Topic: Stop the "correct horse battery staple" debacle. (Read 2627 times)

legendary
Activity: 1918
Merit: 1018
If your username is not public it is pretty hard to enter your account

The blockchain system seems pretty efficient where your username is complicated and not public

username? Sounds like you are talking about the site blockchain.info, rather than the blockchain.

Yes I meant the blockchain.info wallet
hero member
Activity: 625
Merit: 500
If your username is not public it is pretty hard to enter your account

The blockchain system seems pretty efficient where your username is complicated and not public

username? Sounds like you are talking about the site blockchain.info, rather than the blockchain.
legendary
Activity: 1918
Merit: 1018
If your username is not public it is pretty hard to enter your account

The blockchain system seems pretty efficient where your username is complicated and not public
donator
Activity: 1218
Merit: 1079
Gerald Davis
I see. Thanks for your help.

No problem.  Entropy (and randomness in general) is a hard thing for most people to grasp so if you get it, you are already ahead of the pack.  The entropy of truly random passwords is just a straightforward equation.  For human chosen passwords it gets a lot fuzzier.  Honestly humans are so bad at choosing strong passwords, most methods for estimating them are probably too optimistic.  Most human passwords can be easily broken unless per record salt and key stretching is used.  The bad news for users of a website for example is you have no idea how the site is storing passwords.  MtGox for example stored passwords using MD5 hash and no per record salt.  This site IIRC uses SHA-256 but doesn't employ any key stretching.  If users had a strong assurance how the password was used they could actually use shorter random passwords with confidence.  Also if the password is already compromised (and there are dictionaries of tens of millions of previously compromised passwords) the entropy is essentially zero.

A seed is encoded with 12 words from a 1626 words dictionary.

I am not sure why 12 words from 1,626 was chosen but I am sure there is a reason.  At first glance it would seem a larger wordlist could have easily been used.

Code:
  Wordlist   Words for 128bit   Notes
     1,626   12                 "Special English" word lists for those learning English ~1,500 words (i.e. Voice of America word list)
     3,184   11                 The average vocabulary for a non-native speaker is ~4,500 words
     7,132   10                 A good subset of common vocabulary without too many overly complex words
    19,113    9                 The average adult US native speaker has a vocabulary of ~20,000 words (although a much smaller portion is used daily)
    65,536    8                 Oxford English Dictionary (full 20 volume set) has 171,476
   319,558    7                 Google books project has indexed ~1 million unique non-scientific words
 2,642,246    6                 Beyond the limit of any single dictionary list. Including all unique recorded English words the upper limit is closer to 5M+ words.
50,859,009    5                 I am taking a guess here but this is probably beyond the limit of all unique combinations of Latin letters ever used in all languages on the planet.

So 12 words is probably using a shorter list than necessary but it only adds one or two words to the length of the key.
11 or 10 words is a good starting point if someone was developing a new system (could take out the ~600 least common words from diceware).
9 words might be possible but with 19,113 words needed you are looking at ~200KB in storage and probably going to need some less commonly known words.
8 or less is probably a poor design choice as to save one or two words you end up needing to use a dictionary with less common words like "jargogle" or "apricity".

The English language has grown significantly in the last century.
hero member
Activity: 577
Merit: 504

BTW, how is the entropy of the password calculated?

Well since each word is random and there are 7776 possible outcomes that means each word has Log(7776) = 12.925 bits of entropy each.   The entropy of the password would be # of words * entropy of each word.

5 words = ~64 bits
6 words = ~78 bits
7 words = ~90 bits
8 words = ~102 bits
9 words = ~116 bits
10 words = ~130 bits

I see. Thanks for your help.

I now finally understand why the Electrum seed is just 128 bits when it has 12 words: it is simply because (log 1626 / log 2) * 12 = 128.005
A seed is encoded with 12 words from a 1626 words dictionary.
donator
Activity: 1218
Merit: 1079
Gerald Davis
It actually will as long as they are RANDOM words.  The random is the hard part.  Humans are actually very bad at coming up with random values.  If you ask people to pick a random number between one and ten a significant portion (usually 20% to 50%) will randomly pick seven and very few will pick one or ten.

Apart from the "random" issue, there is one more problem.
The site quoted is using a list of 7776 English words, but if you ask me to pick a few words myself, I would probably be picking the words from just a few hundred words (probably items in my house, people's names, brand names, etc.).

BTW, how is the entropy of the password calculated?

Well since each word is random and there are 7776 possible outcomes that means each word has Log(7776) = 12.925 bits of entropy each.   The entropy of the password would be # of words * entropy of each word.

5 words = ~64 bits    <- sufficient for low security applications*
6 words = ~78 bits
7 words = ~90 bits    <- sufficient for medium security applications*
8 words = ~102 bits   <- sufficient for high security applications* which rely on an additional factor (i.e. bitcoin wallet requires passphrase AND the actual wallet.dat)
9 words = ~116 bits   
10 words = ~130 bits  <- beyond brute force of nation states both today and into the conceivable future

* This assumes the passwords are stored securely using a key derivation function (strong hash, thousands of rounds, per record salt)

DISCLAIMER: I strongly recommend against using a brain wallet for any reason but if someone is going to use them they should have a realistic understanding of what level of entropy is necessary to prevent compromise.

Brain wallets require no second factor so the only security is a sequence which simply can't be brute forced by anything possible today (even by nation states) or for the foreseeable future.  >128 bits of password strength is considered beyond brute force due to the sheer energy requirements necessary to search that keyspace.  Remember with a brain wallet attacker(s) can simply precompute all probable keys (and that would include shorter diceware sequences).  They can continue forever and slowly expand the database of known addresses.  So the only real security would be a passphrase which is beyond brute force, anything else could have already been broken before you ever used it, or could be broken at any point in the future.

So for RANDOM passphrases we are talking about:

Dicewords (7,776 words) = 10 symbols (words)
All keyboard symbols (95 unique printable symbols on standard US keyboard) = 20 symbols
Case sensitive alphanumeric (a-z, A-Z, 0-9) = 22 symbols
Case insensitive alphanumeric (a-z, 0–9) = 26 symbols
Case insensitive Latin alphabet (a-z) = 28 symbols
Arabic numerals (0–9) = 40 symbols

So of these sequences I know which one is the easiest for me to memorize
chive edt oat puffy crust kiss long omaha lucky bank
2q4$7hG33d$EAV$gsaR4
NSQPYAFSNTAKNPMVZDRRKWXXACVW
TU9MQW97U99D42Y7TS4J6EGGKN
3363486927993949454245366885937555332592

Remember this only applies to truly random sequences.  Human "random" passwords, ones based on symbol substitution (p@ssw0rd!), or taken from a book/movie/song have significantly less entropy.  For most of those it is only a matter of time until they are precomputed by attackers.
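The arithmetic behind the two tables in the post above (bits per Diceware word, and how many symbols each alphabet needs to reach 128 bits) and the inverse question raised further up the thread (how large a wordlist must be for a given number of words, the "Wordlist / Words for 128bit" table), carried through as an added Python example. This is not code from the post, from Diceware or from Electrum; the alphabet sizes are the ones the post lists, and the function names are my own.

```python
import math

# Alphabet sizes exactly as the post lists them. Diceware is 6**5 = 7,776 words
# because one word is selected by five rolls of a six-sided die.
SYMBOL_SETS = {
    "Diceware words": 7776,
    "All printable US-keyboard symbols": 95,
    "Case-sensitive alphanumeric (a-z, A-Z, 0-9)": 62,
    "Case-insensitive alphanumeric (a-z, 0-9)": 36,
    "Case-insensitive Latin alphabet (a-z)": 26,
    "Arabic numerals (0-9)": 10,
}


def bits_per_symbol(alphabet_size):
    """Entropy of one uniformly random pick from an alphabet of the given size."""
    if alphabet_size < 2:
        raise ValueError("an alphabet needs at least two symbols")
    return math.log2(alphabet_size)


def entropy_bits(alphabet_size, length):
    """The post's rule: entropy = number of symbols * entropy of each symbol.
    Only valid when every symbol is an independent, uniform random pick."""
    return length * bits_per_symbol(alphabet_size)


def symbols_needed(alphabet_size, target_bits):
    """Smallest length that reaches target_bits. Rounded up, because a
    fraction of a symbol cannot be written down."""
    return math.ceil(target_bits / bits_per_symbol(alphabet_size))


def min_wordlist_size(target_bits, words):
    """Inverse of symbols_needed: smallest list from which `words` uniform
    picks give at least target_bits (the thread's 'Wordlist' column)."""
    if words < 1:
        raise ValueError("need at least one word")
    return math.ceil(2 ** (target_bits / words))


def diceware_table(min_words=5, max_words=10):
    """Bits of entropy for 5..10 random Diceware words."""
    return {k: entropy_bits(7776, k) for k in range(min_words, max_words + 1)}


def length_table(target_bits=128):
    """Symbols needed per alphabet for a given strength."""
    return {name: symbols_needed(n, target_bits) for name, n in SYMBOL_SETS.items()}


def wordlist_table(target_bits=128, word_counts=range(12, 4, -1)):
    """Minimum wordlist size for 12 words down to 5 words."""
    return {k: min_wordlist_size(target_bits, k) for k in word_counts}


if __name__ == "__main__":
    print("Diceware words -> bits")
    for k, bits in diceware_table().items():
        print(f"  {k:2d} words = {bits:6.1f} bits")
    print("\nSymbols needed for 128 bits")
    for name, n in length_table().items():
        print(f"  {n:3d}  {name}")
    print("\nMinimum wordlist size for 128 bits")
    for k, size in wordlist_table().items():
        print(f"  {k:2d} words -> {size:>10,} entries")
    # Electrum's 12 words from 1,626 entries, the figure quoted in the thread
    print(f"\n12 x log2(1626) = {entropy_bits(1626, 12):.3f} bits")
```

`min_wordlist_size` reproduces every row of the thread's wordlist table (1,626 for 12 words through 50,859,009 for 5). `symbols_needed` uses a strict ceiling, so it returns 25 for the 36-symbol alphabet and 39 for decimal digits, where the post's table lists 26 and 40; the other rows match.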
hero member
Activity: 577
Merit: 504
It actually will as long as they are RANDOM words.  The random is the hard part.  Humans are actually very bad at coming up with random values.  If you ask people to pick a random number between one and ten a significant portion (usually 20% to 50%) will randomly pick seven and very few will pick one or ten.

Apart from the "random" issue, there is one more problem.
The site quoted is using a list of 7776 English words, but if you ask me to pick a few words myself, I would probably be picking the words from just a few hundred words (probably items in my house, people's names, brand names, etc.).

BTW, how is the entropy of the password calculated?
donator
Activity: 1218
Merit: 1079
Gerald Davis
To be honest, I don't think the idea illustrated is correct.
Combining a few common words won't give you a great password at all.

It actually will as long as they are RANDOM words.  The random is the hard part.  Humans are actually very bad at coming up with random values.  If you ask people to pick a random number between one and ten a significant portion (usually 20% to 50%) will randomly pick seven and very few will pick one or ten.

Using a true random source like rolling dice is a good method to generate a secure passphrase.  Here is an example:
http://world.std.com/~reinhold/diceware.html

These were rolled randomly
chive eat oat puffy crust kiss = 63 bits of entropy (probably better than 99% of the non-random passwords used on this site right now)
chive eat oat puffy crust kiss long = ~80 bits of entropy (strong enough for most applications, roughly the equivalent of 12 digit random alphanumeric (Y22N^56a%$98))
chive edt oat puffy crust kiss long omaha lucky bank = ~128 bits of entropy (considered beyond brute force regardless of the computing power of the attacker)
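How five dice rolls select one Diceware word, and why the source of randomness is what sets the strength: an added Python example, not code from the post or from the Diceware page it links. The wordlist here is a constructed placeholder (entry i is simply "w" followed by its own dice key) so the block runs offline; the real list from the linked page slots into the same positions. `secrets.randbelow` stands in for a physical die; the function and variable names are my own.

```python
import math
import secrets

LIST_SIZE = 6 ** 5  # five six-sided dice -> 7,776 keys, the size of the Diceware list


def key_to_index(key):
    """Diceware key such as '31452' (five digits, each 1-6) -> 0-based list index.
    The key is a base-6 number whose digits run 1..6 instead of 0..5."""
    if len(key) != 5 or any(c not in "123456" for c in key):
        raise ValueError(f"invalid Diceware key: {key!r}")
    index = 0
    for c in key:
        index = index * 6 + (int(c) - 1)
    return index


def index_to_key(index):
    """Inverse of key_to_index: 0..7775 -> five-digit dice key."""
    if not 0 <= index < LIST_SIZE:
        raise ValueError(f"index out of range: {index}")
    digits = []
    for _ in range(5):
        index, d = divmod(index, 6)
        digits.append(str(d + 1))
    return "".join(reversed(digits))


def roll_key(rng=secrets.randbelow):
    """Five unbiased rolls. secrets.randbelow(6) draws from the OS CSPRNG
    without modulo bias; a physical die, as the post recommends, maps the same way."""
    return "".join(str(rng(6) + 1) for _ in range(5))


def make_passphrase(wordlist, n_words, rng=secrets.randbelow):
    """n_words independent uniform picks; every word comes from its own five rolls."""
    if len(wordlist) != LIST_SIZE:
        raise ValueError("expected a 7,776-entry list ordered by dice key")
    return [wordlist[key_to_index(roll_key(rng))] for _ in range(n_words)]


def entropy_bits(list_size, n_words):
    """Strength of a phrase of n_words uniform picks from list_size candidates."""
    return n_words * math.log2(list_size)


# Constructed placeholder list (not the Diceware words), ordered by dice key.
DEMO_WORDLIST = ["w" + index_to_key(i) for i in range(LIST_SIZE)]


if __name__ == "__main__":
    phrase = make_passphrase(DEMO_WORDLIST, 6)
    print(" ".join(phrase))
    # Six dice-chosen words versus six words a person picks from the few
    # hundred they would think of unprompted (the objection raised in the thread):
    print(f"6 words from 7,776: {entropy_bits(7776, 6):.1f} bits")
    print(f"6 words from ~300:  {entropy_bits(300, 6):.1f} bits")
```

The phrase length is identical in both cases; only the size of the set the words were actually drawn from, and the fact that the draw was uniform, determines the entropy.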
hero member
Activity: 619
Merit: 500
Every single satoshi should be given to xkcd, it's his password after all.

source: https://xkcd.com/936/

To be honest, I don't think the idea illustrated is correct.
Combining a few common words won't give you a great password at all.
copper member
Activity: 1498
Merit: 1528
No I don't escrow anymore.
Every single satoshi should be given to xkcd, it's his password after all.

source: https://xkcd.com/936/
legendary
Activity: 1918
Merit: 1018
People still arrive on http://brainwallet.org/#generator and think they are generating their own private brain wallet and they send to 1JwSSubhmg6iPtRjtyqhUYYH7bZg3Lfy1T...
cp1
hero member
Activity: 616
Merit: 500
Stop using brainwallets
I tried to import it into armory.py and got a seg fault.  I might try the new version.
legendary
Activity: 1652
Merit: 1016
The private key is publicly known. But why all the double spends?
You just answered your own question. Because the private key is known, the instant anyone sends coins to that address, somebody will attempt to transfer those coins to their own addresses before anyone else does. But since everybody else has the exact same plan, the result is a great many transactions from many different people all trying to spend the same coins.

I thought of this but had the idea someone will get their transaction first (maybe a few milliseconds quicker) and that one would be accepted. All the rest that followed would double spend.
full member
Activity: 196
Merit: 100
Looks like people have been trying to sweep this address automatically and manually...

Not just this address either. Brain wallets are dangerously insecure unless care is taken selecting the passphrase. Discussed at length in this thread https://bitcointalksearch.org/topic/if-you-used-brainwalletorg-must-read-security-breach-251037

NEWBIES ... read that thread before you use a brainwallet. A badly chosen passphrase will lose your coin.
sr. member
Activity: 440
Merit: 250
Do not even try to add the private key to your wallet
And because many people try to spend the coins, it is not worth trying to do the same
legendary
Activity: 4536
Merit: 3188
Vile Vixen and Miss Bitcointalk 2021-2023
The private key is publicly known. But why all the double spends?
You just answered your own question. Because the private key is known, the instant anyone sends coins to that address, somebody will attempt to transfer those coins to their own addresses before anyone else does. But since everybody else has the exact same plan, the result is a great many transactions from many different people all trying to spend the same coins.
legendary
Activity: 1652
Merit: 1016
I've never really understood what's going on with that account? The private key is publicly known. But why all the double spends?

the system is being tested for exploitability

I thought that was what the testnet is for.
newbie
Activity: 38
Merit: 0
I've never really understood what's going on with that account? The private key is publicly known. But why all the double spends?

the system is being tested for exploitability
legendary
Activity: 1652
Merit: 1016
I've never really understood what's going on with that account? The private key is publicly known. But why all the double spends?
cp1
hero member
Activity: 616
Merit: 500
Stop using brainwallets
I've always wondered what the fees would cost to do that.