Pages:
Author

Topic: It took 10 seconds for the brainwallet "password1" to be taken (Read 15343 times)

sr. member
Activity: 378
Merit: 255
So if my coinbase has an easy pw, when I do a transaction someone may use the public key to track me and try to crack my pw?  

Is that the way it works?

New to this but want to be secure.

No.  They know your e-mail address and they guess your password and transfer the coins.  That's why you should set up the Authy authentication so they can't do that.

Also, you should only keep spending money in there, not $10,000.
newbie
Activity: 11
Merit: 0
There are safer ways to hold into btc's ,it's clear that some people generated thousands if not millions of wallets and are using bots with bruteforce to break any weak passwords. To have a somehow moderate wallet you might need to enter a semi-impossible to imagine word with letters/number/signs etc... making it hard for you to remember. Paper wallets might be more useful.

Perhaps not using words would be prudent as lists exist which have fancy titles like DICTIONARY etc Smiley

Skynet's new 12nm ASIC chip is able to learn at a geometric rate and can crack passwords at 500T/flop/s whilemining / coordinating missile strikes under WIN7/Ubuntu. Also it is self-conscious.

Fancy computers can quite easily hack passwords so beware!
newbie
Activity: 14
Merit: 0
So if my coinbase has an easy pw, when I do a transaction someone may use the public key to track me and try to crack my pw? 

Is that the way it works?

New to this but want to be secure.
newbie
Activity: 14
Merit: 0
How about a coinbase wallet?   Is it secure?

Its as secure as the owner is. But remember, if you don't control the keys, you don't control the bitcoin.

Blockchain.info is a much better wallet because you get to keep control of your keys

And your blockchain.info wallet is as secure as the password you set it up with?

Sorry for the noob q's
legendary
Activity: 1320
Merit: 1007
How about a coinbase wallet?   Is it secure?

Its as secure as the owner is. But remember, if you don't control the keys, you don't control the bitcoin.

Blockchain.info is a much better wallet because you get to keep control of your keys
newbie
Activity: 14
Merit: 0
How about a coinbase wallet?   Is it secure?
hero member
Activity: 588
Merit: 500
There are safer ways to hold into btc's ,it's clear that some people generated thousands if not millions of wallets and are using bots with bruteforce to break any weak passwords. To have a somehow moderate wallet you might need to enter a semi-impossible to imagine word with letters/number/signs etc... making it hard for you to remember. Paper wallets might be more useful.
sr. member
Activity: 770
Merit: 250
so could there be a possible collision?  Huh

If you use a password to create a private key it is very easy for computers to generate the private keys and check the balance.  You need to create the private keys randomly and not from a password.  In other words, no brain wallets.  people can run large supercomputers and check passwords all day long so don't even try it.

the best way to go is use a deterministic wallet like armory or electrum.  that was you have one long key you have to save and back up.  Then all your addresses are created from that.
It will suffice to use a good password. Supercomputers can't beat good passwords. Just don't use anything that could be beaten with wordlists etc., do not use lyrics from your favourite song and so on. The problem is the same as choosing a good password. It's totally doable if you use some sense. Put something personal in it, something that is not found in a word list. That way if the attacker wants to really crack it he would have to focus on cracking just your password.

If we look at passwords like "correct horse battery staple"
The words
correct - 1822nd most common (Wolfram Alpha)
horse - 1315th most common (Wolfram Alpha)
battery - 3222nd most common (http://www.wordfrequency.info/free.asp?s=y)
staple - Huh, but not in the top 5000

So, one would most probably need a word list of at least 2000 words to be able to have all those words. This means 16000000000000 different combinations of four words. Assume an attacker could hash passwords at 10 TH/s. She would need 1.6 seconds to surely find the key. So not safe for the future attacker. Add a fifth word, it will take an hour now. Add punctuation, substitute a letter for a number, do a strange error in spelling... something you can remember. The key will become impossible to guess. Remember something personal. Also in practice the word list would have to include way more than 2000 words.
Anyway, think this for yourself, but it's not difficult to come up with a safe passphrase that you can also surely remember. I have a mixed Finnish/English passphrase I know I really can't forget but it's also quite impossible for anyone to come up with.
Just remember something random or personal as well, there are around 7 billion people on this planet and  if you think no one else likes that obscure quote or poem you're using, you might as well be wrong.
legendary
Activity: 1008
Merit: 1001
Let the chips fall where they may.
It is safer to properly generate the entropy and store the result on paper.

Due to to nature of cryptographic hash functions, there is no limit to the length of the pass-phrase. It can be the King James Bible (which is well known enough, it may very well be guessed by dedicated pass-phrase crackers).

My rule of thumb: if it has ever been published, it is not a good pass-phrase.
newbie
Activity: 6
Merit: 0
I have been wanting to participate in this discussion, and am now happily past the newbie speedbump.  Smiley

I like the concept of deterministic wallets, and am thinking of an approach that lets me create deterministic and encrypted paper wallets.

It starts with a brainwallet created at bitaddress.org with a 230+ bit entropy passphrase.  I then encrypt the private key at bit2factor.org which implements BIP38 to create an encrypted private key.  For this encryption, I use a different 230+ bit entropy passhprase.  I then use the encrypted private keys as the successive brainwallet passphrases to create more encrypted private keys in a deterministic manner.

I have read this full post and others like it, and am aware of the need for high entropy passphrases.  I can use even higher entropy passphrases than what I am thinking of, and I can reliably re-create the passphrases when I need to.  But I am interested in knowing how much entropy bitcoin passphrases can handle.

My questions are:
1) what is the limit for the number of characters a passphrase can have to create a private key at bitaddress.org?
2) what is the limit for the number of characters a passphrase can have to encrypt a private key at bit2factor.org for the BIP38 implementation?

Thanks.
full member
Activity: 200
Merit: 100
Quick question.

In making my 'paper' (brass) wallets,  I'm going to use bitaddress_org html file and it so happens that it's the 'brain wallet' creating function that I need to use to be able to enter a passphrase.

So let's imagine I roll a dice 50 times and toss a coin 50 times and I enter those results with some added text of my own as a passphrase.

This is the passphrase that you would remember if it was indeed a brain wallet you were creating.

Clearly I would be unable to actually remember the newly created passphrase.

This is because I am only interested in the public address and corresponding private key which come from the above process.

So my question is simple.  

Is it okay for me to disregard the passphrase and never make a record of it as I'll already have everything I'll ever need for my cold storage brass wallets?

I am using cold storage the same way you were talking about. Only difference was I was livebooting from Ubuntu and then opening bitaddress in html file offline to generate a key pair using brainwallet (as stated, don't trust RNG).
But seeing you won't use the computer afterwards it should be perfectly fine - just don't go online on it again.


I'm not so sure about how you would go and import one of these on an offline client like the armory/official client, however I would just sweet it on a Blockchain.info account with Google 2-FA and then transfer the funds to whatever destination.
legendary
Activity: 2072
Merit: 1006
this space intentionally left blank
can I use http://passwordsgenerator.net/ to generate a 50 char password such as

Code:
Mdv6)2uU)'_9K!X+Lb'er#6[.aJxc>r!a`J5?QL;W)/J.=MR

and use the phonetic output

Code:
MUSIC drip visa 6 ) 2 usa USA ) ' _ 9 KOREAN ! XBOX + LAPTOP bestbuy ' egg rope # 6 [ . apple JACK xbox coffee > rope ! apple ` JACK 5 ? QUEEN LAPTOP ; WALMART ) / JACK . = MUSIC ROPE < yelp 


as seed for a resonably secure wallet?
hero member
Activity: 546
Merit: 500
hm
Quick question.

In making my 'paper' (brass) wallets,  I'm going to use bitaddress_org html file and it so happens that it's the 'brain wallet' creating function that I need to use to be able to enter a passphrase.

So let's imagine I roll a dice 50 times and toss a coin 50 times and I enter those results with some added text of my own as a passphrase.

This is the passphrase that you would remember if it was indeed a brain wallet you were creating.

Clearly I would be unable to actually remember the newly created passphrase.

This is because I am only interested in the public address and corresponding private key which come from the above process.

So my question is simple.  

Is it okay for me to disregard the passphrase and never make a record of it as I'll already have everything I'll ever need for my cold storage brass wallets?


Why don't you just put in 1000 random characters with the keyboard on bitaddress? The private key is just a SHA-256 key of that string. And the public address will get created out of this private key. So you get the maximum entropy... But in this way you don't have a backdoor to access your coins in your head.
hero member
Activity: 602
Merit: 500
myBitcoin.Garden
That should be fine, but why bother with a passphrase at all?  Why not just let bitaddress randomly generate your addressed using their "single wallet" or "bulk wallet" option?

Thanks for the reply.

It's just as protection in case there are security flaws with that method. 



legendary
Activity: 1204
Merit: 1002
Gresham's Lawyer
Don't panic. If you use correctly brainwallets are the most secure.
But they are not newbie proof.

Looking at the extraordinary hoops folks are jumping through in order to secure their bitcoin, is a decent measure of how very far we have to go yet to get to mainstream adoption.
These are early days.
Like hearing grandpa talking about starting their cars with a crank.
hero member
Activity: 532
Merit: 500
Don't panic. If you use correctly brainwallets are the most secure.
But they are not newbie proof.

My blockchain password goes in the format of "chippy2370spence2721" .

I assume this would be a crap brainwallet password and quickly cracked and my BTC stolen?

M
hero member
Activity: 504
Merit: 500
That should be fine, but why bother with a passphrase at all?  Why not just let bitaddress randomly generate your addressed using their "single wallet" or "bulk wallet" option?
Because of this:
http://www.bbc.co.uk/news/technology-24048343
https://www.schneier.com/blog/archives/2013/09/surreptitiously.html
But if you use random number generator with mouse input or keyboard input for entropy collection then it is OK.
If the entropy is collected only from the own hardware then it is not safe because it is predictable. A deterministic wallet or a random wallet with human input is not predictable.
sr. member
Activity: 354
Merit: 250
That should be fine, but why bother with a passphrase at all?  Why not just let bitaddress randomly generate your addressed using their "single wallet" or "bulk wallet" option?
hero member
Activity: 602
Merit: 500
myBitcoin.Garden
Quick question.

In making my 'paper' (brass) wallets,  I'm going to use bitaddress_org html file and it so happens that it's the 'brain wallet' creating function that I need to use to be able to enter a passphrase.

So let's imagine I roll a dice 50 times and toss a coin 50 times and I enter those results with some added text of my own as a passphrase.

This is the passphrase that you would remember if it was indeed a brain wallet you were creating.

Clearly I would be unable to actually remember the newly created passphrase.

This is because I am only interested in the public address and corresponding private key which come from the above process.

So my question is simple.  

Is it okay for me to disregard the passphrase and never make a record of it as I'll already have everything I'll ever need for my cold storage brass wallets?
legendary
Activity: 1008
Merit: 1001
Let the chips fall where they may.

Here are 12 "words" that I can remember that aren't in any dictionary

thingy
depribe
weenus
integrous
prollums
pompatous
dickfor
tigger
"xxxxxxxx" (my last name, shared by fewer than 100 people worldwide - okay, that's probably on some list)
sadistics
skullfuck
dickstain


Are you sure? The link has essentially the entire text of the Internet. While de-duplication would be tricky for common phrases (including misspellings), it should be trivial to pull all unique "words".

Are you saying none of the 100 people using your last name have a web-page on the Internet?

The hardest part would be trying all 12 word permutations. 4 word permutations should be doable.

Don't panic. If you use correctly brainwallets are the most secure.
But they are not newbie proof.

I would say paper wallets are most secure. Remember: you are not only trying to guard against theft, but also data-loss. Memory is notoriously unreliable. If you are hit by a vehicle, even if you survive, you may forget your passphrase.

With paper, you can store the passphrase is more than one physical location. You can use Multi-party signatures to require data from m of n locations (Pay to Script hash (BIP16) ,+ Multi-signature transactions (BIP11))

My offline wallet will survive a city-destroying event. Can't make the same claim about any "brain wallet" in my head.
Pages:
Jump to: