Pages:
Author

Topic: (Successful) Dictionary Attack Against Private Keys - page 3. (Read 9452 times)

staff
Activity: 4284
Merit: 8808
They exist because of brainwallet.org. Amusingly, the site's creator started down his path much as you have, but then decided that "password derived" keys were useful so he setup a website.

Humans are unconditionally a terrible source of entropy. Many people using keys they sincerely believed were secure have been robbed. Often complicated "schemes", and even common password advice produce worse passwords instead of better ones.  This baddness is multiplied by the face that using JS tools make the performance of reasonable KDFs unacceptable and because the application prevents the use of effective salting, so the attacker gets an enormous simultaneous attack multiplier.

But there is really nothing that can be done except to keep telling people: Do Not Use Human Derived "entropy" for private keys.

It may be worth pointing out to you that a prudent person doesn't try doing this:  What happens if you find a key with 1000 BTC and can't determine the owner?  Your choice will be to rob them yourself or to leave it be and hope they move the coin before someone else robs them. If you don't want to potentially be in that situation you shouldn't be attempting to crack other people's ignorantly produced keys.
full member
Activity: 238
Merit: 100
Hey all,

Just wanted to post some interesting findings I am getting while running a sort of brute force against the blockchain.

Here is what I am doing:

Take a fairly long dictonary, get the sha256 of an entry, then calculate the bitcoin address using that hash as the private key.

So far I have found addresses for the following hashes:

love
test
fuckyou
password
1234
12345
123456

(I have not tried many.)

For example, the sha256 of "12345" is the address 18YXnSUCPDVNEpPGDFRVrdVye63RpH2MA4, which received a total of 0.11014424 BTC over its lifetime.

These addresses don't have any money in them currently, but have at some point.  In other words, if I had done the same thing when the address was in use I could have stole the bitcoins from the address.

I am unsure why these addresses exist, and why anyone would use them.  Some have been used fairly recently.
Pages:
Jump to: