Topic: If you used Brainwallet.org - MUST READ! - Security Breach! - page 5. (Read 52829 times)

I wouldn't be surprised if some federal agents are creating distrust and hate in brainwallet.
If you use correctly it is the most secure form of wallet.
You can never loose it and nobody can confiscate from you.
However this is not a foolproof wallet.
You need to put a private part and a secret part in the passphrase. Then you need to import the generated private keys in a usual wallet to use it more comfortable.
I created for testing the security an easy memorable brainwallet with a passphrase containing my mother name and the 4 digit pin of my debit card and nobody has stolen it until now. If the secret part of the passphrase is even 3 characters longer and contains random characters then you are safe for the next 20 years.

It has to be the end user. If it is the manufacturer, they will keep the seed data justifying that it is for customer service. Then their database will get stolen and a bunch of people will lose their coins.

Don't buy a hardware wallet that does not allow you, the consumer, to create private keys that the manufacturer has absolutely no way of ever having seen.

Is this the same problem we are going to have with hardware wallets?

What are the hardware wallets seeded with, a security phrase of some sort? Who creates the security phrase, the manufacturer or the end user?

Good (and interesting) point.

a.k.a. "will likely be lost sooner or later". Bad idea.

Memorizing a passphrase of sufficient entropy is possible, but it should be thought of as a feat of mental effort equivalent in terms of difficulty and time investment required to doing this:

http://www.hundredpushups.com/

It's something that will require training, and effort, and continual practise in order to maintain.

We already have this though. Cheap smartphones (either low-quality, or old-and-used.) Restrict it to wifi instead of getting a mobile plan, and only have 2 or so apps on it (a bitcoin wallet and a QR-code reader.) That seems like a good enough first step to me, at least.

This +9000, I don't think the site is compromised.

Some people probably have tables up and running monitoring all possible addresses created from basic to medium complex pass phrases. Tbh I would not be surprised if the creator of the site is one of them.

Brain wallets are offline wallets.  That is not the issue.  The issues is passphrase entropy or lack of entropy.

think i'll stick to my offline wallets rather than any of the online versions. cant trust anything these days

People have been spamming up the network with it. (I remember adding it to my wallet, and a few days later my whole wallet was filled with transations )

What's happening with this address during the las couple of days?

https://blockchain.info/address/1JwSSubhmg6iPtRjtyqhUYYH7bZg3Lfy1T?offset=0&filter=0

One simple thing you can do that will avoid rainbow tables -

pass phrase + drivers license / ID number

Your drivers license number will act as a fairly effective salt.

That's very hard to say because we don't know the kind of resources that might be invested into calculating rainbow tables. It depends a lot on things we can't know,  like the cost of hardware and the future price of Bitcoins (that could be stolen). Also, over what time period? If someone extends their rainbow table every day and after 3 years is able to compromise your brainwallet, you're still going to be upset, even though it was secure for 3 years.

Also, to be super clear here when I say "brainwallet" I'm talking about the form where you turn a password like "stfu!" into a private key. It probably is possible to memorize a randomly generated private key, but it would certainly require some training in memory techniques that most people have never used, and assistance from software (e.g. to turn your private key into a series of words that you then convert into an imaginative story that you repeat to yourself every day).

So, the way Electrum does it can at least theoretically work, though I don't know if anyone has studied how memorizable the generated word lists really are, even with training. The way brainwallet.org does it cannot work because you just aren't going to randomly select words from your entire vocabulary, at best you'll come up with a long password that's just a grammatical sentence, and that significantly reduces the entropy because it'll be much more biased towards words like "the" and small sentence fragments that can reduce the search space.


If they were really random words then that's probably fine, the average adult has a vocab size of around 20,000 words so that's 20,000^5 combinations which is certainly not as good as a real private key but is likely good enough for now (it's about 71 bits of security instead of 128). But people are very bad at thinking up truly random things, so I'd question whether they were really unrelated or not.

Regardless if you're going to write something down, then it's not really a brainwallet is it? It's then a paper wallet and you may as well let the computer choose the random words for you, it will do a much better job.

Very colorful, here is the private key: 5KTJj2XjQiFCXMwNEhoJCpz9exodNBC9PMeQF5hhnABa4SVj2HL
I think the point is that it still does not have as much entropy as a randomly generated key since it uses real words which are finite.

That's crap for a start.....
"Mary had a little 公羊 it's prick was red as blood and every time that Mary bled the Ram surly understood"

None of the information is transmitted out of your browser.  In fact once the javascript is downloaded you can disconnect your computer from the Internet while you make your keys, etc.  So SSL is not as big of a deal as far as your keys are concerned.  The main concern is the javascript itself.

Also, the security or lack there of in regards to the javascript delivery is not the topic of this thread.  We know how the coins were stolen and it had nothing to do with the lack of SSL delivery and everything to do with the strength of the passphrase used.

srsly?

Connection Not Encrypted
The website brainwallet.org does not support encryption for the page you are viewing.
Information sent over the internet without encryption can be seen by other people while it is in transit.

Actually a valid point. You never asked anyone to deposit into your account nor did you steal a private key.

looks like a valuable contribution to the topic.