
Topic: If you used Brainwallet.org - MUST READ! - Security Breach! - page 7. (Read 52768 times)

full member
Activity: 210
Merit: 100
Clearly a new solution for the security issues is required for mass adoption by laypeople. Hardware wallets, if they can be made very affordable, will certainly be a move in that direction.
vip
Activity: 1316
Merit: 1043
👻
Which is great if you know what you are doing, but people in life are not prepared to lose money if their hard drive crashes or such. It doesn't matter how loud you yell at users for them to back up their private keys - they usually don't.
Jan
legendary
Activity: 1043
Merit: 1002
The block chain is a public vault. Anyone can use it. Access to specific funds is determined by the key used. The security of your money depends on your ability to protect your key. Creating a unique key from the start is an important step in protecting your key.

When you use a key that someone else already has...



...they can access any funds attached to that key.

The most important thing new users should learn before using Bitcoin is how to protect their key.

+1
Keep your private keys private
legendary
Activity: 1862
Merit: 1105
WalletScrutiny.com
I still think this thread is very useful - I know you feel people who are new and not tech savvy deserve to lose their bitcoins, but that is not an attitude that will lead to widespread adoption.  I would be okay changing it to:  "If you use Brainwallet.org - MUST READ! - Security Risk!" if you think that is more accurate.  My post was not meant to be libel in any way; it seemed like a security breach to me at the time, and it is a vulnerability with brain wallets of which more people need to be made aware.

If you have no problem lying to people, implicitly calling others that set up services like brainwallet fraudsters, leave it as is. If honesty counts in your value system, maybe change it to the truth. This is not about saying that you didn't deserve better.
full member
Activity: 210
Merit: 100
I still think this thread is very useful - I know you feel people who are new and not tech savvy deserve to lose their bitcoins, but that is not an attitude that will lead to widespread adoption.  I would be okay changing it to:  "If you use Brainwallet.org - MUST READ! - Security Risk!" if you think that is more accurate.  My post was not meant to be libel in any way; it seemed like a security breach to me at the time, and it is a vulnerability with brain wallets of which more people need to be made aware.
legendary
Activity: 1862
Merit: 1105
WalletScrutiny.com
OP: mind changing the topic? I find it quite offensive to the guy who runs brainwallet.org despite the above mentioned reservations.
You only make a fool of yourself if you use a weak password like you did and then blame the service of stealing your money.
full member
Activity: 210
Merit: 100
Thanks, it seems to me then that compressed is more secure simply because fewer people use it, so hackers are less likely to include it in a rainbow table.  Clearly, though, that is not a replacement for a strong passphrase.
hero member
Activity: 504
Merit: 500
Somebody told me that he generated a keypair with the passphrase 'dog' one year ago, when bitcoin had a value of $10, and deposited 0.01 BTC.
The amount was taken within half an hour.
No human would make such an effort for 10 cents.
So it seems to be certain that some bots are scanning the network for brainwallets.
But that doesn't mean that brainwallets are not secure if used correctly.
full member
Activity: 196
Merit: 100
Btw, can someone explain to me the difference between the compressed and uncompressed keys?

Since I'm here, I'll take a punt, but I'm no expert (and I expect a cross post will happen by the time I finish).

The public key is a 64 byte (512 bit) number derived by the ECC algorithm from the private key. It consists of the X and Y coordinates of a point on the curve. However, one of these coordinates is redundant, so the compressed key just uses the X coordinate, which shortens the public key length by half. In practice both versions are hashed to a 160-bit hash value in the block chain. If you take a look at the script I linked above, you can see the procedure for generating both the uncompressed and compressed keys/addresses.

I assume they are equally secure (others may correct me). The reason that only the uncompressed stfu! was compromised is (I guess) that most people just use this one and the hacker did not bother to build the rainbow table for the compressed one (lazy hacker as the ECC is the expensive part, so the only cost of having both is storage space).

Hope this helps. (Yup, crosspost, but not on this topic so I'll post anyway)
legendary
Activity: 1400
Merit: 1009
The speed (seconds) with which the funds were redirected make it clear it was a bot.
I don't think you understand what a rainbow table is.

Somebody generated the exact same brainwallet you did, long before you ever thought of using that passphrase.

They've actually generated millions of brainwallets, and they're just waiting for someone naive enough to use the same weak passphrases and deposit money into one of their addresses.

Anything less than 16 random words is too short as a passphrase. Not a 16 word phrase from your favourite work of literature, not some TV character's 16 word catchphrase with a few simple letter substitutions and random punctuation characters thrown in.

16 words that have never before been grouped together into the same context by any human that has ever lived.

If you can't generate and remember a random passphrase this long you shouldn't use brainwallets.
full member
Activity: 210
Merit: 100
Btw, can someone explain to me the difference between the compressed and uncompressed keys?  Seems both are accepted by Bitcoin-QT (though the uncompressed priv key cannot be used to access the compressed public key or vice-versa).  Is one type more secure than the other?  In my example, the stfu! compressed version was not compromised, only the uncompressed version was (I channeled the BTC through both bitcoin addresses).  The speed (seconds) with which the funds were redirected makes it clear it was a bot.
full member
Activity: 210
Merit: 100
As I said, it was a small loss - the equivalent of $12.  Could have been worse, and hopefully others will learn from my errors.  Still, a warning on the website about the need to use a strong passphrase would be a good idea.  Ninja's bitaddress generator will not even create codes for such short passphrases, I see, to protect newbs from themselves.
full member
Activity: 196
Merit: 100
stfu! looks correct ...

Code:
pi@tvpi ~ $ python bitaddr_brain.py
Enter keyphrase: stfu!
stfu!
keyphrase=[stfu!]
f8ec8429e5922a17fa3b8f2810949381bc921adef69e42dab30f579ddd5731e9  priv key HEX
5Khv1RwWj3jkJnewDYxdDXFwyJiBppER3t5c291G5pL4RuuxhMr  private key WIF
L5Zaxu5cCb5g9WWSJQ4WrGYydXAnn3UD9iTKa2L9aFu88xBCwgdV  private key WIF (comp)
041b35508e152d9470a5e94160a13647da0de4dc017fad205b0ee99ef8526c6f878509cf4908aceb8428f22e4b3bde67342ec4349b187f67c974b07f441a5711df  public key
318043492132656822b2cec2b5d2465c067889b5  uncompressed hash (pubkey)
15WjmFwpZ1mp3fG55JGoGv3p5y9jtehEB2  address
031b35508e152d9470a5e94160a13647da0de4dc017fad205b0ee99ef8526c6f87  comp pubkey
091a107374ffc6854910a469b96fe970674a8fa6  hash (compressed pubkey)
1q8JhnKe7LjBZjCrwfDYT5LkkGo9GuEEx  compressed address

I feel for your loss, but it's a useful wake-up call for the rest of us. I think I'll stick with bitcoin_qt for now.
hero member
Activity: 504
Merit: 500
The owner of that site needs to shut it down. This kind of thing was inevitable and we warned about it from the start. Someone has calculated a rainbow table and the passphrase you chose is in it.

Which wallet software did you import the key into? Do we need to put a warning about this site into wallet apps? We need to find some way to kill this stupid and dangerous site asap.
I think we shouldn't make such assertions without any evidence.
If someone calculated a rainbow table (and it is almost certain that more people have done so), then it has nothing to do with the site owner.
It was the negligence of the user in using a simple password, and the opportunism of a dishonest hacker, which caused this.
Is the bank guilty if somebody takes over your online account because you used 123456 as your password?
You shouldn't use something that you don't understand.
full member
Activity: 210
Merit: 100
hey guys,
   Sorry I just logged back on.  As I said, I was just fooling around, so I did use a very short passphrase "stfu!" just to see how it works, and I imported it into Bitcoin-qt using the importprivkey command.  I actually made two keys from this - one with Point Compression and one without Point Compression - only the uncompressed address was compromised.
    Anyway, newbie mistake - glad I learned it on 0.178 BTC as opposed to much more.  Though this experience has taught me a brain wallet is not for me - any phrase I could remember would not be secure, and if I added enough misspellings and character substitutions I would likely forget it eventually.  Will just stick to my paper wallets I generated offline using Ninja's script at bitcoinaddress.org
    I feel better actually, since even though all my trojan scans came back negative, I was still worried maybe somehow my computer was compromised.  The only compromise was my noobness! Hope others learn from my error.
mechs
hero member
Activity: 938
Merit: 500
https://youengine.io/
My only thought is the brainwallet website has been compromised instead and some bot is stealing the private keys

No. You just used a weak passphrase. They have *huge* lists of keys already calculated in advance from all kinds of weak passphrases, they knew your passphrase (and with it the key) already long before you even had the idea to use a brain wallet. They are sitting somewhere with a huge list of such weak keys, permanently scanning the network for new transactions and waiting for your coins to arrive at one of their addresses.

Next time you should use a long computer-generated random passphrase. Use a tool like pwgen that creates pronounceable random nonsense (not in any dictionary) words, so it's easy to remember but still completely random.
legendary
Activity: 1862
Merit: 1105
WalletScrutiny.com
The owner of that site needs to shut it down. This kind of thing was inevitable and we warned about it from the start. Someone has calculated a rainbow table and the passphrase you chose is in it.

Which wallet software did you import the key into? Do we need to put a warning about this site into wallet apps? We need to find some way to kill this stupid and dangerous site asap.
The owner of that site should at least warn that "correct horse battery staple" is a particularly bad password. The fact that barely any bitcoins flow through this one tells me that there is no significant amount of noobs using the site. With mass adoption I bet at least 1% of all users would be thankful for this "random" suggestion and go with it. Brainwallet instead should give the user feedback on how secure his key is, although this might make them feel safe where they shouldn't, it can tell them when they are not safe where they feel safe.
Else, for anyone who actually wants to use it, it should suggest using the github version and verifying that the signatures of these 4 persons confirm the version has not been tampered with.

How could a brainwallet be compromised?
We should exclude breaking known algorithms, because that would affect all kinds of wallets.

You have a javascript brainwallet like brainwallet.org or bitaddress.org or namecoinia.org.
1. It has a connection to the internet and is transmitting your private keys.
You can avoid this if you save the page on your computer and switch off the internet connection when you are generating the keypairs.
Alternatively you can do it in a virtualbox container which has no internet connection.
2. You are generating a random keypair; however, it isn't random in reality, but follows a deterministic or stored pattern known to the brainwallet creator.
The source is known (javascript) but it is obfuscated and difficult to check. In this case it doesn't matter if you are offline or online.

Best if you generate a deterministic wallet with a passphrase which is random and long enough, but you choose it and your computer is offline.
In this case I cannot imagine how the brainwallet creator could know the private keys.

Of course there are other attack possibilities also, but they are not brainwallet specific.
If you downloaded from a phishing site, you have some trojans on your computer, or you have written the passphrase on a paper and left it on the table in your bureau.

If the minimized/obfuscated code reduces the entropy by doing something like changing this
privkey_hex = sha256(keyphrase).hexdigest() to this:
privkey_hex = sha256(b"evilhackersalt" + sha256(keyphrase).digest()[:3]).hexdigest()
you would get "totally random" keys with every change to your input, but the attacker would actually be the only one to know your private key in a trivial list of a million keys.

You would only notice this once you try to use your password on a non-poisoned brainwallet. Good luck finding your money if you didn't also back up your priv key, just in case this attacker needs time to swipe your money.
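The two points above, that a compressed key is just the X coordinate plus the parity of Y, and that a poisoned page can silently change the passphrase-to-key derivation, both come down to being able to reproduce the derivation yourself. The following is an added example, not code from the thread or from brainwallet.org: plain Python with the secp256k1 arithmetic written out, deriving privkey = SHA256(passphrase) and both public key encodings, and recovering Y from a compressed key. Its output for "stfu!" can be compared with the bitaddr_brain.py run posted earlier in the thread.

```python
import hashlib
# secp256k1 domain parameters: field prime P, group order N, generator G
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _add(a, b):
    """Affine point addition on secp256k1 (doubling included); None = infinity."""
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    lam = (3 * a[0] * a[0] * pow(2 * a[1], -1, P) if a == b
           else (b[1] - a[1]) * pow(b[0] - a[0], -1, P)) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def _mul(k, pt):  # scalar multiplication by double-and-add
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def b58check(payload):
    """Base58Check: payload || first 4 bytes of double-SHA256, then base58."""
    raw = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def brainwallet(passphrase):
    """privkey = SHA256(passphrase); returns (priv_hex, wif, wif_comp, pub_hex, pub_comp_hex)."""
    d = hashlib.sha256(passphrase.encode()).digest()
    x, y = _mul(int.from_bytes(d, "big") % N, G)
    pub_u = b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")
    pub_c = (b"\x03" if y & 1 else b"\x02") + x.to_bytes(32, "big")  # x plus y's parity only
    return d.hex(), b58check(b"\x80" + d), b58check(b"\x80" + d + b"\x01"), pub_u.hex(), pub_c.hex()

def decompress(pub_c_hex):
    """Rebuild the full point: y = sqrt(x^3 + 7) mod P, picking the parity the prefix encodes."""
    x = int(pub_c_hex[2:], 16)
    y = pow((x ** 3 + 7) % P, (P + 1) // 4, P)  # valid because P = 3 (mod 4)
    y = y if (y & 1) == (pub_c_hex[:2] == "03") else P - y
    return "04" + x.to_bytes(32, "big").hex() + y.to_bytes(32, "big").hex()
```

If a web page's WIF or public key for the same passphrase differs from this output, the page is not doing the plain SHA256 derivation it claims to.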
hero member
Activity: 896
Merit: 532
Former curator of The Bitcoin Museum
I decided to mess around and make a brain wallet.  I used the website www.brainwallet.org.  Supposedly, this javascript is client side only.  Anyway, I made a brain wallet and decided to test it.  I moved my spare change (I keep most of my BTC in cold storage), about 0.178 BTC, to the new brain wallet I made "15WjmFwpZ1mp3fG55JGoGv3p5y9jtehEB2".  Literally within seconds, it was moved to a new bitcoin address not owned by me "1Lp3S4PajwhuFCyrAXSFdVGxLuqTsXtVQC" https://blockchain.info/address/15WjmFwpZ1mp3fG55JGoGv3p5y9jtehEB2

I am very security conscious and am certain my wallet file was not compromised.  My only thought is the brainwallet website has been compromised instead and some bot is stealing the private keys generated there and then instantly transferring any funds deposited to these compromised wallets to their own bitcoin addresses.  DO NOT USE www.brainwallet.org and if you have used it, then immediately move your funds to a new location ASAP.

I am not complaining though, I only lost 0.178BTC - it could have been much worse.


Tell us what pass phrase you used already!! :)
hero member
Activity: 767
Merit: 500
If you can't reveal it because you use that password in multiple places then guess what - that's how they got your password in the first place - by stealing it from some other place you used it.

Indeed, it would make sense for an attacker to find as many compromised password lists as possible (hint: there was one for mtgox a while back) and use those as seeds as well.

Quote
A brain wallet when done right is perfectly fine.

Anything, done well, is perfectly fine!  The problem is that there are so many bad ways to do a brain wallet, for example:

 - picking a weak passphrase
 - forgetting your passphrase
 - not understanding Change addresses, and losing bitcoins

and it's so trivially easy to compromise a brain wallet with a bad passphrase, that it's probably better, for most users, to use an alternative form of key generation and storage.   I would never recommend a brain wallet to a new user, but I would recommend blockchain.info with OTP and a strong passphrase to a new user.

Will
newbie
Activity: 24
Merit: 0
I did a small investigation some time ago to see how widespread the problem was, and these were the results:

 - Sent 0.001 BTC to an address generated with a password you will find in any top 10 common password list. Taken immediately.
 - Sent 0.001 BTC to an address generated with a six digit password. Taken immediately.
 - Sent 0.001 BTC to an address generated with the same six digit password as above, but with Point Conversion set to "Compressed". Untouched.
 - Sent 0.001 BTC to an address generated with an upper/lower/digit six character randomly generated password, normal Point Conversion. Untouched.

Someone is definitely out there grabbing things from weak-passworded wallets, but even a six-character random password thwarts them.


Edit:
Mechs, tell us which password you used. It's already compromised, so there should be no harm in revealing it.
If you can't reveal it because you use that password in multiple places then guess what - that's how they got your password in the first place - by stealing it from some other place you used it.