Topic: Solve a riddle, guess a 4 char password and add 10 BTC to your xmas... SOLVED!! - page 5. (Read 13586 times)

If you are throwing in the towel then please post a BTC address here (or send me one in a PM) so I can at least throw 1 BTC your way for the time spent on this.


Doh - just as I posted - well glad to see you haven't given up!

For those who dont have enough hashing power, u can send me patterns per PM and il test em, if they match u get a portion of the 10BTC (going to distribute it fair to all who helped, including me).

time is of the essence

All will be revealed in time but I will add now that the title of this topic was not inaccurate.

"Solve a riddle, guess a 4 char password and add 10 BTC to your xmas stocking!" <-- why not "Solve a riddle, bruteforce a 4 char password with an unknown salt and add 10 BTC to your xmas stocking! )"
dunno what to test, tested somany pattern.
Did you change ${password} too? asking because of the 1p.

Next hint to be posted after 400 confirmations (unless there is consensus here for me to give it earlier).

BTW don't know if you guys have read this: https://bitcoinfoundation.org/blog/?p=58

but I think a case could be made for some "grant" coins towards creating a GUI that could assist with creating a secret such as that so far elusive changed equation in my bash script.

and we still got tons of stuff to test this gonna be fun

Just woke up again to find that we are at confirmation # 202 so here is the next hint:

sure ty already.
Good opportunity to hack around with electrum.

Is anyone interested in an address that contains 230 satoshis? It's in an electrum wallet I'm about to delete and can't be bothered to try and salvage them without paying a fee, so if anyone wants them, they can have the wallet and get them!

Well it's very early now in Beijing but woke up wondering whether the 10 BTC was still there - and amazingly it still is (and I see now only another 15 confirmations before the next hint).

Although I respect the skepticism of any "brainwallet" approach I do hope that this "putting my money where my mouth is" approach will at least convince some that the idea can work (although even my much improved script could itself be improved through the use of say scrypt).

No. The line in that script is bash code and it forms a string to be hashed. So the brute force needs to scan ranges made up of any a-z, A-Z, and 0-9 but only 4 chars. Then it substitutes each pwd attempt into the pattern used in the script eg.  aaaa+aaaa=aaaaaaaa@L3AsT, except we know it's not that exact pattern. We have clues that likely it's the @L3AsT part that has changed but how is not known.

At least one person has tried over 200 variations on that line and still not found the right one. I've only tested about 10 variations but now that my pwd hashing code is working I can provide patterns in a file and it will run on them in sequence.

Just for interest these are the ones I've tried so far with no luck:


I guess I'll throw a bunch more in and let it spin. It's only running on one GPU as I couldn't get multiple to work. Not sure why but stops with some crash code.

I think you did read the "Security by Obscurity" wiki entry. At last ur bound to a 64 alpha numeric password which is long enough to not be crackable by a dictionary nowadays (and the future, unlike something drastically changes). Real Security comes by a good Design and not Obscurity, lets take scrypt as example -> scrypt takes compared to other hashing algos very long to complete. Now take a look at Armory for example where a scrypt hash (u define the scrypt parameters) of ur password is your deterministic wallet key. Now if scrypt is broken (there are collisions/attacks possible) then ur whole wallet gets insecure. A good way to take care of it is wrapping/nesting good (not a bad one, there are hashing algos that tell of what input they are generated which would be a major drawback!) hashing algos. Cascascius (Mike) was talking about this too i guess. If you do this the sheer amount of hashes you have to crack is so big that it isnt worth trying and it would be easier to search for a collision.

Pls let cryptograph specialist/programers/hackers decide if its safe or not, i see it so often that some dev thinks a hashing way is save and uses it everywhere (i had to fix a hacked system at my company, some stupid dev used base64 to "encrypt" the password) until u see its broken. Therefore picking a good way to Hash ur password and store it accordingly is the key to success.

PS: sry for typos, just woke up!

For those wondering exactly where I am headed with this concept - it is to ideally present to an end user a list of questions that will be able to then be used to automatically modify the password hashing script to generate an algorithm in a manner that is very secure (on a secured computer of course - more to come on this in the CIYAM Open thread) without too much effort (but the end user's creativity is and will always be the *key* ingredient with this approach).

I never said that this would be a trivial matter (or that this is the best solution to the problem) but I hope that this challenge has at least shown that the idea has some merit.

Also using this method I am fairly sure that I've now managed to secure all of CIYAM Open's future BTC tx's for an outlay of under 100 USD (shitty old notebooks are cheap here in China - but you should have seen the look on the salesman's face when my wife asked for the WiFi card to be *removed* because "she hates the internet" ).

BTW - I'd like to pass on a special thank you to the mods for allowing this thread to stay in Bitcoin Discussion.

Bitcointalk is a pretty awesome place to be!

Precisely!

As the Electrum guys say "protect the seed"!

Good point.

People are using their ow secret key obfuscating functions all the time. Here are some popular ones:

• Repeat the password twice
• Append 123 at the end
• Replace o with 0, t with 7, e with 3 etc. A.k.a. 1337-language

Some ppl might think that these things make their passwords much much stronger. Little do they know that all these cases are covered in a modern dictionary attack and therefore only add a few bits extra security.

You are suggesting some more advanced modification that is unlikely to be guessed. It's basically a part of your key and must either be protected or remembered.

We will not crack this challenge ass long as you have your algorithm protected!

Understood - that is why I am not giving the next hint until confirmation # 200 and that next hint may not be the last one either (really I just didn't want to drag this out too long in the same way that Mike Caldwell handled his similar challenge but if you guys think that it is worthwhile then we can keep at it - understand that in the *real* version the brute force cracking is going to be a hell of a lot tougher than for this trial - and we can have a challenge for that if people are interested in let's say 50 BTC).

I think you have to allow more time. If someone could crack my Electrum wallet seed in 24 hours I'd call it useless.