Topic: If you used Brainwallet.org - MUST READ! - Security Breach! - page 3. (Read 52768 times)

legendary
Activity: 3430
Merit: 3074
Does anyone know who runs that site or how to contact them? The site itself has no contact info on it, the source code is owned by a user just called "brainwallet", the only thing resembling a contact address is a twitter account also called "brainwallet", etc.

Whoever runs this site needs to shut it down now. It's negligent to do anything less.

For someone who lives in a direct democracy that has a lot of personal freedom, and hence, a lot of required personal responsibility, you sure as hell like to impose your moral standards on other people.

Bitcoin source code was authored by some unknowable pseudonym, SHUT IT DOWN, PADRE-MIKEHEARN SAYS NO ANONYMYMOUS CODINGZ!!!
hero member
Activity: 633
Merit: 768
BTC⇆⚡⇄BTC
BTW - I would not use the tx tab of brainwallet as it only works *online* and it requires you to provide your private key (so a malicious version could simply broadcast your private key).

I'd never suggest that either.

For everyone new to that script, I only suggest that you test it offline, then copy and paste the tx to blockchain.

Thanks for the help.

Cheers!
legendary
Activity: 1890
Merit: 1078
Ian Knowles - CIYAM Lead Developer
e.g: I was wondering if I could send from a total of 10BTC at address "x", 9BTC to address "y" and 1BTC remaining change back to same address "x".

Does that work through brainwallet.org?

P.S.: fees disregarded in order to simplify the example.

Yes - that's how it creates the tx by default (if you want change to go to another address you'd have to edit it).

BTW - I would not use the tx tab of brainwallet as it only works *online* and it requires you to provide your private key (so a malicious version could simply broadcast your private key).
hero member
Activity: 633
Merit: 768
BTC⇆⚡⇄BTC
Talking about that topic,

I have a doubt, and maybe someone else has already done it, though I've never tried this out before:

At the "Transaction" function of brainwallet.org, is it possible to send BTC to same address: "Source Address" = "Destination Address"?

e.g: I was wondering if I could send from a total of 10BTC at address "x", 9BTC to address "y" and 1BTC remaining change back to same address "x".

Does that work through brainwallet.org?

P.S.: fees disregarded in order to simplify the example.
hero member
Activity: 560
Merit: 500
I am the one who knocks
The problem of this thread has nothing to do with online or offline.

It's a useful tool because it creates key/address from a passphrase. This is useful.
Not to mention all the other tools it has in it.

The problem is people *think* they know what they are doing, or think things like S00p3r53kri7 are secure.
hero member
Activity: 938
Merit: 500
https://youengine.io/
The brainwallet itself is actually a useful "offline" tool (and anyone silly enough to use it "online" well...).
The problem of this thread has nothing to do with online or offline.

It's a useful tool because it creates key/address from a passphrase. This is useful.
legendary
Activity: 3010
Merit: 1031
RIP Mommy
^

Does anyone know who runs that site or how to contact them? The site itself has no contact info on it, the source code is owned by a user just called "brainwallet", the only thing resembling a contact address is a twitter account also called "brainwallet", etc.

Whoever runs this site needs to shut it down now. It's negligent to do anything less.

Joric, I found him in #bitcoin-dev once, and IIRC he ragequit because of the core team bitching about bw.org

https://www.bitaddress.org has a brainwallet tab
Not to mention the "SHA256 hash calculators/generators" all over the net - hello, Private Key Hexadecimal Format.

Can't get security through obscurity...
legendary
Activity: 1890
Merit: 1078
Ian Knowles - CIYAM Lead Developer
Personally I think that if people are silly enough to "secure" their bitcoins with nothing more than a poorly chosen password or pass phrase then they probably are best to be relieved of them.

The brainwallet itself is actually a useful "offline" tool (and anyone silly enough to use it "online" well...).
legendary
Activity: 1526
Merit: 1129
Does anyone know who runs that site or how to contact them? The site itself has no contact info on it, the source code is owned by a user just called "brainwallet", the only thing resembling a contact address is a twitter account also called "brainwallet", etc.

Whoever runs this site needs to shut it down now. It's negligent to do anything less.
sr. member
Activity: 448
Merit: 254
Another case of cracked brainwallet where the funds were returned: http://www.reddit.com/r/Bitcoin/comments/1j9p2d/blockchaininfo_unauthorized_transactionhow_could/ .  The cracker said he's the same guy from this thread, only this time it was around 3 BTC.

This time the passphrase was quite a bit longer, but was a song title, so the rainbow table is pretty big.  Be smart and careful, people!
legendary
Activity: 1008
Merit: 1001
Let the chips fall where they may.
Perhaps Brainwallet.org should use their own rainbow table. You can still keep everything client-side for generating the address. However once the address is generated, it can be submitted to the site for checking. Users may be surprised to learn the chorus from their favorite song (with common mishearings and spellings) is actually in the dictionary.

As has been mentioned earlier in this thread, if you can easily memorize it, it is probably not a secure passphrase. The rule of thumb I use is that If it has ever been published anywhere, it is probably not a secure password. Do you really think the sum total of human knowledge has over 64 bits of entropy? (that data-set is only about 46 bits of entropy).
hero member
Activity: 630
Merit: 500
Bitgoblin
Oh, I'm impressed by this turn of events :)

So you defend the stupid so they can continue using weak passwords on brainwallets? Why not take a 50% recovery fee? The money moved again? Is the account in his sig the brainwallet (WTF!)?
I'm puzzled as well.
dafuq happened?
legendary
Activity: 1890
Merit: 1078
Ian Knowles - CIYAM Lead Developer
OP - I think the "security breach" part of your topic title should be changed (a poor password that was cracked is hardly a security breach IMO) although it has been a good reminder for people that brainwallets are a dangerous thing (and should not be recommended to people without some specific education about how to go about creating a secure enough password).
legendary
Activity: 1764
Merit: 1000
I decided to mess around and make a brain wallet.  I used the website www.brainwallet.org.  Supposedly, this javascript is client side only.  Anyway, I made a brain wallet and decided to test it.  I moved my spare change (I keep most of my BTC in cold storage) about 0.178 BTC to the new brain wallet I made "15WjmFwpZ1mp3fG55JGoGv3p5y9jtehEB2".  Literally within seconds, it was moved to a new bitcoin address not owned by me "1Lp3S4PajwhuFCyrAXSFdVGxLuqTsXtVQC" https://blockchain.info/address/15WjmFwpZ1mp3fG55JGoGv3p5y9jtehEB2


Mechs, the coins in question have been returned directly to the address in your sig:

https://blockchain.info/tx/8a91cca81bcb8ce4b9483e7d933b84b9363cd1dc0c40d37521f796403047e606

The brainwallet.org author is not the culprit, my bot is.  Since you don't come off as one of the people running a competing bot (and trust me there are lots), I'm fairly confident these coins are indeed yours and am happy to return them.

PSA: Picking a bad brainwallet password is like throwing your money on the sidewalk ... except instead of just the people around you scrambling to pick it up, the entire internet can and most of the internet has no interest in giving your money back.  Worse yet, it's actually impossible for someone wanting to give them back to do so with 100% confidence they are giving them to their rightful owner. 

I agree with the sentiment expressed in the thread that if it's memorable, it's eventually gonna find its way into someone's rainbow table and I leave all you brain wallet users with this to ponder: https://www.youtube.com/watch?v=a6iW-8xPw3k


wow, that turn of events!

+1
full member
Activity: 210
Merit: 100
Wow Jesse, that is very kind of you to return the funds! It is amazing you even by chance happened to read this thread.  I am definitely not running a competing bot, as you can tell by the weak brainwallet I created.  I was not even that upset about losing the change, it could have been much more than that.
Thank you again!
mechs


I decided to mess around and make a brain wallet.  I used the website www.brainwallet.org.  Supposedly, this javascript is client side only.  Anyway, I made a brain wallet and decided to test it.  I moved my spare change (I keep most of my BTC in cold storage) about 0.178 BTC to the new brain wallet I made "15WjmFwpZ1mp3fG55JGoGv3p5y9jtehEB2".  Literally within seconds, it was moved to a new bitcoin address not owned by me "1Lp3S4PajwhuFCyrAXSFdVGxLuqTsXtVQC" https://blockchain.info/address/15WjmFwpZ1mp3fG55JGoGv3p5y9jtehEB2


Mechs, the coins in question have been returned directly to the address in your sig:

https://blockchain.info/tx/8a91cca81bcb8ce4b9483e7d933b84b9363cd1dc0c40d37521f796403047e606

The brainwallet.org author is not the culprit, my bot is.  Since you don't come off as one of the people running a competing bot (and trust me there are lots), I'm fairly confident these coins are indeed yours and am happy to return them.

PSA: Picking a bad brainwallet password is like throwing your money on the sidewalk ... except instead of just the people around you scrambling to pick it up, the entire internet can and most of the internet has no interest in giving your money back.  Worse yet, it's actually impossible for someone wanting to give them back to do so with 100% confidence they are giving them to their rightful owner. 

I agree with the sentiment expressed in the thread that if it's memorable, it's eventually gonna find its way into someone's rainbow table and I leave all you brain wallet users with this to ponder: https://www.youtube.com/watch?v=a6iW-8xPw3k

legendary
Activity: 1862
Merit: 1105
WalletScrutiny.com
I decided to mess around and make a brain wallet.  I used the website www.brainwallet.org.  Supposedly, this javascript is client side only.  Anyway, I made a brain wallet and decided to test it.  I moved my spare change (I keep most of my BTC in cold storage) about 0.178 BTC to the new brain wallet I made "15WjmFwpZ1mp3fG55JGoGv3p5y9jtehEB2".  Literally within seconds, it was moved to a new bitcoin address not owned by me "1Lp3S4PajwhuFCyrAXSFdVGxLuqTsXtVQC" https://blockchain.info/address/15WjmFwpZ1mp3fG55JGoGv3p5y9jtehEB2


Mechs, the coins in question have been returned directly to the address in your sig:

https://blockchain.info/tx/8a91cca81bcb8ce4b9483e7d933b84b9363cd1dc0c40d37521f796403047e606

The brainwallet.org author is not the culprit, my bot is.  Since you don't come off as one of the people running a competing bot (and trust me there are lots), I'm fairly confident these coins are indeed yours and am happy to return them.

PSA: Picking a bad brainwallet password is like throwing your money on the sidewalk ... except instead of just the people around you scrambling to pick it up, the entire internet can and most of the internet has no interest in giving your money back.  Worse yet, it's actually impossible for someone wanting to give them back to do so with 100% confidence they are giving them to their rightful owner. 

I agree with the sentiment expressed in the thread that if it's memorable, it's eventually gonna find its way into someone's rainbow table and I leave all you brain wallet users with this to ponder: https://www.youtube.com/watch?v=a6iW-8xPw3k

Oh, I'm impressed by this turn of events :)

So you defend the stupid so they can continue using weak passwords on brainwallets? Why not take a 50% recovery fee? The money moved again? Is the account in his sig the brainwallet (WTF!)?
newbie
Activity: 29
Merit: 0
I decided to mess around and make a brain wallet.  I used the website www.brainwallet.org.  Supposedly, this javascript is client side only.  Anyway, I made a brain wallet and decided to test it.  I moved my spare change (I keep most of my BTC in cold storage) about 0.178 BTC to the new brain wallet I made "15WjmFwpZ1mp3fG55JGoGv3p5y9jtehEB2".  Literally within seconds, it was moved to a new bitcoin address not owned by me "1Lp3S4PajwhuFCyrAXSFdVGxLuqTsXtVQC" https://blockchain.info/address/15WjmFwpZ1mp3fG55JGoGv3p5y9jtehEB2


Mechs, the coins in question have been returned directly to the address in your sig:

https://blockchain.info/tx/8a91cca81bcb8ce4b9483e7d933b84b9363cd1dc0c40d37521f796403047e606

The brainwallet.org author is not the culprit, my bot is.  Since you don't come off as one of the people running a competing bot (and trust me there are lots), I'm fairly confident these coins are indeed yours and am happy to return them.

PSA: Picking a bad brainwallet password is like throwing your money on the sidewalk ... except instead of just the people around you scrambling to pick it up, the entire internet can and most of the internet has no interest in giving your money back.  Worse yet, it's actually impossible for someone wanting to give them back to do so with 100% confidence they are giving them to their rightful owner. 

I agree with the sentiment expressed in the thread that if it's memorable, it's eventually gonna find its way into someone's rainbow table and I leave all you brain wallet users with this to ponder: https://www.youtube.com/watch?v=a6iW-8xPw3k
full member
Activity: 168
Merit: 100
Unfortunately, our intuition is not always a good guide about the level of entropy in a given string, nor does it necessarily help much when trying to factor in the risk from dictionary attacks.

Yup, little did I know that the very first password I ever created, when I first got my own internet connection, happened to be identical to a part number of a popular ham radio component. I never played with ham radios.

When I was playing around with cracking tools (I think it was jtr) and it was quickly cracked, I was shocked to see it was in the dictionary and when I investigated, the dictionary had been made from an electronic parts catalog.

Granted by today's standards it is way too short even without being in a dictionary (7 alphanumeric characters) but still.
hero member
Activity: 560
Merit: 500
I am the one who knocks
sr. member
Activity: 330
Merit: 255
Yes - agreed - but because SHA256( SHA256( random ) ) is *intrinsic* to Bitcoin (i.e. a "meme" that is likely to be used) does sort of imply that some basic hashing checks might be useful (to stop people thinking that just because they use a hash algo somehow magically makes a simple password impossible to guess).

Not trying to "take the piss" - btw - just trying to suggest some possible improvements to the basic algo (as I'm sure you'd agree it won't take someone 150 years to crack hash( 'password' ) with any well known hash algo).

The main point being that "fools can be ingenious" (so of course you'll never help them all but perhaps we can stop the most idiotic - and if we are not trying to stop fools then why bother rating their passwords at all?).

Yep, I see what you mean. I think the person who wrote the zxcvbn checker works for Dropbox, and he just intended it to illustrate some of the pitfalls of common ways of measuring password strength, ways which could inadvertently give users bad advice. As you've just demonstrated, this seems like a case where it could do exactly that -- give bad advice.

As I understand it, this is the strength guesstimator which they are now using on the Dropbox registration page. (See his original article for more details.)
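A client-side weak-passphrase check of the kind suggested in this thread (a lookup of the derived key against a precomputed table, extended to catch people who type the hex of a hash as their "secure" passphrase), written as an added example; it is not code from brainwallet.org or from anyone posting here. The phrase list is a constructed stand-in for a real table, and the function names and the 64-bit threshold are my assumptions.

```python
import hashlib
import math

# Constructed sample of memorable phrases; a real table would hold millions
# (song lyrics, quotes, wordlists), but the lookup logic is the same.
WEAK_PHRASES = [
    "password",
    "correct horse battery staple",
    "S00p3r53kri7",
]
HASH_ROUNDS = 3  # also catch sha256('password'), sha256(sha256('password')), ...
MIN_ENTROPY_BITS = 64  # assumed threshold, from the 64-bit figure in the thread

def brainwallet_privkey(passphrase: str) -> str:
    """Derive the private key the way brainwallet.org does: SHA-256 of the text."""
    return hashlib.sha256(passphrase.encode("utf-8")).hexdigest()

def build_weak_key_table(phrases, rounds=HASH_ROUNDS) -> dict:
    """Map every private key a precomputation would contain back to its origin.

    For each phrase p this inserts privkey(p), privkey(hex(sha256(p))), ... so
    that typing the hex digest of a common word as the passphrase is caught too.
    """
    table = {}
    for phrase in phrases:
        text = phrase
        for i in range(rounds):
            key = brainwallet_privkey(text)
            table.setdefault(key, (phrase, i))  # i = how many times it was pre-hashed
            text = key  # next round: the user typed the previous digest
    return table

WEAK_KEYS = build_weak_key_table(WEAK_PHRASES)

def check_passphrase(passphrase: str, table=WEAK_KEYS) -> dict:
    """Check brainwallet.org could run client-side before showing an address."""
    hit = table.get(brainwallet_privkey(passphrase))
    if hit is not None:
        phrase, rounds = hit
        return {"ok": False, "origin": phrase, "hash_rounds": rounds}
    return {"ok": True, "origin": None, "hash_rounds": None}

def random_phrase_entropy_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy of word_count words drawn uniformly at random from a dictionary.

    A memorised phrase from a song or book has far less: the search space is
    the corpus it came from, not the dictionary.
    """
    return word_count * math.log2(dictionary_size)

def strong_enough(word_count: int, dictionary_size: int) -> bool:
    return random_phrase_entropy_bits(word_count, dictionary_size) >= MIN_ENTROPY_BITS
```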