Pages:
Author

Topic: If you used Brainwallet.org - MUST READ! - Security Breach! - page 6. (Read 52821 times)

legendary
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
Looks like one of my comments made to this thread was deleted.
hero member
Activity: 938
Merit: 500
https://youengine.io/
If it is taking small amounts it is missing out on the larger amounts that will be deposited when the user thinks it is secure
This won't happen because if you don't take it immediately then someone else's bot will certainly do it. You have to be faster than all other bots or you won't get anything.

I guess for me the risk of being arrested for wire fraud
"Fraud? What fraud? Its my own brain wallet, I can do with it whatever I want."

full member
Activity: 168
Merit: 100
and I meant maybe your brainwallet password was short not your wallet.dat password. It is probably a bot that instant created all private keys of a word list and then when a balance hit's it transfers it out.
What kind of idiot would write a bot like that?
You wait until it has at least half a coin in it before transfering it out.
Wait until a competing bot decides to take the money? It would be an idiotic bot if it did not secure any available balance immediately.

If it is taking small amounts it is missing out on the larger amounts that will be deposited when the user thinks it is secure.

I guess for me the risk of being arrested for wire fraud and computer crimes for a small fraction of a bitcoin just seems moronic.
full member
Activity: 168
Merit: 100
A) If I die, my survivors have no way to access it.

Simply put the pass phrase and instructions on a piece of paper in your safe, just like you would your paper wallets.  This is not an issue.

But if it is going to be written down I might as well generate a completely random private key and be safer.
hero member
Activity: 938
Merit: 500
https://youengine.io/
and I meant maybe your brainwallet password was short not your wallet.dat password. It is probably a bot that instant created all private keys of a word list and then when a balance hit's it transfers it out.
What kind of idiot would write a bot like that?
You wait until it has at least half a coin in it before transfering it out.
Wait until a competing bot decides to take the money? It would be an idiotic bot if it did not secure any available balance immediately.
legendary
Activity: 1862
Merit: 1114
WalletScrutiny.com
There is a terrifying amount of misunderstanding of cryptography on this thread.

Brainwallet.org needs to be shut down, yesterday. The title of the thread is correct because the very fact that the site exists is a security breach.

Justus is telling the truth here. You cannot invent or memorise a private key, it isn't possible unless you are the kind of person who competes in international memorisation competitions for fun. And maybe not even then. This isn't about stupid users or smart users, there is absolutely nothing stopping someone from just generating a larger and larger rainbow table every day and that is quite obviously what is happening.

Please tell us which wallet app you imported the key into do we can ask the developers to put a warning in the ui about it. The community clearly needs to sound the alarm about this stupid concept much louder than we have done.

I totally agree that more noobs like the OP will lose their money which would be evitable if brainwallets were known only as a concept on well documented blogs and not easily accessible to noobs through sites like brainwallet.org. Still I can't see why it shouldn't be possible to memorize secure passwords. What is your estimate how long it would take for a sentence long, yet memorizable like this one to end up in a rainbowtable? With a mutation like every second word later? Without ever mentioning the sentence on the internet?

I ever only made one Brainwallet for a friend with one Bitcoin. She is of the non-smartphone-and-better-non-computer type, so I promised her to give her the bitcoin to "this piece of paper". I made her think up five long words that are mutually unrelated. She wrote them down and I consider this a safe password until I hear of more serious brain wallets being breached than stfu! (five closely related symbols)

Whatyourhowittakealong,memorizablethistoupaisestimatelongwouldforsentenceyetlikeoneendinrainbowtable <- memorizable password as of above
legendary
Activity: 2646
Merit: 1137
All paid signature campaigns should be banned.
A) If I die, my survivors have no way to access it.

Simply put the pass phrase and instructions on a piece of paper in your safe, just like you would your paper wallets.  This is not an issue.

Having said that I agree that the entire concept:

SHA256() -> private key

is very dangerous and should not be attempted by just about everyone (including myself here), hence the name of this thread should be changed to warn everyone about all brain wallets, not just those produced by brainwallet.org, this is not a brainwallet.org issue, it is a brain wallet issue.

brainwallet.org and bitaddress.org and any other sites that allow/help users to produce these things should at the very least warn their customers to only do it if they know what they are doing and outline the risks.
hero member
Activity: 630
Merit: 500
Bitgoblin
Clearly a new solution for the security issues it required for mass adoption for laypeople - the hardware wallets, if they can be made very affordable, will certainly be a move in that direction.
Yeah, that would be great.
You don't even need it to be a full featured wallet: as long as it's a "hardware containing private keys", that are used by a software, that would be a great first step.

There is a terrifying amount of misunderstanding of cryptography on this thread.

Brainwallet.org needs to be shut down, yesterday. The title of the thread is correct because the very fact that the site exists is a security breach.

Justus is telling the truth here. You cannot invent or memorise a private key, it isn't possible unless you are the kind of person who competes in international memorisation competitions for fun. And maybe not even then. This isn't about stupid users or smart users, there is absolutely nothing stopping someone from just generating a larger and larger rainbow table every day and that is quite obviously what is happening.

Please tell us which wallet app you imported the key into do we can ask the developers to put a warning in the ui about it. The community clearly needs to sound the alarm about this stupid concept much louder than we have done.
+1
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
It is possible to generate a "secure enough" brainwallet.

Indeed - I have a brainwallet and although it doesn't have much BTC (it was an experiment) it is still intact after nearly 1 year (and I have memorised the pass phrase).

I imported the private key into Bitcoin-QT using the importprivkey command in the console.

As was pointed out - the poor choice of password meant your private key was easily hacked.

If you are going to use a "password" (rather than a pass phrase) then the advice "if you can remember your password then it is not good enough" should be heeded.
full member
Activity: 210
Merit: 100
I imported the private key into Bitcoin-QT using the importprivkey command in the console.
vip
Activity: 1316
Merit: 1043
👻
Users are almost always the weak point. This is the case here.

It is possible to generate a "secure enough" brainwallet.
legendary
Activity: 1526
Merit: 1134
There is a terrifying amount of misunderstanding of cryptography on this thread.

Brainwallet.org needs to be shut down, yesterday. The title of the thread is correct because the very fact that the site exists is a security breach.

Justus is telling the truth here. You cannot invent or memorise a private key, it isn't possible unless you are the kind of person who competes in international memorisation competitions for fun. And maybe not even then. This isn't about stupid users or smart users, there is absolutely nothing stopping someone from just generating a larger and larger rainbow table every day and that is quite obviously what is happening.

Please tell us which wallet app you imported the key into do we can ask the developers to put a warning in the ui about it. The community clearly needs to sound the alarm about this stupid concept much louder than we have done.
full member
Activity: 196
Merit: 100
  I am not sure this is correct - when you go to http://brainwallet.org/ and toggle between compressed and uncompressed both the public and private key changes.  You cannot use the compressed private key to access the uncompressed public key or vice-verse without changing between the two. 

The private key (Wallet Import Format) changes because it is encoded with the flag character to indicate compressed/uncompressed form (see my post above). That 01 suffix changes the base58 value completely.

If you look ate the public key, the uncompressed version starts 04 followed by 128 characters (64 bytes) which are the X and Y coordinates.
Look at the compressed public key and its starts 02 or 03 (which is a flag to indicate the sign of the Y coordainate) followed by the same X coordinate value as the uncompressed public key.
full member
Activity: 196
Merit: 100
Why is it then that under the details tab on bitaddress.org is there an option of "Private Key WIF (compressed, 52 characters base58, starts with a 'K' or 'L')?"

Its just so the wallet that you are importing it into knows whether to use the compressed or uncompressed public key. It you convert the WIF key back to hex, the compressed private key is identical to the uncompressed one, with the addition of a '01' flag character at the end. I guess its done this way to make it foolproof (the user does not need to specify to the wallet whether to use the compressed or uncompressed public key to generate the address as it is already flagged in the WIF private key string).

Take a look at my script at https://bitcointalksearch.org/topic/m.2642261 as it shows the procedure to generate both of the WIF keys from the hex private key quite clearly (just search for WIF). Its simply an 80 prefix. followed by the key value, followed by an 01 suffix (for the compressed key only). To this is appended a double sha256 checksum (just the leading 4 bytes, ie 8 characters in hex), then the whole hex string is base 58 encoded.
full member
Activity: 210
Merit: 100
Btw, can someone expalin to me the difference between the compressed and uncompressed keys?  Seems both are accepted by Bitcoin-QT (though uncompressed priv key cannot be used to access compress public or vice-versa).  Is one type more secure than the other?  In my example, the stfu! compressed version was not compromised, only the uncompressed version was (I channeled the BTC through both bitcoin addresses).  The speed (seconds) with which the funds were redirected make it clear it was a bot.
Compressed or uncompressed only applies to public keys, not private keys.  All private keys are the same, there is no compressed form.  For every private key there is only one public key but the public key can be expressed in two different forms.  Each form maps to a different public key address.  So, every private key maps to two different public key addresses.

Not a bot, it was just that the address you generated was already set up to sweep to another address long before you generated it - as explained in other posts.

Btw, can someone expalin to me the difference between the compressed and uncompressed keys?
The public key is a 64 byte (512 bit) number derived by ECC algorithm from the private key. It consists of the X and Y coordinates of a point on the curve. However one of these coordinates is redundant, so the compressed key just uses the X coordinate which shortens the public key length by half. In practice both versions are hashed to 160bit hash value in the block chain. If you take a look at the script I linked above, you can see the procedure for generating both the uncompressed and compressed keys/addresses.

I assume they are equally secure (others may correct me). The reason that only the uncompressed stfu! was compromised is (I guess) that most people just use this one and the hacker did not bother to build the rainbow table for the compressed one (lazy hacker as the ECC is the expensive part, so the only cost of having both is storage space).

Hope this helps. (Yup, crosspost, but not on this topic so I'll post anyway)
Almost.  For completeness:
Since every X coordinate in the finite prime field corresponds to exactly two Y coordinates in the finite prime field, one positive and one negative, it is possible to define the exact X,Y coordinate of the public key by using the X coordinate and a sign indicator to tell you which of the two possible Y coordinates to use.

Both forms of the public key are equally secure in that a) they both describe exactly the same information and b) given the X,Y coordinates of a point in either form it is equally difficult to calculate the private key used to generate the public key point.

Yes the ECC is the "hard part" of the calculation but going from uncompressed to compressed public key form is trivial and then the extra hashes to calculate the two different public key addresses is also trivial.  I expect "lazy hacker" if the compressed form was not compromised.

Thanks, it seems to me then compressed is more secure simply since less people use it so hackers less likely to include it in a rainbow table.  Clearly, though, that is not a replacement for a strong passphrase.
Whether you use the compressed or uncompressed public key to generate the public key address does not matter at all since the issue here is the passphrase used to create the private key.

Given a very large numer of private keys generated from a very large number of common/simple pass phrases they will simply set up sweeps of both versions of the public key address generated from each private key.

I still think this thread is very useful - I know you feel people who are new and not tech savvy deserve to lose their bitcoins, but that is not an attitude that will lead to widespread adoption.  I would be okay changing it to:  "If you use Brainwallet.org - MUST READ! - Security Risk!" if you think that is more accurate.  My post was not meant to be libel in anyway, it seemed like a security breach to me at the time and it is a vulnerability with brain wallets more people need to be made aware.

Yes, I think that you should (please) change the title to "If you use any brain wallet - MUST READ! - Security Risk!"  as this issue of losing your BTC when using a common/simple pass phrase applies to any brain wallet, not just those from brainwallet.org.

The most important thing new users should learn before using Bitcoin is how to protect their key.
+1
Keep your private keys private
The issue here was that the passphrase for a brain wallet was too simple.  Not that the private key was not kept private.





Burt,
  I am not sure this is correct - when you go to http://brainwallet.org/ and toggle between compressed and uncompressed both the public and private key changes.  You cannot use the compressed private key to access the uncompressed public key or vice-verse without changing between the two. 
hero member
Activity: 672
Merit: 500
Compressed or uncompressed only applies to public keys, not private keys.  All private keys are the same, there is no compressed form.

Why is it then that under the details tab on bitaddress.org is there an option of "Private Key WIF (compressed, 52 characters base58, starts with a 'K' or 'L')?"
full member
Activity: 168
Merit: 100
The speed (seconds) with which the funds were redirected make it clear it was a bot.
I don't think you understand what a rainbow table is.

Somebody generated the exact same brainwallet you did, long before you ever thought of using that passphrase.

They've actually generated millions of brainwallets, and they're just waiting for someone naive enough to use the same weak passprases and deposit money into one of their addresses.

Anything less than 16 random words is too short as a passphrase. Not a 16 word phrase from your favourite work of literature, not some TV character's 16 word catchphrase with a few simple letter substitutions and random punctuation characters thrown in.

16 words that have never before been grouped together into the same context by any human that has ever lived.

If you can't generate and remember a random passphrase this long you shouldn't use brainwallets.

Another thing you can do is repeat hash hundreds and hundred of times. And use a salt - with the original phrase and added to each hash. You can even have a simple formula that changes the salt each hash.

57899@##$% as me salt.
"I like big butts" as my passphrase.

Each hash I change the salt according to the number performed and add it to the previous hash, changing the salt so it grows each time, resulting in a huge salt by last hash.

Reapeat, say, 722 times.

All I have to remember is the salt (write it down), the pass phrase, and the algorythm I used to alter the salt each iteration.

Try cracking that from a rainbow table.

But I still don't like brain wallets. Paper for me. Stored in a secure place.

KISS
full member
Activity: 168
Merit: 100
and I meant maybe your brainwallet password was short not your wallet.dat password. It is probably a bot that instant created all private keys of a word list and then when a balance hit's it transfers it out.

What kind of idiot would write a bot like that?
You wait until it has at least half a coin in it before transfering it out.

Well I guess for really common words it has to be fast or someone else gets it.

-=-

I have two problems with brain wallets -

A) If I die, my survivors have no way to access it.

B) No matter how clever I think I am, if the pass phrase is something I can remember, it has a higher liklihood of being brute forced than a key that is high entropy random generated.

Paper wallets for me.
sr. member
Activity: 448
Merit: 254
I think we shouldn't make such of assertions without any evidence.
If someone calculated a rainbow table (and almost sure that have done more people) then it has nothing to do with the site owner.

He's just saying SHA256 brain private keys are a bad idea, and sites like Brainwallet.org should be taken down so that is not easy for misinformed people to create weak private keys.  How hard we should try to protect people from themselves, I guess that's a philosophical/ideological debate that is OT.

As for the evidence of a rainbow table, how about this:

I did a small investigation some time ago to see how widespread the problem was, and these were the results:

 - Sent 0.001 BTC to an address generated with a password you will find in any top 10 common password list. Taken immediately.
 - Sent 0.001 BTC to an address generated with a six digit password. Taken immediately.
 - Sent 0.001 BTC to an address generated with the same six digit password as above, but with Point Conversion set to "Compressed". Untouched.
 - Sent 0.001 BTC to an address generated with an upper/lower/digit six character randomly generated password, normal Point Conversion. Untouched.

Someone is definitely out there grabbing things from weak-passworded wallets, but even a six-character random password thwarts them.

The only thing slightly surprising to me is that mechs's password "stfu!" has punctuation, but I just checked and that verbatim string is in the Rockyou password dump, and anyway it's not much more creative than just "stfu" alone.

Yes, I think that you should (please) change the title to "If you use any brain wallet - MUST READ! - Security Risk!"  as this issue of losing your BTC when using a common/simple pass phrase applies to any brain wallet, not just those from brainwallet.org.

Agreed.  More accurate, less alarming, more applicable.
legendary
Activity: 2646
Merit: 1137
All paid signature campaigns should be banned.
Btw, can someone expalin to me the difference between the compressed and uncompressed keys?  Seems both are accepted by Bitcoin-QT (though uncompressed priv key cannot be used to access compress public or vice-versa).  Is one type more secure than the other?  In my example, the stfu! compressed version was not compromised, only the uncompressed version was (I channeled the BTC through both bitcoin addresses).  The speed (seconds) with which the funds were redirected make it clear it was a bot.
Compressed or uncompressed only applies to public keys, not private keys.  All private keys are the same, there is no compressed form.  For every private key there is only one public key but the public key can be expressed in two different forms.  Each form maps to a different public key address.  So, every private key maps to two different public key addresses.

Not a bot, it was just that the address you generated was already set up to sweep to another address long before you generated it - as explained in other posts.

Btw, can someone expalin to me the difference between the compressed and uncompressed keys?
The public key is a 64 byte (512 bit) number derived by ECC algorithm from the private key. It consists of the X and Y coordinates of a point on the curve. However one of these coordinates is redundant, so the compressed key just uses the X coordinate which shortens the public key length by half. In practice both versions are hashed to 160bit hash value in the block chain. If you take a look at the script I linked above, you can see the procedure for generating both the uncompressed and compressed keys/addresses.

I assume they are equally secure (others may correct me). The reason that only the uncompressed stfu! was compromised is (I guess) that most people just use this one and the hacker did not bother to build the rainbow table for the compressed one (lazy hacker as the ECC is the expensive part, so the only cost of having both is storage space).

Hope this helps. (Yup, crosspost, but not on this topic so I'll post anyway)
Almost.  For completeness:
Since every X coordinate in the finite prime field corresponds to exactly two Y coordinates in the finite prime field, one positive and one negative, it is possible to define the exact X,Y coordinate of the public key by using the X coordinate and a sign indicator to tell you which of the two possible Y coordinates to use.

Both forms of the public key are equally secure in that a) they both describe exactly the same information and b) given the X,Y coordinates of a point in either form it is equally difficult to calculate the private key used to generate the public key point.

Yes the ECC is the "hard part" of the calculation but going from uncompressed to compressed public key form is trivial and then the extra hashes to calculate the two different public key addresses is also trivial.  I expect "lazy hacker" if the compressed form was not compromised.

Thanks, it seems to me then compressed is more secure simply since less people use it so hackers less likely to include it in a rainbow table.  Clearly, though, that is not a replacement for a strong passphrase.
Whether you use the compressed or uncompressed public key to generate the public key address does not matter at all since the issue here is the passphrase used to create the private key.

Given a very large numer of private keys generated from a very large number of common/simple pass phrases they will simply set up sweeps of both versions of the public key address generated from each private key.

I still think this thread is very useful - I know you feel people who are new and not tech savvy deserve to lose their bitcoins, but that is not an attitude that will lead to widespread adoption.  I would be okay changing it to:  "If you use Brainwallet.org - MUST READ! - Security Risk!" if you think that is more accurate.  My post was not meant to be libel in anyway, it seemed like a security breach to me at the time and it is a vulnerability with brain wallets more people need to be made aware.

Yes, I think that you should (please) change the title to "If you use any brain wallet - MUST READ! - Security Risk!"  as this issue of losing your BTC when using a common/simple pass phrase applies to any brain wallet, not just those from brainwallet.org.

The most important thing new users should learn before using Bitcoin is how to protect their key.
+1
Keep your private keys private
The issue here was that the passphrase for a brain wallet was too simple.  Not that the private key was not kept private.



Pages:
Jump to: