Author

Topic: Is BIP38 encryption of private keys bruteforcable? (Read 571 times)

full member
Activity: 148
Merit: 106
Thanks a ton moccacino. Just the answer I was looking for.

Mod please feel free to delete the other thread started by me that asks exactly the question that was answered here.
legendary
Activity: 3612
Merit: 5297
https://merel.mobi => buy facemasks with BTC/LTC
I watched the following video on Youtube and it is scary how weak any passphrase is as a seed for brainwallet:

https://www.youtube.com/watch?v=foil0hzl4Pg

That makes me wonder if by the creation of paperwallets and encryption of privatekeys with a "weak" passphrase (I have no idea what would constitute a strong passphrase) we run the risk of accidentally found paper wallets with encrypted private keys being brute forced by the knowledgable finder of such a paper wallet?

This thread should satisfy your curiosity: https://bitcointalksearch.org/topic/im-bip38-curious-please-help-me-out-1014202

If you found it TL;DR, here's the bottom line:
A member put 1 BTC onto an addres whose private key was bip38 encrypted, he posted the encrypted private key + the fact that the password was only 6 letters. Later on he even gave a couple of clues about the password.
Two years later, he closed the contest and disclosed the password to be "zLwMiR", the price remained unclaimed (nobody succesfully bruteforced the password in 2 years, even with the prior knowledge the password was only 6 letters long).

So, if you pick a reasonably strong, completely random password, you should be relatively secure... Offcourse, if you're going to load your paper wallet with 1000's of BTC, you're giving a brute forcer a very big incentive to crack your passphrase...

legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
Thanks for the answer.

So if I use something like Diceware and generate a radnom list of say 7 words sucha a passphrase should be easy to memorise but impossible to bruteforce at a rate of 1 key/second.
I'm not sure about diceware and I've never used it.
Is the password predictable? Is the password common? Is the password in a dictionary? Does the password only contain letters and/or numbers?

If you answer yes to anything above, it can be rather insecure. The point here is that the ability of guessing password at a slow rate does not matter if your password is weak. They can still employ botnets or large array of computers to bruteforce your password if its sufficiently weak. It is just so that it is not feasible for them to bruteforce it if your password is relatively strong.
full member
Activity: 148
Merit: 106
Thanks for the answer.

So if I use something like Diceware and generate a radnom list of say 7 words sucha a passphrase should be easy to memorise but impossible to bruteforce at a rate of 1 key/second.
legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
I watched the following video on Youtube and it is scary how weak any passphrase is as a seed for brainwallet:

https://www.youtube.com/watch?v=foil0hzl4Pg
Brainwallet.org uses SHA256 to derive the keys and it is very easy to bruteforce at a decent speed.
That makes me wonder if by the creation of paperwallets and encryption of privatekeys with a "weak" passphrase (I have no idea what would constitute a strong passphrase) we run the risk of accidentally found paper wallets with encrypted private keys being brute forced by the knowledgable finder of such a paper wallet?
BIP38 uses AES to encrypt the BIP38 key. The key derivation is scrypt. Scrypt is very resource intensive and it takes a long time for someone to be able to decrypt the key for even once. For a normal desktop computer, it may be possible for a key to be bruteforced at a rate of 1 key per second. As long as you use a decent password that is not common or is not guessable by others, it is very safe.

Ultimately, the strength of your password is what that matters. Your password is not secure if you think it can be bruteforced.
full member
Activity: 148
Merit: 106
I watched the following video on Youtube and it is scary how weak any passphrase is as a seed for brainwallet:

https://www.youtube.com/watch?v=foil0hzl4Pg

That makes me wonder if by the creation of paperwallets and encryption of privatekeys with a "weak" passphrase (I have no idea what would constitute a strong passphrase) we run the risk of accidentally found paper wallets with encrypted private keys being brute forced by the knowledgable finder of such a paper wallet?
Jump to: