
Topic: If you used Brainwallet.org - MUST READ! - Security Breach! - page 5. (Read 52768 times)

hero member
Activity: 504
Merit: 500
I wouldn't be surprised if some federal agents are creating distrust and hate in brainwallet.
If you use it correctly it is the most secure form of wallet.
You can never lose it and nobody can confiscate it from you.
However this is not a foolproof wallet.
You need to put a private part and a secret part in the passphrase. Then you need to import the generated private keys in a usual wallet to use it more comfortably.
I created for testing the security an easy memorable brainwallet with a passphrase containing my mother name and the 4 digit pin of my debit card and nobody has stolen it until now. If the secret part of the passphrase is even 3 characters longer and contains random characters then you are safe for the next 20 years.
full member
Activity: 168
Merit: 100
Is this the same problem we are going to have with hardware wallets?

What are the hardware wallets seeded with, a security phrase of some sort? Who creates the security phrase, the manufacturer or the end user?


It has to be the end user. If it is the manufacturer, they will keep the seed data justifying that it is for customer service. Then their database will get stolen and a bunch of people will lose their coins.

Don't buy a hardware wallet that does not allow you, the consumer, to create private keys that the manufacturer has absolutely no way of ever having seen.
member
Activity: 91
Merit: 10
Is this the same problem we are going to have with hardware wallets?

What are the hardware wallets seeded with, a security phrase of some sort? Who creates the security phrase, the manufacturer or the end user?
hero member
Activity: 630
Merit: 500
Bitgoblin
Clearly a new solution for the security issues is required for mass adoption for laypeople - the hardware wallets, if they can be made very affordable, will certainly be a move in that direction.
Yeah, that would be great.
You don't even need it to be a full featured wallet: as long as it's a "hardware containing private keys", that are used by a software, that would be a great first step.

We already have this though. Cheap smartphones (either low-quality, or old-and-used.) Restrict it to wifi instead of getting a mobile plan, and only have 2 or so apps on it (a bitcoin wallet and a QR-code reader.) That seems like a good enough first step to me, at least.

Good (and interesting) point.

It's something that will require training, and effort, and continual practise in order to maintain.
a.k.a. "will likely be lost sooner or later". Bad idea.
legendary
Activity: 1400
Merit: 1009
Also, to be super clear here when I say "brainwallet" I'm talking about the form where you turn a password like "stfu!" into a private key. It probably is possible to memorize a randomly generated private key, but it would certainly require some training in memory techniques that most people have never used, and assistance from software (e.g. to turn your private key into a series of words that you then convert into an imaginative story that you repeat to yourself every day).
Memorizing a passphrase of sufficient entropy is possible, but it should be thought of as a feat of mental effort equivalent in terms of difficulty and time investment required to doing this:

http://www.hundredpushups.com/

It's something that will require training, and effort, and continual practise in order to maintain.
legendary
Activity: 980
Merit: 1004
Firstbits: Compromised. Thanks, Android!
Clearly a new solution for the security issues is required for mass adoption for laypeople - the hardware wallets, if they can be made very affordable, will certainly be a move in that direction.
Yeah, that would be great.
You don't even need it to be a full featured wallet: as long as it's a "hardware containing private keys", that are used by a software, that would be a great first step.

We already have this though. Cheap smartphones (either low-quality, or old-and-used.) Restrict it to wifi instead of getting a mobile plan, and only have 2 or so apps on it (a bitcoin wallet and a QR-code reader.) That seems like a good enough first step to me, at least.
full member
Activity: 182
Merit: 100
The issue is passphrase entropy or lack of entropy.

This +9000, I don't think the site is compromised.

Some people probably have tables up and running monitoring all possible addresses created from basic to medium complex pass phrases. Tbh I would not be surprised if the creator of the site is one of them.

* Insu Dra runs off to create a new vps for his new rainbow tables ....
legendary
Activity: 2646
Merit: 1137
All paid signature campaigns should be banned.
think i'll stick to my offline wallets rather than any of the online versions. can't trust anything these days ;)
Brain wallets are offline wallets. That is not the issue. The issue is passphrase entropy or lack of entropy.
full member
Activity: 238
Merit: 100
KUPO!
think i'll stick to my offline wallets rather than any of the online versions. can't trust anything these days ;)
hero member
Activity: 658
Merit: 502
Doesn't use these forums that often.
What's happening with this address during the last couple of days?

https://blockchain.info/address/1JwSSubhmg6iPtRjtyqhUYYH7bZg3Lfy1T?offset=0&filter=0
People have been spamming up the network with it. (I remember adding it to my wallet, and a few days later my whole wallet was filled with transactions :) )
full member
Activity: 168
Merit: 100
One simple thing you can do that will avoid rainbow tables -

pass phrase + drivers license / ID number

Your drivers license number will act as a fairly effective salt.
legendary
Activity: 1526
Merit: 1129
I totally agree that more noobs like the OP will lose their money which would be evitable if brainwallets were known only as a concept on well documented blogs and not easily accessible to noobs through sites like brainwallet.org. Still I can't see why it shouldn't be possible to memorize secure passwords. What is your estimate how long it would take for a sentence long, yet memorizable like this one to end up in a rainbowtable? With a mutation like every second word later? Without ever mentioning the sentence on the internet?

That's very hard to say because we don't know the kind of resources that might be invested into calculating rainbow tables. It depends a lot on things we can't know, like the cost of hardware and the future price of Bitcoins (that could be stolen). Also, over what time period? If someone extends their rainbow table every day and after 3 years is able to compromise your brainwallet, you're still going to be upset, even though it was secure for 3 years.

Also, to be super clear here when I say "brainwallet" I'm talking about the form where you turn a password like "stfu!" into a private key. It probably is possible to memorize a randomly generated private key, but it would certainly require some training in memory techniques that most people have never used, and assistance from software (e.g. to turn your private key into a series of words that you then convert into an imaginative story that you repeat to yourself every day).

So, the way Electrum does it can at least theoretically work, though I don't know if anyone has studied how memorizable the generated word lists really are, even with training. The way brainwallet.org does it cannot work because you just aren't going to randomly select words from your entire vocabulary, at best you'll come up with a long password that's just a grammatical sentence, and that significantly reduces the entropy because it'll be much more biased towards words like "the" and small sentence fragments that can reduce the search space.

Quote
I ever only made one Brainwallet for a friend with one Bitcoin. She is of the non-smartphone-and-better-non-computer type, so I promised her to give her the bitcoin to "this piece of paper". I made her think up five long words that are mutually unrelated. She wrote them down and I consider this a safe password until I hear of more serious brain wallets being breached than stfu! (five closely related symbols)

If they were really random words then that's probably fine, the average adult has a vocab size of around 20,000 words so that's 20,000^5 combinations which is certainly not as good as a real private key but is likely good enough for now (it's about 71 bits of security instead of 128). But people are very bad at thinking up truly random things, so I'd question whether they were really unrelated or not.

Regardless if you're going to write something down, then it's not really a brainwallet is it? It's then a paper wallet and you may as well let the computer choose the random words for you, it will do a much better job.
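An added example (not part of any post in this thread) for the two points discussed above: why a precomputed table works against a password-derived key and what a per-user salt changes, and how the "about 71 bits" figure for five random words is obtained. It assumes the private key is a single unsalted SHA-256 of the passphrase; the guess list and the ID-number salt are constructed values.

```python
import hashlib
import math

def brainwallet_key(passphrase: str) -> str:
    """Private key as hex: one unsalted SHA-256 over the passphrase (assumed scheme)."""
    return hashlib.sha256(passphrase.encode("utf-8")).hexdigest()

def build_table(candidates):
    """Precompute key -> passphrase once; the same table applies to every user."""
    return {brainwallet_key(p): p for p in candidates}

def recover(table, key_hex):
    """Return the passphrase if this key was precomputed, else None."""
    return table.get(key_hex)

def salted_key(passphrase: str, salt: str) -> str:
    """Passphrase + per-user salt (e.g. an ID number), as suggested in the thread."""
    return brainwallet_key(passphrase + salt)

def passphrase_bits(vocab_size: int, words: int) -> float:
    """Entropy in bits; valid only if every word is drawn uniformly at random."""
    return words * math.log2(vocab_size)

def words_needed(vocab_size: int, target_bits: int) -> int:
    """Smallest number of uniformly random words that reaches target_bits."""
    return math.ceil(target_bits / math.log2(vocab_size))

# Constructed guess list and constructed salt, for illustration only.
GUESSES = ["password", "stfu!", "correct horse battery staple", "let me in"]
SALT = "D1234567"  # hypothetical ID number

if __name__ == "__main__":
    table = build_table(GUESSES)
    # Unsalted key of a guessable phrase is found by a plain dictionary lookup.
    print(recover(table, brainwallet_key("stfu!")))
    # Same phrase with a salt is absent from the generic table.
    print(recover(table, salted_key("stfu!", SALT)))
    # Five uniformly random words from a 20,000-word vocabulary.
    print(round(passphrase_bits(20_000, 5), 1))
    # Words required to match a 128-bit target.
    print(words_needed(20_000, 128))
```

The salt only removes the benefit of a table shared across all users; the entropy figures hold only for words picked by a random generator, not words a person thinks up.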
full member
Activity: 210
Merit: 100
Very colorful, here is the private key: 5KTJj2XjQiFCXMwNEhoJCpz9exodNBC9PMeQF5hhnABa4SVj2HL
I think the point is that it still does not have as much entropy as a randomly generated key since it uses real words which are finite.
sr. member
Activity: 399
Merit: 250
Is your passphrase just too simple?
Any passphrase you can memorize is almost too simple by definition.

That's crap for a start.....
"Mary had a little 公羊 it's prick was red as blood and every time that Mary bled the Ram surly understood"
legendary
Activity: 2646
Merit: 1137
All paid signature campaigns should be banned.
Connection Not Encrypted
The website brainwallet.org does not support encryption for the page you are viewing.
Information sent over the internet without encryption can be seen by other people while it is in transit.
srsly?

None of the information is transmitted out of your browser. In fact once the javascript is downloaded you can disconnect your computer from the Internet while you make your keys, etc. So SSL is not as big of a deal as far as your keys are concerned. The main concern is the javascript itself.

Also, the security or lack thereof in regards to the javascript delivery is not the topic of this thread. We know how the coins were stolen and it had nothing to do with the lack of SSL delivery and everything to do with the strength of the passphrase used.
hero member
Activity: 630
Merit: 500
Bitgoblin
Connection Not Encrypted
The website brainwallet.org does not support encryption for the page you are viewing.
Information sent over the internet without encryption can be seen by other people while it is in transit.
srsly?
hero member
Activity: 899
Merit: 1002
Connection Not Encrypted
The website brainwallet.org does not support encryption for the page you are viewing.
Information sent over the internet without encryption can be seen by other people while it is in transit.

full member
Activity: 168
Merit: 100
"Fraud? What fraud? It's my own brain wallet, I can do with it whatever I want."

Actually a valid point. You never asked anyone to deposit into your account nor did you steal a private key.
legendary
Activity: 1862
Merit: 1105
WalletScrutiny.com
Looks like one of my comments made to this thread was deleted.
looks like a valuable contribution to the topic.