Pages:
Author

Topic: If you used Brainwallet.org - MUST READ! - Security Breach! - page 8. (Read 52841 times)

legendary
Activity: 1896
Merit: 1353
Electrum users are advised not to type their seed in brainwallet.org (or any other website).
legendary
Activity: 3710
Merit: 1586
Sounds like a weak passphrase to me.  We already know that people have created huge 'rainbow tables' of bitcoin addresses generated from SHA256 of weak passphrases, and they just sit watching the blockchain for any of them to come up and then siphon off the funds.  This is yet another reason why a 'brain wallet' is such a terribly bad idea for anyone to do.

Will

A brain wallet when done right is perfectly fine. A deterministic wallet like electrum is like a brain wallet. 12 words that are the seed to all your bitcoin keys. Of course the entropy is greater than your typical brain wallet. 128 bits for electrum.
hero member
Activity: 714
Merit: 601
Since the coins are already gone, please post what password you used for your brain wallet.    We can then confirm to you that it was a bad and easily hackable password.

Don't try to be funny and drop the wrong password, everyone will know immediately.

+1, and its not like he can use the address again...
hero member
Activity: 767
Merit: 500
Sounds like a weak passphrase to me.  We already know that people have created huge 'rainbow tables' of bitcoin addresses generated from SHA256 of weak passphrases, and they just sit watching the blockchain for any of them to come up and then siphon off the funds.  This is yet another reason why a 'brain wallet' is such a terribly bad idea for anyone to do.

Will
newbie
Activity: 14
Merit: 0
Since the coins are already gone, please post what password you used for your brain wallet.    We can then confirm to you that it was a bad and easily hackable password.

Don't try to be funny and drop the wrong password, everyone will know immediately.
full member
Activity: 196
Merit: 100
Brainwallet just uses this python code ...

privkey_hex = hashlib.sha256(keyphrase).hexdigest()

(Not that actual code since its from one of my scripts, but something similar). Its trivial to do your own version and avoid the web site entirely (then import the private key into the wallet of your choice). The slightly more tricky part is obtaining the WIF key and addresses, I posted a simple script here https://bitcointalksearch.org/topic/m.2642261 but there are probably more professional versions elsewhere on this forum.

But as has been said earlier, if you don't understand what a script is doing, then don't use it.
legendary
Activity: 1526
Merit: 1134
The owner of that site needs to shut it down. This kind of thing was inevitable and we warned about it from the start. Someone has calculated a rainbow table and the passphrase you chose is in it.

Which wallet software did you import the key into? Do we need to put a warning about this site into wallet apps? We need to find some way to kill this stupid and dangerous site asap.
hero member
Activity: 504
Merit: 500
How could be compromised a brainwallet ?
Breaking known algorithms should we exclude because that would affect all kind of wallets.

You have a javascript brainwallet like brainwallet.org or bitaddress.org or namecoinia.org.
1. It has a connection to the internet and transmitting your private keys.
You can avoid this if you save the page on your computer and switch off the internet connection when you are generating the keypairs.
Alternatively you can do it in a virtualbox container which has no internet connection.
2. You are generating a random keypair however it isn't random in the reality, but follows a deterministic or stored pattern known to the brainwallet creator.
The source is known (javascript) but it is obfuscated and difficult to check it. In this case it doesn't matter if you are offline or online.

Best if you generate deterministic wallet with a passphrase which is random and long enough but you choose it and your computer is offline.
In this case I cannot imagine how could the brainwallet creator know the private keys.

Of  course they are other attack possibilities also but they are not brainwallet specific.
If you downloaded from a pishing site, you have some trojans on your computer or you have written the passphrase on a paper and let on the table on your bureau.
vip
Activity: 1316
Merit: 1043
👻
What passphrase did you use?

ireallylikecookies -> not ok
poweroutletsmmaybeeshockyuoifyuotuochit -> a lot better.
legendary
Activity: 1400
Merit: 1013
Is your passphrase just too simple?
Any passphrase you can memorize is almost too simple by definition.
legendary
Activity: 1862
Merit: 1114
WalletScrutiny.com
/sub

I used Brainwallet for a friend half a year ago on an offline pc with the code from github. The money is still there. I wouldn't trust the version that happens to be on any website but for now I do trust github to not mess with repos. I wish there was some signing involved though. If reputable dev would confirm to have seen nothing fishy about version [hash], I would pick up the changelog (if any) from there and decide if I use the signed version or the updated version. I picked the most recent version as it was old already, so I assumed it was reviewed by quite some people but I guess git's feature to mess with the history would allow to forge an old-looking head easily.
legendary
Activity: 1498
Merit: 1000
I don't think you can download the script from the site.  Regardless, whether it is the website author or a hacker, the site is compromised.  I don't think it had anything to do with my wallet.dat password being compromised - it is a very long, secure password and I do not believe there are any trojans on my system.

It is just javascript so you can just do Command-S or on window control-s and it will save the entire page. That is all you need.

and I meant maybe your brainwallet password was short not your wallet.dat password. It is probably a bot that instant created all private keys of a word list and then when a balance hit's it transfers it out.
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
You can save the website for offline usage or better yet get it from github.

I use from a computer with no internet access - and it works fine for generating the key pairs this way.
legendary
Activity: 1792
Merit: 1111
I decided to mess around and make a brain wallet.  I used the website www.brainwallet.org.  Supposively, this javascript is client side only.  Anyway, I made a brain wallet and decided to test it.  I moved my spare change (I keep most of my BTC in cold storage) about 0.178 BTC to the new brain wallet I made "15WjmFwpZ1mp3fG55JGoGv3p5y9jtehEB2".  Literally within seconds, it was moved to a new bitcoin address not owned by me "1Lp3S4PajwhuFCyrAXSFdVGxLuqTsXtVQC" https://blockchain.info/address/15WjmFwpZ1mp3fG55JGoGv3p5y9jtehEB2

I am very security conscience and am certain my wallet file was not compromised.  My only thought is the brainwallet website has been compromised instead and some bot is stealing the private keys generated there and then instantly transfering any funds deposited to these compromised wallets to their own bitcoin addresses.  DO NOT USE www.brainwallet.org and if you have used it, then immediately move your funds to a new location ASAP.

I am not complaining though, I only lost 0.178BTC - it could have been much worse.


Is your passphrase just too simple?
legendary
Activity: 1498
Merit: 1000
That is why you download it, and unplug your internet, then generator the public key. But I think your password was probably too short.
full member
Activity: 210
Merit: 100
I don't think you can download the script from the site.  Regardless, whether it is the website author or a hacker, the site is compromised.  I don't think it had anything to do with my wallet.dat password being compromised - it is a very long, secure password and I do not believe there are any trojans on my system.
full member
Activity: 210
Merit: 100
I decided to mess around and make a brain wallet.  I used the website www.brainwallet.org.  Supposively, this javascript is client side only.  Anyway, I made a brain wallet and decided to test it.  I moved my spare change (I keep most of my BTC in cold storage) about 0.178 BTC to the new brain wallet I made "15WjmFwpZ1mp3fG55JGoGv3p5y9jtehEB2".  Literally within seconds, it was moved to a new bitcoin address not owned by me "1Lp3S4PajwhuFCyrAXSFdVGxLuqTsXtVQC" https://blockchain.info/address/15WjmFwpZ1mp3fG55JGoGv3p5y9jtehEB2

I am very security conscience and am certain my wallet file was not compromised.  My only thought is the brainwallet website has been compromised instead and some bot is stealing the private keys generated there and then instantly transfering any funds deposited to these compromised wallets to their own bitcoin addresses.  DO NOT USE www.brainwallet.org and if you have used it, then immediately move your funds to a new location ASAP.

I am not complaining though, I only lost 0.178BTC - it could have been much worse.
Pages:
Jump to: