November 25, 2013, 06:07:02 AM

Quote from: btcdrak on November 25, 2013, 05:43:21 AM

Quote from: justusranvier on July 06, 2013, 12:04:10 PM

Quote from: mechs on July 06, 2013, 11:51:14 AM

The speed (seconds) with which the funds were redirected make it clear it was a bot.

I don't think you understand what a rainbow table is.

Somebody generated the exact same brainwallet you did, long before you ever thought of using that passphrase.

They've actually generated millions of brainwallets, and they're just waiting for someone naive enough to use the same weak passprases and deposit money into one of their addresses.

Anything less than 16 random words is too short as a passphrase. Not a 16 word phrase from your favourite work of literature, not some TV character's 16 word catchphrase with a few simple letter substitutions and random punctuation characters thrown in.

16 words that have never before been grouped together into the same context by any human that has ever lived.

If you can't generate and remember a random passphrase this long you shouldn't use brainwallets.

Diceware: http://world.std.com/~reinhold/diceware.html

This. And there are a couple of nice tools on this forum that easily convert dice rolls into passphrases and bitcoin addresses.

Diceware SHOULD NOT be used with anything other than dice: the entropy is not the same otherwise.

Read my post again. The tools I saw WORK WITH DICE. So, full entropy.

btcdrak

legendary

Activity: 1064

Merit: 1000

Quote from: RoxxR on November 25, 2013, 06:07:02 AM

Quote from: btcdrak on November 25, 2013, 05:43:21 AM

Quote from: justusranvier on July 06, 2013, 12:04:10 PM

Quote from: mechs on July 06, 2013, 11:51:14 AM

The speed (seconds) with which the funds were redirected make it clear it was a bot.

I don't think you understand what a rainbow table is.

Somebody generated the exact same brainwallet you did, long before you ever thought of using that passphrase.

They've actually generated millions of brainwallets, and they're just waiting for someone naive enough to use the same weak passprases and deposit money into one of their addresses.

Anything less than 16 random words is too short as a passphrase. Not a 16 word phrase from your favourite work of literature, not some TV character's 16 word catchphrase with a few simple letter substitutions and random punctuation characters thrown in.

16 words that have never before been grouped together into the same context by any human that has ever lived.

If you can't generate and remember a random passphrase this long you shouldn't use brainwallets.

Diceware: http://world.std.com/~reinhold/diceware.html

This. And there are a couple of nice tools on this forum that easily convert dice rolls into passphrases and bitcoin addresses.

Diceware SHOULD NOT be used with anything other than dice: the entropy is not the same otherwise.

RoxxR

full member

Activity: 208

Merit: 148

Quote from: btcdrak on November 25, 2013, 05:43:21 AM

Quote from: justusranvier on July 06, 2013, 12:04:10 PM

Quote from: mechs on July 06, 2013, 11:51:14 AM

The speed (seconds) with which the funds were redirected make it clear it was a bot.

I don't think you understand what a rainbow table is.

Somebody generated the exact same brainwallet you did, long before you ever thought of using that passphrase.

They've actually generated millions of brainwallets, and they're just waiting for someone naive enough to use the same weak passprases and deposit money into one of their addresses.

Anything less than 16 random words is too short as a passphrase. Not a 16 word phrase from your favourite work of literature, not some TV character's 16 word catchphrase with a few simple letter substitutions and random punctuation characters thrown in.

16 words that have never before been grouped together into the same context by any human that has ever lived.

If you can't generate and remember a random passphrase this long you shouldn't use brainwallets.

Diceware: http://world.std.com/~reinhold/diceware.html

This. And there are a couple of nice tools on this forum that easily convert dice rolls into passphrases and bitcoin addresses.

btcdrak

legendary

Activity: 1064

Merit: 1000

Quote from: justusranvier on July 06, 2013, 12:04:10 PM

Quote from: mechs on July 06, 2013, 11:51:14 AM

The speed (seconds) with which the funds were redirected make it clear it was a bot.

I don't think you understand what a rainbow table is.

Somebody generated the exact same brainwallet you did, long before you ever thought of using that passphrase.

They've actually generated millions of brainwallets, and they're just waiting for someone naive enough to use the same weak passprases and deposit money into one of their addresses.

Anything less than 16 random words is too short as a passphrase. Not a 16 word phrase from your favourite work of literature, not some TV character's 16 word catchphrase with a few simple letter substitutions and random punctuation characters thrown in.

16 words that have never before been grouped together into the same context by any human that has ever lived.

If you can't generate and remember a random passphrase this long you shouldn't use brainwallets.

Diceware: http://world.std.com/~reinhold/diceware.html

Topic: If you used Brainwallet.org - MUST READ! - Security Breach! (Read 52768 times)